Learn what’s new on Prisma® Cloud in February 2024.
The Prisma Cloud Darwin Release is now available for Prisma Cloud environments on app.gov. With the Code to Cloud™ intelligence capabilities in this release, your security and development teams can work together to reduce application risks and prevent breaches.
With this change, your tenant will be updated with the new intuitive user interface and rich set of security capabilities.
When you are upgraded to the Darwin release, refer to the Enterprise Edition documentation.
Contact your Prisma Cloud Customer Success team for more details.
View Saved Filters as Saved Views
tt:[Secure the Infrastructure]
tt:[24.2.2]
Saved Filters on Prisma Cloud are now available as Saved Views on the Alerts, Compliance, and Governance pages. Navigate to Home > Alerts/Compliance/Governance > Overview to find your filter combinations available as Saved Views. The following caveats apply:
Views are no longer limited to a maximum of 20.
Saved Views are enabled by default for the persona (Cloud/Runtime/Application Security) you created them in. If you use the Prisma Cloud switcher to try another persona, the view is disabled but you have the option to re-enable it.
All users, except those who were added after the migration to Saved Views, will have access to previously saved filter configurations.
You can also create new Saved Views to store select filter combinations and table configurations for a customizable look at your security posture.
OAuth 2.0 support for ServiceNow Integration
tt:[Secure the Infrastructure]
tt:[24.2.2]
tt:[Update] Enhancements
tt:[Secure the Infrastructure]
tt:[24.2.2]
Prisma Cloud includes the following enhancements for config from network RQL searches and policies:
Significant performance improvement on the Investigate page, with search results now delivered faster on average.
Support for asset exclusion based on asset name, VPC ID, and tags.
The following enhancements are specific to AWS:
Support for NLB and ALB listener port analysis.
Network path analysis now considers security groups attached to NLB.
Better representation of network path for East-West traffic over a transit gateway.
Better representation of network path for East-West traffic within a single VPC.
The following enhancement is specific to Azure:
Support Amazon Linux 2023
tt:[Secure the Runtime]
tt:[24.2.2]
Enhanced CSV Organization
tt:[Secure the Runtime]
tt:[24.2.2]
Enhanced Compliance Report
tt:[Secure the Runtime]
tt:[24.2.2]
Detect Go Stdlib Vulnerabilities at the Package Level
tt:[Secure the Runtime]
tt:[24.2.2]
Support for Just in Time (JIT) Auto-Provisioning
tt:[Secure the Infrastructure]
tt:[24.2.1]
Support for New Region on GCP
tt:[Secure the Infrastructure]
tt:[24.2.1]
Prisma Cloud now ingests data for resources deployed in the Johannesburg region on GCP.
To review a list of supported regions, select Inventory > Assets, and choose Cloud Region from the filter drop-down.
Added non-default branch scanning
tt:[Secure the Source]
tt:[24.2.1]
AWS Batch
tt:[24.2.2]
aws-batch-job-definition
Additional permission required:
batch:DescribeJobDefinitions
The Security Audit role includes the permission.
AWS CodeBuild
tt:[24.2.2]
aws-code-build-source-credential
Additional permission required:
codebuild:ListSourceCredentials
You must manually add the above permission to the CFT template to enable it.
AWS CodeCommit
tt:[24.2.2]
aws-code-commit-repository
Additional permissions required:
codecommit:ListRepositories
codecommit:GetRepository
The Security Audit Policy role includes the permissions.
AWS CodeCommit
tt:[24.2.2]
aws-code-commit-approval-rule-template
Additional permissions required:
codecommit:ListApprovalRuleTemplates
codecommit:GetApprovalRuleTemplate
The Security Audit Policy role includes the permission for codecommit:ListApprovalRuleTemplates.
Amazon CodePipeline
tt:[24.2.2]
aws-code-pipeline-webhook
Additional permission required:
codepipeline:ListWebhooks
You must manually add the codepipeline:ListWebhooks permission to the CFT template to enable it.
AWS Config
tt:[24.2.2]
aws-configservice-aggregator
Additional permission required:
config:DescribeConfigurationAggregators
The Security Audit role includes the permission.
AWS DataSync
tt:[24.2.2]
aws-datasync-agent
Additional permissions required:
datasync:ListAgents
datasync:DescribeAgent
The Security Audit role includes the permissions.
Amazon EC2
tt:[24.2.2]
aws-ec2-vpc-endpoint-service
Additional permission required:
ec2:DescribeVpcEndpointServices
The Security Audit Policy role includes the permission.
aws-ecr-image
Prisma Cloud updated the aws-ecr-image API to exclude the lastRecordedPullTime field from the JSON because it changes frequently, causing too many resource snapshots.
tt:[Update] OCI APIs
tt:[24.2.2]
Prisma Cloud updated the oci-compute-instance, oci-cloudguard-security-zone, and oci-apimanagement-apigateway-deployment APIs to prevent the ingestion of deleted resources from Oracle Cloud Service Provider.
oci-cloudguard-security-zone will be enhanced to ingest resources from multiple compartments, extending beyond the home region.
Amazon EC2 Image Builder
tt:[24.2.1]
aws-imagebuilder-component
Additional permissions required:
imagebuilder:ListComponents
imagebuilder:GetComponent
You must manually add the above permissions to the CFT template to enable them.
Amazon EC2 Image Builder
tt:[24.2.1]
aws-imagebuilder-image-recipe
Additional permissions required:
imagebuilder:ListImageRecipes
imagebuilder:GetImageRecipe
You must manually add the above permissions to the CFT template to enable them.
Amazon EC2 Image Builder
tt:[24.2.1]
aws-imagebuilder-image-pipeline
Additional permissions required:
imagebuilder:ListImagePipelines
imagebuilder:GetImagePipeline
You must manually add the above permissions to the CFT template to enable them.
Amazon EC2 Image Builder
tt:[24.2.1]
aws-imagebuilder-infrastructure-configuration
Additional permissions required:
imagebuilder:ListInfrastructureConfigurations
imagebuilder:GetInfrastructureConfiguration
You must manually add the above permissions to the CFT template to enable them.
AWS Elastic Disaster Recovery
tt:[24.2.1]
aws-drs-job
Additional permission required:
drs:DescribeJobs
You must manually add the above permission to the CFT template to enable it.
AWS Elastic Disaster Recovery
tt:[24.2.1]
aws-drs-replication-configuration
Additional permissions required:
drs:DescribeSourceServers
drs:GetReplicationConfiguration
You must manually add the above permissions to the CFT template to enable them.
AWS Elastic Disaster Recovery
tt:[24.2.1]
aws-drs-source-server
Additional permission required:
drs:DescribeSourceServers
You must manually add the above permission to the CFT template to enable it.
Google Cloud VMware Engine
tt:[24.2.1]
gcloud-vmware-engine-network
Additional permissions required:
vmwareengine.locations.list
vmwareengine.vmwareEngineNetworks.list
The Viewer role includes the permissions.
Google Cloud VMware Engine
tt:[24.2.1]
gcloud-vmware-engine-network-policy
Additional permissions required:
vmwareengine.locations.list
vmwareengine.networkPolicies.list
The Viewer role includes the permissions.
Google Vertex AI AIPlatform
tt:[24.2.1]
gcloud-vertex-ai-aiplatform-dataset
Additional permission required:
aiplatform.datasets.list
The Viewer role includes the permission.
Google Vertex AI AIPlatform
tt:[24.2.1]
gcloud-vertex-ai-aiplatform-hyperparameter-tuning-job
Additional permission required:
aiplatform.hyperparameterTuningJobs.list
The Viewer role includes the permission.
Google Vertex AI AIPlatform
tt:[24.2.1]
gcloud-vertex-ai-aiplatform-index
Additional permission required:
aiplatform.indexes.list
The Viewer role includes the permission.
Google Vertex AI AIPlatform
tt:[24.2.1]
gcloud-vertex-ai-aiplatform-feature-store-entity-type
Additional permissions required:
aiplatform.featurestores.list
aiplatform.entityTypes.list
aiplatform.entityTypes.getIamPolicy
The Viewer role includes the permissions.
tt:[Update] Google Cloud Firestore
tt:[24.2.1]
gcloud-cloud-firestore-native-database
Prisma Cloud updated the gcloud-cloud-firestore-native-database API to exclude the earliestVersionTime field from the resource configuration because it changes frequently, causing too many resource snapshots.
tt:[Update] Google Compute Engine (GCE)
tt:[24.2.1]
gcloud-compute-autoscaler
Prisma Cloud updated the gcloud-compute-autoscaler API to exclude the recommendedSize field from the resource configuration because it changes frequently, causing too many resource snapshots.
Azure Batch Account configured with overly permissive network access
tt:[24.2.2]
This policy identifies Batch Accounts configured with overly permissive network access. By default, Batch accounts are accessible from all networks. With an account access IP firewall, you can restrict access further to only a set of IPv4 addresses or IPv4 address ranges. With private access through Virtual Networks, the network traffic path is secured on both ends. It is recommended to configure the Batch account with an IP firewall or a Virtual Network, so that the Batch account is accessible only to restricted entities.
Policy Severity— High
Policy Type— Config
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-batch-account' AND json.rule = properties.provisioningState equal ignore case Succeeded and properties.networkProfile.accountAccess.defaultAction equal ignore case Allow and properties.publicNetworkAccess equal ignore case Enabled
Azure Storage Account storing Machine Learning workspace high business impact data is publicly accessible
tt:[24.2.2]
This policy identifies Azure Storage Accounts that store Machine Learning workspace high business impact data and are publicly accessible. The Azure Storage account stores machine learning artifacts such as job logs. By default, this storage account is used when you upload data to the workspace. An attacker could exploit a publicly accessible storage account to obtain the workspace's high business impact data and logs, and could use the exposed data to breach the system. It is recommended to restrict storage account access to only the machine learning services, as per business requirement.
Policy Severity— High
Policy Type— Config
config from cloud.resource where api.name = 'azure-machine-learning-workspace' AND json.rule = 'properties.provisioningState equal ignore case Succeeded and properties.hbiWorkspace is true and properties.storageAccount exists' as X; config from cloud.resource where api.name = 'azure-storage-account-list' AND json.rule = 'totalPublicContainers > 0 and (properties.allowBlobPublicAccess is true or properties.allowBlobPublicAccess does not exist)' as Y; filter '$.X.properties.storageAccount contains $.Y.id'; show Y;
AWS account security contact information is not set
tt:[24.2.2]
This policy identifies AWS accounts that have not set security contact information. When dedicated security-specific contact information is provided, AWS can directly communicate security advisories to the team responsible for handling security-related issues. Failure to specify a security contact in AWS risks missing critical advisories, leading to delayed incident response and increased vulnerability exposure. It is recommended to set security contact information to receive notifications.
Policy Severity— Information
Policy Type— Config
config from cloud.resource where api.name = 'aws-account-management-alternate-contact' group by account as X; filter ' AlternateContactType is not member of ("SECURITY") ' ;
Azure Cognitive Services account configured with local authentication
tt:[24.2.2]
This policy identifies Azure Cognitive Services accounts that are configured with local authentication methods instead of Azure AD identities. Local authentication allows users to access the service using a local account and password, rather than an Azure Active Directory (Azure AD) account. Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Active Directory identities exclusively for authentication. It is recommended to disable local authentication methods on your Cognitive Services account and use Azure Active Directory identities instead.
Policy Severity— Low
Policy Type— Config
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cognitive-services-account' AND json.rule = properties.provisioningState equal ignore case Succeeded and (properties.disableLocalAuth does not exist or properties.disableLocalAuth is false)
Azure Machine learning workspace is not configured with private endpoint
tt:[24.2.2]
This policy identifies Azure Machine Learning workspaces that are not configured with a private endpoint. Private endpoints on workspace resources allow clients on a virtual network to securely access data over Azure Private Link. Configuring a private endpoint allows only traffic coming from known networks and prevents access from malicious or unknown IP addresses, including IP addresses within Azure. It is recommended to create a private endpoint for secure communication with your Machine Learning workspaces.
Policy Severity— Medium
Policy Type— Config
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-machine-learning-workspace' AND json.rule = properties.provisioningState equal ignore case Succeeded and (properties.privateEndpointConnections[*] does not exist or properties.privateEndpointConnections[*] is empty or (properties.privateEndpointConnections[*] exists and properties.privateEndpointConnections[*].properties.privateLinkServiceConnectionState.status does not equal ignore case Approved))
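The three single-resource Azure checks above (Batch account network access, Cognitive Services local authentication, Machine Learning workspace private endpoint) share the same json.rule building blocks: dotted field paths, "equal ignore case", and "does not exist" / "is empty" tests. The following is an added example, not Prisma Cloud code and not RQL, that re-expresses those three rules as plain Python over resource JSON so the match semantics can be exercised offline. Field paths are taken from the RQL; the sample resources, their names, and the reading of the "[*] ... does not equal ignore case Approved" clause as "no connection is Approved" are this example's assumptions.

```python
"""Plain-Python re-expression of three Azure json.rule checks (added example,
not Prisma Cloud code). Field paths come from the RQL on the page; the sample
resources below are constructed."""
from typing import Any, Callable, Dict, List, Optional


def get_path(obj: Any, path: str) -> Optional[Any]:
    """Follow a dotted path through nested dicts. None stands in for the
    RQL 'does not exist' case."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def equal_ignore_case(value: Any, expected: str) -> bool:
    """RQL 'equal ignore case': case-insensitive string comparison."""
    return isinstance(value, str) and value.casefold() == expected.casefold()


def succeeded(res: dict) -> bool:
    """Every rule first requires properties.provisioningState == Succeeded."""
    return equal_ignore_case(get_path(res, "properties.provisioningState"), "Succeeded")


def batch_account_overly_permissive(res: dict) -> bool:
    """azure-batch-account: defaultAction Allow and publicNetworkAccess Enabled."""
    return (
        succeeded(res)
        and equal_ignore_case(
            get_path(res, "properties.networkProfile.accountAccess.defaultAction"), "Allow")
        and equal_ignore_case(get_path(res, "properties.publicNetworkAccess"), "Enabled")
    )


def cognitive_services_local_auth_enabled(res: dict) -> bool:
    """azure-cognitive-services-account: disableLocalAuth missing or false."""
    flag = get_path(res, "properties.disableLocalAuth")
    return succeeded(res) and (flag is None or flag is False)


def ml_workspace_lacks_private_endpoint(res: dict) -> bool:
    """azure-machine-learning-workspace: no privateEndpointConnections, an
    empty list, or no connection whose privateLinkServiceConnectionState.status
    is Approved (assumed reading of the '[*] ... does not equal' clause)."""
    if not succeeded(res):
        return False
    conns = get_path(res, "properties.privateEndpointConnections")
    if not conns:  # 'does not exist' or 'is empty'
        return True
    return not any(
        equal_ignore_case(
            get_path(c, "properties.privateLinkServiceConnectionState.status"), "Approved")
        for c in conns
    )


# Constructed sample resources keyed by api.name (not real tenant data).
SAMPLE_RESOURCES: Dict[str, List[dict]] = {
    "azure-batch-account": [
        {"name": "batch-open", "properties": {"provisioningState": "Succeeded",
         "networkProfile": {"accountAccess": {"defaultAction": "Allow"}},
         "publicNetworkAccess": "Enabled"}},
        {"name": "batch-locked", "properties": {"provisioningState": "Succeeded",
         "networkProfile": {"accountAccess": {"defaultAction": "Deny"}},
         "publicNetworkAccess": "Enabled"}},
    ],
    "azure-cognitive-services-account": [
        {"name": "cog-default", "properties": {"provisioningState": "Succeeded"}},
        {"name": "cog-aad", "properties": {"provisioningState": "Succeeded",
         "disableLocalAuth": True}},
    ],
    "azure-machine-learning-workspace": [
        {"name": "ml-no-pe", "properties": {"provisioningState": "Succeeded",
         "privateEndpointConnections": []}},
        {"name": "ml-pending", "properties": {"provisioningState": "Succeeded",
         "privateEndpointConnections": [{"properties": {
             "privateLinkServiceConnectionState": {"status": "Pending"}}}]}},
        {"name": "ml-approved", "properties": {"provisioningState": "Succeeded",
         "privateEndpointConnections": [{"properties": {
             "privateLinkServiceConnectionState": {"status": "approved"}}}]}},
    ],
}

CHECKS: Dict[str, Callable[[dict], bool]] = {
    "azure-batch-account": batch_account_overly_permissive,
    "azure-cognitive-services-account": cognitive_services_local_auth_enabled,
    "azure-machine-learning-workspace": ml_workspace_lacks_private_endpoint,
}


def evaluate(resources: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Run each check over its api.name bucket and return the violating names."""
    return {api: [r["name"] for r in resources.get(api, []) if check(r)]
            for api, check in CHECKS.items()}


if __name__ == "__main__":
    for api, names in evaluate(SAMPLE_RESOURCES).items():
        print(f"{api}: {names}")
```

Because provisioningState is checked first in every function, resources still being created or deleted never count as violations, which is the same reason the RQL gates each rule on Succeeded.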
AWS Systems Manager EC2 instance having NON_COMPLIANT patch compliance status
tt:[24.2.2]
This policy identifies if the AWS Systems Manager patch compliance status is "NON_COMPLIANT" with critical or high severity for managed instances. Instances labeled non-compliant might lack essential patches for security, stability, or meeting standards. Non-compliant instances pose security risks because attackers often target unpatched systems to exploit known weaknesses. As a security best practice, it’s recommended to apply any missing patches to the affected instances.
Policy Severity— High
Policy Type— Config
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ssm-resource-compliance-summary' AND json.rule = Status equals "NON_COMPLIANT" and ComplianceType contains "Patch" and ResourceType contains "ManagedInstance" and (NonCompliantSummary.SeveritySummary.CriticalCount greater than 0 or NonCompliantSummary.SeveritySummary.HighCount greater than 0)
Azure Microsoft Defender for Cloud set to Off for Databases
tt:[24.2.2]
This policy identifies Azure Microsoft Defender for Cloud configurations in which the Defender setting for Databases is set to Off. Enabling Azure Defender for Cloud provides advanced security capabilities like threat intelligence, anomaly detection, and behaviour analytics. Defender for Databases in Microsoft Defender for Cloud allows you to protect your entire database estate with attack detection and threat response for the most popular database types in Azure. It is highly recommended to enable Azure Defender for Databases.
Policy Severity— Information
Policy Type— Config
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any((name equals SqlServers and properties.pricingTier does not equal Standard) or (name equals CosmosDbs and properties.pricingTier does not equal Standard) or (name equals OpenSourceRelationalDatabases and properties.pricingTier does not equal Standard) or (name equals SqlServerVirtualMachines and properties.pricingTier does not equal Standard))] exists
Azure Microsoft Defender for Cloud set to Off for Open-Source Relational Databases
tt:[24.2.2]
This policy identifies Azure Microsoft Defender for Cloud configurations in which the Defender setting for Open-Source Relational Databases is set to Off. Enabling Azure Defender for Cloud provides advanced security capabilities like threat intelligence, anomaly detection, and behaviour analytics. Microsoft Defender for Cloud detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. It is highly recommended to enable Azure Defender for Open-Source Relational Databases.
Policy Severity— Information
Policy Type— Config
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals OpenSourceRelationalDatabases and properties.pricingTier does not equal Standard)] exists
Azure Microsoft Defender for Cloud set to Off for Cosmos DB
tt:[24.2.2]
This policy identifies Azure Microsoft Defender for Cloud configurations in which the Defender setting for Cosmos DB is set to Off. Enabling Azure Defender for Cloud provides advanced security capabilities like threat intelligence, anomaly detection, and behaviour analytics. Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities or malicious insiders. It is highly recommended to enable Azure Defender for Cosmos DB.
Policy Severity— Information
Policy Type— Config
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = pricings[?any(name equals CosmosDbs and properties.pricingTier does not equal Standard)] exists
New to Configuration Build Policies
tt:[24.2.2]
Starting with 23.12.1, 196 new Config policies of subtype Build are generally available (GA) on the Prisma Cloud platform. See the Application Security Policy Reference Guide for more details.
The policies are listed below:
Open API Policies
The list of policies with High policy severity:
Operation object uses 'password' flow in OAuth2 authentication
Security definitions use basic auth
Operation Objects Use Basic Auth
Global schemes use 'http' protocol instead of 'https'
API keys transmitted over cleartext
The path scheme supports unencrypted HTTP connections
API spec includes a 'password' flow in OAuth2 authentication
Operation object uses 'password' flow in OAuth2 authentication
The list of policies with Medium policy severity:
Security definition uses the deprecated implicit flow on OAuth2
Operation Objects Use 'Implicit' Flow
Operation objects for PUT, POST, and PATCH operations do not have a 'consumes' field defined
The global security scope is not defined in the securityDefinitions
Array does not have a maximum number of items
Security scopes of operations are not defined in securityDefinition
The list of policies with Low policy severity:
AWS General Policies
The list of policies with High policy severity:
Comprehend Entity Recognizer’s model is not encrypted by KMS using a customer managed Key (CMK)
Comprehend Entity Recognizer’s volume is not encrypted by KMS using a customer managed Key (CMK)
The Connect Instance S3 Storage Configuration utilizes Customer Managed Key
DynamoDB table replica does not use CMK KMS encryption
AWS Lambda function is not configured to validate code-signing
MemoryDB snapshot is not encrypted by KMS using a customer managed Key (CMK)
Neptune snapshot is not securely encrypted
Neptune snapshot is encrypted by KMS using a customer managed Key (CMK)
RedShift snapshot copy is not encrypted by KMS using a customer managed Key (CMK)
Redshift Serverless namespace is not encrypted by KMS using a customer managed key (CMK)
DocDB Global Cluster is not encrypted at rest
DataSync Location Object Storage exposes secrets
DMS endpoint is not using a Customer Managed Key (CMK)
EventBridge Scheduler Schedule is not using a Customer Managed Key (CMK)
The DMS S3 does not use a Customer Managed Key (CMK)
Secrets Manager secrets are not rotated within 90 days
API Gateway method setting is not set to encrypted caching
CodeBuild S3 logs are not encrypted
Elastic Beanstalk environments do not have enhanced health reporting enabled
EFS Access Points are not enforcing a root directory
ECS containers are not limited to read-only access to root filesystems
SSM parameters are not utilizing KMS CMK
Elastic Beanstalk managed platform updates are not enabled
Amazon Redshift clusters do not have automatic snapshots enabled
Network firewalls do not have deletion protection enabled
Network firewall encryption does not use a CMK
Network Firewall Policy does not define an encryption configuration that uses a CMK
Neptune is not encrypted with KMS using a customer managed Key (CMK)
Security configuration of the EMR Cluster does not ensure the encryption of EBS disks
RDS Performance Insights are not encrypted using KMS CMKs
Transfer server does not force secure protocols.
The list of policies with Medium policy severity:
Connect Instance Kinesis Video Stream Storage Config is not using CMK for encryption
AWS database instances do not have deletion protection enabled
S3 lifecycle configuration does not set a period for aborting failed uploads
AWS RDS snapshots are accessible to public
AWS SSM documents are public
AWS CloudFront distributions does not have a default root object configured
CloudFront distributions do not have origin failover configured
EC2 Auto Scaling groups are not utilizing EC2 launch templates
AWS CodeBuild project environment privileged mode is enabled
Elasticsearch domains are not configured with a minimum of three dedicated master nodes
CloudWatch alarm actions are not enabled
Redshift clusters are not using the default database name
Redshift clusters are not using enhanced VPC routing
ElastiCache for Redis cache clusters do not have auto minor version upgrades enabled
RDS Aurora Clusters do not have backtracking enabled
User identity should be enforced by EFS access points
ECS Fargate services are not ensured to run on the latest Fargate platform version
AWS ECS task definition elevated privileges enabled
ECS task definitions have their own unique process namespace or share the host’s process namespace
AWS Auto Scaling group launch configuration configured with Instance Metadata Service hop count greater than 1
Backup retention period for DocDB is inadequate
Neptune DB cluster does not have automated backups enabled with adequate retention
Runtime of Lambda is deprecated
The list of policies with Low policy severity:
AWS API Gateway endpoints without client certificate authentication
AWS API gateway request parameter is not validated
AWS Secret Manager Automatic Key Rotation is not enabled
AWS Elasticsearch domain has Dedicated master set to disabled
AWS Lambda Function resource-based policy is overly permissive
RDS cluster is not configured to copy tags to snapshots
AWS Transit Gateway auto accept vpc attachment is enabled
WAF rule does not have any actions
AWS EMR cluster is not enabled with local disk encryption
AWS EMR cluster is not enabled with data encryption in transit
Clusters of Neptune DB do not replicate tags to snapshots
The list of policies with Informational policy severity:
AWS EMR cluster is not configured with security configuration
AWS Neptune cluster deletion protection is disabled
AWS RDS instance with copy tags to snapshots disabled
AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs)
AWS SageMaker notebook instance with root access enabled
AWS RDS DB cluster is encrypted using default KMS key instead of CMK
AWS IAM Policies
The list of policies with High policy severity:
The AWS Managed IAMFullAccess IAM policy should not be used
AWS AdministratorAccess policy is used by IAM roles, users, or groups
IAM policy uses the AWS AdministratorAccess policy
IAM Policy Document Allows All or Any AWS Principal Permissions to Resources
IAM policies allow privilege escalation
IAM policies allow exposure of credentials
IAM policies allow data exfiltration
IAM policies allow permissions management or resource exposure without constraints
IAM policies allow write access without constraints
AWS Access key enabled on root account
IAM policy document allows "*" as a resource for any action that can be restricted
Permissions delegated to AWS services for AWS Lambda functions are not limited by SourceArn or SourceAccount
The list of policies with Medium policy severity:
AWS IAM policy allows full administrative privileges
A Policy is not Defined for KMS Key
Authorization type for API GatewayV2 routes is not specified
AWS IAM policy allows full administrative privileges
The list of policies with Low policy severity:
AWS OpenSearch Fine-grained access control is disabled
Access is not controlled through Single Sign-On (SSO)
AWS Neptune Cluster not configured with IAM authentication
AWS Kubernetes Policies
The list of policies with High policy severity:
AWS Logging Policies
The list of policies with Medium policy severity:
An S3 bucket must have a lifecycle configuration
Execution history logging is not enabled on the State Machine
Elasticsearch Domain Audit Logging is disabled
RDS Cluster log capture is disabled
CloudWatch log groups must retain logs for a minimum duration of one year
The list of policies with Low policy severity:
Domain Name System (DNS) query logging is not enabled for Amazon Route 53 hosted zones
S3 buckets do not have event notifications enabled
Network Firewall Logging Configuration is not Defined
Data Trace is not enabled in the API Gateway Method Settings
State machine does not have X-ray tracing enabled
CodeBuild project environments do not have a logging configuration
RDS Cluster audit logging for MySQL engine is disabled
AWS ECS services have automatic public IP address assignment enabled
RDS instances have performance insights disabled
AWS Networking Policies
The list of policies with High policy severity:
Domain Name System Security Extensions (DNSSEC) signing is not enabled for Amazon Route 53 public hosted zones
MSK nodes are not private
ALB is not configured with the defensive or strictest desync mitigation mode
NACL ingress allows all ports
The list of policies with Medium policy severity:
The list of policies with Low policy severity:
The list of policies with Informational policy severity:
Azure General Policies
The list of policies with High policy severity:
Backend of the API management system does not utilize HTTPS
Event Hub Namespace not using TLS 1.2 or greater
The list of policies with Medium policy severity:
Azure Automation account configured with overly permissive network access
Azure PostgreSQL database flexible server configured with overly permissive network access
Azure ACR HTTPS not enabled for webhook
Azure Storage account is not configured with private endpoint connection
Azure Application Gateway listeners that allow connection requests over HTTP
The list of policies with Low policy severity:
Azure SQL database Transparent Data Encryption (TDE) encryption disabled
Azure Virtual Network subnet is not configured with a Network Security Group
Azure Key vault Private endpoint connection is not configured
Azure MariaDB database server not using latest TLS version
Azure Storage account soft delete is disabled
Azure Application Gateway is configured with SSL policy having TLS version 1.1 or lower
The list of policies with Informational policy severity:
Azure AKS cluster Azure CNI networking not enabled
Azure Container Instance not configured with the managed identity
Azure IAM Policies
Azure Storage account configured with Shared Key authorization
Azure Storage account not configured with SAS expiration policy
The list of policies with Informational policy severity:
Azure Recovery Services vault is not configured with managed identity
Azure Automation account is not configured with managed identity
Azure Kubernetes Policies
The list of policies with High policy severity:
AKS cluster not encrypting temp disks, caches, and data flows
Non-Critical System Pods Run on System Nodes
The policy with Medium policy severity:
Azure Logging Policies
The policy with Medium policy severity:
Azure Networking Policies
The list of policies with High policy severity:
DenyIntelMode for Azure Firewalls is not set to Deny
Firewall policy does not have IDPS mode set to deny
The list of policies with Medium policy severity:
Azure Spring Cloud service is not configured with virtual network
Azure Firewall does not define a firewall policy
The policy with Low policy severity:
The list of policies with Informational policy severity:
Azure Storage Policies
The list of policies with High policy severity:
Azure SQL Database Namespace is not zone redundant
Standard Replication is not enabled
The list of policies with Medium policy severity:
App Service Plan is not zone redundant
Azure Event Hub Namespace is not zone redundant
App Service Environment is not zone redundant
Docker Policies
The policy with Medium policy severity:
Google Cloud General Policies
The list of policies with High policy severity:
Spanner Database does not have drop protection enabled
GCP Storage buckets have public access to all authenticated users
The list of policies with Medium policy severity:
GCP Cloud Function is publicly accessible
Deletion protection for Spanner Database is disabled
BigQuery tables do not have deletion protection enabled
Big Table Instances do not have deletion protection enabled
Google Cloud IAM Policies
The list of policies with High policy severity:
KMS policy allows public access
IAM policy defines public access
Basic roles utilized at the organization level
Project level utilization of basic roles
IAM workload identity pool provider is not restricted
The policy with Medium policy severity:
Google Cloud Kubernetes Policies
The policy with Informational policy severity:
Google Cloud Networking Policies
The policy with Medium policy severity:
Google Cloud Storage GCS Policies
The policy with Low policy severity:
Logging Policies
The policy with Medium policy severity:
The list of policies with Low policy severity:
PostgreSQL database flag 'log_duration' is not set to 'on'
PostgreSQL database flag 'log_executor_stats' is not set to 'off'
PostgreSQL database flag 'log_parser_stats' is not set to 'off'
PostgreSQL database flag 'log_planner_stats' is not set to 'off'
PostgreSQL database flag 'log_statement_stats' is not set to 'off'
Log levels of the GCP PostgreSQL database are not set to ERROR or lower
pgAudit is disabled for your GCP PostgreSQL database
The policy with Informational policy severity:
OCI General Policies
The policy with Medium policy severity:
The list of policies with Low policy severity:
OCI Kubernetes Engine Cluster boot volume is not configured with in-transit data encryption
OCI Kubernetes Engine Cluster pod security policy not enforced
OCI IAM Policies
The policy with Medium policy severity:
OCI Networking Policies
The list of policies with Informational policy severity:
OCI Network Security Group allows all traffic on RDP port (3389)
OCI Kubernetes Engine Cluster endpoint is not configured with Network Security Groups
Impact- You can view policy violations for these policies in the Prisma Cloud switcher under Application Security > Projects, in the IaC Misconfigurations code category. Enforcement levels for IaC Misconfigurations are now applied to pipelines with these findings. You can enable additional subscriptions under Application Security > Settings to view violations and alerts for these policies.
AWS Log metric filter and alarm does not exist for AWS Organization changes
tt:[24.2.1]
This policy identifies the AWS regions that do not have a log metric filter and alarm for AWS Organizations changes. Monitoring changes to AWS Organizations helps you detect any unwanted, accidental, or intentional modifications that may lead to unauthorized access or other security breaches within the AWS account. It is recommended that a metric filter and alarm be established for detecting changes to AWS Organizations configurations.
This policy triggers an alert if you have at least one CloudTrail trail that is multi-region, logs all management events in your account, and is not configured with a matching log metric filter and alarm.
Policy Severity— Information
Policy Type— Config
config from cloud.resource where api.name = 'aws-logs-describe-metric-filters' as X; config from cloud.resource where api.name = 'aws-cloudwatch-describe-alarms' as Y; config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as Z; filter '(($.Z.cloudWatchLogsLogGroupArn is not empty and $.Z.cloudWatchLogsLogGroupArn contains $.X.logGroupName and $.Z.isMultiRegionTrail is true and $.Z.includeGlobalServiceEvents is true) and (($.X.filterPattern contains "eventName=" or $.X.filterPattern contains "eventName =") and ($.X.filterPattern does not contain "eventName!=" and $.X.filterPattern does not contain "eventName !=") and ($.X.filterPattern contains "eventSource=" or $.X.filterPattern contains "eventSource =") and ($.X.filterPattern does not contain "eventSource!=" and $.X.filterPattern does not contain "eventSource !=") and $.X.filterPattern contains organizations.amazonaws.com and $.X.filterPattern contains AcceptHandshake and $.X.filterPattern contains AttachPolicy and $.X.filterPattern contains CreateAccount and $.X.filterPattern contains CreateOrganizationalUnit and $.X.filterPattern contains CreatePolicy and $.X.filterPattern contains DeclineHandshake and $.X.filterPattern contains DeleteOrganization and $.X.filterPattern contains DeleteOrganizationalUnit and $.X.filterPattern contains DeletePolicy and $.X.filterPattern contains DetachPolicy and $.X.filterPattern contains DisablePolicyType and $.X.filterPattern contains EnablePolicyType and $.X.filterPattern contains InviteAccountToOrganization and $.X.filterPattern contains LeaveOrganization and $.X.filterPattern contains MoveAccount and $.X.filterPattern contains RemoveAccountFromOrganization and $.X.filterPattern contains UpdatePolicy and $.X.filterPattern contains UpdateOrganizationalUnit) and ($.X.metricTransformations[*] contains $.Y.metricName))'; show X; count(X) less than 1
AWS Log metric filter and alarm does not exist for usage of root account
tt:[24.2.1]
Identifies the AWS regions that do not have a log metric filter and alarm for usage of the root account. Monitoring root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce its use. Failure to monitor root account logins may result in a lack of visibility into unauthorized use or attempts to access the root account, posing potential security risks to your AWS environment. It is recommended that a metric filter and alarm be established for detecting root account usage.
This policy triggers an alert if you have at least one CloudTrail trail that is multi-region, logs all management events in your account, delivers to a CloudWatch Logs log group, and is not paired with the specific log metric filter and alarm.
Policy Severity— Informational
Policy Type— Config
config from cloud.resource where api.name = 'aws-logs-describe-metric-filters' as X; config from cloud.resource where api.name = 'aws-cloudwatch-describe-alarms' as Y; config from cloud.resource where api.name = 'aws-cloudtrail-describe-trails' as Z; filter '(($.Z.cloudWatchLogsLogGroupArn is not empty and $.Z.cloudWatchLogsLogGroupArn contains $.X.logGroupName and $.Z.isMultiRegionTrail is true and $.Z.includeGlobalServiceEvents is true) and ($.X.filterPattern does not contain "userIdentity.type!=" or $.X.filterPattern does not contain "userIdentity.type !=") and ($.X.filterPattern contains "userIdentity.type =" or $.X.filterPattern contains "userIdentity.type=") and ($.X.filterPattern contains "userIdentity.invokedBy NOT EXISTS") and ($.X.filterPattern contains "eventType!=" or $.X.filterPattern contains "eventType !=") and ($.X.filterPattern contains root or $.X.filterPattern contains Root) and ($.X.filterPattern contains AwsServiceEvent) and ($.X.metricTransformations[*] contains $.Y.metricName))'; show X; count(X) less than 1
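To validate a filter pattern against the conditions the two RQL queries above impose before deploying it, here is an added example (not Prisma Cloud code): it re-implements the Organizations-changes and root-account-usage checks in plain Python over constructed trail, metric-filter and alarm records, and carries the CIS AWS Foundations Benchmark filter patterns that satisfy them. The record shapes, the resource names and the 123456789012 account ID are assumptions made for illustration.

```python
"""Offline re-implementation of the two CloudWatch 'metric filter and alarm' checks above.

Added example, not Prisma Cloud code. It mirrors the RQL conditions in plain Python so a
filter pattern can be validated before it is deployed, and it carries the CIS AWS
Foundations Benchmark patterns that satisfy them. All trail / filter / alarm records are
constructed sample data shaped after the describe-trails, describe-metric-filters and
describe-alarms responses the policies read; the account ID is a placeholder.
"""

# AWS Organizations API calls the policy requires in the filter pattern (from the RQL above).
ORG_EVENTS = [
    "AcceptHandshake", "AttachPolicy", "CreateAccount", "CreateOrganizationalUnit",
    "CreatePolicy", "DeclineHandshake", "DeleteOrganization", "DeleteOrganizationalUnit",
    "DeletePolicy", "DetachPolicy", "DisablePolicyType", "EnablePolicyType",
    "InviteAccountToOrganization", "LeaveOrganization", "MoveAccount",
    "RemoveAccountFromOrganization", "UpdatePolicy", "UpdateOrganizationalUnit",
]

# CIS AWS Foundations Benchmark patterns: the remediation that makes each policy pass.
ORG_CHANGES_PATTERN = (
    "{ ($.eventSource = organizations.amazonaws.com) && ("
    + " || ".join(f'($.eventName = "{e}")' for e in ORG_EVENTS)
    + ") }"
)
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


def org_changes_pattern_ok(pattern: str) -> bool:
    """Same substring tests as the Organizations-changes RQL (case-sensitive, like 'contains')."""
    positive_name = "eventName=" in pattern or "eventName =" in pattern
    no_negated_name = "eventName!=" not in pattern and "eventName !=" not in pattern
    positive_source = "eventSource=" in pattern or "eventSource =" in pattern
    no_negated_source = "eventSource!=" not in pattern and "eventSource !=" not in pattern
    return (positive_name and no_negated_name and positive_source and no_negated_source
            and "organizations.amazonaws.com" in pattern
            and all(event in pattern for event in ORG_EVENTS))


def root_usage_pattern_ok(pattern: str) -> bool:
    """Same substring tests as the root-account-usage RQL.

    The RQL joins its two 'does not contain userIdentity.type!=' tests with 'or', so that
    clause only rejects a pattern containing both spellings; it is reproduced as written.
    """
    not_both_negations = ("userIdentity.type!=" not in pattern
                          or "userIdentity.type !=" not in pattern)
    return (not_both_negations
            and ("userIdentity.type =" in pattern or "userIdentity.type=" in pattern)
            and "userIdentity.invokedBy NOT EXISTS" in pattern
            and ("eventType!=" in pattern or "eventType !=" in pattern)
            and ("root" in pattern or "Root" in pattern)
            and "AwsServiceEvent" in pattern)


def compliant_filters(trails, metric_filters, alarms, pattern_ok):
    """Filters (X) that satisfy the RQL join: log group of a multi-region trail with global
    service events, an acceptable pattern, and an alarm on one of the filter's metrics."""
    alarmed_metrics = {a["metricName"] for a in alarms}
    found = []
    for trail in trails:
        log_group_arn = trail.get("cloudWatchLogsLogGroupArn") or ""
        if not (log_group_arn and trail.get("isMultiRegionTrail")
                and trail.get("includeGlobalServiceEvents")):
            continue
        for f in metric_filters:
            if (f["logGroupName"] in log_group_arn
                    and pattern_ok(f["filterPattern"])
                    and any(t["metricName"] in alarmed_metrics
                            for t in f["metricTransformations"])):
                found.append(f["filterName"])
    return found


def policy_alerts(trails, metric_filters, alarms, pattern_ok) -> bool:
    """'show X; count(X) less than 1': the policy alerts when no compliant filter exists."""
    return len(compliant_filters(trails, metric_filters, alarms, pattern_ok)) < 1


# Constructed sample inventory: one compliant trail, one filter with the CIS pattern, one alarm.
SAMPLE_TRAILS = [{
    "name": "org-trail",
    "isMultiRegionTrail": True,
    "includeGlobalServiceEvents": True,
    "cloudWatchLogsLogGroupArn":
        "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*",
}]
SAMPLE_FILTERS = [{
    "filterName": "OrganizationsChanges",
    "logGroupName": "CloudTrail/DefaultLogGroup",
    "filterPattern": ORG_CHANGES_PATTERN,
    "metricTransformations": [{"metricName": "OrganizationsChangesCount"}],
}]
SAMPLE_ALARMS = [{"alarmName": "OrganizationsChangesAlarm",
                  "metricName": "OrganizationsChangesCount"}]

if __name__ == "__main__":
    print("org-changes alert:", policy_alerts(SAMPLE_TRAILS, SAMPLE_FILTERS, SAMPLE_ALARMS,
                                              org_changes_pattern_ok))  # False: compliant
    print("root-usage alert:", policy_alerts(SAMPLE_TRAILS, SAMPLE_FILTERS, SAMPLE_ALARMS,
                                             root_usage_pattern_ok))    # True: no root filter
```

Feed `compliant_filters` the real describe-trails, describe-metric-filters and describe-alarms output (with key names normalised to the ones used here) to see which filter the policy would count; an empty list is exactly the `count(X) less than 1` condition that raises the alert. A filter with the right pattern but no alarm on its metric, or a filter attached to a single-region trail, still alerts, which is the usual reason these two policies stay open after the pattern itself has been fixed.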
AWS IAM AWSCloudShellFullAccess policy is attached to IAM roles, users, or IAM groups
tt:[24.2.1]
Identifies the AWSCloudShellFullAccess policy attached to IAM roles, users, or IAM groups. AWS CloudShell is a convenient way of running CLI commands against AWS services. The 'AWSCloudShellFullAccess' IAM policy grants unrestricted CloudShell access, including its file upload and download capabilities, which a malicious administrator could use to exfiltrate data. As a security best practice, follow least privilege: grant only the permissions required to perform a task instead of providing excessive permissions.
Policy Severity— Information
Policy Type— Config
config from cloud.resource where api.name = 'aws-iam-get-policy-version' AND json.rule = isAttached is true and policyName contains AWSCloudShellFullAccess and (entities.policyRoles[*].roleName exists or entities.policyUsers[*].userName exists or entities.policyGroups[*].groupName exists)
Changes— The policy RQL is updated to exclude Cloud Armor edge security policies, because pre-built rules (such as cve-canary) cannot be applied to an edge security policy.
Severity— Medium
Policy Type— Config
Current RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-armor-security-policy' AND json.rule = rules[*].match.expr.expression does not contain cve-canary or rules[?any(match.expr.expression contains cve-canary and action equals allow)] exists
Updated RQL—
config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-armor-security-policy' AND json.rule = type does not equal ignore case CLOUD_ARMOR_EDGE and (rules[*].match.expr.expression does not contain cve-canary or rules[?any(match.expr.expression contains cve-canary and action equals allow)] exists)
Impact— Low. Existing alerts will be resolved, as CLOUD_ARMOR_EDGE type policies are excluded from the policy RQL.
Changes— The policy is deleted from the Prisma Cloud platform.
Severity— High
Policy Type— Config Build
Impact— You will no longer receive alerts.
tt:[Update] IP Addresses for Runtime Security
tt:[The change to add IPs that was first announced in the 23.11.1 look-ahead notice is no longer needed.]
Prisma Cloud has determined that, because the Runtime Security console will not be migrating to AWS, there is no need to include the following IP addresses in your allowlist. You can safely remove any related IP addresses you previously added to your allowlist.
New policy mappings for Azure CIS
tt:[24.2.2]
The following compliance requirements in Azure CIS 1.5 Level 1, Azure CIS 1.5 Level 2 and Azure CIS v2.0.0 Level 2 are updated with new mappings.
Azure CIS 1.5 Level 1 - Database Services, Microsoft Defender, Storage Accounts
Azure CIS 1.5 Level 2 - Database Services, Microsoft Defender
Azure CIS 2.0 Level 2 - Microsoft Defender, Storage Accounts
Impact- As new mappings are introduced, compliance scoring might vary.
Risk Management in Technology includes mappings to support GCP
tt:[24.2.2]
Google Cloud Platform support is added for the Risk Management in Technology (RMiT) compliance standard.
Impact- As new mappings are introduced, compliance scoring might vary.
New incident policies based on traffic observation
tt:[Secure the Runtime]
tt:[24.2.2]
This update adds two new policies that alert you to traffic that includes:
Sensitive data sent through an API endpoint that is exposed to the internet without authentication.
Sensitive data sent through an API endpoint that is exposed to the internet without encryption.
Split Vulnerability and Compliance CSV
tt:[Secure the Runtime]
tt:[24.2.2]
The following APIs include a new parameter, issueType:
The issueType parameter can be set to vulnerabilities or compliance to download vulnerability or compliance issues respectively. If the parameter is not provided, both vulnerability and compliance issues are downloaded.
Just-In-Time (JIT) Support
tt:[24.2.1]
The following Single Sign-On (SSO) endpoints now support Just-In-Time (JIT) user provisioning:
Enterprise Settings APIs
tt:[24.2.1]
The following APIs have a new boolean field, autoEnableAttackPathAndModulePolicies, which defaults to false.
Unified Vulnerability Explorer
tt:[24.2.1]
The following new endpoints are now available to get details from the vulnerabilities dashboard:
Get Vulnerability Overview V2 - GET uve/api/v2/dashboard/vulnerabilities/overview
Get Vulnerabilities Burndown - GET uve/api/v2/dashboard/vulnerabilities/burndown