Look Ahead—Planned Updates on Prisma Cloud

Review any deprecation notices and policy changes planned in the next Prisma Cloud release.
Read this section to learn about what is planned to be included in the next release. Note that the details and functionality listed below are a preview and the actual release date is subject to change.
The policy updates planned for release in 20.11.1:
New Policies and Policy Updates
New Policies
The following new policies are being added:
AWS Database Migration Service endpoint do not have SSL configured
Identifies Database Migration Service (DMS) endpoints that are not configured with SSL to encrypt connections between source and target endpoints.
AWS SageMaker notebook instance not configured with data encryption at rest using KMS key
Identifies SageMaker notebook instances that are not configured with data encryption at rest using the AWS Managed KMS key.
AWS SageMaker notebook instance configured with direct internet access
Identifies SageMaker notebook instances that are configured with direct internet access and allow unrestricted access from any source outside the VPC to establish a connection to the notebook instance.
Azure Application gateways listener that allow connection requests over HTTP
Identifies Azure application gateways that accept connection requests over HTTP, instead of using HTTPS for encrypted communication between application clients and gateways.
GCP VM instance configured with default service account
Identifies the GCP VM instances configured with the default service account, which increases the risk of privilege escalations if your VM is compromised.
GCP cloud storage bucket with uniform bucket-level access disabled
Identifies the storage buckets not configured with uniform bucket-level access. Enabling it supports a uniform permission system by allowing access only through Cloud IAM.
Policy Updates—Description
AWS IAM policy attached to users description change
Updated Description—This policy identifies IAM policies attached to users. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups but not users.
Policy Updates—RQL and Metadata
Azure Security Center contact phone number not set
Updated RQL—The RQL has been updated to
config where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'
Updated Recommendation—Includes the CLI command to create a new contact with a phone number.
AWS Inactive users for more than 30 days
Updated RQL—The RQL has been updated to
config where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = 'user does not equal <root_account> and _DateTime.ageInDays(user_creation_time) > 30 and (password_last_used equals N/A or password_last_used equals no_information or _DateTime.ageInDays(password_last_used) > 30) and ((access_key_1_last_used_date equals N/A or _DateTime.ageInDays(access_key_1_last_used_date) > 30) and (access_key_2_last_used_date equals N/A or _DateTime.ageInDays(access_key_2_last_used_date) > 30))'
With this change, the policy will exclude root users who are inactive for more than 30 days. Alerts generated for root users will be resolved and the resolution reason is Policy Updated.
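As an added example (not Prisma Cloud code), the following Python applies the same inactivity conditions as the updated RQL above to a constructed IAM credential report: the root account is skipped, the report's N/A and no_information placeholders count as never used, and users created within the window are not flagged. The fixed evaluation time is an assumption so that the result is reproducible.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Added example, not Prisma Cloud code: the report below is constructed and uses
# the column names and placeholders (N/A, no_information) the RQL refers to.
NEVER_USED = ("N/A", "no_information")

def age_in_days(value, now):
    """Counterpart of _DateTime.ageInDays: None for the report's non-date placeholders."""
    if value in NEVER_USED:
        return None
    return (now - datetime.fromisoformat(value)).days

def unused_for(value, now, days):
    """RQL: field equals N/A / no_information, or ageInDays(field) > days."""
    age = age_in_days(value, now)
    return age is None or age > days

def inactive_users(report_csv, now, days=30):
    """Non-root users older than `days` with no password or access-key use in that window."""
    hits = []
    for row in csv.DictReader(StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue                       # excluded since this policy update
        created = age_in_days(row["user_creation_time"], now)
        if created is None or created <= days:
            continue                       # grace period for newly created users
        if (unused_for(row["password_last_used"], now, days)
                and unused_for(row["access_key_1_last_used_date"], now, days)
                and unused_for(row["access_key_2_last_used_date"], now, days)):
            hits.append(row["user"])
    return hits

NOW = datetime(2020, 11, 1, tzinfo=timezone.utc)   # assumed evaluation time
REPORT = """\
user,user_creation_time,password_last_used,access_key_1_last_used_date,access_key_2_last_used_date
<root_account>,2019-01-01T00:00:00+00:00,2020-01-01T00:00:00+00:00,N/A,N/A
alice,2020-01-15T00:00:00+00:00,2020-10-25T00:00:00+00:00,N/A,N/A
bob,2020-02-01T00:00:00+00:00,N/A,2020-10-28T00:00:00+00:00,N/A
carol,2020-03-01T00:00:00+00:00,no_information,2020-08-01T00:00:00+00:00,N/A
dave,2020-10-20T00:00:00+00:00,N/A,N/A,N/A
"""
```

Only carol is reported: the root account is skipped, alice and bob used a credential within the window, and dave was created less than 30 days ago.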
AWS CloudTrail bucket is publicly accessible
Updated RQL—The RQL has been updated to
config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))))" as X; config where api.name = 'aws-cloudtrail-describe-trails' as Y; filter '$.X.bucketName equals $.Y.s3BucketName'; show X;
With this change, the policy also checks the AWS S3 account-level Block Public Access setting, and any open alerts for S3 buckets that block public access at the account level will be resolved. The remediation CLI has also been removed, so this policy is no longer a Remediable policy with automatic remediation for the violating resource.
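To show how the updated RQL above combines a bucket's ACL, policy status and both Public Access Block layers before joining against CloudTrail trails, here is an added Python example (not Prisma Cloud code) that applies the same conditions to constructed bucket and trail records; the record shapes follow the field names in the RQL and are assumptions.

```python
# Added example, not Prisma Cloud code: field names follow the RQL; records are constructed.

def _acl_open_to_all_users(bucket):
    """RQL: acl.grants[?(@.grantee=='AllUsers')] size > 0"""
    grants = bucket.get("acl", {}).get("grants", [])
    return any(g.get("grantee") == "AllUsers" for g in grants)

def _flag_false(pab, key):
    """RQL 'x.key is false': the config block exists and carries an explicit false."""
    return pab is not None and pab.get(key) is False

def _unblocked(bucket_pab, account_pab, key):
    """The three RQL branches: only bucket-level false, only account-level false, or both false."""
    return ((_flag_false(bucket_pab, key) and account_pab is None)
            or (bucket_pab is None and _flag_false(account_pab, key))
            or (_flag_false(bucket_pab, key) and _flag_false(account_pab, key)))

def bucket_is_public(bucket):
    """True when the bucket is exposed and neither PAB layer closes that exposure path."""
    acl_open = _acl_open_to_all_users(bucket)
    policy_public = bucket.get("policyStatus", {}).get("isPublic") is True
    bucket_pab = bucket.get("publicAccessBlockConfiguration")
    account_pab = bucket.get("accountLevelPublicAccessBlockConfiguration")
    if (acl_open or policy_public) and bucket_pab is None and account_pab is None:
        return True                       # exposed, no PAB at either level
    if acl_open and _unblocked(bucket_pab, account_pab, "ignorePublicAcls"):
        return True                       # public ACL not neutralised by ignorePublicAcls
    if policy_public and _unblocked(bucket_pab, account_pab, "restrictPublicBuckets"):
        return True                       # public policy not neutralised by restrictPublicBuckets
    return False

def public_cloudtrail_buckets(buckets, trails):
    """RQL join: keep buckets whose bucketName matches a trail's s3BucketName, then show X."""
    trail_buckets = {t["s3BucketName"] for t in trails}
    return sorted(b["bucketName"] for b in buckets
                  if b["bucketName"] in trail_buckets and bucket_is_public(b))

ALL_USERS_READ = {"acl": {"grants": [{"grantee": "AllUsers", "permission": "READ"}]}}
BUCKETS = [  # constructed sample records
    {"bucketName": "ct-logs-open", **ALL_USERS_READ},
    {"bucketName": "ct-logs-account-blocked", **ALL_USERS_READ,
     "accountLevelPublicAccessBlockConfiguration": {"ignorePublicAcls": True, "restrictPublicBuckets": True}},
    {"bucketName": "ct-logs-policy-public", "policyStatus": {"isPublic": True},
     "publicAccessBlockConfiguration": {"ignorePublicAcls": True, "restrictPublicBuckets": False},
     "accountLevelPublicAccessBlockConfiguration": {"ignorePublicAcls": True, "restrictPublicBuckets": False}},
    {"bucketName": "app-assets", **ALL_USERS_READ},   # public, but no trail writes here
]
TRAILS = [{"name": "org-trail", "s3BucketName": "ct-logs-open"},
          {"name": "sec-trail", "s3BucketName": "ct-logs-account-blocked"},
          {"name": "audit-trail", "s3BucketName": "ct-logs-policy-public"}]
```

The account-level block on ct-logs-account-blocked is what clears it from the result, which is the alert-resolution behaviour the update describes; app-assets is public but not a trail destination, so the join drops it.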
API Ingestion
The following Cloud Service Provider APIs are planned for ingestion on Prisma Cloud in 20.11.1:
  • Amazon S3 Glacier
    API: aws-glacier-vault
    Additional permissions required: glacier:ListTagsForVault, glacier:ListVaults
    These permissions are included with the Security Audit policy.
  • Azure Compute
    API: azure-virtual-machine-scale-set-vm
    Additional permissions required: Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read, Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read
  • Google Cloud Spanner
    API: gcloud-cloud-spanner-database
    Additional permissions required: spanner.databases.list, spanner.databases.getIamPolicy (optional)
    These permissions are included in the predefined Project Viewer role.
Licensing Updates
Starting with release 20.11.1, the Visibility, Compliance and Governance module will count your usage of the following resources toward Prisma Cloud credits:
  • AWS
    —AWS Elastic Cache, AWS DynamoDB, AWS ELBv2
  • Azure
    —Azure PostgreSQL Database, Azure SQL Managed Instances, Azure Application Gateway, Azure Redis Cache
  • GCP
    —GCP Load Balancing, GCP Cloud Spanner, GCP Cloud NAT
Deprecation Notice
Deprecation Notice—AWS CloudTrail Events for Specified Services
The following AWS CloudTrail events will no longer be saved on Prisma Cloud, because they are of limited relevance to security functions relative to the high volume of data they generate:
  • AWS Cognito
    • InitiateAuth
    • AdminInitiateAuth
    • RespondToAuthChallenge
    • SignUp
  • AWS Step Functions—SendTaskHeartbeat
  • AWS Transcribe—StartTranscriptionJob
  • AWS CloudWatch—PutDashboard
  • AWS Support—RefreshTrustedAdvisorCheck
  • AWS CodePipeline—AcknowledgeJob
  • AWS EventBridge—TestEventPattern
  • AWS Backup—BackupJobCompleted
Prisma Cloud Public REST APIs for Alerts
Some Alert API request parameters and response object fields are now deprecated.
Query parameter risk.grade is deprecated for the following requests:
  • GET /alert
  • GET /v2/alert
  • GET /alert/policy
Request body parameter risk.grade is deprecated for the following requests:
  • POST /alert
  • POST /v2/alert
  • POST /alert/policy
Response object field riskDetail is deprecated for the following requests:
  • GET /alert
  • POST /alert
  • GET /alert/policy
  • POST /alert/policy
  • GET /alert/{id}
  • GET /v2/alert
  • POST /v2/alert
Response object field risk.grade.options is deprecated for the following request:
  • GET /filter/alert/suggest
Prisma Cloud Public REST APIs for User Profile
The following APIs are deprecated and will be removed in a future release:
  • GET /user
  • POST /user
  • GET /user/{id}
  • PUT /user/{id}
Prisma Cloud Public REST APIs for Asset Inventory
The following APIs are deprecated and will be removed in a future release:
  • GET /inventory/suggest
  • POST /filter/inventory/suggest
  • POST /inventory/dashboard
  • POST /dashboard/history
  • POST /inventory/dashboard/history
Prisma Cloud Public REST APIs for Compliance Dashboard
The Compliance Dashboard APIs are deprecated and will be removed in a future release. The deprecated APIs are:
  • GET /compliance/dashboard
  • GET /compliance/dashboard/history
  • GET /filter/compliance/suggest
  • POST /filter/compliance/suggest
Prisma Cloud Public REST APIs for IaC Scan
Version 1 of the IaC Scan REST APIs is deprecated and will continue to be supported until January 31, 2021. The deprecated APIs are:
  • POST /iac/tf/v1/scan
  • POST /iac/cft/v1/scan
  • POST /iac/k8s/v1/scan
  • POST /iac_scan
Prisma Cloud Public REST APIs for Licensing
The following Licensing APIs are deprecated and will be removed in a future release:
  • POST /usage/{cloud_type}
  • POST /timeline/usage
  • POST /v2/usage