Tenable Cloud Security 2023 Release Notes

You can now delete cloud accounts from the Cloud accounts tab on the Projects and Connections tab. For more information about deleting cloud accounts and viewing deleted accounts, see Delete Cloud Accounts.

• On the Policies page, the Delete option is no longer available from the Policy panel for custom policies.

  To delete a custom policy, in the row for the policy that you want to delete, click > Delete.

• You can now ignore all impacted resources for a non-compliant policy from the Findings > Misconfigurations and Policies pages. For more information, see Ignore Misconfigurations.
• You can now view or edit other scan profiles of a project when the cloud scan is running with one of the scan profiles.
• The order of Severity in the Custom Policy dialog box has changed.
• The Change History link is no longer available in the Project panel.
• A project name can now have a maximum of 25 characters.
• The Self-Heal policy mode option is no longer available in the Create Policy Group page.
• The Cloud accounts tab now has improved performance when loading the accounts.

• Improvements to the Integrations > API tokens page to show additional details.

• You can now search by plugin name on the Findings > Vulnerabilities tab.

• The Projects, Repositories, and K8s clusters tabs now show the check box selection counts.

• Compliance Reports

  • Displays a bar chart for Failed checks.

  • Includes a Clear Filters option for the Benchmark filter.

You can now download inventory data for resources that support Agentless Assessment.

• AMI Templates

• Azure MsSql servers

• Improvements to the embedded hyperlinks in the Policy remediation content.
• Formatting of lists and capitalization for Azure Activity Log policies.
• Updates to the Ensure CloudTrail is enabled in all regions policy.

• Re-assess failed scans — You can now rescan a project with the scan status of Completed with errors. Re-assess is only available for the most recent scan completed with exceptions. Tenable Cloud Security rescans only the failed resources.

  To re-assess or rescan a project:

  1. In the Projects tab, click the icon on the Status column.

     The Exceptions dialog box appears and displays the failed resources grouped by Account ID.

  2. Click Re-assess to rescan the failed resources in the selected cloud account or Re-assess all to rescan the failed resources in all the cloud accounts.

     Re-assessing scans the following if the scan has exceptions across these parameters:

     • Accounts, projects, and subscriptions

     • Resource type

     • Regions or Resource group

     For more information, see Projects and Connections in the Tenable Cloud Security User Guide.

• Scan status verbiage is changed from Success to Completed.

• You can now view the details of scan errors for misconfigurations with the status Completed with errors.

  Click the icon on the Status column. The Exceptions dialog box appears and displays the failed resources grouped by Account ID. You can view and sort the exceptions in each cloud account by Failed resource type, Resource group (for Azure), Region (for AWS), and Resource count.

The language for the following policy has been updated:

AC_AWS_0376: Ensure server side encryption (SSE) is using a customer-managed KMS Key for AWS DynamoDB tables.

The following policies are added and updated to support the CIS Microsoft Azure Foundations Benchmark 1.5.0:

Tenable Cloud Security now supports agentless scanning for Azure virtual machines. Agentless Assessment scans Azure virtual machines for vulnerabilities without installing any agents into your run-time infrastructure. It securely scans your resources inside your own environment. For more information, see Agentless Assessment.

• Tenable Cloud Security now shows data loading indicators in various tabs.

• Additional improvements when loading the Projects page.

Deprecated Policies

• Ensure the security best practices configuration is followed for Amazon Relational Database Service (Amazon RDS) Instances
• Ensure that every AWS account has a first login password reset policy for AWS IAM User Login Profile.
• Ensure IAM instance roles are used for AWS resource access from instances
• Ensure redundant resources are not used for AWS IAM Policy
• Ensure notifications are enabled for AWS CloudFormation stacks
• Ensure valid account number format is used in AWS IAM Policy
• Ensure correct key format is used for condition in AWS IAM Policy
• Ensure there is no IAM policy with invalid region used for resource ARN

Updated Policies

• Ensure principal element is not empty in AWS IAM Policy
• Ensure transit encryption is enabled for AWS ECS Task Definition
• Ensure no security groups allow ingress from ::/0 to remote server administration ports
• Ensure 'allow get actions from all principals' is disabled for AWS S3 Buckets
• Ensure 'allow list actions from all principals' is disabled for AWS S3 Buckets

As per Terraform update, the resource azurerm_sql_server is renamed to azurerm_mssql_server resource. For more information, see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server. Tenable Cloud Security includes the following user interface updates to accommodate this resource name change:

• The Resources page now includes the Mssql Server resource type.

• Tenable Cloud Security continues to display the existing resources and misconfigurations for the SQL Server resource.

• The Misconfiguration Report now includes IP Address, DNS, and Cloud Tags when exporting to CSV.

• The Benchmark option is now available in the Filters drop-down in the Misconfigurations page.

