on 01-25-2021 03:13 PM - edited on 02-04-2022 01:21 PM by RPrasadi
| FEATURE | DESCRIPTION |
|---|---|
| Data Profiles for Prisma Cloud Data Security | To give you control over which data profiles are used to discover sensitive content in your S3 buckets, you can now enable and disable data profiles. For example, if you want Prisma Cloud to generate alerts only for violations that pertain to PII and Intellectual Property, you can disable the other data profiles. Doing so reduces the number of alerts and lets you focus on the data security issues you care about most. |
| Scan Status in Data Inventory | If you have enabled the Prisma Cloud Data Security subscription, you can review the scan status in the Data Inventory table on Inventory > Data. The states are: |
| Serverless Remediation Scripts for AWS | For auto-remediation of alerts generated against resources deployed on AWS, Prisma Cloud provides scripts that use AWS Lambda. The Prisma Cloud platform sends alert messages to an AWS SQS queue, which in turn invokes a Lambda function, `index_prisma.py`. The function then calls the appropriate runbook script to remediate the alert(s). To use AWS Lambda for automatic remediation, you do not need to give Prisma Cloud read-write access to your AWS accounts, so this is an alternative way for you to try remediation for violating resources. Get the scripts from the GitHub repository.<br><br>There are 46 runbooks currently, and these are available to you at no cost. Please use the runbooks and, if you have a good way to solve a security concern, flaunt your expertise by contributing to the community. |
| RQL Attribute `azure.resource.group` | A new Config query RQL attribute, `azure.resource.group`, enables you to search for the configuration of the resources that are hosted within a specific Azure Resource Group. For example:<br><br>`config where resource.status = Active AND azure.resource.group IN ( 'Azureprod1' , 'Azureprod-2' )` |
| API Ingestion | Azure Compute<br>`azure-virtual-machine-scale-set-vm`<br>Additional permissions required:<br>`Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read`<br>`Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read`<br><br>Google Cloud Spanner<br>`gcloud-cloud-spanner-database`<br>Additional permissions required:<br>`spanner.databases.list`<br>Optional: `spanner.databases.getIamPolicy`<br>These permissions are included in the predefined Project Viewer role.<br><br>AWS CloudFormation<br>`aws-cloudformation-describe-stacks`<br>Updated the API to now retrieve metadata on `enableTerminationProtection`.<br><br>Amazon S3 Glacier<br>`aws-glacier-vault`<br>Additional permissions required:<br>`glacier:ListTagsForVault`<br>`glacier:ListVaults`<br>These permissions are included with the Security Audit policy. |
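The SQS-to-Lambda-to-runbook flow described for the serverless remediation scripts is easier to reason about with a minimal dispatcher in front of you. The block below is an added illustration written for this page; it is not the `index_prisma.py` from the Prisma Cloud GitHub repository, and the alert field names (`policyId`, `resourceId`), the policy identifier `example-s3-bucket-public` and the runbook body are all constructed assumptions. It shows the defensive shape such a handler should have: validate the alert before acting, dispatch only to an explicit allow-list of runbooks, default to dry-run, and report malformed records back to SQS as partial-batch failures rather than failing the whole batch.

```python
import json

# Allow-list of policy id -> remediation function. Anything not registered is
# reported, never executed. Real ids and runbook names come from the repository.
RUNBOOKS = {}


def runbook(policy_id):
    """Register a remediation function for one policy identifier."""
    def decorate(fn):
        RUNBOOKS[policy_id] = fn
        return fn
    return decorate


@runbook("example-s3-bucket-public")  # constructed policy id, not a real one
def block_public_bucket(resource_id, dry_run):
    # Assumption: with dry_run False this would call
    # boto3.client("s3").put_public_access_block(...) for the bucket. The
    # Lambda role then needs only s3:PutBucketPublicAccessBlock on that bucket.
    return {"action": "put_public_access_block", "resource": resource_id,
            "applied": not dry_run}


def parse_alert(body):
    """Validate the alert JSON before acting on it; reject anything malformed."""
    alert = json.loads(body)  # raises ValueError on non-JSON input
    for key in ("policyId", "resourceId"):
        if not isinstance(alert.get(key), str) or not alert[key]:
            raise ValueError(f"alert is missing a non-empty string '{key}'")
    return alert


def dispatch(record, dry_run=True):
    """Route one SQS record to its runbook; unknown policies are not acted on."""
    alert = parse_alert(record["body"])
    fn = RUNBOOKS.get(alert["policyId"])
    if fn is None:
        return {"policyId": alert["policyId"], "status": "no-runbook"}
    result = fn(alert["resourceId"], dry_run)
    result["policyId"] = alert["policyId"]
    result["status"] = "remediated" if result["applied"] else "dry-run"
    return result


def handler(event, context=None, dry_run=True):
    """SQS-triggered entry point. Returns per-record outcomes plus the
    batchItemFailures list Lambda consumes when ReportBatchItemFailures is on,
    so one bad message is retried alone instead of replaying the whole batch."""
    outcomes, failures = [], []
    for record in event.get("Records", []):
        try:
            outcomes.append(dispatch(record, dry_run))
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            failures.append({"itemIdentifier": record.get("messageId")})
            outcomes.append({"status": "error", "reason": str(exc)})
    return {"outcomes": outcomes, "batchItemFailures": failures}


# Constructed SQS event: one known policy, one unknown policy, one bad body.
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "m-1", "body": json.dumps(
            {"policyId": "example-s3-bucket-public", "resourceId": "bucket-a"})},
        {"messageId": "m-2", "body": json.dumps(
            {"policyId": "unknown-policy", "resourceId": "bucket-b"})},
        {"messageId": "m-3", "body": "not json"},
    ]
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Running the block as a script prints the dry-run outcome for `bucket-a`, a `no-runbook` record for the unknown policy and an `error` entry (with `m-3` listed under `batchItemFailures`) for the unparseable body; passing `dry_run=False` is the only way a runbook actually changes anything.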
| POLICY NAME | DESCRIPTION |
|---|---|
| New Policies | The following new policies are being added:<br><br>AWS Database Migration Service endpoint do not have SSL configured<br>Identifies Database Migration Service (DMS) endpoints that are not configured with SSL to encrypt connections between source and target endpoints.<br><br>AWS SageMaker notebook instance not configured with data encryption at rest using KMS key<br>Identifies SageMaker notebook instances that are not configured with data encryption at rest using the AWS managed KMS key.<br><br>AWS SageMaker notebook instance configured with direct internet access<br>Identifies SageMaker notebook instances that are configured with direct internet access and allow unrestricted access from any source outside the VPC to establish a connection to the notebook instance.<br><br>Azure Application gateways listener that allow connection requests over HTTP<br>Identifies Azure application gateways that accept connection requests over HTTP instead of using HTTPS for encrypted communication between application clients and gateways.<br><br>GCP cloud storage bucket with uniform bucket-level access disabled<br>Identifies storage buckets that are not configured with uniform bucket-level access. Enabling it enforces a uniform permission system by allowing access only through Cloud IAM.<br><br>GCP VM instance configured with default service account<br>Identifies GCP VM instances configured with the default service account, which increases the risk of privilege escalation if the VM is compromised. |
| Policy Updates—Description | AWS IAM policy attached to users<br>Updated Description—This policy identifies IAM policies attached to users. By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups but not to users. |
| Policy Updates—RQL and Metadata | Azure Security Center contact phone number not set<br>Updated RQL—The RQL has been updated to:<br>`config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'securityContacts is empty or securityContacts[?any(properties.phone is empty)] exists'`<br>Updated Recommendation—Includes the CLI command to create a new contact with a phone number.<br><br>AWS Inactive users for more than 30 days<br>Updated RQL—The RQL has been updated to:<br>`config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = 'user does not equal <root_account> and _DateTime.ageInDays(user_creation_time) > 30 and (password_last_used equals N/A or password_last_used equals no_information or _DateTime.ageInDays(password_last_used) > 30) and ((access_key_1_last_used_date equals N/A or _DateTime.ageInDays(access_key_1_last_used_date) > 30) and (access_key_2_last_used_date equals N/A or _DateTime.ageInDays(access_key_2_last_used_date) > 30))'`<br>With this change, the policy excludes root users who are inactive for more than 30 days. Alerts generated for root users will be resolved with the reason POLICY UPDATED.<br><br>AWS CloudTrail bucket is publicly accessible<br>Updated RQL—The RQL has been updated to:<br>`config from cloud.resource where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule = "((((acl.grants[?(@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and ((publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false) or (publicAccessBlockConfiguration.ignorePublicAcls is false and accountLevelPublicAccessBlockConfiguration.ignorePublicAcls is false))) or (policyStatus.isPublic is true and ((publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration does not exist) or (publicAccessBlockConfiguration does not exist and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false) or (publicAccessBlockConfiguration.restrictPublicBuckets is false and accountLevelPublicAccessBlockConfiguration.restrictPublicBuckets is false))))" as X; config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as Y; filter '$.X.bucketName equals $.Y.s3BucketName'; show X;`<br>With this change, the policy checks the AWS S3 account-level public access block setting, and any open alerts for S3 buckets that are configured to block public access at the account level will be resolved. The remediation CLI is also removed, so this policy is no longer a Remediable policy that includes automatic remediation for the violating resource. |
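The updated "AWS Inactive users for more than 30 days" RQL packs several conditions into one line: root is skipped, accounts younger than the threshold are skipped, and the password and both access keys must all be unused for longer than the threshold (with `N/A` and `no_information` counting as never used). The block below is an added example that re-expresses that rule in Python over constructed credential-report rows so each branch can be checked on its own; it is not Prisma Cloud code, `NOW` is a fixed reference date chosen for the example, and `age_in_days` stands in for the RQL's `_DateTime.ageInDays`.

```python
from datetime import datetime, timezone

# Constructed reference time for the worked example; a real check would use
# datetime.now(timezone.utc).
NOW = datetime(2021, 1, 25, tzinfo=timezone.utc)


def age_in_days(value, now=NOW):
    """Days elapsed since an ISO-8601 timestamp (stand-in for _DateTime.ageInDays)."""
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return (now - stamp).days


def password_stale(value, threshold, now):
    # The RQL treats both placeholder values as 'never used'.
    return value in ("N/A", "no_information") or age_in_days(value, now) > threshold


def key_stale(value, threshold, now):
    # For access keys the RQL only recognises N/A as the placeholder.
    return value == "N/A" or age_in_days(value, now) > threshold


def inactive_users(report, threshold=30, now=NOW):
    """Return the users the updated policy would flag: root is excluded,
    accounts younger than the threshold are excluded, and every credential
    (password, key 1, key 2) must be stale for the user to be reported."""
    flagged = []
    for row in report:
        if row["user"] == "<root_account>":
            continue
        if age_in_days(row["user_creation_time"], now) <= threshold:
            continue
        if (password_stale(row["password_last_used"], threshold, now)
                and key_stale(row["access_key_1_last_used_date"], threshold, now)
                and key_stale(row["access_key_2_last_used_date"], threshold, now)):
            flagged.append(row["user"])
    return flagged


# Constructed credential-report rows (the real report carries more columns).
SAMPLE_REPORT = [
    {"user": "<root_account>", "user_creation_time": "2019-06-01T00:00:00Z",
     "password_last_used": "2020-10-01T00:00:00Z",
     "access_key_1_last_used_date": "N/A", "access_key_2_last_used_date": "N/A"},
    {"user": "alice", "user_creation_time": "2020-01-01T00:00:00Z",
     "password_last_used": "2020-12-01T00:00:00Z",
     "access_key_1_last_used_date": "N/A", "access_key_2_last_used_date": "N/A"},
    {"user": "bob", "user_creation_time": "2020-01-01T00:00:00Z",
     "password_last_used": "2021-01-20T00:00:00Z",
     "access_key_1_last_used_date": "N/A", "access_key_2_last_used_date": "N/A"},
    {"user": "carol", "user_creation_time": "2020-01-01T00:00:00Z",
     "password_last_used": "no_information",
     "access_key_1_last_used_date": "2021-01-10T00:00:00Z",
     "access_key_2_last_used_date": "N/A"},
    {"user": "dave", "user_creation_time": "2021-01-10T00:00:00Z",
     "password_last_used": "N/A",
     "access_key_1_last_used_date": "N/A", "access_key_2_last_used_date": "N/A"},
]

if __name__ == "__main__":
    print(inactive_users(SAMPLE_REPORT))
```

With the sample data only `alice` is reported: root is excluded by the new clause, `bob` signed in five days ago, `carol` used an access key fifteen days ago, and `dave` was created too recently for the policy to judge him. Lowering the threshold to 10 days additionally reports `carol` and `dave`, which shows why the creation-age guard matters for newly provisioned accounts.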
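The rewritten "AWS CloudTrail bucket is publicly accessible" RQL is long because it has to combine the bucket's ACL and policy status with two independent layers of S3 Block Public Access, one on the bucket and one on the account, and then join the result against the buckets CloudTrail actually writes to. The block below is an added example, not Prisma Cloud code, that implements the same decision table in Python over constructed `aws-s3api-get-bucket-acl` style records (field names follow the RQL; the bucket and trail names are made up). It makes the behavioural change visible: a bucket with an `AllUsers` ACL grant is no longer reported once the account-level block sets `ignorePublicAcls`.

```python
def _acl_open_to_all_users(bucket):
    """acl.grants[?(@.grantee=='AllUsers')] size > 0"""
    grants = bucket.get("acl", {}).get("grants", [])
    return any(g.get("grantee") == "AllUsers" for g in grants)


def _unblocked(bucket_block, account_block, flag):
    """True when no configured level turns `flag` on. This mirrors the RQL's
    'does not exist' / 'is false' combinations: a block that is absent does
    not protect, and a present block protects only when the flag is true."""
    if bucket_block is None and account_block is None:
        return True
    if account_block is None:
        return bucket_block.get(flag) is False
    if bucket_block is None:
        return account_block.get(flag) is False
    return bucket_block.get(flag) is False and account_block.get(flag) is False


def bucket_is_public(bucket):
    """Per-bucket half of the RQL (the part aliased as X)."""
    bucket_block = bucket.get("publicAccessBlockConfiguration")
    account_block = bucket.get("accountLevelPublicAccessBlockConfiguration")
    acl_public = (_acl_open_to_all_users(bucket)
                  and _unblocked(bucket_block, account_block, "ignorePublicAcls"))
    policy_public = (bucket.get("policyStatus", {}).get("isPublic") is True
                     and _unblocked(bucket_block, account_block, "restrictPublicBuckets"))
    return acl_public or policy_public


def public_cloudtrail_buckets(buckets, trails):
    """The join in the RQL: only buckets that some trail writes to are reported."""
    trail_targets = {t["s3BucketName"] for t in trails}
    return sorted(b["bucketName"] for b in buckets
                  if b["bucketName"] in trail_targets and bucket_is_public(b))


# Constructed bucket records covering the branches of the rule.
ALL_USERS_READ = {"grantee": "AllUsers", "permission": "READ"}
SAMPLE_BUCKETS = [
    # ACL open, no block at either level -> public
    {"bucketName": "trail-open", "acl": {"grants": [ALL_USERS_READ]},
     "policyStatus": {"isPublic": False}},
    # ACL open, but the account-level block ignores public ACLs -> not public
    {"bucketName": "trail-account-blocked", "acl": {"grants": [ALL_USERS_READ]},
     "policyStatus": {"isPublic": False},
     "accountLevelPublicAccessBlockConfiguration": {
         "ignorePublicAcls": True, "restrictPublicBuckets": True}},
    # Public bucket policy, neither level restricts public buckets -> public
    {"bucketName": "trail-policy-open", "acl": {"grants": []},
     "policyStatus": {"isPublic": True},
     "publicAccessBlockConfiguration": {
         "ignorePublicAcls": True, "restrictPublicBuckets": False},
     "accountLevelPublicAccessBlockConfiguration": {
         "ignorePublicAcls": True, "restrictPublicBuckets": False}},
    # Public bucket policy, account level restricts public buckets -> not public
    {"bucketName": "trail-policy-blocked", "acl": {"grants": []},
     "policyStatus": {"isPublic": True},
     "publicAccessBlockConfiguration": {
         "ignorePublicAcls": False, "restrictPublicBuckets": False},
     "accountLevelPublicAccessBlockConfiguration": {
         "ignorePublicAcls": False, "restrictPublicBuckets": True}},
    # Public, but no trail writes here, so the join drops it
    {"bucketName": "app-assets", "acl": {"grants": [ALL_USERS_READ]},
     "policyStatus": {"isPublic": False}},
]

# Constructed aws-cloudtrail-describe-trails records (the Y side of the join).
SAMPLE_TRAILS = [{"name": f"t{i}", "s3BucketName": n} for i, n in enumerate(
    ["trail-open", "trail-account-blocked", "trail-policy-open", "trail-policy-blocked"])]

if __name__ == "__main__":
    print(public_cloudtrail_buckets(SAMPLE_BUCKETS, SAMPLE_TRAILS))
```

Only `trail-open` and `trail-policy-open` come back. `trail-account-blocked` is the case the release note calls out: before this update its `AllUsers` grant alone produced an alert, and now the account-level `ignorePublicAcls` resolves it. `app-assets` is just as exposed but is not a CloudTrail destination, so it belongs to the generic public-bucket policy rather than this one.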
| CHANGE | DESCRIPTION |
|---|---|
| Cloud Account APIs | A new, optional request query parameter, `skipStatusChecks`, enables you to skip account status checks to reduce the response time for the following APIs: |
| IaC Scan V2 APIs | The response object for `GET /iac/v2/scans/{scanId}/results` includes a new attribute, `data.attributes.docUrl`, which provides a URL to the policy documentation relevant to a violation the IaC scan identifies. |