Tenable Cloud Security 2023 Release Notes
Tenable Cloud Security Tenable One Platform Updates (2023-09-20)

The Workspace page appears when you log in to Tenable. In addition, administrators can change which custom roles can access which Tenable One apps.
- To set a default app on the Workspace page, click on the app tile and select Make Default Login. This app now appears when you log in.
- To remove a default app on the Workspace page, click on the app tile and select Remove Default Login Page. The Workspace page now appears when you log in.
- (Tenable One-only) To control which custom roles can access which Tenable One apps, use the new role settings. For more information, see Create a Custom Role.
Tenable Cloud Security CLI 2.5 Release Notes (2023-09-13)

- You can now scan Harbor registries using robot accounts. For more information, see Scan a Harbor Container Registry.
Download the latest CLI from the Tenable Downloads page.
Tenable Cloud Security 2.10 Release Notes (2023-09-07)

You can now export misconfigurations to a CSV report from the Findings > Misconfigurations page. You can do the following to configure your export:
- Select up to five or all misconfigurations in the exported report.
- Select the fields you want to include in the report.
- Schedule the time and frequency for generating the report.
- Schedule and send emails with a link to download the report to a list of recipients.
For more information, see View Misconfigurations.

- On the Findings page, you can now filter misconfigurations and vulnerabilities by age using the Last Seen filter. Values can be Within 1 day, Within 7 days, Within 14 days, Within 30 days, or Within 90 days.
- When you export the list of vulnerabilities, Tenable Cloud Security now retains the filters applied in the exported CSV file.

When you export the Compliance Report, Tenable Cloud Security now retains the filters applied in the exported CSV file.

In the Project page, the link to download the Tenable Cloud Security CLI for scanning your code repositories now directs you to the Tenable Downloads page. For more information about the download location for your operating system, see Install or Upgrade the CLI.

- New Policies
  - Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0588)
  - Ensure 'log_duration' is set for Azure PostgreSQL Configuration (AC_AZURE_0589)
  - Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server (AC_AZURE_0590)
  - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0591)
- Updated Policies
  - Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_server (AC_AZURE_0397)
  - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_server (AC_AZURE_0396)
  - Ensure that HTTP(S) access from the Internet is evaluated and restricted (AC_AZURE_0059)
- Deprecated Policies
  - Ensure Web Application Firewall(WAF) is enabled for Azure Application Gateway (AC_AZURE_0189)
  - Ensure that a 'Diagnostics Setting' exists (AC_AZURE_0216)
  - Ensure that Diagnostic Logs Are Enabled for All Services that Support it (AC_AZURE_0210)
  - Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0412)
  - Ensure 'log_duration' is set for Azure PostgreSQL Configuration (AC_AZURE_0411)
  - Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_configuration (AC_AZURE_0413)
  - Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server - azurerm_postgresql_configuration (AC_AZURE_0414)
  - Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server (AC_AZURE_0409)
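As an added example (not code from Tenable or from these release notes), the following Terraform configuration sets the PostgreSQL server parameters that the new and updated policies above evaluate: log_disconnections (AC_AZURE_0588), log_duration (AC_AZURE_0589), log_retention_days (AC_AZURE_0590), log_checkpoints (AC_AZURE_0591), log_connections (AC_AZURE_0396) and connection_throttling (AC_AZURE_0397). Note that the page lists AC_AZURE_0396 and AC_AZURE_0397 against azurerm_postgresql_server, but in Terraform the parameters themselves are still written through azurerm_postgresql_configuration resources attached to that server, which is how the example sets them. It assumes the azurerm provider 3.x attribute names, an existing resource group passed in var.resource_group_name, and placeholder resource names, SKU and admin login; the server block is included only so the configurations have something to attach to.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: provider 3.x attribute names
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  type = string # assumption: the resource group already exists
}

variable "location" {
  type    = string
  default = "eastus"
}

variable "admin_password" {
  type      = string
  sensitive = true
}

# Single Server PostgreSQL instance (azurerm_postgresql_server). Names, SKU
# and admin login are placeholders; only the security settings matter here.
resource "azurerm_postgresql_server" "example" {
  name                = "pg-example-01"
  location            = var.location
  resource_group_name = var.resource_group_name

  sku_name   = "GP_Gen5_2"
  version    = "11"
  storage_mb = 5120

  administrator_login          = "pgadmin"
  administrator_login_password = var.admin_password

  # Enforce SSL and a TLS 1.2 floor; keep the server off the public network.
  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
  public_network_access_enabled    = false
}

# One azurerm_postgresql_configuration per server parameter. The map keys are
# the parameter names the policies look for; Azure takes the values as strings.
locals {
  pg_logging_parameters = {
    log_checkpoints       = "on" # AC_AZURE_0591
    log_connections       = "on" # AC_AZURE_0396
    log_disconnections    = "on" # AC_AZURE_0588
    log_duration          = "on" # AC_AZURE_0589
    connection_throttling = "on" # AC_AZURE_0397
    log_retention_days    = "7"  # AC_AZURE_0590 requires more than 3 days
  }
}

resource "azurerm_postgresql_configuration" "logging" {
  for_each = local.pg_logging_parameters

  name                = each.key
  resource_group_name = var.resource_group_name
  server_name         = azurerm_postgresql_server.example.name
  value               = each.value
}
```

Leaving any one key out of the map, or setting it to "off", is exactly the state the corresponding policy flags; the for_each keeps the six parameters in one place so a reviewer can diff the set against the policy list rather than hunting through separate resource blocks.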

Select a default app to appear when you sign in to Tenable, replacing the Workspace page. Or, remove your current default app.
This feature is for Tenable One customers only.
- To select a default app, on the Workspace page, click the app tile and select Make Default Login.
- To remove a default app, on the Workspace page, click the app tile and select Remove Default Login Page instead.

The following APIs now include Container Security changes:

Bug Fix |
---|
Fixed an issue with incorrect policy compliance shown for the Ensure locks are enabled for Azure Container Registry (AC_AZURE_0185) policy. |
Fixed an issue with incorrect policy compliance shown for the Ensure Known internal web port (TCP:8000) is not exposed to entire internet for Azure Network Security Rule (AC_AZURE_0529) policy. |
Fixed an issue with incorrect policy compliance shown for the Ensure that 'Data encryption' is set to 'On' on a SQL Database (AC_AZURE_0241) policy. |
Fixed an issue with incorrect policy compliance shown for multiple policies related to PostgreSQL configuration. |
Tenable Cloud Security CLI 2.4 Release Notes (2023-08-31)

- You can now discover all repositories and tags in your container registry and generate a CSV report. The tcs consec registry command now includes the --mode option, which lets you list the repositories and generate a CSV report. For more information, see Generate a Report of Images in a Container Registry.
Download the latest CLI from the Tenable Downloads page.
Tenable Cloud Security CLI 2.3 Release Notes (2023-08-09)

- Tenable Cloud Security now supports scanning Azure Container Registry using either a service principal or a managed identity. Download the latest CLI from the Tenable Downloads page.
  For more information about scanning an Azure Container Registry, see Scan an Azure Container Registry.
Tenable Cloud Security 2.9 Release Notes (2023-08-03)

You can now group the Compliance Report by Benchmark or Resource Type.

- If you have applied filters on the Findings > Misconfigurations page when exporting the data to CSV, Tenable Cloud Security exports the filtered data.
- The Misconfigurations export now includes the policy URL on the Tenable Cloud Security Policies portal instead of remediation text.

- Cloud account onboarding: The cloud onboarding workflow for all cloud providers now includes a Choose Prerequisites section. You must now confirm that you have met all prerequisites for onboarding a cloud account, including granting Tenable Cloud Security the permissions it needs to scan and to create snapshots for Agentless Assessment.
- Filter improvements: The user interface for filters on the Policies tab is now consistent with other pages.
- Alert Rules: The Manage Alerts button in the Alerts > Alert Rules tab is now renamed to Manage Notifications.
- Vulnerabilities: The Findings > Vulnerabilities tab includes the following changes:
  - The Resources view for impacted resources in the Vulnerabilities pane is now removed. You can only view the list of impacted resources.
  - The Vulnerabilities tab KPI now shows the total count of vulnerabilities instead of 200+ when the count is greater than 200.
- New and updated policies to support CIS Microsoft Azure Foundations Benchmark 2.0.0
- New and updated policies to support CIS Amazon Elastic Kubernetes EKS 1.3.0
- New and updated policies to support CIS Azure Kubernetes AKS 1.3.0
- New Policy
  - Ensure access to Azure SQL Servers is restricted within Azure Infrastructure via Azure SQL Firewall Rule (AC_AZURE_0580).
- Updated Content in Policies
  - Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible (AC_AZURE_0232).
  - Ensure that 'Public access level' is disabled for storage accounts with blob containers (AC_AZURE_0366).
  - Ensure public access is not enabled for Azure Storage Account (AC_AZURE_0370).
- Deprecated Policies
  - Ensure IAM password policy requires minimum length of 14 or greater (AC_AWS_0136).
  - Ensure that IAM policy does not exceed the identity policy quota for AWS IAM Policy (AC_AWS_0499).
  - Ensure IAM Policies were not configured with versions in AWS IAM Policy (AC_AWS_0496).
  - Ensure access to Azure SQL Servers is restricted within Azure Infrastructure via Azure SQL Firewall Rule (AC_AZURE_0381).
  - Ensure a log metric filter and alarm exist for unauthorized API calls (AC_AWS_0586).
  - Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (AC_AWS_0558).
  - Ensure a log metric filter and alarm exist for usage of 'root' account (AC_AWS_0587).
  - Ensure a log metric filter and alarm exist for IAM policy changes (AC_AWS_0561).
  - Ensure a log metric filter and alarm exist for CloudTrail configuration changes (AC_AWS_0562).
  - Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (AC_AWS_0588).
  - Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (AC_AWS_0564).
  - Ensure a log metric filter and alarm exist for S3 bucket policy changes (AC_AWS_0565).
  - Ensure a log metric filter and alarm exist for AWS Config configuration changes (AC_AWS_0566).
  - Ensure a log metric filter and alarm exist for security group changes (AC_AWS_0567).
  - Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (AC_AWS_0568).
  - Ensure a log metric filter and alarm exist for changes to network gateways (AC_AWS_0569).
  - Ensure a log metric filter and alarm exist for route table changes (AC_AWS_0570).
  - Ensure a log metric filter and alarm exist for VPC changes (AC_AWS_0571).
  - Ensure a log metric filter and alarm exists for AWS Organizations changes (AC_AWS_0572).
  - Ensure a log metric filter and alarm exist for AWS NAT Gateways (AC_AWS_0150).

Bug Fix |
---|
Fixed an issue with configuring Azure Cloud Account. |
Fixed an issue with mismatch in the misconfigurations count in the Projects and Findings > Misconfigurations tabs. |
Fixed an issue with mismatch in misconfigurations count between the Project and Misconfigurations page. |
Fixed an issue with scans failing for Azure resources. |
Fixed an issue with incorrect policy compliance shown for the AC_AWS_0151 policy. |
Fixed the following Tenable Cloud Security APIs: |
Fixed policy compliance issues with Neptune clusters. |
Fixed issues with ignoring misconfigurations. |
Fixed the misconfigurations report when exported with filters. |
Fixed the mismatch in count between the Misconfigurations dashboard and the Findings page. |
Fixed policy compliance issues with the following policies: |
Tenable Cloud Security 2.8.1 Release Notes (2023-07-11)

Tenable Cloud Security now supports container image and container registry scans for detecting vulnerabilities and enforcing policies. You can scan container images securely without sending the images outside your organization's network.
- Scan images in registries: Continuously monitor and scan registries to detect new vulnerabilities that may have been introduced over time.
- Integrate with CI/CD pipelines: Incorporate security scans, policy enforcement, and compliance checks into pipeline stages by integrating with popular CI/CD tools.
- Scan local images: Scan local images to identify and address vulnerabilities and security issues early in the development lifecycle.
- Create comprehensive container security policies: Write complex Rego-based container security policies with the built-in no-code policy editor, without extensive coding knowledge, and enforce them in your DevOps pipelines as security guardrails. For more information, see Create a Custom Policy.
- Unified and comprehensive view of cloud security: With the addition of container security, you get an all-encompassing view of vulnerabilities across your containerized environments.
Scan images and registry using Tenable Cloud Security CLI
Scan any OCI-compliant Docker image using the Tenable Cloud Security CLI. To run container image and registry scans, download and install Tenable Cloud Security CLI v2.2.0. After your scan completes, you can view the scan results in the Tenable Cloud Security Console. Tenable Cloud Security also provides key insights about the container scans on the Containers and Vulnerabilities dashboards.
For more information about container security, see Container Security with Tenable Cloud Security.

- The Vulnerabilities dashboard now includes data for images along with cloud resources.
- You can now filter the dashboard by the source of vulnerabilities: Cloud or Image.
- The Key insights provide a quick overview of the following actionable metrics:
  - Total vulnerabilities in cloud.
  - Total vulnerabilities in registry.
  - Critical vulnerabilities.
  - Resources with critical vulnerabilities.
- The dashboard now includes the following new widgets:
  - Vulnerabilities accessible from 0.0.0.0/0: Displays the number of vulnerabilities, grouped by severity, on resources with public IP addresses.
  - Top 5 OS / Hosts with critical & high vulnerabilities: Lists the top five operating systems or hosts with the most critical and high severity vulnerabilities. Tenable recommends that you remediate these vulnerabilities first.
  - Vulnerability distribution by asset type: Lists the different asset types and their vulnerabilities distributed by VPR score.

- You can use the Amazon Data Lifecycle Manager (DLM) service to automate the creation of snapshots from EC2 instances on a schedule. To get you started, an example that deploys DLM automatically is available on the Tenable GitHub.
- To automate Azure Virtual Machine snapshot creation, an automated solution is available on the Tenable GitHub.
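As an added example of the DLM approach described above (written for this page, not the Tenable GitHub example and not Tenable code), the Terraform below creates a least-privilege DLM execution role and a lifecycle policy that snapshots every EC2 instance carrying a chosen tag once a day and keeps only the last three snapshots. The role name, region, schedule and the AgentlessAssessment tag key are placeholders: the tag Agentless Assessment actually expects on snapshots is not stated on this page, so take it from the Tenable GitHub example before relying on this. The AWSDataLifecycleManagerServiceRole managed policy and the dlm.amazonaws.com service principal are real AWS identifiers.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumption: provider 5.x
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# Trust policy: only the DLM service may assume this role.
data "aws_iam_policy_document" "dlm_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["dlm.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "dlm" {
  name               = "agentless-assessment-dlm-role" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.dlm_assume_role.json
}

# AWS-managed service-role policy: grants only the EC2 snapshot and tagging
# actions DLM needs, rather than a broad EC2 or admin policy.
resource "aws_iam_role_policy_attachment" "dlm" {
  role       = aws_iam_role.dlm.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole"
}

# Daily instance snapshots for every EC2 instance carrying the target tag.
resource "aws_dlm_lifecycle_policy" "agentless_assessment" {
  description        = "Daily EBS snapshots for agentless assessment"
  execution_role_arn = aws_iam_role.dlm.arn
  state              = "ENABLED"

  policy_details {
    resource_types = ["INSTANCE"]

    # Placeholder tag: only instances carrying it are snapshotted.
    target_tags = {
      AgentlessAssessment = "true"
    }

    schedule {
      name      = "daily-snapshot"
      copy_tags = true # carry the instance tags onto the snapshots

      create_rule {
        interval      = 24
        interval_unit = "HOURS"
        times         = ["02:00"] # UTC
      }

      # Retain only the last three snapshots so the policy does not accumulate
      # storage cost or leave stale disk images lying around.
      retain_rule {
        count = 3
      }

      tags_to_add = {
        ManagedBy = "dlm"
      }
    }
  }
}
```

Scoping the policy with target_tags keeps snapshot creation opt-in per instance, and the short retention limits how many copies of a disk (and whatever secrets it holds) exist at any time; the scanning side still needs the separate read permissions on these snapshots that the onboarding prerequisites in the 2.9 notes refer to.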
Tenable Cloud Security 2.8 Release Notes (2023-06-30)

- On the Policies > Policy Groups page, the Policy Group panel for each policy group now includes details of all benchmarks. You can also filter the policies in the policy group by benchmark.
  To view the Policy Group panel, click any policy group on the Policies > Policy Groups page.
- Improved filtering and sorting on the Alert, Alert Rules, and Remediate pages.
- Filter improvements:
  - The filters applied on a page persist until you clear them explicitly or the filter criteria change because you drilled down from another page.
  - The filter component is now scroll-friendly.

Tenable Cloud Security now supports the following API endpoints for bulk onboarding:
- POST /cns/discovery/v1/account/create: Accepts one or more cloud account details and creates the corresponding records in Tenable Cloud Security.
- POST /cns/discovery/v1/account/configure: Configures the cloud accounts with credentials and associates them with projects.
- POST /cns/discovery/v1/account/fetch: Returns the cloud account details.
- PUT /discovery/v1/account/update: Updates the cloud account credentials.

- Policy Updates:
- Policies now include supported Terraform and Provider version.
- Support for the aws_s3_bucket_lifecycle_configuration cloud resource.
- Deprecated Policies
- Ensure bucket policy is enforced with least privileges for all AWS S3 buckets.
- Ensure bucket policy is enforced with least privileges for all AWS S3 buckets - Terraform Version 1.x.
- Ensure latest generation of instance classes is used by Amazon Relational Database Service (Amazon RDS) instances.
- Ensure latest version of Azure Kubernetes Cluster is in use.

Tenable Cloud Security now supports Amazon Quantum Ledger Database (Amazon QLDB).

Bug Fix |
---|
Fixed performance issues with the List Projects API endpoint. |
Fixed issues with running the List Repositories API endpoint. |
Fixed an issue with incorrect policy compliance shown for the Ensure that request initiated from all ports (*) for all destination ports (*) is restricted from the internet for Azure Network Security Rule policy. |
Fixed an issue with incorrect policy compliance shown for the Ensure IAM Users Receive Permissions Only Through Groups policy. |
Fixed a performance issue when loading the Repositories page. |
Fixed issues with IAM-based policies. |
Fixed an issue integrating with AWS CloudTrail. |
Fixed an issue when onboarding an AWS Code Commit repository. |
Resolved an authentication issue with IaC scanner. |
Updated RDS instance class policy. |
Updated Azure policy names. |
Fixed an issue with incorrect AWS resource counts. |
Fixed an issue with the Last Assessed date on the Policies page. |
Fixed issues with stale resources for AWS, Azure, GCP, and Kubernetes in Tenable Cloud Security. |
Fixed issues with re-assessment of policies so that findings are up to date. |
Tenable Cloud Security 2.7 Release Notes (2023-05-26)

You can now delete cloud accounts from the Cloud accounts tab on the Projects and Connections page. For more information about deleting cloud accounts and viewing deleted accounts, see Delete Cloud Accounts.

- On the Policies page, the Delete option is no longer available from the Policy panel for custom policies.
To delete a custom policy, in the row for the policy that you want to delete, click
> Delete.
- You can now ignore all impacted resources for a non-compliant policy from the Findings > Misconfigurations and Policies pages. For more information, see Ignore Misconfigurations.
- You can now view or edit the other scan profiles of a project while a cloud scan is running with one of its scan profiles.
- The order of Severity in the Custom Policy dialog box has changed.
- The Change History link is no longer available in the Project panel.
- A project name can now have a maximum of 25 characters.
- The Self-Heal policy mode option is no longer available in the Create Policy Group page.
- The Cloud accounts tab now has improved performance when loading the accounts.
- Improvements to the Integrations > API tokens page to show additional details.
- You can now search by plugin name on the Findings > Vulnerabilities tab.
- The Projects, Repositories, and K8s clusters tabs now show the check box selection counts.
- Compliance Reports:
  - Display a bar chart for Failed checks.
  - Include a Clear Filters option for the Benchmark filter.

You can now download inventory data for the following resources that support Agentless Assessment:
- AMI Templates
- Azure MsSql servers

- Improvements to the embedded hyperlinks in the Policy remediation content.
- Formatting of lists and capitalization for Azure Activity Log policies.
- Updates to the Ensure CloudTrail is enabled in all regions policy.

Bug Fix |
---|
Fixed an issue with associating cloud accounts to a project. |
Fixed incorrect alerts generated to upgrade on-premises code scanner. |
Fixed issues with assessing AWS Elastic File System resource types. |
Fixed an issue with the count of ignored resources. |
Fixed issues with resources reported in the Critical Security Insights section. |
Fixed an issue with incorrect policy compliance shown for the Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password policy. |
Fixed issues in detecting the Ensure hardware MFA is enabled for the root user account policy. |
Resource criticality is now removed for AWS resources in Tenable Vulnerability Management. |
Resource criticality is now removed for Azure resources in Tenable Vulnerability Management. |
Fixed an issue with AWS CloudTrail integration. |
Updated the policy and remediation for the Ensure permissions are tightly controlled for Amazon Elastic Container Registry (Amazon ECR) policy. |
Integration with JIRA now shows additional details in the JIRA ticket. |
Fixed an issue with incorrect policy compliance shown for the Ensure deletion window for Customer Managed Keys (CMK) is enabled for AWS Key Management Service (KMS) policy. |
Tenable Cloud Security 2.6.5 Release Notes (2023-05-04)

- Re-assess failed scans: You can now rescan a project whose scan status is Completed with errors. Re-assess is available only for the most recent scan that completed with exceptions, and Tenable Cloud Security rescans only the failed resources.
  To re-assess or rescan a project:
  - In the Projects tab, click the icon in the Status column.
    The Exceptions dialog box appears and displays the failed resources grouped by Account ID.
  - Click Re-assess to rescan the failed resources in the selected cloud account, or Re-assess all to rescan the failed resources in all cloud accounts.
  Where the scan had exceptions, re-assessment covers the failed resources along the following parameters:
  - Accounts, projects, and subscriptions
  - Resource type
  - Regions or Resource group
  For more information, see Projects and Connections in the Tenable Cloud Security User Guide.

Bug Fix |
---|
Resolved an issue with the loading of the Findings page. |
Tenable Cloud Security 2.6.4 Release Notes (2023-04-27)

- Scan status verbiage is changed from Success to Completed.
- You can now view the details of scan errors for misconfigurations with the status Completed with errors. Click the icon in the Status column. The Exceptions dialog box appears and displays the failed resources grouped by Account ID. You can view and sort the exceptions in each cloud account by Failed resource type, Resource group (for Azure), Region (for AWS), and Resource count.

The language for the following policy has been updated:
AC_AWS_0376: Ensure server side encryption (SSE) is using a customer-managed KMS Key for AWS DynamoDB tables.

Bug Fix |
---|
Resolved an issue with filtering using various levels of Benchmark filters. |
Fixed an issue with incorrect policy compliance shown for the AC_AWS_0376 policy. |
Fixed an issue with impacted S3 buckets grayed out when viewing and showing as Unknown. |
Resolved an issue with AWS account onboarding failing with AWS Security Token Service (STS) error. |
Resolved an issue with AWS account onboarding failing with an unknown error. |
Tenable Cloud Security 2.6.3 Release Notes (2023-04-13)

The following policies are added and updated to support the CIS Microsoft Azure Foundations Benchmark 1.5.0:
| Policy Name | Severity | Resource | Change Description |
|---|---|---|---|
| Ensure That No Custom Subscription Owner Roles Are Created | MEDIUM | azurerm_role_definition | PolicyReference Updated |
| Ensure That 'All users with the following roles' is set to 'Owner' | MEDIUM | azurerm_security_center_contact | New Rego |
| Ensure 'Additional email addresses' is Configured with a Security Contact Email | MEDIUM | azurerm_global | New Rego |
| Ensure That 'Notify about alerts with the following severity' is Set to 'High' | MEDIUM | azurerm_security_center_contact | Rule.json Added |
| Ensure that 'Secure transfer required' is set to 'Enabled' | HIGH | azurerm_storage_account | PolicyReference Updated |
| Ensure Default Network Access Rule for Storage Accounts is Set to Deny | MEDIUM | azurerm_storage_account | PolicyReference Updated |
| Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | MEDIUM | azurerm_storage_account | Rule.json Added |
| Ensure the "Minimum TLS version" is set to "Version 1.2" | MEDIUM | azurerm_storage_account | PolicyReference Updated |
| Ensure that 'Auditing' is set to 'On' | MEDIUM | azurerm_sql_server | PolicyReference Updated |
| Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | MEDIUM | azurerm_sql_firewall_rule | Rule.json Added |
| Ensure that Azure Active Directory Admin is configured | HIGH | azurerm_sql_server | Rule.json Added |
| Ensure that 'Data encryption' is set to 'On' on a SQL Database | MEDIUM | azurerm_mssql_server | New Rego |
| Ensure that 'Auditing' Retention is 'greater than 90 days' | LOW | azurerm_sql_server | PolicyReference Updated |
| Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | MEDIUM | azurerm_sql_server | Rule.json Added |
| Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | HIGH | azurerm_postgresql_server | PolicyReference Updated |
| Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_configuration | PolicyReference Updated |
| Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_server | PolicyReference Updated |
| Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_configuration | PolicyReference Updated |
| Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | LOW | azurerm_postgresql_server | PolicyReference Updated |
| Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_configuration | PolicyReference Updated |
| Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | MEDIUM | azurerm_mysql_server | PolicyReference Updated |
| Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | HIGH | azurerm_mysql_server | PolicyReference Updated |
| Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | MEDIUM | azurerm_mysql_server | PolicyReference Updated |
| Ensure Diagnostic Setting captures appropriate categories | MEDIUM | azurerm_monitor_diagnostic_setting | PolicyReference Updated |
| Ensure the storage container storing the activity logs is not publicly accessible | HIGH | azurerm_storage_container | PolicyReference Updated |
| Ensure that logging for Azure Key Vault is 'Enabled' | HIGH | azurerm_key_vault | Rule.json Added |
| Ensure that Activity Log Alert exists for Create Policy Assignment | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Delete Policy Assignment | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Delete Network Security Group | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Create or Update Security Solution | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Delete Security Solution | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that Activity Log Alert exists for Delete Public IP Address rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that RDP access from the Internet is evaluated and restricted | HIGH | azurerm_network_security_rule | Rule.json Added |
| Ensure that SSH access from the Internet is evaluated and restricted | HIGH | azurerm_network_security_rule | Rule.json Added |
| Ensure that UDP access from the Internet is evaluated and restricted | HIGH | azurerm_network_security_rule | Rule.json Added |
| Ensure that HTTP(S) access from the Internet is evaluated and restricted | LOW | azurerm_network_security_rule | Rule.json Added |
| Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | HIGH | azurerm_key_vault_key | PolicyReference Updated |
| Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults | HIGH | azurerm_key_vault_key | Rule.json Added |
| Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | HIGH | azurerm_key_vault_secret | PolicyReference Updated |
| Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | HIGH | azurerm_key_vault_secret | Rule.json Added |
| Ensure the key vault is recoverable | MEDIUM | azurerm_key_vault | PolicyReference Updated |
| Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure Web App is using the latest version of TLS encryption | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure that Register with Azure Active Directory is enabled on App Service | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure FTP deployments are Disabled | MEDIUM | azurerm_windows_function_app | PolicyReference Updated |
| Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | MEDIUM | azurerm_security_center_auto_provisioning | Rule.json Added |
| Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | HIGH | azurerm_storage_account | Rule.json Added |
| Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | MEDIUM | azurerm_mssql_server | New Rego |
| Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | HIGH | azurerm_postgresql_server | Rule.json Added |
| Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | MEDIUM | azurerm_sql_server | PolicyReference Updated |
| Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | MEDIUM | azurerm_sql_server | Rule.json Added |
| Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | MEDIUM | azurerm_sql_server | Rule.json Added |
| Ensure the storage account containing the container with activity logs is encrypted with Customer-Managed Key | MEDIUM | azurerm_storage_account | Rule.json Added |
| Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | MEDIUM | azurerm_network_watcher_flow_log | Rule.json Added |
| Ensure that 'OS and Data' disks are encrypted with Customer-Managed Key (CMK) | MEDIUM | azurerm_windows_virtual_machine_scale_set | PolicyReference Updated |
| Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | MEDIUM | azurerm_managed_disk | Rule.json Added |
| Ensure App Service Authentication is set up for apps in Azure App Service | MEDIUM | azurerm_app_service | Rule.json Added |
| Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | MEDIUM | azurerm_app_service | Rule.json Added |
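As an added example (written for this page, not Tenable code), the Terraform below shows an azurerm_storage_account and activity-log container configured to satisfy the storage rows in the table above (secure transfer required, minimum TLS 1.2, default network rule Deny with the trusted Azure services list allowed, soft delete for blobs and containers) together with the public-access policies updated in the 2.9 notes (AC_AZURE_0232, AC_AZURE_0366, AC_AZURE_0370). It assumes azurerm provider 3.x attribute names, an existing resource group in var.resource_group_name, and placeholder account, container and CIDR values; the customer-managed-key and diagnostic-setting rows in the table need a Key Vault and are not covered here.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumption: 3.x names (enable_https_traffic_only etc.)
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  type = string # assumption: the resource group already exists
}

variable "location" {
  type    = string
  default = "eastus"
}

resource "azurerm_storage_account" "logs" {
  name                     = "stactivitylogs01" # placeholder; must be globally unique
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # 'Secure transfer required' = Enabled and 'Minimum TLS version' = 1.2
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  # No anonymous access to containers or blobs (AC_AZURE_0366 / AC_AZURE_0370)
  allow_nested_items_to_be_public = false

  # Default network access rule = Deny, with the trusted Azure services list
  # allowed through (the two network-access rows for storage accounts above)
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
    ip_rules       = ["203.0.113.0/24"] # constructed example range (TEST-NET-3)
  }

  # Soft delete for blobs and containers
  blob_properties {
    delete_retention_policy {
      days = 30
    }
    container_delete_retention_policy {
      days = 30
    }
  }
}

# Container that will hold the activity logs. 'private' keeps it from being
# publicly accessible (AC_AZURE_0232); the name is a placeholder.
resource "azurerm_storage_container" "activity_logs" {
  name                  = "insights-activity-logs"
  storage_account_name  = azurerm_storage_account.logs.name
  container_access_type = "private"
}
```

Two of these settings interact in a way that is easy to get wrong: default_action = "Deny" without bypass = ["AzureServices"] will block Azure Monitor from writing activity logs into the account, and allow_nested_items_to_be_public = false makes container_access_type anything other than "private" a deployment error rather than a silent exposure.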

Bug Fix |
---|
Fixed an issue with missing virtual machines resources after cloud autodiscovery for Azure subscriptions. |
Fixed an issue with impacted S3 buckets grayed out when viewing and showing as Unknown. |
Fixed issues with AWS CloudTrail integration. |
Tenable Cloud Security 2.6.2 Release Notes (2023-03-30)

Tenable Cloud Security now supports agentless scanning for Azure virtual machines. Agentless Assessment scans Azure virtual machines for vulnerabilities without installing agents in your runtime infrastructure, and the scan runs securely inside your own environment. For more information, see Agentless Assessment.

-
Tenable Cloud Security now shows data loading indicators in various tabs.
-
Additional improvements when loading the Projects page.

Deprecated Policies
- Ensure the security best practices configuration is followed for Amazon Relational Database Service (Amazon RDS) Instances
- Ensure that every AWS account has a first login password reset policy for AWS IAM User Login Profile.
- Ensure IAM instance roles are used for AWS resource access from instances
- Ensure redundant resources are not used for AWS IAM Policy
- Ensure notifications are enabled for AWS CloudFormation stacks
- Ensure valid account number format is used in AWS IAM Policy
- Ensure correct key format is used for condition in AWS IAM Policy
- Ensure there is no IAM policy with invalid region used for resource ARN
Updated Policies
- Ensure principal element is not empty in AWS IAM Policy
- Ensure transit encryption is enabled for AWS ECS Task Definition
- Ensure no security groups allow ingress from ::/0 to remote server administration ports
- Ensure 'allow get actions from all principals' is disabled for AWS S3 Buckets
- Ensure 'allow list actions from all principals' is disabled for AWS S3 Buckets

Bug Fixes |
---|
Fixed an issue with onboarding member accounts of an AWS organization by deploying a stackset. |
Fixed an issue with setting up a read-only IAM role for AWS S3 buckets. |
Fixed an issue with loading the Projects page. |
Fixed an issue with external ID not working for the IAM role. |
Fixed an issue with loading the Findings page. |
Updated RDS policy remediation instructions and checks. |
Fixed issues with the Ensure 'allow *** actions from all principals' is disabled for AWS S3 Buckets policies |
Fixed an issue with the data shown in the Vulnerabilities page. |
Fixed issues with incorrect results shown for several AWS IAM policies. |
Fixed an issue with IPv4 findings being displayed for IPv6 configurations. |
Fixed issues with GCP scan failing without errors. |
Updated the permissions required by Tenable Cloud Security for AWS KMS. |
Fixed an issue with downloading the on-premises code scanner. |
Fixed an issue with incorrect misconfiguration results shown for Azure resources even after remediation. |
Fixed the mismatch in findings in Tenable Vulnerability Management and Tenable Cloud Security for the same resources with the same filters applied. |
Fixed an issue with mismatch in impacted resources count on the Findings page and the Findings details page. |
Fixed issues with scanning some Azure resources in Tenable Cloud Security. |
Fixed a configuration issue causing errors in the IaC scans. |
Added missing filters on the Misconfigurations dashboard. |
Tenable Cloud Security 2.6.1 Release Notes (2023-03-09)

Following a Terraform provider update, the azurerm_sql_server resource is renamed to azurerm_mssql_server. For more information, see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server. Tenable Cloud Security includes the following user interface updates to accommodate this resource name change:
- The Resources page now includes the Mssql Server resource type.
- Tenable Cloud Security continues to display the existing resources and misconfigurations for the SQL Server resource.

Bug Fix |
---|
Fixed an issue with incorrect policy compliance shown for the AC_AZURE_0241 policy. |
Fixed an issue with repeating column headers after every 25000 lines in the CSV exports. |
Fixed an issue with remediation for a cloud resource. |
Tenable Cloud Security 2.6 Release Notes (2023-03-01)

- The Misconfiguration Report now includes IP Address, DNS, and Cloud Tags when exporting to CSV.

- The Benchmark option is now available in the Filters drop-down in the Misconfigurations page.
- Improvements to reduce the loading time of the Projects page.
- Tenable Cloud Security CLI now supports scanning the values files with names other than values.yaml in the Helm directories.

Bug Fix |
---|
Fixed an issue with incorrect policy compliance shown for AC_AZURE_0108 and AC_AZURE_0109 policies. |
Fixed an issue with the NIST-CSF policy group not appearing in the Policy Group filter in the Findings > Misconfigurations page. |
Fixed an issue with incorrect compliance status shown with CloudTrail policy. |
Fixed issues with timeout errors on the Tenable Cloud Security user interface. |
Fixed an issue with cloud scan for CloudTrail resources. |
Fixed an error message when navigating to the Vulnerabilities dashboard. |
Removed policies referring to Terraform Version 1.x for remediation. |
Fixed an issue with Policy Group filter in the Findings > Misconfigurations page. |
Fixed an issue where the scan time is different in the Projects and Manage scan profile pages. |
Tenable Cloud Security 2.5.11 Release Notes (2023-02-21)

Starting with Tenable Cloud Security 2.5.11, Tenable Cloud Security can automatically discover your cloud accounts and onboard them. Tenable Cloud Security provides a new cloud account onboarding flow that supports the following:
- Single account onboarding — Provide the credentials of an AWS, Azure, or GCP account to onboard the account.
- Multiple account discovery and onboarding — Tenable Cloud Security can automatically discover the following:
  - AWS: Provide the credentials of the AWS management account and Tenable Cloud Security automatically discovers all member accounts in that AWS organization.
  - Azure: Provide the tenant-level credentials and Tenable Cloud Security automatically discovers all Azure subscriptions in that tenant.
  - GCP: Provide the credentials of the GCP organization account and Tenable Cloud Security automatically discovers all projects in that organization.
- Tenable Cloud Security schedules a discovery every 24 hours and automatically discovers any new member accounts in the management account. For more information, see Discover Cloud Accounts.

- The Public Cloud option is now removed from the onboarding flow for AWS, Azure, and GCP.
- In the GCP onboarding flow, Tenable Cloud Security validates the uploaded JSON file and shows an error message if the file is not valid JSON.
- You can no longer delete cloud accounts, but you can exclude cloud accounts from scanning. For more information, see Ignore a Cloud Account.
- Enabling the Expand All toggle in the Filter drop-down shows all values within the categories.

Bug Fix |
---|
Fixed issues with loading the Findings page. |
Fixed errors that occur during login and when navigating to the home page from other pages. |
Tenable Cloud Security 2.5.10 Release Notes (2023-02-06)

- You can now customize a table by adding or removing columns using the icon in all tabs of the Projects and Connections page.
- In the repository onboarding flow, Tenable Cloud Security no longer supports Application as the IaC engine type.
- You can now filter by Cloud provider in the Findings > Vulnerabilities tab.

This release provides the following updates to policies:
- Tenable Cloud Security now supports CIS 1.5 Level 1 and Level 2 benchmark compliance.
- Improvements in policy descriptions for clarity.
- Tenable Cloud Security now supports the following policies for AWS Lambda:

Policy ID | Policy | Severity | Terraform resource | Remediation | Benchmark |
---|---|---|---|---|---|
AC_AWS_0613 | Ensure AWS Lambda function is configured with a Dead Letter Queue | LOW | aws_lambda_function | Yes | GDPR:32.1.b, HIPAA:164.306(a)(1)&164.312(b), NIST-800-171:3.3.1&3.3.2&3.3.3, NIST-800-53:AU-2, NIST-CSF:PR.PT-1 |
AC_AWS_0614 | Ensure AWS Lambda Functions have associated tags | LOW | aws_lambda_function | Yes | GDPR:32.1.b, NIST-800-171:3.4.2, NIST-800-53:CM-6, NIST-CSF:PR.IP-1, HIPAA:164.306(a)(1) |
AC_AWS_0615 | Ensure AWS Lambda functions are configured to use provisioned concurrency | LOW | aws_lambda_function | Yes | GDPR:32.1.b, NIST-800-53:SC-6, HIPAA:164.306(a)(1) |
AC_AWS_0616 | Ensure Code Signing is enabled for AWS Lambda functions | HIGH | aws_lambda_function | Yes | GDPR:32.1.b, NIST-800-171:3.4.6&3.4.7, NIST-800-53:CM-7(8), NIST-CSF:PR.DS-6, HIPAA:164.306(a)(1) |
AC_AWS_0618 | Ensure AuthType is set to 'AWS_IAM' for AWS Lambda function URLs | MEDIUM | aws_lambda_permission | Yes | GDPR:32.1.b, HIPAA:164.306(a)(1)&164.312(a)(1), ISO-27001:A.9.4.1&A.9.4.5, NIST-800-171:3.1.1, NIST-800-53:AC-3, NIST-CSF:PR.AC-4&PR.PT-3 |
AC_AWS_0619 | Ensure AWS Lambda function permissions have a source ARN specified | MEDIUM | aws_lambda_permission | Yes | GDPR:32.1.b, HIPAA:164.306(a)(1)&164.312(a)(1), ISO-27001:A.9.4.1&A.9.4.5, NIST-800-171:3.1.1, NIST-800-53:AC-3, N |
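To show what these Lambda policies check for, the following Terraform fragment is an added example (not Tenable's or AWS's own code) that places a permission AC_AWS_0618 and AC_AWS_0619 would flag next to configurations that satisfy AC_AWS_0613, AC_AWS_0616, AC_AWS_0618 and AC_AWS_0619; the account ID, API ID, signing profile ARN and resource names are constructed placeholders.

```hcl
# Added example, not Tenable's or AWS's own code; the account ID, API ID,
# signing profile ARN and resource names are constructed placeholders.
# Flagged by AC_AWS_0619 (no source_arn) and AC_AWS_0618 (auth type NONE).
resource "aws_lambda_permission" "weak" {
  statement_id           = "AllowPublicUrlInvoke"
  action                 = "lambda:InvokeFunctionUrl"
  function_name          = aws_lambda_function.app.function_name
  principal              = "*"
  function_url_auth_type = "NONE"
}

# Passes AC_AWS_0618: the function URL accepts only SigV4-signed requests.
resource "aws_lambda_function_url" "app" {
  function_name      = aws_lambda_function.app.function_name
  authorization_type = "AWS_IAM"
}

# Passes AC_AWS_0619: the grant is bound to one API Gateway stage, not to "*".
resource "aws_lambda_permission" "api_gateway" {
  statement_id  = "AllowApiGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.app.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/prod/*/*"
}

# Passes AC_AWS_0616: unsigned or wrongly signed artifacts are refused at deploy.
resource "aws_lambda_code_signing_config" "app" {
  allowed_publishers {
    signing_profile_version_arns = [
      "arn:aws:signer:us-east-1:111122223333:/signing-profiles/app/abc123",
    ]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}

# Function wired to the signing config (AC_AWS_0616) and a DLQ (AC_AWS_0613).
resource "aws_lambda_function" "app" {
  function_name           = "app"
  role                    = aws_iam_role.lambda_exec.arn   # defined elsewhere
  handler                 = "index.handler"
  runtime                 = "python3.11"
  filename                = "app.zip"
  code_signing_config_arn = aws_lambda_code_signing_config.app.arn
  dead_letter_config {
    target_arn = aws_sqs_queue.dlq.arn                     # defined elsewhere
  }
}
```

The "weak" block is kept only for contrast with the scoped grants; in a real module it is the block you delete, since a NONE grant on the same function would undo the AWS_IAM setting on its URL.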

Bug Fix |
---|
Resolved an issue with Tenable Cloud Security user interface timing out in some cases. |
Tenable Cloud Security 2.5.9 Release Notes (2023-01-17)

The AWS Simple Notification Service (SNS) integration page now requires you to provide the Role Name and External ID of the role with permissions to publish to the SNS topic. For more information, see Configure AWS SNS Alerts.

- The Enable Vulnerability Scan (optional) option for Agentless Assessment is enabled by default for the system default cloud scan profile.
- The Findings page now has the following changes:
  - You can now view the CVSS3 Score on the Vulnerabilities tab.
  - The policy pane on the Misconfigurations tab now has a new resource view.
- The Show All button is now removed from the Policies page.
- The Reports page now includes tooltips for the compliance report coverage numbers.
- Pagination is now available for the K8s clusters tab on the Projects and Connections page.
- You can now add or remove columns on a page using the icon.

Bug Fix |
---|
Fixed an issue with assigning a custom policy to the project. |
Fixed an issue with mismatch between the severity of vulnerabilities shown in the Findings > Vulnerabilities page and the Vulnerabilities details pane for some plugins. |
Fixed an issue integrating Tenable Cloud Security with AWS SNS. |
Fixed an issue with compliance status set incorrectly for the following policy: Ensure IAM password policy prevents password reuse. |