• Improvements to reduce the loading time of the Projects page.

• Tenable Cloud Security CLI now supports scanning the values files with names other than values.yaml in the Helm directories.

Starting with Tenable.cs 2.5.11, Tenable.cs can automatically discover your cloud accounts and onboard them. Tenable Cloud Security provides a new cloud account onboarding flow that supports the following:

• Single account onboarding — Provide the credentials of an AWS, Azure, or GCP account to onboard the account.

• Multiple account discovery and onboarding — Tenable Cloud Security can automatically discover the following:

  • AWS: Provide the credentials of the AWS management account and Tenable Cloud Security automatically discovers all member accounts in that AWS organization.

  • Azure: Provide the tenant-level credentials and Tenable Cloud Security automatically discovers all Azure subscriptions in that tenant.

  • GCP: Provide the credentials of the GCP organization account and Tenable Cloud Security automatically discovers all projects in that organization.

Tenable Cloud Security schedules a discovery every 24 hours and automatically discovers any new member accounts in the management account. For more information, see Discover Cloud Accounts.

• The Public Cloud option is now removed from the onboarding flow for AWS, Azure, and GCP.

• In the GCP onboarding flow, Tenable Cloud Security validates the JSON file and shows error messages if the uploaded file is not in the JSON format.

• You can no longer delete cloud accounts, but you can ignore cloud accounts from scanning. For more information, see Ignore a Cloud Account.

• Enabling the Expand All toggle in the Filter drop-down shows all values within the categories.

  

• You can now customize a table by adding or removing columns using the icon in all tabs of the Project and Connections page.

• In the repository onboarding flow, Tenable Cloud Security no longer supports Application as the IaC engine type.

• You can now filter by Cloud provider in the Findings > Vulnerabilities tab.

This release provides the following updates to policies:

• Tenable Cloud Security now supports CIS 1.5 Level 1 and Level 2 benchmark compliance.

• Improvements in policy descriptions for clarity.

• Tenable Cloud Security now supports the following policies for AWS Lambda:

  Policy ID	Policy	Severity	Terraform resource	Remediation	Benchmark
  AC_AWS_0613	Ensure AWS Lambda function is configured with a Dead Letter Queue	LOW	aws_lambda_function	Yes	GDPR:32.1.b HIPAA:164.306(a)(1)&164.312(b) NIST-800-171:3.3.1&3.3.2&3.3.3 NIST-800-53:AU-2 NIST-CSF:PR.PT-1
  AC_AWS_0614	Ensure AWS Lambda Functions have associated tags	LOW	aws_lambda_function	Yes	GDPR:32.1.b NIST-800-171:3.4.2 NIST-800-53:CM-6 NIST-CSF:PR.IP-1 HIPAA:164.306(a)(1)
  AC_AWS_0615	Ensure AWS Lambda functions are configured to use provisioned concurrency	LOW	aws_lambda_function	Yes	GDPR:32.1.b NIST-800-53:SC-6 HIPAA:164.306(a)(1)
  AC_AWS_0616	Ensure Code Signing is enabled for AWS Lambda functions	HIGH	aws_lambda_function	Yes	GDPR:32.1.b NIST-800-171:3.4.6&3.4.7 NIST-800-53:CM-7(8) NIST-CSF:PR.DS-6 HIPAA:164.306(a)(1)
  AC_AWS_0618	Ensure AuthType is set to 'AWS_IAM' for AWS Lambda function URLs	MEDIUM	aws_lambda_permission	Yes	GDPR:32.1.b HIPAA:164.306(a)(1)&164.312(a)(1) ISO-27001:A.9.4.1&A.9.4.5 NIST-800-171:3.1.1 NIST-800-53:AC-3 NIST-CSF:PR.AC-4&PR.PT-3
  AC_AWS_0619	Ensure AWS Lambda function permissions have a source ARN specified	MEDIUM	aws_lambda_permission	Yes	GDPR:32.1.b HIPAA:164.306(a)(1)&164.312(a)(1) ISO-27001:A.9.4.1&A.9.4.5 NIST-800-171:3.1.1 NIST-800-53:AC-3 N

The AWS Simple Notification Service (SNS) integration page now requires you to provide the Role Name and External ID of the role with permissions to publish to the SNS topic. For more information, see Configure AWS SNS Alerts.

• The Enable Vulnerability Scan (optional) option for Agentless Assessment is enabled by default for the system default cloud scan profile.

• The Findings page now has the following changes:

  • You can now view CVSS3 Score on the Vulnerabilities tab.

  • The policy pane on the Misconfigurations tab now has a new resource view.

• The Show All button is now removed from the Policies page.

• The Reports page now includes tool tips for the compliance report coverage numbers.

• Pagination is now available for the K8s clusters tab on the Projects and Connections page.

• You can now add or remove columns in a page using the icon.