1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Release Notes
    5. Prisma™ Cloud Release Information
    6. Look Ahead—Planned Updates on Prisma Cloud

    Look Ahead—Planned Updates on Prisma Cloud

    Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
    Read this section to learn about what is planned to be included in the next release. Note that the details and functionality listed below are a preview and the actual release date is subject to change.
    The policy updates planned for release in 20.11.1:
    New Policies and Policy Updates
    New Policies
    The following new policies are being added:
    AWS Database Migration Service endpoint do not have SSL configured
    Identifies Database Migration Service (DMS) endpoints that are not configured with SSL to encrypt connections between source and target endpoints.
    AWS SageMaker notebook instance not configured with data encryption at rest using KMS key
    Identifies SageMaker notebook instances that are not configured with data encryption at rest using the AWS Managed KMS key.
    AWS SageMaker notebook instance configured with direct internet access
    Identifies SageMaker notebook instances that are configured with direct internet access and allow unrestricted access from any source outside the VPC to establish a connection to the notebook instance.
    Azure Application gateways listener that allow connection requests over HTTP
    Identifies Azure application gateways that accept connection requests over HTTP, instead of using HTTPS for encrypted communication between application clients and gateways.
    GCP VM instance configured with default service account
    Identifies the GCP VM instances configured with the default service account, which increases the risk of privilege escalations if your VM is compromised.
    GCP cloud storage bucket with uniform bucket-level access disabled
    Identifies the storage buckets not configured with uniform bucket-level access. This will help support uniform permission system by allowing access only through cloud IAM.
    Policy Updates—Description
    AWS IAM policy attached to users description change
    Updated Description—This policy identifies IAM policies attached to user. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups but not users.
    Policy Updates—RQL and Metadata
    Azure Security Center contact phone number not set
    Updated RQL—The RQL has been updated to
    config where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
    Updated Recommendation—Includes the CLI command to create new contact with phone number.
    AWS Inactive users for more than 30 days
    Updated RQL—The RQL has been updated to
    config where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = 'user does not equal <root_account> and _DateTime.ageInDays(user_creation_time) > 30 and (password_last_used equals N/A or password_last_used equals no_information or _DateTime.ageInDays(password_last_used) > 30) and ((access_key_1_last_used_date equals N/A or _DateTime.ageInDays(access_key_1_last_used_date) > 30) and (access_key_2_last_used_date equals N/A or _DateTime.ageInDays(access_key_2_last_used_date) > 30))'
    With this change, the policy will exclude root users who are inactive for more than 30 days. Alerts generated for root users will be resolved and the resolution reason is
    Policy Updated
    .
    AWS CloudTrail bucket is publicly accessible
    Updated RQL—The RQL has been updated to
    config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))))" as X; config where api.name = 'aws-cloudtrail-describe-trails' as Y; filter'$.X.bucketName equals $.Y.s3BucketName'; show X;
    With this change, the policy checks for AWS S3 account level public block access setting and any open alerts for S3 buckets that are configured to block access at the account level will be resolved. And the remediation CLI is removed, so this policy is no longer a
    Remediable
     policy that includes the automatic remediation for the violating resource.
    API Ingestion
    The following Cloud Service Provider APIs are planned for ingestion on Prisma Cloud in 20.11.1:
    Service
    API Details
    Amazon S3 Glacier
    aws-glacier-vault
    Additional permissions required:
    glacier:ListTagsForVault
    glacier:ListVaults
    are included with the Security Audit policy
    Azure Compute
    azure-virtual-machine-scale-set-vm
    Additional permissions required:
    Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
    Google Cloud Spanner
    gcloud-cloud-spanner-database
    Additional permissions required:
    spanner.databases.list
    optional
    spanner.databases.getIamPolicy
    These permissions are included in the predefined Project Viewer role.
    Licensing Updates
    Starting with release 20.11.1, the Visibility, Compliance and Governance module will count your usage of the following resources toward Prisma Cloud credits:
    • AWS
      —AWS Elastic Cache, AWS DynamoDB, AWS ELBv2
    • Azure
      —Azure PostgreSQL Database, Azure SQL Managed Instances, Azure Application Gateway, Azure Redis Cache
    • GCP
      —GCP Load Balancing, GCP Cloud Spanner, GCP Cloud NAT
    Deprecation Notice
    Deprecation Notice
    Deprecation Notice—AWS CloudTrail Events for Specified Services
    The following AWS CloudTrail events will no longer be saved on Prisma Cloud due to the limited relevance to security functions associated with the high volume of data for these events:
    • AWS Cognito
      • InitiateAuth
      • AdminInitiateAuth
      • RespondToAuthChallenge
      • SignUp
    • AWS Step Functions—SendTaskHeartbeat
    • AWS Transcribe—StartTranscriptionJob
    • AWS CloudWatch—PutDashboard
    • AWS Support—RefreshTrustedAdvisorCheck
    • AWS CodePipeline—AcknowledgeJob
    • AWS EventBridge—TestEventPattern
    • AWS Backup—BackupJobCompleted
    Prisma Cloud Public REST APIs for Alerts
    Some Alert API request parameters and response object fields are now deprecated.
    Query parameter
    risk.grade
     is deprecated for the following requests:
    • GET /alert
    • GET /v2/alert
    • GET /alert/policy
    Request body parameter
    risk.grade
     is deprecated for the following requests:
    • POST /alert
    • POST /v2/alert
    • POST /alert/policy
    Response object field
    riskDetail
    is deprecated for the following requests:
    • GET /alert
    • POST /alert
    • GET /alert/policy
    • POST /alert/policy
    • GET /alert/{id}
    • GET /v2/alert
    • POST /v2/alert
    Response object field
    risk.grade.options
     is deprecated for the following request:
    • GET /filter/alert/suggest
    Prisma Cloud Public REST APIs for User Profile
    The following APIs are deprecated and will be removed in a future release:
    • GET /user
    • POST /user
    • GET /user/{id}
    • PUT /user/{id}
    Prisma Cloud Public REST APIs for Asset Inventory
    The following APIs are deprecated and will be removed in a future release:
    • GET /inventory/suggest
    • POST /filter/inventory/suggest
    • POST /inventory/dashboard
    • POST /dashboard/history
    • POST /inventory/dashboard/history
    Prisma Cloud Public REST APIs for Compliance Dashboard
    The Compliance Dashboard APIs are deprecated and will be removed in a future release. The deprecated APIs are:
    • GET /compliance/dashboard
    • GET /compliance/dashboard/history
    • GET /filter/compliance/suggest
    • POST /filter/compliance/suggest
    Prisma Cloud Public REST APIs for IaC Scan
    Version 1 of the IaC Scan REST APIs is deprecated and will continue to be supported until January 31, 2021. The deprecated APIs are:
    • POST /iac/tf/v1/scan
    • POST /iac/cft/v1/scan
    • POST /iac/k8s/v1/scan
    • POST /iac_scan
    Prisma Cloud Public REST APIs for Licensing
    The following Licensing APIs are deprecated and will be removed in a future release.
    • POST /usage/{cloud_type}
    • POST /timeline/usage
    • POST /v2/usage

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2020 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo