Features Introduced in June 2023
Learn what’s new on Prisma™ Cloud in June 2023.
New Features Introduced in 23.6.2
New Features
FEATURE | DESCRIPTION |
IAM Security metrics included in Cloud Security Report powered by Adoption Advisor (Enhancement) | Implement least-privileged access by quantifying and sharing key IAM security metrics, such as unused over-privileged permissions, which are now available in the Cloud Security Report powered by Adoption Advisor in Prisma Cloud. These newly surfaced KPIs help you shrink the attack surface by removing excessive permissions that pose a significant security risk. Navigate to Adoption Advisor > Create Report in the Prisma Cloud administrative console to explore the latest IAM security metrics. |
API Ingestions
SERVICE | API DETAILS |
Amazon API Gateway | aws-apigatewayv2-route Additional permission required:
The Security Audit role includes the permission. |
Amazon Route53 (Update) | aws-route53-list-hosted-zones. The resource JSON for this API will be updated to remove a trailing "." (dot) from the field. |
AWS WAF | aws-waf-v2-rule-group Additional permission required:
The Security Audit role includes the permission. |
OCI Block Storage | oci-block-storage-volume-group Additional permission required:
You must update the Terraform template to enable the permission. |
OCI Database | oci-database-keystore Additional permission required:
You must update the Terraform template to enable the permission. |
New Policies
NEW POLICIES | DESCRIPTION |
GCP VM instance that is reachable from untrust internet source to ports with high risk | Identifies GCP VM instances that are reachable from untrusted internet sources on high-risk ports. VM instances that accept unrestricted internet traffic on high-risk ports let attackers brute-force the system and, from there, gain unauthorized access to the rest of the network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
Policy Type: Network. Severity: High. |
Policy Updates
POLICY UPDATES | DESCRIPTION |
Policy Updates-Metadata | |
AWS S3 buckets are accessible to public | Changes: Policy name and description updated. Policy Type: Config. Severity: Medium. Policy Name: AWS S3 buckets are accessible to public. Updated Policy Name: AWS S3 buckets are accessible to public via ACL. Description: The policy name, description, and recommendation steps are updated to state the specific criterion (the bucket ACL) through which the S3 bucket is made public. Amazon S3 often stores highly sensitive enterprise data; allowing public access to S3 buckets through ACLs results in that data being compromised. It is highly recommended to disable ACLs for all S3 buckets and use resource-based (bucket) policies to grant access instead. Impact: None, as this is a metadata change. |
New Compliance Benchmarks and Updates
No new compliance benchmarks and updates for 23.6.2.
Changes in Existing Behavior
FEATURE | DESCRIPTION |
Rate Limit on POST /login Endpoint | The POST /login endpoint now enforces rate limiting: requests that exceed the limit receive HTTP response code 429 (Too Many Requests). This change was first announced in the look ahead published with the 23.5.1 release. |
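Clients that call POST /login on every API request will be the first to hit the new limit. The snippet below is an added example (not Prisma Cloud code) of the two things a client should do about it: honour the 429 with a Retry-After header or jittered exponential backoff, and cache the token so /login is called once per session rather than once per request. The HTTP transport is injected as a callable so the logic runs offline; the hypothetical `fake_login_server` stands in for the real endpoint, and the 540-second token lifetime in `TokenCache` is an assumed value, not one taken from this page.

```python
"""Retrying POST /login under rate limiting (HTTP 429) and caching the token.

Added example, not Prisma Cloud code. The transport is injected as a callable
so the logic runs offline; in production it would wrap an HTTP POST against
the tenant's API URL (an assumption, not taken from the release notes).
"""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


class LoginRateLimited(Exception):
    """Raised when /login keeps answering 429 on every attempt."""


def login_with_backoff(
    post: Callable[[str, dict], Response],
    username: str,
    password: str,
    *,
    max_attempts: int = 5,
    base_delay: float = 1.0,
    max_delay: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Callable[[], float] = random.random,
) -> str:
    """POST /login and return the session token; retry only on 429."""
    payload = {"username": username, "password": password}
    for attempt in range(max_attempts):
        resp = post("/login", payload)
        if resp.status == 200:
            return resp.body["token"]
        if resp.status != 429:
            # 401 and friends are not transient: retrying only burns the rate budget
            raise RuntimeError(f"/login failed with HTTP {resp.status}")
        retry_after = resp.headers.get("Retry-After", "")
        if retry_after.isdigit():
            delay = min(float(retry_after), max_delay)  # the server said how long to wait
        else:
            # exponential backoff with full jitter so many clients do not retry in lockstep
            delay = min(max_delay, base_delay * (2 ** attempt)) * rng()
        sleep(delay)
    raise LoginRateLimited(f"/login still rate limited after {max_attempts} attempts")


class TokenCache:
    """Log in once and reuse the token until it is near expiry.

    ttl_seconds is a hypothetical lifetime chosen for the example; use the
    documented token validity for your API, minus a safety margin.
    """

    def __init__(self, post, username, password, ttl_seconds=540,
                 clock=time.monotonic, **login_kwargs):
        self._post, self._user, self._pw = post, username, password
        self._ttl, self._clock, self._kw = ttl_seconds, clock, login_kwargs
        self._token: Optional[str] = None
        self._expires = 0.0

    def token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires:
            self._token = login_with_backoff(self._post, self._user, self._pw, **self._kw)
            self._expires = now + self._ttl
        return self._token


def fake_login_server(statuses: Sequence[int], retry_after: Optional[str] = "2"):
    """Constructed transport: answers /login with the given status codes in order."""
    calls: List[str] = []
    queue = list(statuses)

    def post(path: str, payload: dict) -> Response:
        calls.append(path)
        status = queue.pop(0)
        if status == 429:
            headers = {"Retry-After": retry_after} if retry_after else {}
            return Response(429, headers)
        return Response(status, body={"token": "jwt-example"} if status == 200 else {})

    return post, calls


if __name__ == "__main__":
    post, calls = fake_login_server([429, 429, 200])
    waits: List[float] = []
    token = login_with_backoff(post, "user", "secret", sleep=waits.append)
    print(f"token={token} after {len(calls)} calls, waited {waits}")
```

Scripts that fan out across many workers should share one `TokenCache` (or a token obtained once by the parent) rather than letting each worker log in; with rate limiting in place, parallel logins are the most common way to lock every worker out at once.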
REST API Updates
No REST API updates for 23.6.2.
New Features Introduced in 23.6.1
New Features
FEATURE | DESCRIPTION |
Trendline for Critical Severity in Adoption Advisor Widgets | The Assets With Urgent Alerts, Incident Burndown, and Risk Burndown widgets now include a trendline for critical severity alerts and assets, so you can quickly review trends for the most critical issues. For Assets With Urgent Alerts, the critical and high severity asset data points appear in the 30, 60, and 90 day time series, starting June 2023. |
API Ingestions
SERVICE | API DETAILS |
Amazon DAX | aws-dax-parameter-group Additional permissions required:
The Security Audit role includes the permissions. |
AWS Shield | aws-shield-drt-access Additional permission required:
The Security Audit role includes the permission. |
Amazon API Gateway | aws-apigatewayv2-stage Additional permission required:
The Security Audit role includes the permission. |
Google Cloud DNS | gcloud-dns-resource-record-set Additional permissions required:
The Viewer role includes the permissions. |
Google Vertex AI | gcloud-vertex-ai-notebook-instance-schedule Additional permissions required:
The Viewer role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-zone-action Additional permissions required:
The Viewer role includes the permissions. |
Google Dataplex | gcloud-dataplex-lake-action Additional permissions required:
The Viewer role includes the permissions. |
OCI Service Mesh | oci-service-mesh-ingressgateway-routetable Additional permissions required:
You must update the Terraform template to enable the permissions. |
OCI Service Mesh | oci-service-mesh-ingressgateway Additional permissions required:
You must update the Terraform template to enable the permissions. |
OCI Database | oci-database-db-node Additional permissions required:
You must update the Terraform template to enable the permissions. |
New Policies
NEW POLICIES | DESCRIPTION |
AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports | Identifies AWS EC2 instances that are internet reachable with unrestricted access (0.0.0.0/0) to admin ports (22 / 3389). EC2 instances that accept unrestricted internet traffic on admin ports let attackers brute-force the system and, from there, gain unauthorized access to the rest of the network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
Policy Type: Network. Severity: High. |
AWS EC2 instance that is reachable from untrust internet source to ports with high risk | Identifies AWS EC2 instances that are reachable from untrusted internet sources on high-risk ports. EC2 instances that accept unrestricted internet traffic on high-risk ports let attackers brute-force the system and, from there, gain unauthorized access to the rest of the network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
Policy Type: Network. Severity: High. |
Azure Virtual Machine that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports | Identifies Azure Virtual Machines that are internet reachable with unrestricted access (0.0.0.0/0) to admin ports. Azure VMs that accept unrestricted internet traffic on admin ports let attackers brute-force the system and, from there, gain unauthorized access to the rest of the network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
Policy Type: Network. Severity: High. |
GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports | Identifies GCP VM instances that are internet reachable with unrestricted access (0.0.0.0/0) to admin ports (22 / 3389). VM instances that accept unrestricted internet traffic on admin ports let attackers brute-force the system and, from there, gain unauthorized access to the rest of the network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.
Policy Type: Network. Severity: High. |
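The four admin-port policies above, and the high-risk-port policy for GCP in 23.6.2, share one core check: a public address plus an ingress rule that lets 0.0.0.0/0 or ::/0 reach SSH or RDP. The following is an added example of that check written against AWS security-group data, not Prisma Cloud's policy logic, which this page does not reproduce. It uses the shape of boto3's `describe_security_groups()['IpPermissions']` and a constructed sample; the interesting cases it covers are port ranges that contain 3389 without naming it, IPv6 any-source rules, and the "-1" all-traffic protocol.

```python
"""Flag admin ports (22/3389) reachable from anywhere through a security group.

Added example, not Prisma Cloud policy code. Input uses the shape of boto3
describe_security_groups()['IpPermissions']; SAMPLE_IP_PERMISSIONS is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ADMIN_PORTS: Dict[int, str] = {22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class IngressRule:
    protocol: str                 # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: Optional[int]
    to_port: Optional[int]
    sources: Tuple[str, ...]      # CIDR blocks, IPv4 or IPv6


def is_unrestricted(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other zero-length prefix."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False   # security-group IDs and prefix lists are not CIDRs


def rule_covers_port(rule: IngressRule, port: int) -> bool:
    if rule.protocol == "-1":
        return True                        # all protocols, all ports
    if rule.protocol != "tcp":
        return False                       # SSH and RDP are TCP services
    if rule.from_port is None or rule.to_port is None:
        return False
    return rule.from_port <= port <= rule.to_port


def exposed_admin_ports(rules: Iterable[IngressRule], has_public_ip: bool) -> List[dict]:
    """One finding per (rule, admin port) pair open to the whole internet.

    A rule such as 3000-4000 still exposes 3389; an equality check on
    FromPort/ToPort alone would miss it.
    """
    if not has_public_ip:
        return []                          # not internet reachable, whatever the rules say
    findings = []
    for rule in rules:
        open_sources = [c for c in rule.sources if is_unrestricted(c)]
        if not open_sources:
            continue
        for port, service in ADMIN_PORTS.items():
            if rule_covers_port(rule, port):
                findings.append({"port": port, "service": service,
                                 "protocol": rule.protocol, "sources": open_sources})
    return findings


def from_ip_permissions(ip_permissions: List[dict]) -> List[IngressRule]:
    """Translate boto3-style IpPermissions entries into IngressRule objects."""
    rules = []
    for perm in ip_permissions:
        sources = tuple(r["CidrIp"] for r in perm.get("IpRanges", []))
        sources += tuple(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        rules.append(IngressRule(perm["IpProtocol"], perm.get("FromPort"),
                                 perm.get("ToPort"), sources))
    return rules


# Constructed sample: 22 restricted to an office range, 3389 hidden inside a
# wide range open to the world, 22 open to the world over IPv6, and 443 public.
SAMPLE_IP_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for f in exposed_admin_ports(from_ip_permissions(SAMPLE_IP_PERMISSIONS), has_public_ip=True):
        print(f"{f['service']}/{f['port']} open to {f['sources']} via {f['protocol']} rule")
```

Only the security group is modelled here; a network ACL on the subnet or a missing internet gateway route can also block the path, which is why the Prisma Cloud policies are typed Network (graph-based reachability) rather than Config.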
Policy Updates
POLICY UPDATES | DESCRIPTION |
Policy Updates—RQL | |
AWS S3 bucket policy overly permissive to any principal | Changes: The policy description and RQL are updated. The RQL now takes the Block Public Access settings at both the account and the bucket level into account.
Updated Description: Identifies S3 buckets that have a bucket policy overly permissive to any principal and do not have "Block public and cross-account access to buckets and objects through any public bucket or access point policies" enabled. Follow the principle of least privilege: only specific, restricted entities, rather than anonymous principals, should be allowed to perform S3 operations.
Policy Type: Config. Severity: Medium.
Current RQL:
Updated RQL:
Impact: Medium. Depending on the Block Public Access settings at the account and bucket level, some existing alerts may be resolved. |
AWS S3 bucket publicly writable | Changes: The policy remediation steps and RQL are updated. The RQL now also checks for write access granted to the Authenticated Users group.
Policy Type: Config. Severity: High.
Current RQL:
Updated RQL:
Impact: Low. New alerts may be generated for buckets whose ACL grants Authenticated Users write permissions. |
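Both S3 updates above hinge on how a bucket's policy or ACL interacts with Block Public Access. The block below is an added example of those two evaluations in Python, not Prisma Cloud's RQL (the page does not reproduce it): a wildcard-principal bucket policy counts as overly permissive only when RestrictPublicBuckets is off at both the account and the bucket level (the more restrictive setting wins), and a bucket is publicly writable when its ACL grants a WRITE-class permission to the AllUsers or AuthenticatedUsers group. Treating an ACL grant as neutralised by IgnorePublicAcls follows AWS semantics and goes slightly beyond the policy text. Input shapes follow boto3's `get_bucket_policy`, `get_public_access_block` and `get_bucket_acl`; the policies, ACL and account ID are constructed samples.

```python
"""Effective public exposure of an S3 bucket: wildcard policy vs. Block Public
Access, and ACL grants to the AllUsers / AuthenticatedUsers groups.

Added example, not Prisma Cloud RQL. Inputs use boto3 response shapes;
the sample policies and ACL are constructed.
"""
import json
from typing import Dict, List

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def effective_bpa(bucket_bpa: Dict[str, bool], account_bpa: Dict[str, bool]) -> Dict[str, bool]:
    """Account and bucket settings combine so that the more restrictive one wins."""
    return {k: bool(bucket_bpa.get(k)) or bool(account_bpa.get(k)) for k in BPA_KEYS}


def _principals(stmt: dict) -> List[str]:
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def wildcard_allow_statements(policy: dict) -> List[dict]:
    """Allow statements granted to any principal with no Condition.

    Conditioned statements (aws:SourceVpce, aws:SourceIp, ...) are skipped as
    a simplification; AWS still classifies some of them as public.
    """
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "Condition" not in s and "*" in _principals(s)]


def policy_overly_permissive(policy_json: str, bucket_bpa: dict, account_bpa: dict) -> bool:
    """Wildcard principal AND RestrictPublicBuckets off at both levels."""
    if not wildcard_allow_statements(json.loads(policy_json)):
        return False
    return not effective_bpa(bucket_bpa, account_bpa)["RestrictPublicBuckets"]


def public_write_grants(acl: dict, bucket_bpa: dict, account_bpa: dict) -> List[str]:
    """ACL grants that give write access to AllUsers or AuthenticatedUsers."""
    if effective_bpa(bucket_bpa, account_bpa)["IgnorePublicAcls"]:
        return []    # S3 ignores public ACL grants while this setting is on
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri in (ALL_USERS, AUTHENTICATED_USERS) and perm in WRITE_PERMISSIONS:
            out.append(f"{uri.rsplit('/', 1)[-1]}:{perm}")
    return out


# Constructed samples (account ID and bucket name are placeholders)
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
ACCOUNT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
ACL_AUTH_USERS_WRITE = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"}]}
BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}

if __name__ == "__main__":
    print("overly permissive:", policy_overly_permissive(PUBLIC_READ_POLICY, BPA_OFF, BPA_OFF))
    print("with account-level BPA:", policy_overly_permissive(PUBLIC_READ_POLICY, BPA_OFF, BPA_ON))
    print("public write grants:", public_write_grants(ACL_AUTH_USERS_WRITE, BPA_OFF, BPA_OFF))
```

AuthenticatedUsers is the grant that most often slips through manual review: it reads like "our users" but means any AWS account in the world, which is why the updated RQL treats it the same as AllUsers.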
GCP Log metric filter and alert does not exist for VPC network route delete and insert | Changes: The policy RQL is updated to verify that the resource type is present in the log metric filter.
Policy Type: Config. Severity: Informational.
Current RQL:
Updated RQL:
Impact: Low. New alerts will be generated for policy violations. |
GCP Log metric filter and alert does not exist for VPC network route changes | Changes: The policy RQL is updated to verify that the resource type is present in the log metric filter.
Policy Type: Config. Severity: Informational.
Current RQL:
Updated RQL:
Impact: Low. New alerts will be generated for policy violations. |
GCP Log metric filter and alert does not exist for VPC network route patch and insert | Changes: The policy RQL is updated to verify that the resource type is present in the log metric filter.
Policy Type: Config. Severity: Informational.
Current RQL:
Updated RQL:
Impact: Low. New alerts will be generated for policy violations. |
GCP Log metric filter and alert does not exist for VPC network changes | Changes: The policy RQL is updated to verify that the resource type is present in the log metric filter.
Policy Type: Config. Severity: Informational.
Current RQL:
Updated RQL:
Impact: Low. New alerts will be generated for policy violations. |
GCP Log metric filter and alert does not exist for Cloud Storage IAM permission changes | Changes: The policy RQL is updated to verify that the resource type is present in the log metric filter.
Policy Type: Config. Severity: Informational.
Current RQL:
Updated RQL:
Impact: Low. New alerts will be generated for policy violations. |
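The five GCP updates above all tighten the same condition: a log-based metric only counts if its filter pins the `resource.type` as well as the method names, and an alert policy must actually reference the metric. The block below is an added example of that evaluation in Python, not Prisma Cloud's RQL (which the page does not reproduce). The `ROUTE_CHANGES` requirement uses method names chosen for illustration, not taken from this page, so substitute the filter from the control you are auditing; the sample metrics and alert policies are constructed. The substring semantics of the Cloud Logging `:` operator versus exact `=` are modelled because a filter written with `=` against a versioned method name silently covers less than one written with `:`.

```python
"""Check that a Cloud Logging metric filter names the resource type and the
methods a detection needs, and that an alert policy is wired to the metric.

Added example, not Prisma Cloud RQL. The method set in ROUTE_CHANGES is an
illustrative assumption; METRICS and ALERTS are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

_RESOURCE_TYPE = re.compile(r'resource\.type\s*=\s*"?([A-Za-z0-9_.]+)"?')
_METHOD = re.compile(r'protoPayload\.methodName\s*([:=])\s*"?([A-Za-z0-9_.]+)"?')


@dataclass
class Requirement:
    resource_type: str
    methods: Set[str]


@dataclass
class FilterCheck:
    resource_type_ok: bool
    missing_methods: Set[str] = field(default_factory=set)

    @property
    def ok(self) -> bool:
        return self.resource_type_ok and not self.missing_methods


def check_filter(filter_text: str, req: Requirement) -> FilterCheck:
    """Static check of a metric filter string.

    ':' is the Logging substring operator, so methodName:"compute.routes.delete"
    also matches "v1.compute.routes.delete"; '=' requires an exact match.
    """
    types = set(_RESOURCE_TYPE.findall(filter_text))
    found = _METHOD.findall(filter_text)          # list of (operator, value)

    def covered(method: str) -> bool:
        return any((op == ":" and val in method) or (op == "=" and val == method)
                   for op, val in found)

    missing = {m for m in req.methods if not covered(m)}
    return FilterCheck(req.resource_type in types, missing)


def alert_exists(metric_name: str, alert_policies: List[dict]) -> bool:
    """A user-defined log metric surfaces to alerting as logging.googleapis.com/user/<name>."""
    metric_type = f"logging.googleapis.com/user/{metric_name}"
    return any(metric_type in cond.get("filter", "")
               for policy in alert_policies for cond in policy.get("conditions", []))


def evaluate(metrics: List[dict], alert_policies: List[dict], req: Requirement) -> Optional[str]:
    """None when some metric plus alert satisfies the requirement, else the reasons."""
    reasons = []
    for metric in metrics:
        check = check_filter(metric["filter"], req)
        if not check.resource_type_ok:
            reasons.append(f'{metric["name"]}: resource.type="{req.resource_type}" missing')
        elif check.missing_methods:
            reasons.append(f'{metric["name"]}: methods not covered {sorted(check.missing_methods)}')
        elif not alert_exists(metric["name"], alert_policies):
            reasons.append(f'{metric["name"]}: filter ok but no alert policy references it')
        else:
            return None
    return "; ".join(reasons) or "no log metric defined"


# Illustrative requirement: method names are assumed, not taken from the page.
ROUTE_CHANGES = Requirement("gce_route", {"compute.routes.delete", "compute.routes.insert"})

# Constructed samples: the first metric lacks resource.type, the second is complete.
METRICS = [
    {"name": "route_changes_no_type",
     "filter": 'protoPayload.methodName:"compute.routes.delete" '
               'OR protoPayload.methodName:"compute.routes.insert"'},
    {"name": "route_changes",
     "filter": 'resource.type="gce_route" AND (protoPayload.methodName:"compute.routes.delete" '
               'OR protoPayload.methodName:"compute.routes.insert")'},
]
ALERTS = [{"displayName": "VPC route changes",
           "conditions": [{"filter": 'metric.type="logging.googleapis.com/user/route_changes" '
                                     'resource.type="global"'}]}]

if __name__ == "__main__":
    print(evaluate(METRICS, ALERTS, ROUTE_CHANGES))       # None: compliant
    print(evaluate(METRICS[:1], ALERTS, ROUTE_CHANGES))   # reason: resource.type missing
```

A metric whose filter omits `resource.type` still fires on the named methods, but it also matches any other log entry whose method name happens to contain the substring, which is both noisier and easier to drown out; the updated RQL now treats such a metric as not satisfying the control.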
New Compliance Benchmarks and Updates
COMPLIANCE BENCHMARK | DESCRIPTION |
CIS Google Kubernetes Engine (GKE) v1.4.0 - (Level 1 and Level 2) | The Center for Internet Security (CIS) releases benchmarks for best practice security recommendations. CIS Google Kubernetes Engine (GKE) v1.4.0 - (Level 1 and Level 2) is a set of recommendations for configuring Kubernetes to support a strong security posture. Benchmarks are tied to specific Kubernetes releases. The CIS Kubernetes Benchmark is written for open-source Kubernetes distributions and is intended to be universally applicable; building on that benchmark, this standard adds Google Cloud-specific controls. You can review this compliance standard and its associated policies on the Prisma Cloud Compliance > Standard page. |
Changes in Existing Behavior
FEATURE | DESCRIPTION |
S3 Flow Logs with Hourly Partition (first announced in the look ahead published with the 23.1.1 release) | If you currently ingest AWS VPC flow logs from S3 with the 24-hour partition, you must switch to the hourly partition. To make this change, configure flow logs to use the hourly partition and enable the required additional fields. Impact: VPC flow logs whose partition is set to Every 24 hours (the default) will be disabled; you will no longer be able to monitor or receive alerts for these logs. |
REST API Updates
No REST API updates for 23.6.1.