diff --git a/docs/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-gcp/prerequisites-to-onboard-gcp.adoc b/docs/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-gcp/prerequisites-to-onboard-gcp.adoc index 2df71443af..75e2f47ab6 100644 --- a/docs/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-gcp/prerequisites-to-onboard-gcp.adoc +++ b/docs/en/enterprise-edition/content-collections/connect/connect-cloud-accounts/onboard-gcp/prerequisites-to-onboard-gcp.adoc @@ -106,6 +106,8 @@ The following table lists the APIs and associated granular permissions if you wa |Allows you to access App Engine, which is a fully managed serverless platform on GCP. |App Engine Viewer |`appengine.applications.get` +`appengine.services.list` +`appengine.versions.list` |Project where you have created the service account |Access Context Manager API @@ -358,6 +360,14 @@ Every project that the service account can access `biglake.tables.list` |Every project that the service account can access +|Google BigQuery Data Policy +|`bigquerydatapolicy.googleapis.com` +|Bigquery Data governance is the management of the security and quality of data throughout its lifecycle to ensure that the access and accuracy are in accordance with organizational policies and regulations. +|Project Viewer +|`bigquery.dataPolicies.list` +`bigquery.dataPolicies.getIamPolicy` +|Project where you have created the service account + |Google BigQuery Data Transfer |`bigquerydatatransfer.googleapis.com` |BigQuery Data Transfer Service automates data movement into BigQuery on a scheduled, managed basis 
@@ -847,6 +857,15 @@ NOTE:You must manually add the permission or update the Terraform template to en `clientauthconfig.clients.listWithSecrets` |Every project that the service account can access +|Google Integration Connectors +|`connectors.googleapis.com` +|Integration Connectors provide a powerful and flexible solution for connecting on-premises applications and data to GCP services while minimizing the complexity and risks associated with hybrid integration. +|Project Viewer +|`connectors.endpointAttachments.list` +`connectors.customConnectors.list` +`connectors.customConnectorVersions.list` +|Every project that the service account can access + |Google Traffic Director |`networksecurity.googleapis.com` |Traffic Director is Google Cloud's fully managed application networking platform and service mesh. diff --git a/docs/en/enterprise-edition/rn/_graphics/action-plans-rn.gif b/docs/en/enterprise-edition/rn/_graphics/action-plans-rn.gif new file mode 100644 index 0000000000..121b8593c3 Binary files /dev/null and b/docs/en/enterprise-edition/rn/_graphics/action-plans-rn.gif differ diff --git a/docs/en/enterprise-edition/rn/book.yml b/docs/en/enterprise-edition/rn/book.yml index e5e398116f..cc4c294f88 100644 --- a/docs/en/enterprise-edition/rn/book.yml +++ b/docs/en/enterprise-edition/rn/book.yml @@ -22,6 +22,8 @@ topics: topics: - name: Features Introduced in 2024 file: features-introduced-in-2024.adoc + - name: Features Introduced in December 2024 + file: features-introduced-in-december-2024.adoc - name: Features Introduced in November 2024 file: features-introduced-in-november-2024.adoc - name: Features Introduced in October 2024 diff --git a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc index b25b5502cf..b8763af50f 100644 
--- a/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc +++ b/docs/en/enterprise-edition/rn/look-ahead-planned-updates-prisma-cloud/look-ahead-secure-the-infrastructure.adoc @@ -3,7 +3,7 @@ Here are the changes planned in the next Prisma Cloud release to ensure the security of your infrastructure. -Read this section to learn about what is planned in the 24.12.1 CSPM Platform, Agentless Container Host, Agentless Host Security, CIEM, Data Security, and CDEM releases. +Read this section to learn about what is planned in the 25.1.1 CSPM Platform, Agentless Container Host, Agentless Host Security, CIEM, Data Security, and CDEM releases. The Look Ahead announcements are for an upcoming release and is not a cumulative list of all announcements. @@ -16,8 +16,8 @@ The details and functionalities listed below are a preview and the actual releas * <> * <> * <> -* <> -* <> +//* <> +//* <> * <> * <> @@ -32,8 +32,9 @@ The details and functionalities listed below are a preview and the actual releas |*New Rate Limits for Search API* //RLP-151274 +// Updated the release date from 24.12.1 to 25.1.1. Please check with Ashwini before moving this blurb to current features. -|Starting with the 24.12.1 release, to improve user experience and enhance search performance, rate limits will be implemented for the following APIs: +|Starting with the 25.1.1 release, to improve user experience and enhance search performance, rate limits will be implemented for the following APIs: * *Config Search* ** https://pan.dev/prisma-cloud/api/cspm/search-config/[search/config] 
@@ -46,26 +47,6 @@ Request Rate Limit = 150 *Impact—* Requests exceeding the limits will result in an *HTTP 429* Too Many Requests response. See Prisma Cloud API guidance on https://pan.dev/prisma-cloud/api/cspm/rate-limits/[Rate Limits]. - -|*Amazon EC2 VPC Endpoint Service Count Updates* -//RLP-152289 - -|Starting with the 24.12.1 release, Prisma Cloud will no longer ingest EC2 VPC Endpoint Services that are visible to, but not owned by AWS accounts. Only VPC Endpoint Services directly owned by an AWS account will be ingested. - -*Impact—* Low. Since the VPC Endpoint Services that will not be ingested are resources owned by Amazon. - - -// |*GCP API Update* -//RLP-150422 (Older version of blurb above, remove after confirming) - -// |*API*: gcloud-container-describe-clusters - -// *Change*: The Prisma cloud API will be updated to compute attributes `isMasterVersionSupported` and `isNodeVersionSupported` to provide results based on the latest improvements made by the GCP team with respect to the GetServerConfig API. This enhancement is planned to provide more accurate results for the alerts based on the default policies. - -// *Issue*: The default policies GCP GKE unsupported Master node version and GCP GKE unsupported node version are currently checking the GCP GKE version based on major and minor values. To provide accurate results, we are enhancing the Prisma API attribute to compare complete versions from the GCP API. - -//*Impact*: New alerts might be triggered based on the complete GKE version used for clusters and nodes.If you have custom policies, you must manually update them to check using the updated attribute. - |=== 
@@ -87,7 +68,7 @@ The folder contains RQL based Config, IAM, Network, and Audit Event policies in + The *Master* branch represents the Prisma Cloud release that is generally available. You can switch to a previous release or the next release branch, to review the policies that were published previously or are planned for the upcoming release. + -Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-... For example, PCS-24.12.1. +Because Prisma Cloud typically has 2 releases in a month, the release naming convention in GitHub is PCS-... For example, PCS-25.1.1. . Review the updates. + 
@@ -98,181 +79,22 @@ Use the *policies* folder to review the JSON for each policy that is added or up [#policy-updates] === Policy Updates -//There are no policy updates as of October 31, 2024. - -//Check and update this section before final publish on November 1, 2024. - -[cols="35%a,65%a"] -|=== -|*Policy Updates* -|*Description* - -2+|*Policy Updates—RQL* - -|*AWS EMR cluster is not enabled with local disk encryption* -//RLP-151949 - -|The policy will be updated to exclude different `TERMINATED` states of the EMR cluster while triggering alerts to provide more accurate results. - -*Current RQL–* ----- -config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING) and ($.X.securityConfiguration contains $.Y.name) and ($.Y.EncryptionConfiguration.EnableAtRestEncryption is true) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration does not exist)' ; show X; ----- - -*Updated RQL–* ----- -config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING and $.X.status.state does not contain TERMINATED and $.X.status.state does not contain TERMINATED_WITH_ERRORS) and ($.X.securityConfiguration contains $.Y.name) and ($.Y.EncryptionConfiguration.EnableAtRestEncryption is true) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration does not exist)' ; show X; ----- - -*Policy Type–* Config - -*Policy Severity–* Low - -*Impact–* Low. Existing alerts where the state of the EMR cluster is `TERMINATED` or `TERMINATED_WITH_ERRORS` will be resolved. 
- - -|*AWS EMR cluster is not enabled with local disk encryption using Custom key provider* -//RLP-152866 - -|The policy RQL will be updated to exclude different `TERMINATED` states of the EMR cluster  while triggering alerts to provide more accurate results. - -*Current RQL–* ----- -config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING) and ($.X.securityConfiguration equals $.Y.name) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration exists and $.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType does not equal Custom)' ; show X; ----- - -*Updated RQL–* ----- -config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING and $.X.status.state does not contain TERMINATED and $.X.status.state does not contain TERMINATED_WITH_ERRORS) and ($.X.securityConfiguration equals $.Y.name) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration exists and $.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType does not equal Custom)'; show X; ----- - -*Policy Type–* Config - -*Policy Severity–* Low - -*Impact–* Low. Existing alerts where the state of the EMR cluster is `TERMINATED` or `TERMINATED_WITH_ERRORS` will be resolved. - - -|*GCP PostgreSQL instance database flag log_hostname is not set to off* -//RLP-153056 - -|The policy RQL will be updated to not generate false positive alerts in case the `log_hostname` is not set by default. 
- -*Current RQL–* ----- -config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "state equals RUNNABLE and databaseVersion contains POSTGRES and (settings.databaseFlags[*].name does not contain log_hostname or settings.databaseFlags[?any(name contains log_hostname and value contains on)] exists)" ----- - -*Updated RQL–* ----- -config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "state equals RUNNABLE and databaseVersion contains POSTGRES and settings.databaseFlags[?any(name contains log_hostname and value contains on)] exists" ----- - -*Policy Type–* Config - -*Policy Severity–* Informational - -*Impact–* Low. Existing alerts where the `log_hostname` flag is not set will be resolved. - -|*GCP GKE unsupported node version* -//RLP-152864 - -|The policy RQL will be updated to provide accurate results. - -*Current RQL–* ----- -config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = NOT ( currentNodeVersion starts with "1.27." or currentNodeVersion starts with "1.28." or currentNodeVersion starts with "1.29." or currentNodeVersion starts with "1.30." or currentNodeVersion starts with "1.31.") ----- - -*Updated RQL–* ----- -config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = isNodeVersionSupported exists AND isNodeVersionSupported does not equal "true" ----- - -*Policy Type–* Config - -*Policy Severity–* Medium - -*Impact–* Medium. New alerts may be triggered when the GKE version is not supported since the policy RQL is updated to check for the complete version. - -|*GCP GKE unsupported Master node version* -//RLP-151935 - -|The policy RQL will be updated to provide accurate results. 
- -*Current RQL–* ----- -config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = NOT ( currentNodeVersion starts with "1.27." or currentNodeVersion starts with "1.28." or currentNodeVersion starts with "1.29." or currentNodeVersion starts with "1.30." or currentNodeVersion starts with "1.31.") ----- - -*Updated RQL–* ----- -config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = isMasterVersionSupported exists AND isMasterVersionSupported does not equal "true" ----- -*Policy Type–* Config +There are no policy updates planned till December 15th, 2024. -*Policy Severity–* Medium +//Check and update this section before final publish on November 29, 2024. -*Impact–* Medium. New alerts may be triggered when the GKE version is not supported since the policy RQL is updated to check for the complete version. - -2+|*Policy Delete* - -|*GCP VM instance is assigned with public IP* -//RLP-152838 - -|This policy will be deleted and combined with *GCP VM instance with the external IP address* as a single policy. - -*Impact–* Low. Existing alerts will be resolved as *POLICY_DELETED*. - - -|=== - -[#iam-policy-update] -=== IAM Policy Update -//RLP-153086 - -The remediation steps for the following IAM policies will be updated in 24.12.1 release. 
- -* GCP Users and Machine Identities with IAM Metadata Write permissions are unused for 90 days -* GCP Users and Machine Identities with IAM Metadata Read permissions are unused for 90 days -* GCP Users and Machine Identities with IAM Data Write permissions are unused for 90 days -* GCP Users and Machine Identities with IAM Data Read permissions are unused for 90 daysGCP Groups and Service Accounts with IAM Metadata Write permissions are unused for 90 days -* GCP Groups and Service Accounts with IAM Metadata Read permissions are unused for 90 days -* GCP Groups and Service Accounts with IAM Data Write permissions are unused for 90 days -* GCP Groups and Service Accounts with IAM Data Read permissions are unused for 90 daysGCP Administrators with IAM permissions are unused for 90 daysGCP Users and Machine Identities with Administrative Permissions -* GCP Groups and Service Accounts with Administrative Permissions - - -[#new-compliance-benchmarks-and-updates] -=== New Compliance Benchmarks and Updates -[cols="50%a,50%a"] -|=== -|*Compliance Benchmark* -|*Description* - -|*PCI DSS v4.0.1* -//RLP-153448 - -|Prisma Cloud now supports the latest version of PCI DSS v4.0.1 compliance framework. This latest revision emphasizes a risk-based approach, incorporating new requirements that address evolving threats such as phishing and e-skimming attacks. Notably, the updated standard mandates stricter multi-factor authentication measures, increased password complexity, and enhanced controls for managing client-side scripts to safeguard against unauthorized modifications. - -You can now access this built-in compliance standard and related policies on the *Compliance > Standards* page. Additionally, users can generate reports for immediate viewing or downloading, as well as set up scheduled reports to continuously monitor compliance with the PCI DSS v4.0.1 framework over time. 
- -|*ACSC Information Security Manual (ISM)* -//RLP-153446 - -|Prisma Cloud now supports the latest version (September 2024) of ACSC Information Security Manual (ISM) compliance framework. This framework provides a structured approach for managing compliance risks, ensuring that sensitive information is safeguarded while adapting to changing regulations. - -You can now access this built-in compliance standard and related policies on the *Compliance > Standards* page. Additionally, users can generate reports for immediate viewing or downloading, as well as set up scheduled reports to continuously monitor compliance with the ACSC Information Security Manual (ISM) framework over time. - -|tt:[Update] *MLPS 2.0, MLPS 2.0 (Level 2) & MLPS 2.0 (Level 3)* -//RLP-153385 - -|New mappings are added for Multi-Level Protection Scheme 2.0 - MLPS 2.0, MLPS 2.0 (Level 2) & MLPS 2.0 (Level 3) compliance standards for enhanced coverage. +//[cols="35%a,65%a"] +//|=== +//|*Policy Updates* +//|*Description* -*Impact—* As new mappings are added, compliance score may vary +//|Placeholder +//|Placeholder +//|=== -|=== +//[#iam-policy-update] +//=== IAM Policy Update [#api-ingestions] === API Ingestions 
@@ -282,178 +104,157 @@ You can now access this built-in compliance standard and related policies on the |*Service* |*API Details* -|*Amazon Cognito* -//RLP-152575 - -|*aws-cognito-user-pool-client* - -Additional permissions required: +|tt:[Update] *Amazon CodePipeline* +//RLP-153691 +|*aws-code-pipeline-pipeline* -* `cognito-idp:ListUserPools` -* `cognito-idp:ListUserPoolClients` -* `cognito-idp:DescribeUserPoolClient` +The resource JSON for the API has been updated to include new fields: -The Security Audit role includes the above permissions. +* `stages` +* `Deploy` +* `Source` +* `Build` -|*Amazon Data Lifecycle Manager* -//RLP-152595 -|*aws-dlm-lifecycle-policy* +|*Amazon Cognito* +//RLP-152946 +|*aws-cognito-user-pool-group* -Additional permissions required: +Additional permissions needed: -* `dlm:GetLifecyclePolicies` -* `dlm:GetLifecyclePolicy` +* `cognito-idp:ListUserPools` +* `cognito-idp:ListGroups` +* `cognito-idp:GetGroup` -The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. +The Security Audit role only includes the `cognito-idp:ListUserPools` and `cognito-idp:ListGroups` permissions. -|*Amazon EC2* -//RLP-152556 +You must manually update the `cognito-idp:GetGroup` permission in the CFT template and enable it. -|*aws-ec2-network-insights-analysis* +|*Amazon Connect High Volume Outbound Communications* +//RLP-153462 +|*aws-connect-high-volume-outbound-campaign* -Additional permission required: +Additional permissions needed: -* `ec2:DescribeNetworkInsightsAnalyses` +* `connect-campaigns:ListCampaigns` +* `connect-campaigns:DescribeCampaign` -The Security Audit role includes the above permission. +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. 
|*Amazon EC2* -//RLP-152588 +//RLP-153463 +|*aws-ec2-spot-fleet-request* -|*aws-ec2-egress-only-internet-gateway* +Additional permission needed: -Additional permission required: +* `ec2:DescribeSpotFleetRequests` -* `ec2:DescribeEgressOnlyInternetGateways` +The Security Audit role includes the permission. -The Security Audit role includes the above permission. +|*Amazon ElastiCache* +//RLP-152949 +|*aws-elasticache-serverless-cache* +Additional permissions needed: -|*Amazon EventBridge* -//RLP-152572 +* `elasticache:DescribeServerlessCaches` +* `elasticache:ListTagsForResource` -|*aws-events-archive* +The Security Audit role includes the permissions. -Additional permissions required: -* `events:ListArchives` -* `events:DescribeArchive` +|*Amazon Fraud Detector* +//RLP-153298 +|*aws-fraud-detector-entity-type* -The Security Audit role includes the above permissions. +Additional permissions needed: -|*Amazon EventBridge* -//RLP-152593 - -|*aws-events-connection* - -Additional permissions required: - -* `events:ListConnections` -* `events:DescribeConnection` - -The Security Audit role includes the above permissions. - - -|*Amazon IVS* -//RLP-153175 - -|*aws-ivs-channel* - -Additional permissions required: - -* `ivs:ListChannels` -* `ivs:GetChannel` +* `frauddetector:GetEntityTypes` +* `frauddetector:ListTagsForResource` The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. +|*Amazon Fraud Detector* +//RLP-152954 +|*aws-fraud-detector-label* -|*Amazon Lightsail* -//RLP-153174 - -|*aws-lightsail-storage-bucket* - -Additional permission required: +Additional permissions needed: -* `lightsail:GetBuckets` +* `frauddetector:GetLabels` +* `frauddetector:ListTagsForResource` -The Security Audit role includes the above permission. +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. 
-|*Amazon Lightsail Disk* -//RLP-152570 +|*Amazon Fraud Detector* +//RLP-152945 +|*aws-fraud-detector-variable* -|*aws-lightsail-disk* +Additional permission needed: -Additional permission required: +* `frauddetector:GetVariables` -* `lightsail:GetDisks` +The Security Audit role does not include the above permission. You must manually update the CFT template to enable it. -The Security Audit role includes the above permission. +|*AWS Glue* +//RLP-153177 +|*aws-glue-dev-endpoint* -|*Amazon MemoryDB* -//RLP-153172 -|*aws-memorydb-subnet-group* +Additional permission needed: -Additional permissions required: +* `glue:GetDevEndpoints` -* `memorydb:DescribeSubnetGroups` -* `memorydb:ListTags` +The Security Audit role includes the permission. -The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. -|*Amazon MemoryDB* -//RLP-153171 -|*aws-memorydb-snapshot* +|*Amazon Lightsail* +//RLP-153464 +|*aws-lightsail-container-service* -Additional permissions required: +Additional permission needed: -* `memorydb:DescribeSnapshots` -* `memorydb:ListTags` +* `lightsail:GetContainerServices` -The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. +The Security Audit role includes the permission. -|*AWS Application Migration Service* -//RLP-152978 -|*aws-mgn-source-server* +|*Amazon Lightsail* +//RLP-152947 +|*aws-lightsail-key-pair* -Additional permission required: +Additional permission needed: -* `mgn:DescribeSourceServers` +* `lightsail:GetKeyPairs` The Security Audit role does not include the above permission. You must manually update the CFT template to enable it. 
-|*AWS Fault Injection Service* -//RLP-149977 -|*aws-fis-experiment-template* +|*Amazon MSK* +//RLP-153302 +|*aws-msk-configuration* -Additional permissions required: +Additional permissions needed: -* `fis:ListExperimentTemplates` -* `fis:GetExperimentTemplate` - -The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. +* `kafka:ListConfigurations` +* `kafka:DescribeConfiguration` +The Security Audit role includes the permissions. |*AWS Network Manager* -//RLP-153173 - -|*aws-network-manager-global-network-site* +//RLP-153465 +|*aws-network-manager-global-network-device* -Additional permissions required: +Additional permissions needed: * `networkmanager:DescribeGlobalNetworks` -* `networkmanager:GetSites` +* `networkmanager:GetDevices` -The Security Audit role only includes `networkmanager:DescribeGlobalNetworks` permission. +The Security Audit role only includes the `networkmanager:DescribeGlobalNetworks` permission. -You must manually include `networkmanager:GetSites` permission in the CFT template to enable it. +You must manually update the `networkmanager:GetDevices` permission in the CFT template and enable it. |*Amazon Recycle Bin* -//RLP-153169 +//RLP-153461 +|*aws-recycle-bin-ami-rule* -|*aws-recycle-bin-ebs-snapshot-rule* - -Additional permissions required: +Additional permissions needed: * `rbin:ListRules` * `rbin:GetRule` 
@@ -463,243 +264,87 @@ The Security Audit role does not include the above permissions. You must manuall |*Amazon SageMaker* -//RLP-152567 - -|*aws-sagemaker-notebook-instance-lifecycle-config* - -Additional permissions required: +//RLP-153466 +|*aws-sagemaker-studio-lifecycle-config* -* `sagemaker:ListNotebookInstanceLifecycleConfigs` -* `sagemaker:DescribeNotebookInstanceLifecycleConfig` +Additional permissions needed: -The Security Audit role includes the above permissions. +* `sagemaker:ListStudioLifecycleConfigs` +* `sagemaker:DescribeStudioLifecycleConfig` -|*Amazon S3* -//RLP-152559 +The Security Audit role includes the permissions. -|*aws-s3-multi-region-access-point* +|*Amazon SES* +//RLP-153304 +|*aws-ses-template* -Additional permission required: +Additional permissions needed: -* `s3:ListMultiRegionAccessPoints` +* `ses:ListTemplates` +* `ses:GetTemplate` -The Security Audit role includes the above permission. - -|*Amazon Transcribe* -//RLP-152594 - -|*aws-transcribe-transcription-job* - -Additional permissions required: - -* `transcribe:ListTranscriptionJobs` -* `transcribe:GetTranscriptionJob` - -The Security Audit role only includes `transcribe:ListTranscriptionJobs` permission. - -You must manually include `transcribe:GetTranscriptionJob` permission in the CFT template to enable it. - - -|*Azure Active Directory* -//RLP-152710 - -|*azure-active-directory-role-assignment-schedules* +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. -Additional permission required: +|*Amazon Translate* +//RLP-153288 +|*aws-translate-text-translation-job* -* `RoleAssignmentSchedule.Read.Directory` +Additional permissions needed: -The Reader role includes the above permission. +* `translate:ListTextTranslationJobs` +* `translate:DescribeTextTranslationJob` +The Security Audit role only includes `translate:ListTextTranslationJobs` permission. 
-|*Azure Application Insights* -//RLP-152944 +You must manually include `translate:DescribeTextTranslationJob` permission in the CFT template to enable it. -|*azure-application-insights-workbooks* -Additional permission required: +|*Amazon VPC Lattice* +//RLP-153467 +|*aws-vpc-lattice-service-network* -* `Microsoft.Insights/Workbooks/Read` +Additional permissions needed: -The Reader role includes the above permission. +* `vpc-lattice:ListServiceNetworks` +* `vpc-lattice:GetServiceNetwork` +* `vpc-lattice:TagResource` -|*Azure API Management* -//RLP-152712 +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. -|*azure-api-management-service-subscriptions* +|*AWS Glue DataBrew* +//RLP-153178 +|*aws-glue-data-brew-project* -Additional permissions required: +Additional permissions needed: -* `Microsoft.ApiManagement/service/read` -* `Microsoft.ApiManagement/service/subscriptions/read` +* `databrew:ListProjects` +* `databrew:DescribeProject` -The Reader role includes the above permissions. +The Security Audit role includes the permissions. |*Azure App Service* -//RLP-152983 - -|*azure-app-service-connections* - -Additional permission required: - -* `Microsoft.Web/connections/Read` - -The Reader role includes the above permission. - - -|*Azure Automation Accounts* -//RLP-152714 - -|*azure-automation-account-hybrid-runbook-workers* - -Additional permissions required: - -* `Microsoft.Automation/automationAccounts/read` -* `Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/read` - -The Reader role includes the above permissions. - - -|*Azure Compute* -//RLP-152979 - -|*azure-compute-restore-point-collections* - -Additional permission required: - -* `Microsoft.Compute/restorePointCollections/read` - -The Reader role includes the above permission. 
- -|*Azure Compute* -//RLP-152976 - -|*azure-compute-proximity-placement-groups* - -Additional permission required: - -* `Microsoft.Compute/proximityPlacementGroups/read` - -The Reader role includes the above permission. - -|*Azure Machine Learning* -//RLP-152705 - -|*azure-machine-learning-workspace-diagnostic-settings* - -Additional permissions required: - -* `Microsoft.MachineLearningServices/workspaces/read` -* `Microsoft.Insights/DiagnosticSettings/Read` +//RLP-153586 +|*azure-app-service-web-apps-app-settings* -The Reader role includes the above permissions. +Additional permissions needed: +* `Microsoft.Web/sites/Read` +* `Microsoft.Web/sites/config/list/Action` -|*Azure Virtual WAN* -//RLP-152956 +The Reader role includes the permissions. -|*azure-virtual-wan-virtual-hubs* +|*Azure Database for PostgreSQL* +//RLP-153589 +|*azure-postgresql-flexible-server-configurations* -Additional permission required: +Additional permissions needed: -* `Microsoft.Network/virtualHubs/read` +* `Microsoft.DBforPostgreSQL/flexibleServers/read` +* `Microsoft.DBforPostgreSQL/flexibleServers/configurations/read` -The Reader role includes the above permission. +The Reader role includes the permissions. -|*Google App Engine* -//RLP-152631 - -|*gcloud-app-engine-service-version* - -Additional permissions required: - -* `appengine.services.list` -* `appengine.versions.list` - -The Viewer role includes the above permissions. - -|*Google App Engine* -//RLP-152630 - -|*gcloud-app-engine-service* - -Additional permission required: - -* `appengine.services.list` - -The Viewer role includes the above permission. - - -|*Google App Engine* -//RLP-152628 - -|*gcloud-app-engine-domain-mapping* - -Additional permission required: - -* `appengine.applications.get` - -The Viewer role includes the above permission. 
- -|*Google Bigquery Data Policy* -//RLP-152706 - -|*gcloud-bigquery-data-policy* - -Additional permissions required: - -* `bigquery.dataPolicies.list` -* `bigquery.dataPolicies.getIamPolicy` - -The Viewer role includes the above permissions. - - -|*Google Integration Connectors* -//RLP-152611 - -|*gcloud-integration-connectors-endpoint-attachment* - -Additional permission required: - -* `connectors.endpointAttachments.list` - -The Viewer role includes the above permission. - -|*Google Integration Connectors* -//RLP-151553 - -|*gcloud-integration-connectors-custom-connector-version* - -Additional permissions required: - -* `connectors.customConnectors.list` -* `connectors.customConnectorVersions.list` - -The Viewer role includes the above permissions. - -|*Google Integration Connectors* -//RLP-151552 - -|*gcloud-integration-connectors-custom-connector* - -Additional permission required: - -* `connectors.customConnectors.list` - -The Viewer role includes the above permission. - -|*OCI Vaults* -//RLP-149812 - -|*oci-vault-secret-versions* - -Additional permissions required: - -* `SECRET_INSPECT` -* `SECRET_VERSION_INSPECT` - -The Reader role includes the above permissions. |=== @@ -730,20 +375,6 @@ The Reader role includes the above permissions. |*Sunset Release* |*Replacement Endpoints* -|tt:[*End of support for AWS Polly Voices API*] -//RLP-150335, RLP-152490 - -`aws-polly-voices` API is planned for deprecation. Due to this change, Prisma Cloud will no longer ingest metadata for the `aws-polly-voices` API. - -In RQL, the key will not be available in the `api.name` attribute auto-completion. - -*Impact*: If you have a saved search based on this API, you must manually delete it. - -|24.11.1 - -|24.12.1 - -|NA |tt:[*Audit Logs API*] 
diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-2024.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-2024.adoc index e3716b4c3a..99f5aaec89 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-2024.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-2024.adoc @@ -4,6 +4,7 @@ Stay informed on the new capabilities and policies added to Prisma Cloud for Clo //The following topics provide a snapshot of new features introduced for Prisma® Cloud in 2023. Refer to the https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin[Prisma® Cloud Administrator’s Guide] for more information on how to use the service. +* xref:features-introduced-in-december-2024.adoc[Features Introduced in December 2024] * xref:features-introduced-in-november-2024.adoc[Features Introduced in November 2024] * xref:features-introduced-in-october-2024.adoc[Features Introduced in October 2024] * xref:features-introduced-in-september-2024.adoc[Features Introduced in September 2024] diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-december-2024.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-december-2024.adoc new file mode 100644 index 0000000000..61eb2ef03c --- /dev/null +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/features-introduced-in-2024/features-introduced-in-december-2024.adoc 
@@ -0,0 +1,1394 @@ +== Features Introduced in December 2024 + +Learn what's new on Prisma® Cloud in December 2024. + +//* <> +* <> +//* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +//* <> + + +[#new-features] +=== New Features + +[cols="30%a,70%a"] +|=== +|*Feature* +|*Description* + +|*Action Plans* + +tt:[Secure the Infrastructure] + +tt:[24.12.1] +//RLP-153672 + +|Secure your cloud assets with enhanced efficiency with https://docs.prismacloud.io/en/enterprise-edition/content-collections/administration/action-plans[Prisma Cloud Action Plans]. Action Plans programmatically group multiple alerts related to a single affected asset into one actionable plan. Every Action Plans include a summary as well as specific remediation steps, tailored to effectively maximize risk reduction. + +* *Prioritization*: Action Plans group together alerts and assets that can be secured through a single fix, ensuring your security team spends time on the most effective outcomes. Actions are prioritize based on security context and Prisma Cloud alerts. +* *Execution and Delegation*: Leverage your integrations on Prisma Cloud to help delegate security fixes to your team through Jira tickets and/or Slack messages with a single click. +* *Detailed Visibility*: Ensure that every alert resolved or asset impacted is visible in one location, and provide detailed context to your security teams. +* *Security Fix Efficiency*: Using machine learning and generative models, Action Plans help summarize tasks acrossthe various alerts that impact the same asset, ensuring that there is a comprehensive plan to reduce alerts with the least number of required steps. 
+ +image::action-plans-rn.gif[] + + +|*AISPM Compliance with OWASP Top 10 for LLM and NIST AI 600-1* + +tt:[Secure the Data] + +tt:[24.12.1] +//RLP-153672 + +|To empower your organization to proactively address the unique security, ethical, and regulatory challenges associated with AI deployments, Prisma Cloud AISPM now includes enhanced risk identification and compliance capabilities for AI and ML systems that aligns with two critical standards - OWASP Top 10 for Large Language Models (LLM) and NIST AI 600-1. + +|=== + +[#changes-in-existing-behavior] +=== Changes in Existing Behavior + +[cols="50%a,50%a"] + +|=== +|*Feature* +|*Description* + +|*Amazon EC2 VPC Endpoint Service Count Updates* + +tt:[24.12.1] +//RLP-152289 + +|Prisma Cloud will no longer ingest EC2 VPC Endpoint Services that are visible to, but not owned by AWS accounts. Only VPC Endpoint Services directly owned by an AWS account will be ingested. + +*Impact—* Low. Since the VPC Endpoint Services that will not be ingested are resources owned by Amazon. + +|=== + +[#api-ingestions] +=== API Ingestions + + +[cols="50%a,50%a"] +|=== +|*Service* +|*API Details* + +|*Amazon Cognito* + +tt:[24.12.1] + +//RLP-152575 + +|*aws-cognito-user-pool-client* + +Additional permissions required: + +* `cognito-idp:ListUserPools` +* `cognito-idp:ListUserPoolClients` +* `cognito-idp:DescribeUserPoolClient` + +The Security Audit role includes the above permissions. + +|*Amazon Data Lifecycle Manager* + +tt:[24.12.1] + +//RLP-152595 +|*aws-dlm-lifecycle-policy* + +Additional permissions required: + +* `dlm:GetLifecyclePolicies` +* `dlm:GetLifecyclePolicy` + +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. + +|*Amazon EC2* + +tt:[24.12.1] + +//RLP-152556 + +|*aws-ec2-network-insights-analysis* + +Additional permission required: + +* `ec2:DescribeNetworkInsightsAnalyses` + +The Security Audit role includes the above permission. 
+ +|*Amazon EC2* + +tt:[24.12.1] + +//RLP-152588 + +|*aws-ec2-egress-only-internet-gateway* + +Additional permission required: + +* `ec2:DescribeEgressOnlyInternetGateways` + +The Security Audit role includes the above permission. + + +|*Amazon EventBridge* + +tt:[24.12.1] + +//RLP-152572 + +|*aws-events-archive* + +Additional permissions required: + +* `events:ListArchives` +* `events:DescribeArchive` + +The Security Audit role includes the above permissions. + +|*Amazon EventBridge* + +tt:[24.12.1] + +//RLP-152593 + +|*aws-events-connection* + +Additional permissions required: + +* `events:ListConnections` +* `events:DescribeConnection` + +The Security Audit role includes the above permissions. + + +|*Amazon IVS* + +tt:[24.12.1] + +//RLP-153175 + +|*aws-ivs-channel* + +Additional permissions required: + +* `ivs:ListChannels` +* `ivs:GetChannel` + +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. + + +|*Amazon Lightsail* + +tt:[24.12.1] + +//RLP-153174 + +|*aws-lightsail-storage-bucket* + +Additional permission required: + +* `lightsail:GetBuckets` + +The Security Audit role includes the above permission. + +|*Amazon Lightsail Disk* + +tt:[24.12.1] + +//RLP-152570 + +|*aws-lightsail-disk* + +Additional permission required: + +* `lightsail:GetDisks` + +The Security Audit role includes the above permission. + +|*Amazon MemoryDB* + +tt:[24.12.1] + +//RLP-153172 +|*aws-memorydb-subnet-group* + +Additional permissions required: + +* `memorydb:DescribeSubnetGroups` +* `memorydb:ListTags` + +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. + +|*Amazon MemoryDB* + +tt:[24.12.1] + +//RLP-153171 +|*aws-memorydb-snapshot* + +Additional permissions required: + +* `memorydb:DescribeSnapshots` +* `memorydb:ListTags` + +The Security Audit role does not include the above permissions. 
You must manually update the CFT template to enable them. + +|*AWS Application Migration Service* + +tt:[24.12.1] + +//RLP-152978 +|*aws-mgn-source-server* + +Additional permission required: + +* `mgn:DescribeSourceServers` + +The Security Audit role does not include the above permission. You must manually update the CFT template to enable it. + +|*AWS Fault Injection Service* + +tt:[24.12.1] + +//RLP-149977 + +|*aws-fis-experiment-template* + +Additional permissions required: + +* `fis:ListExperimentTemplates` +* `fis:GetExperimentTemplate` + +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. + + +|*AWS Network Manager* + +tt:[24.12.1] + +//RLP-153173 + +|*aws-network-manager-global-network-site* + +Additional permissions required: + +* `networkmanager:DescribeGlobalNetworks` +* `networkmanager:GetSites` + +The Security Audit role only includes `networkmanager:DescribeGlobalNetworks` permission. + +You must manually include `networkmanager:GetSites` permission in the CFT template to enable it. + +|*Amazon Recycle Bin* + +tt:[24.12.1] + +//RLP-153169 + +|*aws-recycle-bin-ebs-snapshot-rule* + +Additional permissions required: + +* `rbin:ListRules` +* `rbin:GetRule` +* `rbin:ListTagsForResource` + +The Security Audit role does not include the above permissions. You must manually update the CFT template to enable them. + + +|*Amazon SageMaker* + +tt:[24.12.1] + +//RLP-152567 + +|*aws-sagemaker-notebook-instance-lifecycle-config* + +Additional permissions required: + +* `sagemaker:ListNotebookInstanceLifecycleConfigs` +* `sagemaker:DescribeNotebookInstanceLifecycleConfig` + +The Security Audit role includes the above permissions. + +|*Amazon S3* + +tt:[24.12.1] + +//RLP-152559 + +|*aws-s3-multi-region-access-point* + +Additional permission required: + +* `s3:ListMultiRegionAccessPoints` + +The Security Audit role includes the above permission. 
+ +|*Amazon Transcribe* + +tt:[24.12.1] + +//RLP-152594 + +|*aws-transcribe-transcription-job* + +Additional permissions required: + +* `transcribe:ListTranscriptionJobs` +* `transcribe:GetTranscriptionJob` + +The Security Audit role only includes `transcribe:ListTranscriptionJobs` permission. + +You must manually include `transcribe:GetTranscriptionJob` permission in the CFT template to enable it. + + +|*Azure Active Directory* + +tt:[24.12.1] + +//RLP-152710 + +|*azure-active-directory-role-assignment-schedules* + +Additional permission required: + +* `RoleAssignmentSchedule.Read.Directory` + +The Reader role includes the above permission. + + +|*Azure Application Insights* + +tt:[24.12.1] + +//RLP-152944 + +|*azure-application-insights-workbooks* + +Additional permission required: + +* `Microsoft.Insights/Workbooks/Read` + +The Reader role includes the above permission. + +|*Azure API Management* + +tt:[24.12.1] + +//RLP-152712 + +|*azure-api-management-service-subscriptions* + +Additional permissions required: + +* `Microsoft.ApiManagement/service/read` +* `Microsoft.ApiManagement/service/subscriptions/read` + +The Reader role includes the above permissions. + +|*Azure App Service* + +tt:[24.12.1] + +//RLP-152983 + +|*azure-app-service-connections* + +Additional permissions required: + +* `Microsoft.Web/connections/Read` +* `Microsoft.Resources/subscriptions/resourceGroups/read` + +The Reader role includes the above permissions. + + +|*Azure Automation Accounts* + +tt:[24.12.1] + +//RLP-152714 + +|*azure-automation-account-hybrid-runbook-workers* + +Additional permissions required: + +* `Microsoft.Automation/automationAccounts/read` +* `Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookWorkers/read` + +The Reader role includes the above permissions. 
+ + +|*Azure Compute* + +tt:[24.12.1] + +//RLP-152979 + +|*azure-compute-restore-point-collections* + +Additional permission required: + +* `Microsoft.Compute/restorePointCollections/read` + +The Reader role includes the above permission. + +|*Azure Compute* + +tt:[24.12.1] + +//RLP-152976 + +|*azure-compute-proximity-placement-groups* + +Additional permission required: + +* `Microsoft.Compute/proximityPlacementGroups/read` + +The Reader role includes the above permission. + +|*Azure Machine Learning* + +tt:[24.12.1] + +//RLP-152705 + +|*azure-machine-learning-workspace-diagnostic-settings* + +Additional permissions required: + +* `Microsoft.MachineLearningServices/workspaces/read` +* `Microsoft.Insights/DiagnosticSettings/Read` + +The Reader role includes the above permissions. + + +|*Azure Virtual WAN* + +tt:[24.12.1] + +//RLP-152956 + +|*azure-virtual-wan-virtual-hubs* + +Additional permission required: + +* `Microsoft.Network/virtualHubs/read` + +The Reader role includes the above permission. + + +|*Google App Engine* + +tt:[24.12.1] + +//RLP-152631 + +|*gcloud-app-engine-service-version* + +Additional permissions required: + +* `appengine.services.list` +* `appengine.versions.list` + +The Viewer role includes the above permissions. + +|*Google App Engine* + +tt:[24.12.1] + +//RLP-152630 + +|*gcloud-app-engine-service* + +Additional permission required: + +* `appengine.services.list` + +The Viewer role includes the above permission. + + +|*Google App Engine* + +tt:[24.12.1] + +//RLP-152628 + +|*gcloud-app-engine-domain-mapping* + +Additional permission required: + +* `appengine.applications.get` + +The Viewer role includes the above permission. + +|*Google Bigquery Data Policy* + +tt:[24.12.1] + +//RLP-152706 + +|*gcloud-bigquery-data-policy* + +Additional permissions required: + +* `bigquery.dataPolicies.list` +* `bigquery.dataPolicies.getIamPolicy` + +The Viewer role includes the above permissions. 
+ + +|*Google Integration Connectors* + +tt:[24.12.1] + +//RLP-152611 + +|*gcloud-integration-connectors-endpoint-attachment* + +Additional permission required: + +* `connectors.endpointAttachments.list` + +The Viewer role includes the above permission. + +|*Google Integration Connectors* + +tt:[24.12.1] + +//RLP-151553 + +|*gcloud-integration-connectors-custom-connector-version* + +Additional permissions required: + +* `connectors.customConnectors.list` +* `connectors.customConnectorVersions.list` + +The Viewer role includes the above permissions. + +|*Google Integration Connectors* + +tt:[24.12.1] + +//RLP-151552 + +|*gcloud-integration-connectors-custom-connector* + +Additional permission required: + +* `connectors.customConnectors.list` + +The Viewer role includes the above permission. + +|*OCI Vaults* + +tt:[24.12.1] + +//RLP-149812 + +|*oci-vault-secret-versions* + +Additional permissions required: + +* `SECRET_INSPECT` +* `SECRET_VERSION_INSPECT` + +The Reader role includes the above permissions. + +|=== + +[#new-policies] +=== New Policies + +[cols="40%a,60%a"] +|=== +|*Policies* +|*Description* + +|*Alibaba Cloud VPC flow log not enabled* + +tt:[24.12.1] +//RLP-153196 + +|This policy identifies Virtual Private Clouds (VPCs) where flow logs are not enabled. + +VPC flow logs capture information about the traffic entering and exiting network interfaces in the VPC. Without VPC flow logs, there is limited visibility into network traffic, making it challenging to detect and investigate suspicious activities, potential data breaches, or security policy violations. Enabling VPC flow logs enhances network monitoring, improves threat detection, and supports compliance requirements. + +As a security best practice, it is recommended to enable VPC flow logs. 
+ +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'alibaba_cloud' and api.name = 'alibaba-cloud-vpc' AND json.rule = vpcFlowLogs[*].flowLogId does not exist and status equal ignore case Available +---- + +|*Alibaba Cloud OSS bucket logging not enabled* + +tt:[24.12.1] +//RLP-153239 + +|This policy identifies Alibaba Cloud Object Storage Service (OSS) buckets that do not have logging enabled. + +Enabling logging for OSS buckets helps capture access and operation events, which are critical for security monitoring, troubleshooting, and auditing. Without logging, you lack visibility into who accesses and interacts with your bucket, potentially missing unauthorized access or suspicious behaviour. + +As a security best practice, it is recommended to enable logging for OSS buckets. + +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'alibaba_cloud' and api.name = 'alibaba-cloud-oss-bucket-info' AND json.rule = bucket.logging.targetBucket does not exist +---- + +|*AWS ECR private repository with cross-account access* + +tt:[24.12.1] +//RLP-153409 + +|This policy identifies AWS ECR private repository that are configured with cross-account access. + +An ECR repository is a storage location within Amazon Elastic Container Registry (ECR) where Docker container images are stored and managed. Granting cross-account access to an ECR repository risks unauthorized access and data exposure, requiring strict policy controls and monitoring. + +It is recommended to implement strict access controls and allow only trusted entities to access to an ECR repository to mitigate security risks. 
+ +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ecr-get-repository-policy' AND json.rule = policy.Statement[?any(Effect equals Allow and (Principal.AWS does not equal * and Principal does not equal * and Principal.AWS contains arn and Principal.AWS does not contain $.registryId))] exists +---- + +|*AWS CloudWatch Log groups not encrypted by Customer Managed Key (CMK)* + +tt:[24.12.1] +//RLP-153310 + +|This policy identifies AWS CloudWatch Log groups that are encrypted using the default KMS key instead of CMK (Customer Managed Key) or using a CMK that is disabled. + +A CloudWatch Log Group is a collection of log streams that share the same retention, monitoring, and access control settings. Encrypting with a Customer Managed Key (CMK) provides additional control over key rotation, management, and access policies compared to the default encryption. + +As a security best practice, using CMK to encrypt your CloudWatch Log Groups is advisable as it gives you full control over the encrypted data. + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where api.name = 'aws-cloudwatch-log-group' as X; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyManager does not equal CUSTOMER or (keyMetadata.keyManager equals CUSTOMER and keyMetadata.keyState equals Disabled) as Y; filter '($.X.kmsKeyId does not exist ) or ($.X.kmsKeyId exists and $.X.kmsKeyId equals $.Y.keyMetadata.arn)'; show X; +---- + +|*AWS MSK cluster public access is enabled* + +tt:[24.12.1] +//RLP-153260 + +|This policy identifies the Amazon Managed Streaming for Apache Kafka (Amazon MSK) Cluster is configured with public access enabled. + +Amazon MSK gives you the option to turn on public access to the brokers of MSK clusters. 
When the AWS MSK Cluster is public there could be posibility that the data can be exposed publicly. + +It is recommended to disable the public access on the AWS MSK cluster to prevent unathourized access and complaince requirements. + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-msk-cluster' AND json.rule = brokerNodeGroupInfo.connectivityInfo.publicAccess.type does not equal "DISABLED" +---- + +|*AWS FSX Windows filesystem is not configured with file access auditing* + +tt:[24.12.1] +//RLP-153253 + +|This policy identifies the AWS FSX Windows filesystem not configured FileAccessAuditLogLevel and FileShareAccessAuditLogLevel. + +Amazon FSx for Windows File Server supports auditing of end-user access to files, folders, and file shares. FileAccessAuditLogLevel and FileShareAccessAuditLogLevel Both settings can be configured to log successful events, failed events, both, or neither, depending on your auditing requirements. Not configuring these audit logs can lead to undetected unauthorized access and non-compliance with security regulations. + +It is recommended to configure both log access to files and folders and access to file shares according to your business requirements to ensure comprehensive logging, providing visibility, accountability, and compliance, and enabling effective monitoring and incident response capabilities. 
+ +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where api.name = 'aws-fsx-file-system' AND json.rule = FileSystemType equals "WINDOWS" and ( WindowsConfiguration.AuditLogConfiguration.FileAccessAuditLogLevel equals "DISABLED" AND  WindowsConfiguration.AuditLogConfiguration.FileShareAccessAuditLogLevel equals "DISABLED") +---- + +|*AWS EMR cluster is not enabled with termination protection* + +tt:[24.12.1] +//RLP-153170 + +|This policy identifies the AWS EMR Cluster that is not enabled with termination protection. + +Termination protection protects your clusters from accidental termination, When termination protection is enabled, any attempt to terminate the cluster through the AWS Management Console, CLI, or API will be blocked unless the protection is explicitly disabled first. Termination protection useful for long-running or critical clusters where accidental termination could result in data loss or significant downtime. + +It recommended to enable Termination protection on AWS EMR clusters from accidental termination. + +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-emr-describe-cluster' AND json.rule = status.state does not contain TERMINATING and terminationProtected is false +---- + +|*AWS Lightsail Instance does not restrict traffic on admin ports* + +tt:[24.12.1] +//RLP-152878 + +|This policy identifies the AWS Lightsail instance having network rule with unrestricted access ("0.0.0.0/0" or "::/0") on port 22 or 3389. + +The firewall in Amazon Lightsail manages inbound traffic permitted to connect to your instance via its public IP address, controlling access to specific IPs and ports. Leaving administrative ports open to unrestricted access increases the risk of unauthorized access, such as brute-force attacks, which can compromise the instance and expose sensitive data. 
+ +It is recommended to *limit* access to specific IP addresses in the firewall rules to reduce unauthorized access attempts. + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where api.name = 'aws-lightsail-instance' AND json.rule = state.name contains "running" and networking.ports[?any( accessDirection equals inbound and (cidrs contains "0.0.0.0/0" or ipv6Cidrs contains "::/0") and (((toPort == 22 or fromPort == 22) or (toPort > 22 and fromPort < 22)) or ((toPort == 3389 or fromPort == 3389) or (toPort > 3389 and fromPort < 3389))))] exists +---- + +|*AWS Security Group allows all ingress traffic on CIFS port (445)* + +tt:[24.12.1] +//RLP-152814 + +|This policy identifies Security groups that allow all traffic on port 445 used by Common Internet File System (CIFS). + +Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. + +It is recommended to restrict CIFS port 445 access to only trusted networks to prevent unauthorized access and data breaches. + +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'aws' AND api.name= 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[?any((ipRanges[*] contains 0.0.0.0/0 or ipv6Ranges[*].cidrIpv6 contains ::/0) and ((toPort == 445 or fromPort == 445) or (toPort > 445 and fromPort < 445)))] exists) +---- + +|*AWS Route53 Domain transfer lock is not enabled* + +tt:[24.12.1] +//RLP-152812 + +|This policy identifies the AWS Route53 domain which is not enabled with transfer lock. + +Route 53 Domain Transfer Lock is a security feature that prevents unauthorised domain transfers by locking the domain at the registrar level. 
The feature sets the "clientTransferProhibited" flag, which is a registry setting enabled by the registrar to force all transfer requests to be rejected automatically. If Route 53 Domain Transfer Lock is disabled, your domain is vulnerable to unauthorized transfers, which can lead to service disruptions, data breaches, reputational damage, and financial loss. + +It is recommended to enable Route 53 Domain Transfer Lock to prevent unauthorized domain transfers and protect your domain from potential security threats and disruptions. + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-route53-domain' AND json.rule = statusList[*] does not contain "clientTransferProhibited" +---- + +|*Azure Microsoft Entra ID account lockout threshold greater than 10* + +tt:[24.12.1] +//RLP-152708 + +|This policy identifies if the account lockout threshold for Microsoft Entra ID (formerly Azure AD) accounts is configured to allow more than 10 failed login attempts before the account is locked out. + +A high lockout threshold (greater than 10) increases the risk of brute-force or password spray attacks, where attackers can attempt multiple passwords over time without triggering account lockouts, leaving accounts vulnerable to unauthorized access. Setting the lockout threshold to a reasonable value (e.g., less than or equal to 10) balances usability and security by limiting the number of login attempts before an account is locked, reducing exposure to attacks while preventing frequent unnecessary lockouts for legitimate users. + +As a security best practice, it is recommended to configure the account lockout threshold to less than or equal to 10. 
+ +*Policy Severity—* High + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-active-directory-group-settings' and json.rule = values[?any( name equals LockoutThreshold and (value greater than 10 or value does not exist))] exists +---- + +|*Azure Microsoft Entra ID account lockout duration less than 60 seconds* + +tt:[24.12.1] +//RLP-152755 + +|This policy identifies if the account lockout duration for Microsoft Entra ID (formerly Azure AD) accounts is configured to be less than 60 seconds. The lockout duration determines how long the account remains locked after exceeding the lockout threshold. + +A lockout duration of less than 60 seconds increases the risk of brute-force or password spray attacks. Malicious actors can exploit a short lockout period to attempt multiple logins more frequently, increasing the likelihood of gaining unauthorized access. Configuring the lockout duration to be at least 60 seconds helps reduce the frequency of repeated login attempts during a brute-force attack, improving protection against such attacks while ensuring a reasonable delay for legitimate users after exceeding the threshold. + +As a security best practice, it is recommended to configure the account lockout duration to greater than or equal to 60 seconds. + +*Policy Severity—* High + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-active-directory-group-settings' and json.rule = values[?any(name equals LockoutDurationInSeconds and (value less than 60 or value does not exist))] exists +---- + +|*Azure disk data access authentication mode not enabled* + +tt:[24.12.1] +//RLP-152757 + +|This policy identifies if the Data Access Authentication Mode for Azure disks is disabled. This mode is crucial for controlling how users upload or export Virtual Machine Disks by requiring an Azure Entra ID role to authorize such operations. 
+ +Without enabling this mode, users can create SAS tokens to export disks without stringent identity-based restrictions. This increases the risk of unauthorized disk access or data exposure, especially in environments handling sensitive data. Enabling the Data Access Authentication Mode ensures that only users with the appropriate Data Operator for Managed Disk role in Azure Entra ID can export or manage disks. This enhances data security by preventing unauthorized disk exports and restricting access to secure download URLs. + +As a security best practice, it is recommended to enable data access authentication mode for Azure disks. + +*Policy Severity—* Medium + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-disk-list' AND json.rule = dataAccessAuthMode does not equal ignore case AzureActiveDirectory and managedBy contains virtualMachines and provisioningState equal ignore case Succeeded +---- + +|*Azure App Service basic authentication enabled* + +tt:[24.12.1] +//RLP-152759 + +|This policy identifies Azure App Services which have basic authentication enabled. + +Basic Authentication allows local identity management for App Services without using a centralized identity provider like Azure Entra ID, posing a security risk by creating isolated identity systems that lack centralized control and are vulnerable to credential compromise and unauthorized access. Disabling Basic Authentication and integrating with a centralized solution like Azure Entra ID enhances security with stronger authentication, improved access management, and reduced attack risks. + +As a security best practice, it is recommended to disable basic authentication for Azure App Services. 
+ +*Policy Severity—* Medium + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where api.name = 'azure-app-service-basic-publishing-credentials-policies' AND json.rule = properties.allow is true as X; config from cloud.resource where api.name = 'azure-app-service' AND json.rule = properties.state equal ignore case Running as Y; filter '$.X.id contains $.Y.id'; show Y; +---- + +|*GCP Cloud Run function is using default service account with editor role* + +tt:[24.12.1] +//RLP-152780 + +|This policy identifies GCP Cloud Run functions that are using the default service account with the editor role. + +GCP Compute Engine Default service account is automatically created upon enabling the Compute Engine API. This service account is granted the IAM basic Editor role by default, unless explicitly disabled. Assigning default service account with the editor role to cloud run functions could lead to privilege escalation. Granting minimal access rights helps in promoting a better security posture. + +*Policy Severity—* Medium + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' and api.name = 'gcloud-projects-get-iam-user' AND json.rule = user contains "compute@developer.gserviceaccount.com" and roles[*] contains "roles/editor" as X; config from cloud.resource where api.name = 'gcloud-cloud-function-v2' AND json.rule = status equals ACTIVE and serviceConfig.serviceAccountEmail contains "compute@developer.gserviceaccount.com" as Y; filter ' $.X.user equals $.Y.serviceConfig.serviceAccountEmail '; show Y; +---- + +|*GCP Spanner Databases not encrypted with CMEK* + +tt:[24.12.1] +//RLP-152783 + +|This policy identifies GCP Spanner databases that are not encrypted with a Customer-Managed Encryption Key (CMEK). + +Google Cloud Spanner is a scalable, globally distributed, and strongly consistent database service. 
By using CMEK with Spanner, you retain complete control over the encryption keys protecting your sensitive data, ensuring that only authorized users with access to these keys can decrypt and access the information. Without CMEK, data is encrypted with Google-managed keys, which may not provide the level of control required for handling sensitive data in certain industries. + +It is recommended to encrypt Spanner database data using a Customer-Managed Encryption Key (CMEK). + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-cloud-spanner-database' AND json.rule = state equal ignore case ready and encryptionConfig.kmsKeyNames does not exist +---- + +|*GCP Spanner Database drop protection disabled* + +tt:[24.12.1] +//RLP-152786 + +|This policy identifies GCP Spanner Databases with drop protection disabled. + +Google Cloud Spanner is a scalable, globally distributed, and strongly consistent database service. The Spanner database drop protection feature prevents accidental deletion of databases and configurations. Without drop protection enabled, a user error or malicious action could lead to irreversible data loss and service disruption for all applications relying on that Spanner instance. + +It is recommended to enable drop protection on spanner database to prevent from accidental deletion. + +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' and api.name = 'gcloud-cloud-spanner-database' AND json.rule = state equal ignore case ready and enableDropProtection does not exist +---- + +|*GCP SQL Instance not encrypted with CMEK* + +tt:[24.12.1] +//RLP-152787 + +|This policy identifies GCP SQL Instances that are not encrypted with Customer Managed Encryption Keys (CMEK). 
+ +Using CMEK for SQL Instances provides greater control over data at rest encryption by allowing key rotation and revocation, which enhances security and helps meet compliance requirements. Encrypting SQL Instances with CMEK ensures better data privacy management. + +It is recommended to use CMEK for SQL Instance encryption. + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' and api.name = 'gcloud-sql-instances-list' AND json.rule = state equals "RUNNABLE" and diskEncryptionConfiguration.kmsKeyName does not exist +---- + +|*GCP Vertex AI Workbench Instance has Secure Boot disabled* + +tt:[24.12.1] +//RLP-152825 + +|This policy identifies GCP Vertex AI Workbench instances with Secure Boot disabled. + +Secure Boot is a security feature that ensures only trusted, digitally signed software runs during the boot process, protecting against advanced threats such as rootkits and bootkits. By verifying the integrity of the bootloader and operating system, Secure Boot prevents unauthorized software from compromising the system at startup. Without Secure Boot, instances are vulnerable to persistent malware and unauthorized code that could compromise the system deeply. + +It is recommended to enable Secure Boot for Vertex AI Workbench instances. + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-vertex-ai-workbench-instance' AND json.rule = state equals "ACTIVE" AND shieldedInstanceConfig.enableSecureBoot is false +---- + +|*GCP Vertex AI Workbench Instance JupyterLab interface access mode set to single user* + +tt:[24.12.1] +//RLP-153015 + +|This policy identifies GCP Vertex AI Workbench Instances with JupyterLab interface access mode set to single user. + +Vertex AI Workbench Instance can be accessed using the web-based JupyterLab interface. Access mode controls the control access to this interface. 
Allowing access to only a single user could limit collaboration, increase chances of credential sharing, and hinder security audits and reviews of the resource. + +It is recommended to avoid single user access and make use of the service account access mode for workbench instances. + +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-vertex-ai-workbench-instance' AND json.rule = state equals "ACTIVE" and ( gceSetup.metadata.proxy-mode equals "mail" or gceSetup.metadata.proxy-user-mail exists ) +---- + +|*GCP Vertex AI Workbench Instance auto-upgrade is disabled* + +tt:[24.12.1] +//RLP-153017 + +|This policy identifies GCP Vertex AI Workbench Instances that have auto-upgrade disabled. + +Auto-upgrading Google Cloud Vertex environments ensures timely security updates, bug fixes, and compatibility with APIs and libraries. It reduces security risks associated with outdated software, enhances stability, and enables access to new features and optimizations. + +It is recommended to enable auto-upgrade to minimize maintenance overhead and mitigate security risks. + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-vertex-ai-workbench-instance' AND json.rule = state equals "ACTIVE" and gceSetup.metadata.notebook-upgrade-schedule does not exist +---- + +|*GCP SQL database instance deletion protection is disabled* + +tt:[24.12.1] +//RLP-153019 + +|This policy identifies GCP SQL database instances that have deletion protection disabled. + +Enabling instance deletion protection on GCP SQL databases is crucial for preventing accidental data loss, especially in production environments where an unintended deletion could disrupt services and impact business continuity. 
Deletion protection adds an extra safeguard, requiring intentional action to disable the setting before deletion, helping teams avoid costly downtime and ensuring the availability of essential data. + +It is recommended to enable deletion protection on GCP SQL database instances to prevent accidental deletion. + +*Policy Severity—* Informational + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = state equals "RUNNABLE" and deletionProtectionEnabled is false +---- + +|*GCP Secrets Manager secret not encrypted with CMEK* + +tt:[24.12.1] +//RLP-153294 + +|This policy identifies GCP Secrets Manager secrets that are not encrypted with a Customer-Managed Encryption Key (CMEK). + +GCP Secret Manager securely stores and controls access to API keys, passwords, certificates, and other sensitive data. By using CMEK with secrets, you retain complete control over the encryption keys protecting your sensitive data, ensuring that only authorized users with access to these keys can decrypt and access the information. Without CMEK, data is encrypted with Google-managed keys, which may not provide the level of control required for handling sensitive data in certain industries. + +It is recommended to encrypt Secrets Manager secrets using a Customer-Managed Encryption Key (CMEK). + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-secretsmanager-secret' AND json.rule = replication.userManaged.replicas[*].customerManagedEncryption.kmsKeyName does not exist and replication.automatic.customerManagedEncryption.kmsKeyName does not exist +---- + +|*GCP Secrets Manager secret not encrypted with CMEK* + +tt:[24.12.1] +//RLP-153294 + +|This policy identifies GCP Secrets Manager secrets that are not encrypted with a Customer-Managed Encryption Key (CMEK). 
+ +GCP Secret Manager securely stores and controls access to API keys, passwords, certificates, and other sensitive data. By using CMEK with secrets, you retain complete control over the encryption keys protecting your sensitive data, ensuring that only authorized users with access to these keys can decrypt and access the information. Without CMEK, data is encrypted with Google-managed keys, which may not provide the level of control required for handling sensitive data in certain industries. + +It is recommended to encrypt Secrets Manager secrets using a Customer-Managed Encryption Key (CMEK). + +*Policy Severity—* Low + +*Policy Type—* Config + +*RQL—* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-secretsmanager-secret' AND json.rule = replication.userManaged.replicas[*].customerManagedEncryption.kmsKeyName does not exist and replication.automatic.customerManagedEncryption.kmsKeyName does not exist +---- + +|=== + + +[#policy-updates] +=== Policy Updates + +[cols="35%a,65%a"] +|=== +|*Policy Updates* +|*Description* + +2+|*Policy Updates—RQL* + +|*AWS EMR cluster is not enabled with local disk encryption* +//RLP-151949 + +tt:[24.12.1] + +|The policy is updated to exclude different `TERMINATED` states of the EMR cluster while triggering alerts to provide more accurate results. 
+ +*Current RQL–* +---- +config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING) and ($.X.securityConfiguration contains $.Y.name) and ($.Y.EncryptionConfiguration.EnableAtRestEncryption is true) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration does not exist)' ; show X; +---- + +*Updated RQL–* +---- +config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING and $.X.status.state does not contain TERMINATED and $.X.status.state does not contain TERMINATED_WITH_ERRORS) and ($.X.securityConfiguration contains $.Y.name) and ($.Y.EncryptionConfiguration.EnableAtRestEncryption is true) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration does not exist)' ; show X; +---- + +*Policy Type–* Config + +*Policy Severity–* Low + +*Impact–* Low. Existing alerts where the state of the EMR cluster is `TERMINATED` or `TERMINATED_WITH_ERRORS` will be resolved. + + +|*AWS EMR cluster is not enabled with local disk encryption using Custom key provider* +//RLP-152866 + +tt:[24.12.1] + +|The policy RQL is updated to exclude different `TERMINATED` states of the EMR cluster  while triggering alerts to provide more accurate results. 
+ +*Current RQL–* +---- +config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING) and ($.X.securityConfiguration equals $.Y.name) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration exists and $.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType does not equal Custom)' ; show X; +---- + +*Updated RQL–* +---- +config from cloud.resource where api.name = 'aws-emr-describe-cluster' as X; config from cloud.resource where api.name = 'aws-emr-security-configuration' as Y; filter '($.X.status.state does not contain TERMINATING and $.X.status.state does not contain TERMINATED and $.X.status.state does not contain TERMINATED_WITH_ERRORS) and ($.X.securityConfiguration equals $.Y.name) and ($.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration exists and $.Y.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType does not equal Custom)'; show X; +---- + +*Policy Type–* Config + +*Policy Severity–* Low + +*Impact–* Low. Existing alerts where the state of the EMR cluster is `TERMINATED` or `TERMINATED_WITH_ERRORS` will be resolved. + + +|*GCP PostgreSQL instance database flag log_hostname is not set to off* +//RLP-153056 + +tt:[24.12.1] + +|The policy RQL is updated to not generate false positive alerts in case the `log_hostname` is not set by default. 
+ +*Current RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "state equals RUNNABLE and databaseVersion contains POSTGRES and (settings.databaseFlags[*].name does not contain log_hostname or settings.databaseFlags[?any(name contains log_hostname and value contains on)] exists)" +---- + +*Updated RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-sql-instances-list' AND json.rule = "state equals RUNNABLE and databaseVersion contains POSTGRES and settings.databaseFlags[?any(name contains log_hostname and value contains on)] exists" +---- + +*Policy Type–* Config + +*Policy Severity–* Informational + +*Impact–* Low. Existing alerts where the `log_hostname` flag is not set will be resolved. + +|*GCP GKE unsupported node version* +//RLP-152864 + +tt:[24.12.1] + +|The policy RQL is updated to provide accurate results. + +*Current RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = NOT ( currentNodeVersion starts with "1.27." or currentNodeVersion starts with "1.28." or currentNodeVersion starts with "1.29." or currentNodeVersion starts with "1.30." or currentNodeVersion starts with "1.31.") +---- + +*Updated RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = isNodeVersionSupported exists AND isNodeVersionSupported does not equal "true" +---- + +*Policy Type–* Config + +*Policy Severity–* Medium + +*Impact–* Medium. New alerts may be triggered when the GKE version is not supported since the policy RQL is updated to check for the complete version. + +|*GCP GKE unsupported Master node version* +//RLP-151935 + +tt:[24.12.1] + +|The policy RQL is updated to provide accurate results. 
+ +*Current RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = NOT ( currentNodeVersion starts with "1.27." or currentNodeVersion starts with "1.28." or currentNodeVersion starts with "1.29." or currentNodeVersion starts with "1.30." or currentNodeVersion starts with "1.31.") +---- + +*Updated RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-container-describe-clusters' AND json.rule = isMasterVersionSupported exists AND isMasterVersionSupported does not equal "true" +---- + +*Policy Type–* Config + +*Policy Severity–* Medium + +*Impact–* Medium. New alerts may be generated when the GKE version is not supported since the policy RQL is updated to check for the complete version. + +|*GCP VM instance with the external IP address* +//RLP-153319 + +tt:[24.12.1] + +|The policy description and recommendation steps are updated to provide better context. The policy RQL is updated to consider public IPv6 addresses assigned to GCP VM instances. + +*Current Description–* + +This policy identifies the VM instances with the external IP address associated. To reduce your attack surface, VM instances should not have public/external IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet. + +NOTE: This policy will not report instances created by GKE because some of them have external IP addresses and cannot be changed by editing the instance settings. Instances created by GKE should be excluded. These instances have names that start with 'gke-' and contains 'default-pool'. + +*Updated Description–* + +This policy identifies GCP VM instances that are assigned a public IP. + +Using a public IP with a GCP VM exposes it directly to the internet, increasing the risk of unauthorized access and attacks. 
This makes the VM vulnerable to threats such as brute force attempts, DDoS attacks, and other malicious activities. To mitigate these risks, it is safer to use private IPs and secure access methods like VPNs or load balancers. + +It is recommended to avoid assigning public IPs to VM instances. + + +*Current RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = status equals RUNNING and networkInterfaces[*].accessConfigs exists and (name does not start with gke- and name does not contain default-pool) +---- + +*Updated RQL–* +---- +config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-compute-instances-list' AND json.rule = name does not start with "gke-" and status equals RUNNING and (networkInterfaces[*].accessConfigs exists or networkInterfaces.ipv6AccessConfigs exists) +---- + +*Policy Type–* Config + +*Policy Severity–* Low + +*Impact–* None. New alerts will be generated for the failing resources. This will cover the resources where a public IPv6 address is assigned to a VM. + + +2+|*Policy Delete* + +|*GCP VM instance is assigned with public IP* +//RLP-152838 + +tt:[24.12.1] + +|This policy is deleted and combined with *GCP VM instance with the external IP address* as a single policy. + +*Impact–* Low. Existing alerts will be resolved as *POLICY_DELETED*. + +|=== + +[#iam-policy-update] +=== IAM Policy Update +//RLP-153086 + +The remediation steps for the following IAM policies have been updated in 24.12.1 release. 
+ +* GCP Users and Machine Identities with IAM Metadata Write permissions are unused for 90 days +* GCP Users and Machine Identities with IAM Metadata Read permissions are unused for 90 days +* GCP Users and Machine Identities with IAM Data Write permissions are unused for 90 days +* GCP Users and Machine Identities with IAM Data Read permissions are unused for 90 daysGCP Groups and Service Accounts with IAM Metadata Write permissions are unused for 90 days +* GCP Groups and Service Accounts with IAM Metadata Read permissions are unused for 90 days +* GCP Groups and Service Accounts with IAM Data Write permissions are unused for 90 days +* GCP Groups and Service Accounts with IAM Data Read permissions are unused for 90 daysGCP Administrators with IAM permissions are unused for 90 daysGCP Users and Machine Identities with Administrative Permissions +* GCP Groups and Service Accounts with Administrative Permissions + + +[#new-compliance-benchmarks-and-updates] +=== New Compliance Benchmarks and Updates +[cols="30%a,70%a"] +|=== +|*Compliance Benchmark* +|*Description* + +|*PCI DSS v4.0.1* + +tt:[24.12.1] +//RLP-153448 + +|Prisma Cloud now supports the latest version of PCI DSS v4.0.1 compliance framework. This latest revision emphasizes a risk-based approach, incorporating new requirements that address evolving threats such as phishing and e-skimming attacks. Notably, the updated standard mandates stricter multi-factor authentication measures, increased password complexity, and enhanced controls for managing client-side scripts to safeguard against unauthorized modifications. + +You can now access this built-in compliance standard and related policies on the *Compliance > Standards* page. Additionally, users can generate reports for immediate viewing or downloading, as well as set up scheduled reports to continuously monitor compliance with the PCI DSS v4.0.1 framework over time. 
+ +|*ACSC Information Security Manual (ISM)* + +tt:[24.12.1] +//RLP-153446 + +|Prisma Cloud now supports the latest version (September 2024) of ACSC Information Security Manual (ISM) compliance framework. This framework provides a structured approach for managing compliance risks, ensuring that sensitive information is safeguarded while adapting to changing regulations. + +You can now access this built-in compliance standard and related policies on the *Compliance > Standards* page. Additionally, users can generate reports for immediate viewing or downloading, as well as set up scheduled reports to continuously monitor compliance with the ACSC Information Security Manual (ISM) framework over time. + +|tt:[Update] *MLPS 2.0, MLPS 2.0 (Level 2) & MLPS 2.0 (Level 3)* + +tt:[24.12.1] +//RLP-153385 + +|New mappings are added for Multi-Level Protection Scheme 2.0 - MLPS 2.0, MLPS 2.0 (Level 2) & MLPS 2.0 (Level 3) compliance standards for enhanced coverage. + +*Impact—* As new mappings are added, compliance score may vary + +|=== + + +[#rest-api-updates] +=== REST API Updates + +[cols="37%a,63%a"] +|=== +|*Change* +|*Description* + +|*Alert Evidence Graph* + +tt:[24.12.1] +//RLP-137594 + +|The Alert API https://pan.dev/prisma-cloud/api/cspm/get-alert-evidence-graph/[Alert Evidence Graph] - `GET /alert/v1/{id}/graph` includes two new properties in the `AlertEvidenceGraph` response object: + +* `CapabilityNode` +* `PrimaryAssetNode{}` + +|*Action Plan Management APIs* + +tt:[24.12.1] +//PCAI-6962 + +|The following new endpoints are available in the Action Plan Management APIs: + +* https://pan.dev/prisma-cloud/api/action-plan/list-action-plans/[List Action Plans] - POST /apm/api/v1/action-plan +* https://pan.dev/prisma-cloud/api/action-plan/update-an-action-plan/[Update Action Plan Status or Assignee] - PATCH /apm/api/v1/action-plan/{action-plan-id}/status-assignee +* https://pan.dev/prisma-cloud/api/action-plan/pdate-an-action-plan-feedback/[Update Action Plan Feedback] - 
PATCH /apm/api/v1/action-plan/{action-plan-id}/feedback +* https://pan.dev/prisma-cloud/api/action-plan/recommendation-summary-action-plan/[Recommendation Summary] - GET /apm/api/v1/action-plan/{action-plan-id}/recommendation-summary +* https://pan.dev/prisma-cloud/api/action-plan/action-plan-related-alerts[List Related Alerts] - GET /apm/api/v1/action-plan/{action-plan-id}/related-alerts +* https://pan.dev/prisma-cloud/api/action-plan/action-plan-impacted-assets/[List Impacted Assets] - GET /apm/api/v1/action-plan/{action-plan-id}/impacted-assets +* https://pan.dev/prisma-cloud/api/action-plan/action-plan-notification-service/[Send Notification] - POST /apm/api/v1/action-plan/{action-plan-id}/notification/ondemand +* https://pan.dev/prisma-cloud/api/action-plan/get-action-plan-names/[List Action Plan Names] - GET /apm/api/v1/action-plan/names +* https://pan.dev/prisma-cloud/api/action-plan/list-action-plans-names/[Suggest Filters] - POST /apm/api/v1/filter/action-plan/suggest +* https://pan.dev/prisma-cloud/api/action-plan/action-plan-business-criticality-assets/[List Filtered Critical Assets] - POST /apm/api/v1/critical-asset +* https://pan.dev/prisma-cloud/api/action-plan/action-plan-set-asset-criticality/[Set Asset Criticality] - POST /apm/api/v1/asset-criticality +* https://pan.dev/prisma-cloud/api/action-plan/action-plan-check-asset-criticality/[Check Asset Criticality] - GET /apm/api/v1/asset-criticality/{asset-id} +|=== + + +[#deprecation-notice] +=== Deprecation Notice + +[cols="37%a,63%a"] +|=== +|*Change* +|*Description* + +|tt:[*End of support for AWS Polly Voices API*] + +tt:[24.12.1] +//RLP-150335, RLP-152490 + +|`aws-polly-voices` API is planned for deprecation. Due to this change, Prisma Cloud will no longer ingest metadata for the `aws-polly-voices` API. + +In RQL, the key will not be available in the `api.name` attribute auto-completion. + +*Impact*: If you have a saved search based on this API, you must manually delete it. + + + +|=== + 
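Review bot: the `GCP Secrets Manager secret not encrypted with CMEK` row (`//RLP-153294`) is present twice in the New Policies table, verbatim, immediately before the closing `|===`; drop the second copy so the policy is listed once and does not appear as two new policies in the rendered release notes.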
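Review bot: the `GCP Spanner Database drop protection disabled` RQL matches only `enableDropProtection does not exist`, so a database whose API response carries an explicit `enableDropProtection: false` would not be flagged, while the sibling rules in the same table test `deletionProtectionEnabled is false` and `shieldedInstanceConfig.enableSecureBoot is false`. Unless ingestion is known to omit false booleans for this resource, widen the rule to `(enableDropProtection does not exist or enableDropProtection is false)` so the two protection-disabled policies behave the same way.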
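Review bot: in both updated EMR RQLs under Policy Updates the added clause `$.X.status.state does not contain TERMINATED_WITH_ERRORS` is redundant, because `$.X.status.state does not contain TERMINATED` is a substring test and already rejects `TERMINATED_WITH_ERRORS`; the three clauses are ANDed, so the third can never change the result. Either drop it or switch the three state checks to `does not equal` so the exclusion is exact rather than substring based (note that `does not contain TERMINATED` also rejects `TERMINATING` only by coincidence of the shared prefix). The `*Impact–*` lines are correct either way.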
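Review bot: the `*Current RQL–*` quoted for `GCP GKE unsupported Master node version` is byte-identical to the one quoted for `GCP GKE unsupported node version` (both test `currentNodeVersion starts with "1.27." ... "1.31."`), yet its updated RQL checks `isMasterVersionSupported`; confirm whether the old master-version rule actually read `currentMasterVersion` and correct the quoted current RQL if so, since readers diff the two blocks to see what changed.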
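Review bot: the updated RQL for `GCP VM instance with the external IP address` mixes `networkInterfaces[*].accessConfigs exists` with `networkInterfaces.ipv6AccessConfigs exists`; the IPv6 path lacks the `[*]` array selector used for IPv4, so either confirm it evaluates across every interface on a multi-NIC VM or change it to `networkInterfaces[*].ipv6AccessConfigs exists`. Two smaller points in the same row: the updated description deletes the NOTE explaining that GKE-created instances are excluded even though the RQL still carries `name does not start with "gke-"` (and silently drops the old `name does not contain default-pool` condition), so keep a sentence stating that exclusion; and `*Impact–* None. New alerts will be generated for the failing resources.` contradicts itself, so state the impact as Low with new alerts for VMs that hold a public IPv6 address.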
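Review bot: under `=== IAM Policy Update` three bullets are fused onto one line with no separator: `... IAM Data Read permissions are unused for 90 daysGCP Groups and Service Accounts with IAM Metadata Write ...` and `... are unused for 90 daysGCP Administrators with IAM permissions are unused for 90 daysGCP Users and Machine Identities with Administrative Permissions`. Split them into separate `* ` items so the list renders all eleven policy names.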
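Review bot: in the `Action Plan Management APIs` row the `Update Action Plan Feedback` link is `https://pan.dev/prisma-cloud/api/action-plan/pdate-an-action-plan-feedback/`, which drops the leading `u` of `update`; `Suggest Filters` is linked to `.../list-action-plans-names/`, which reads like the wrong page for a filter-suggest endpoint, and `List Related Alerts` lacks the trailing slash every other entry has. Verify each link resolves on pan.dev before merge. In the `Alert Evidence Graph` row, `CapabilityNode` and `PrimaryAssetNode{}` are named inconsistently; drop the `{}` or apply it to both.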
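Review bot: a few copy nits in the new file. In `GCP Vertex AI Workbench Instance JupyterLab interface access mode set to single user`, `Access mode controls the control access to this interface.` should read `Access mode controls who can reach this interface.`; the second EMR row has a double space in `EMR cluster  while`; the MLPS update ends `compliance score may vary` without a period; and the table label `*Policy Updates—RQL*` uses an em dash where the surrounding `*Policy Type–*` and `*Impact–*` labels use an en dash.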
diff --git a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc index 2f0e6c4fde..e0fd6b10cc 100644 --- a/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc +++ b/docs/en/enterprise-edition/rn/prisma-cloud-release-info/prisma-cloud-release-info.adoc @@ -7,7 +7,7 @@ Prisma Cloud is your code to cloud security platform that provides security at a //Prisma Cloud monitors your resources deployed on the Public cloud environments—AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure, and Alibaba Cloud—for cloud security and compliance risks. As the service automatically discovers new resources that are deployed in your cloud environment, it enables you to implement policy guardrails to ensure resource configurations adhere to industry standards and integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues. This capability streamlines the process of identifying issues, detecting and responding to a list of prioritized risks to maintain an agile development process and operational efficiency. //Prisma Cloud Application Security identifies vulnerabilities, misconfigurations and compliance violations in Infrastructure as Code ( IaC) templates, container images and git repositories. -The current release for Prisma Cloud Security Platform is 24.9.2. +The current release for Prisma Cloud Security Platform is 24.12.1. If you are using Runtime Security, the current version is 32.06. //It will be upgraded to 32.00.xxx on >>>, 2023.
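Review bot: `prisma-cloud-release-info.adoc` bumps the platform release to 24.12.1 but leaves `If you are using Runtime Security, the current version is 32.06.` and the stale comment `//It will be upgraded to 32.00.xxx on >>>, 2023.` untouched; confirm 32.06 is still the current Runtime Security version for this release and remove the placeholder comment, whose `>>>` date was never filled in.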