Tenable Cloud Security 2023 Release Notes
Tenable Cloud Security 2.7 Release Notes (2023-05-26)

You can now delete cloud accounts from the Cloud accounts tab on the Projects and Connections page. For more information about deleting cloud accounts and viewing deleted accounts, see Delete Cloud Accounts.

- On the Policies page, the Delete option is no longer available from the Policy panel for custom policies. To delete a custom policy, in the row for the policy that you want to delete, click the icon > Delete.
- You can now ignore all impacted resources for a non-compliant policy from the Findings > Misconfigurations and Policies pages. For more information, see Ignore Misconfigurations.
- You can now view or edit other scan profiles of a project when the cloud scan is running with one of the scan profiles.
- The order of Severity in the Custom Policy dialog box has changed.
- The Change History link is no longer available in the Project panel.
- A project name can now have a maximum of 25 characters.
- The Self-Heal policy mode option is no longer available in the Create Policy Group page.
- The Cloud accounts tab now has improved performance when loading the accounts.
- Improvements to the Integrations > API tokens page to show additional details.
- You can now search by plugin name on the Findings > Vulnerabilities tab.
- The Projects, Repositories, and K8s clusters tabs now show the check box selection counts.
- Compliance Reports:
  - Displays a bar chart for Failed checks.
  - Includes a Clear Filters option for the Benchmark filter.
- You can now download inventory data for resources that support Agentless Assessment:
  - AMI Templates
  - Azure MsSql servers

- Improvements to the embedded hyperlinks in the Policy remediation content.
- Formatting of lists and capitalization for Azure Activity Log policies.
- Updates to the Ensure CloudTrail is enabled in all regions policy.

Bug Fix |
---|
Fixed an issue with associating cloud accounts to a project. |
Fixed incorrect alerts generated to upgrade on-premises code scanner. |
Fixed issues with assessing AWS Elastic File System resource types. |
Fixed an issue with the count of ignored resources. |
Fixed issues with resources reported in the Critical Security Insights section. |
Fixed an issue with incorrect policy compliance shown for the Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password policy. |
Fixed issues in detecting the Ensure hardware MFA is enabled for the root user account policy. |
Resource criticality is now removed for AWS resources in Tenable Vulnerability Management. |
Resource criticality is now removed for Azure resources in Tenable Vulnerability Management. |
Fixed an issue with AWS CloudTrail integration. |
Updated the policy and remediation for the Ensure permissions are tightly controlled for Amazon Elastic Container Registry (Amazon ECR) policy. |
Integration with JIRA now shows additional details in the JIRA ticket. |
Fixed an issue with incorrect policy compliance shown for the Ensure deletion window for Customer Managed Keys (CMK) is enabled for AWS Key Management Service (KMS) policy. |
Tenable Cloud Security 2.6.5 Release Notes (2023-05-04)

- Re-assess failed scans — You can now rescan a project with the scan status Completed with errors. Re-assess is only available for the most recent scan that completed with errors, and Tenable Cloud Security rescans only the failed resources.
  To re-assess or rescan a project:
  - In the Projects tab, click the icon in the Status column. The Exceptions dialog box appears and displays the failed resources grouped by Account ID.
  - Click Re-assess to rescan the failed resources in the selected cloud account, or Re-assess all to rescan the failed resources in all cloud accounts.
  Re-assessing scans the following if the scan has exceptions across these parameters:
  - Accounts, projects, and subscriptions
  - Resource type
  - Regions or Resource group
  For more information, see Projects and Connections in the Tenable Cloud Security User Guide.

Bug Fix |
---|
Resolved an issue with the loading of the Findings page. |
Tenable Cloud Security 2.6.4 Release Notes (2023-04-27)

- Scan status verbiage is changed from Success to Completed.
- You can now view the details of scan errors for misconfigurations with the status Completed with errors. Click the icon in the Status column. The Exceptions dialog box appears and displays the failed resources grouped by Account ID. You can view and sort the exceptions in each cloud account by Failed resource type, Resource group (for Azure), Region (for AWS), and Resource count.

The language for the following policy has been updated:
AC_AWS_0376: Ensure server side encryption (SSE) is using a customer-managed KMS Key for AWS DynamoDB tables.

Bug Fix |
---|
Resolved an issue with filtering using various levels of Benchmark filters. |
Fixed an issue with incorrect policy compliance shown for the AC_AWS_0376 policy. |
Fixed an issue with impacted S3 buckets grayed out when viewing and showing as Unknown. |
Resolved an issue with AWS account onboarding failing with AWS Security Token Service (STS) error. |
Resolved an issue with AWS account onboarding failing with an unknown error. |
Tenable Cloud Security 2.6.3 Release Notes (2023-04-13)

The following policies are added and updated to support the CIS Microsoft Azure Foundations Benchmark 1.5.0:
| Policy Name | Severity | Resource | Change Description |
|---|---|---|---|
| Ensure That No Custom Subscription Owner Roles Are Created | MEDIUM | azurerm_role_definition | PolicyReference Updated |
| Ensure That 'All users with the following roles' is set to 'Owner' | MEDIUM | azurerm_security_center_contact | New Rego |
| Ensure 'Additional email addresses' is Configured with a Security Contact Email | MEDIUM | azurerm_global | New Rego |
| Ensure That 'Notify about alerts with the following severity' is Set to 'High' | MEDIUM | azurerm_security_center_contact | Rule.json Added |
| Ensure that 'Secure transfer required' is set to 'Enabled' | HIGH | azurerm_storage_account | PolicyReference Updated |
| Ensure Default Network Access Rule for Storage Accounts is Set to Deny | MEDIUM | azurerm_storage_account | PolicyReference Updated |
| Ensure Soft Delete is Enabled for Azure Containers and Blob Storage | MEDIUM | azurerm_storage_account | Rule.json Added |
| Ensure the "Minimum TLS version" is set to "Version 1.2" | MEDIUM | azurerm_storage_account | PolicyReference Updated |
| Ensure that 'Auditing' is set to 'On' | MEDIUM | azurerm_sql_server | PolicyReference Updated |
| Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP) | MEDIUM | azurerm_sql_firewall_rule | Rule.json Added |
| Ensure that Azure Active Directory Admin is configured | HIGH | azurerm_sql_server | Rule.json Added |
| Ensure that 'Data encryption' is set to 'On' on a SQL Database | MEDIUM | azurerm_mssql_server | New Rego |
| Ensure that 'Auditing' Retention is 'greater than 90 days' | LOW | azurerm_sql_server | PolicyReference Updated |
| Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server | MEDIUM | azurerm_sql_server | Rule.json Added |
| Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | HIGH | azurerm_postgresql_server | PolicyReference Updated |
| Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_configuration | PolicyReference Updated |
| Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_server | PolicyReference Updated |
| Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_configuration | PolicyReference Updated |
| Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | LOW | azurerm_postgresql_server | PolicyReference Updated |
| Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server | MEDIUM | azurerm_postgresql_configuration | PolicyReference Updated |
| Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled' | MEDIUM | azurerm_mysql_server | PolicyReference Updated |
| Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server | HIGH | azurerm_mysql_server | PolicyReference Updated |
| Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server | MEDIUM | azurerm_mysql_server | PolicyReference Updated |
| Ensure Diagnostic Setting captures appropriate categories | MEDIUM | azurerm_monitor_diagnostic_setting | PolicyReference Updated |
| Ensure the storage container storing the activity logs is not publicly accessible | HIGH | azurerm_storage_container | PolicyReference Updated |
| Ensure that logging for Azure Key Vault is 'Enabled' | HIGH | azurerm_key_vault | Rule.json Added |
| Ensure that Activity Log Alert exists for Create Policy Assignment | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Delete Policy Assignment | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Create or Update Network Security Group | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Delete Network Security Group | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Create or Update Security Solution | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Delete Security Solution | MEDIUM | azurerm_monitor_activity_log_alert | PolicyReference Updated |
| Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that Activity Log Alert exists for Create or Update Public IP Address rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that Activity Log Alert exists for Delete Public IP Address rule | MEDIUM | azurerm_monitor_activity_log_alert | Rule.json Added |
| Ensure that RDP access from the Internet is evaluated and restricted | HIGH | azurerm_network_security_rule | Rule.json Added |
| Ensure that SSH access from the Internet is evaluated and restricted | HIGH | azurerm_network_security_rule | Rule.json Added |
| Ensure that UDP access from the Internet is evaluated and restricted | HIGH | azurerm_network_security_rule | Rule.json Added |
| Ensure that HTTP(S) access from the Internet is evaluated and restricted | LOW | azurerm_network_security_rule | Rule.json Added |
| Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | HIGH | azurerm_key_vault_key | PolicyReference Updated |
| Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults | HIGH | azurerm_key_vault_key | Rule.json Added |
| Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | HIGH | azurerm_key_vault_secret | PolicyReference Updated |
| Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | HIGH | azurerm_key_vault_secret | Rule.json Added |
| Ensure the key vault is recoverable | MEDIUM | azurerm_key_vault | PolicyReference Updated |
| Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure Web App is using the latest version of TLS encryption | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure that Register with Azure Active Directory is enabled on App Service | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App | MEDIUM | azurerm_app_service | PolicyReference Updated |
| Ensure FTP deployments are Disabled | MEDIUM | azurerm_windows_function_app | PolicyReference Updated |
| Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | MEDIUM | azurerm_security_center_auto_provisioning | Rule.json Added |
| Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | HIGH | azurerm_storage_account | Rule.json Added |
| Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | MEDIUM | azurerm_mssql_server | New Rego |
| Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers | HIGH | azurerm_postgresql_server | Rule.json Added |
| Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account | MEDIUM | azurerm_sql_server | PolicyReference Updated |
| Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server | MEDIUM | azurerm_sql_server | Rule.json Added |
| Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server | MEDIUM | azurerm_sql_server | Rule.json Added |
| Ensure the storage account containing the container with activity logs is encrypted with Customer-Managed Key | MEDIUM | azurerm_storage_account | Rule.json Added |
| Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | MEDIUM | azurerm_network_watcher_flow_log | Rule.json Added |
| Ensure that 'OS and Data' disks are encrypted with Customer-Managed Key (CMK) | MEDIUM | azurerm_windows_virtual_machine_scale_set | PolicyReference Updated |
| Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | MEDIUM | azurerm_managed_disk | Rule.json Added |
| Ensure App Service Authentication is set up for apps in Azure App Service | MEDIUM | azurerm_app_service | Rule.json Added |
| Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On' | MEDIUM | azurerm_app_service | Rule.json Added |

Bug Fix |
---|
Fixed an issue with missing virtual machines resources after cloud autodiscovery for Azure subscriptions. |
Fixed an issue with impacted S3 buckets grayed out when viewing and showing as Unknown. |
Fixed issues with AWS CloudTrail integration. |
Tenable Cloud Security 2.6.2 Release Notes (2023-03-30)

Tenable Cloud Security now supports agentless scanning for Azure virtual machines. Agentless Assessment scans Azure virtual machines for vulnerabilities without installing any agents into your run-time infrastructure. It securely scans your resources inside your own environment. For more information, see Agentless Assessment.

- Tenable Cloud Security now shows data loading indicators in various tabs.
- Additional improvements when loading the Projects page.

Deprecated Policies
- Ensure the security best practices configuration is followed for Amazon Relational Database Service (Amazon RDS) Instances
- Ensure that every AWS account has a first login password reset policy for AWS IAM User Login Profile.
- Ensure IAM instance roles are used for AWS resource access from instances
- Ensure redundant resources are not used for AWS IAM Policy
- Ensure notifications are enabled for AWS CloudFormation stacks
- Ensure valid account number format is used in AWS IAM Policy
- Ensure correct key format is used for condition in AWS IAM Policy
- Ensure there is no IAM policy with invalid region used for resource ARN
Updated Policies
- Ensure principal element is not empty in AWS IAM Policy
- Ensure transit encryption is enabled for AWS ECS Task Definition
- Ensure no security groups allow ingress from ::/0 to remote server administration ports
- Ensure 'allow get actions from all principals' is disabled for AWS S3 Buckets
- Ensure 'allow list actions from all principals' is disabled for AWS S3 Buckets

Bug Fixes |
---|
Fixed an issue with onboarding member accounts of an AWS organization by deploying a CloudFormation StackSet. |
Fixed an issue with setting up a read-only IAM role for AWS S3 buckets. |
Fixed an issue with loading the Projects page. |
Fixed an issue with external ID not working for the IAM role. |
Fixed an issue with loading the Findings page. |
Updated RDS policy remediation instructions and checks. |
Fixed issues with the Ensure 'allow *** actions from all principals' is disabled for AWS S3 Buckets policies. |
Fixed an issue with the data shown in the Vulnerabilities page. |
Fixed issues with incorrect results shown for several AWS IAM policies. |
Fixed an issue with IPv4 findings being displayed for IPv6 configurations. |
Fixed issues with GCP scan failing without errors. |
Updated the permissions required by Tenable Cloud Security for AWS KMS. |
Fixed an issue with downloading the on-premises code scanner. |
Fixed an issue with incorrect misconfiguration results shown for Azure resources even after remediation. |
Fixed the mismatch in findings in Tenable Vulnerability Management and Tenable Cloud Security for the same resources with the same filters applied. |
Fixed an issue with mismatch in impacted resources count on the Findings page and the Findings details page. |
Fixed issues with scanning some Azure resources in Tenable Cloud Security. |
Fixed a configuration issue causing errors in the IaC scans. |
Added missing filters on the Misconfigurations dashboard. |
Tenable Cloud Security 2.6.1 Release Notes (2023-03-09)

Following the Terraform azurerm provider update, the azurerm_sql_server resource is renamed to azurerm_mssql_server. For more information, see https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server. Tenable Cloud Security includes the following user interface updates to accommodate this resource name change:
- The Resources page now includes the Mssql Server resource type.
- Tenable Cloud Security continues to display the existing resources and misconfigurations for the SQL Server resource.

Bug Fix |
---|
Fixed an issue with incorrect policy compliance shown for the AC_AZURE_0241 policy. |
Fixed an issue with repeating column headers after every 25000 lines in the CSV exports. |
Fixed an issue with remediation for a cloud resource. |
Tenable Cloud Security 2.6 Release Notes (2023-03-01)

- The Misconfiguration Report now includes IP Address, DNS, and Cloud Tags when exporting to CSV.
- The Benchmark option is now available in the Filters drop-down on the Misconfigurations page.
- Improvements to reduce the loading time of the Projects page.
- Tenable Cloud Security CLI now supports scanning values files with names other than values.yaml in Helm directories.

Bug Fix |
---|
Fixed an issue with incorrect policy compliance shown for AC_AZURE_0108 and AC_AZURE_0109 policies. |
Fixed an issue with the NIST-CSF policy group not appearing in the Policy Group filter in the Findings > Misconfigurations page. |
Fixed an issue with incorrect compliance status shown with CloudTrail policy. |
Fixed issues with timeout errors on the Tenable Cloud Security user interface. |
Fixed an issue with cloud scan for CloudTrail resources. |
Fixed an error message when navigating to the Vulnerabilities dashboard. |
Removed policies referring to Terraform Version 1.x for remediation. |
Fixed an issue with Policy Group filter in the Findings > Misconfigurations page. |
Fixed an issue where the scan time is different in the Projects and Manage scan profile pages. |
Tenable Cloud Security 2.5.11 Release Notes (2023-02-21)

Starting with Tenable.cs 2.5.11, Tenable Cloud Security can automatically discover your cloud accounts and onboard them. The new cloud account onboarding flow supports the following:
- Single account onboarding: Provide the credentials of an AWS, Azure, or GCP account to onboard the account.
- Multiple account discovery and onboarding: Tenable Cloud Security can automatically discover the following:
  - AWS: Provide the credentials of the AWS management account and Tenable Cloud Security automatically discovers all member accounts in that AWS organization.
  - Azure: Provide the tenant-level credentials and Tenable Cloud Security automatically discovers all Azure subscriptions in that tenant.
  - GCP: Provide the credentials of the GCP organization account and Tenable Cloud Security automatically discovers all projects in that organization.
- Tenable Cloud Security schedules a discovery every 24 hours and automatically discovers any new member accounts in the management account. For more information, see Discover Cloud Accounts.

- The Public Cloud option is now removed from the onboarding flow for AWS, Azure, and GCP.
- In the GCP onboarding flow, Tenable Cloud Security validates the uploaded JSON file and shows an error message if the file is not in JSON format.
- You can no longer delete cloud accounts, but you can ignore cloud accounts from scanning. For more information, see Ignore a Cloud Account.
- Enabling the Expand All toggle in the Filter drop-down shows all values within the categories.

Bug Fix |
---|
Fixed issues with loading the Findings page. |
Fixed errors that occur during login and when navigating to the home page from other pages. |
Tenable Cloud Security 2.5.10 Release Notes (2023-02-06)

- You can now customize a table by adding or removing columns using the icon in all tabs of the Projects and Connections page.
- In the repository onboarding flow, Tenable Cloud Security no longer supports Application as the IaC engine type.
- You can now filter by Cloud provider in the Findings > Vulnerabilities tab.

This release provides the following updates to policies:
- Tenable Cloud Security now supports CIS 1.5 Level 1 and Level 2 benchmark compliance.
- Improvements in policy descriptions for clarity.
- Tenable Cloud Security now supports the following policies for AWS Lambda:

| Policy ID | Policy | Severity | Terraform resource | Remediation | Benchmark |
|---|---|---|---|---|---|
| AC_AWS_0613 | Ensure AWS Lambda function is configured with a Dead Letter Queue | LOW | aws_lambda_function | Yes | GDPR:32.1.b, HIPAA:164.306(a)(1)&164.312(b), NIST-800-171:3.3.1&3.3.2&3.3.3, NIST-800-53:AU-2, NIST-CSF:PR.PT-1 |
| AC_AWS_0614 | Ensure AWS Lambda Functions have associated tags | LOW | aws_lambda_function | Yes | GDPR:32.1.b, NIST-800-171:3.4.2, NIST-800-53:CM-6, NIST-CSF:PR.IP-1, HIPAA:164.306(a)(1) |
| AC_AWS_0615 | Ensure AWS Lambda functions are configured to use provisioned concurrency | LOW | aws_lambda_function | Yes | GDPR:32.1.b, NIST-800-53:SC-6, HIPAA:164.306(a)(1) |
| AC_AWS_0616 | Ensure Code Signing is enabled for AWS Lambda functions | HIGH | aws_lambda_function | Yes | GDPR:32.1.b, NIST-800-171:3.4.6&3.4.7, NIST-800-53:CM-7(8), NIST-CSF:PR.DS-6, HIPAA:164.306(a)(1) |
| AC_AWS_0618 | Ensure AuthType is set to 'AWS_IAM' for AWS Lambda function URLs | MEDIUM | aws_lambda_permission | Yes | GDPR:32.1.b, HIPAA:164.306(a)(1)&164.312(a)(1), ISO-27001:A.9.4.1&A.9.4.5, NIST-800-171:3.1.1, NIST-800-53:AC-3, NIST-CSF:PR.AC-4&PR.PT-3 |
| AC_AWS_0619 | Ensure AWS Lambda function permissions have a source ARN specified | MEDIUM | aws_lambda_permission | Yes | GDPR:32.1.b, HIPAA:164.306(a)(1)&164.312(a)(1), ISO-27001:A.9.4.1&A.9.4.5, NIST-800-171:3.1.1, NIST-800-53:AC-3, N |
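As an added example (not part of Tenable's release notes, and not Tenable's Rego or rule.json), the following Python sketch shows what a few of the policies named on this page actually evaluate when run against `terraform show -json` output: the Azure SQL firewall "ANY IP" check and the storage-account secure-transfer and minimum-TLS checks from the CIS Microsoft Azure Foundations Benchmark 1.5.0 table in the 2.6.3 notes above, and AC_AWS_0618 and AC_AWS_0619 from the Lambda table here. Attribute names follow the hashicorp/azurerm and hashicorp/aws provider schemas; the sample plan, resource addresses, ARNs, the "missing attribute fails" choice and the decision to restrict the source-ARN rule to AWS service principals are all assumptions made for this illustration.

```python
"""Illustrative policy-as-code checks over `terraform show -json` output.

Added example, not Tenable Cloud Security's own rule content. Attribute names
follow the hashicorp/azurerm and hashicorp/aws Terraform provider schemas.
"""
from typing import Callable, Iterable, Optional

Check = Callable[[dict], Optional[str]]


def sql_any_ip(v: dict) -> Optional[str]:
    # CIS Azure 1.5.0 "no ingress 0.0.0.0/0 (ANY IP)": a rule from 0.0.0.0 to
    # 255.255.255.255 admits every address. 0.0.0.0-0.0.0.0 is the portal's
    # "allow Azure services" rule; assumption: flag it as over-broad as well.
    if v.get("start_ip_address") == "0.0.0.0" and v.get("end_ip_address") in (
        "0.0.0.0", "255.255.255.255"
    ):
        return f"firewall rule {v['start_ip_address']}-{v['end_ip_address']}"
    return None


def secure_transfer(v: dict) -> Optional[str]:
    # Assumption: a missing attribute is treated as non-compliant.
    ok = v.get("enable_https_traffic_only") is True
    return None if ok else "enable_https_traffic_only is not true"


def min_tls(v: dict) -> Optional[str]:
    ok = v.get("min_tls_version") == "TLS1_2"
    return None if ok else f"min_tls_version={v.get('min_tls_version')!r}"


def url_auth_type(v: dict) -> Optional[str]:
    # AC_AWS_0618: Terraform grants an unauthenticated function URL through an
    # aws_lambda_permission with function_url_auth_type = "NONE".
    if v.get("function_url_auth_type") == "NONE":
        return "function_url_auth_type is NONE"
    return None


def service_source_arn(v: dict) -> Optional[str]:
    # AC_AWS_0619: a permission for an AWS service principal without source_arn
    # lets that service invoke the function on behalf of any account (confused
    # deputy). Assumption: only service principals are in scope for this rule.
    principal = str(v.get("principal", ""))
    if principal.endswith(".amazonaws.com") and not v.get("source_arn"):
        return f"{principal} permission has no source_arn"
    return None


# (policy title as listed on this page, Terraform resource types, predicate)
RULES: list[tuple[str, tuple[str, ...], Check]] = [
    ("Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)",
     ("azurerm_sql_firewall_rule", "azurerm_mssql_firewall_rule"), sql_any_ip),
    ("Ensure that 'Secure transfer required' is set to 'Enabled'",
     ("azurerm_storage_account",), secure_transfer),
    ('Ensure the "Minimum TLS version" is set to "Version 1.2"',
     ("azurerm_storage_account",), min_tls),
    ("AC_AWS_0618 Ensure AuthType is set to 'AWS_IAM' for AWS Lambda function URLs",
     ("aws_lambda_permission",), url_auth_type),
    ("AC_AWS_0619 Ensure AWS Lambda function permissions have a source ARN specified",
     ("aws_lambda_permission",), service_source_arn),
]


def iter_resources(plan: dict) -> Iterable[dict]:
    """Yield every resource in the root module and all nested child modules."""
    values = plan.get("planned_values") or plan.get("values") or {}
    stack = [values.get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def evaluate(plan: dict) -> list[tuple[str, str, str]]:
    """Return (policy, resource address, reason) for each failing resource."""
    findings = []
    for res in iter_resources(plan):
        for title, types, check in RULES:
            if res.get("type") in types:
                reason = check(res.get("values", {}))
                if reason:
                    findings.append((title, res["address"], reason))
    return findings


# Constructed sample in the shape of `terraform show -json tfplan`; addresses,
# IP ranges and ARNs are made up for this illustration.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "azurerm_mssql_firewall_rule.open", "type": "azurerm_mssql_firewall_rule",
         "values": {"start_ip_address": "0.0.0.0", "end_ip_address": "255.255.255.255"}},
        {"address": "azurerm_mssql_firewall_rule.office", "type": "azurerm_mssql_firewall_rule",
         "values": {"start_ip_address": "203.0.113.0", "end_ip_address": "203.0.113.255"}},
        {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
         "values": {"enable_https_traffic_only": False, "min_tls_version": "TLS1_0"}},
        {"address": "azurerm_storage_account.hardened", "type": "azurerm_storage_account",
         "values": {"enable_https_traffic_only": True, "min_tls_version": "TLS1_2"}},
    ],
    "child_modules": [{"resources": [
        {"address": "module.api.aws_lambda_permission.public_url", "type": "aws_lambda_permission",
         "values": {"action": "lambda:InvokeFunctionUrl", "principal": "*",
                    "function_url_auth_type": "NONE"}},
        {"address": "module.api.aws_lambda_permission.s3_trigger", "type": "aws_lambda_permission",
         "values": {"action": "lambda:InvokeFunction", "principal": "s3.amazonaws.com"}},
        {"address": "module.api.aws_lambda_permission.s3_trigger_scoped", "type": "aws_lambda_permission",
         "values": {"action": "lambda:InvokeFunction", "principal": "s3.amazonaws.com",
                    "source_arn": "arn:aws:s3:::example-upload-bucket"}},
    ]}],
}}}

if __name__ == "__main__":
    for policy, address, reason in evaluate(SAMPLE_PLAN):
        print(f"FAIL {address}: {reason}  [{policy}]")
```

To run it against real output, produce `terraform show -json tfplan > plan.json`, load it with `json.load`, and pass the dict to `evaluate`; the module walker matters because most real plans keep their resources in child modules rather than at the root.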

Bug Fix |
---|
Resolved an issue with Tenable Cloud Security user interface timing out in some cases. |
Tenable Cloud Security 2.5.9 Release Notes (2023-01-17)

The AWS Simple Notification Service (SNS) integration page now requires you to provide the Role Name and External ID of the role with permissions to publish to the SNS topic. For more information, see Configure AWS SNS Alerts.

- The Enable Vulnerability Scan (optional) option for Agentless Assessment is enabled by default for the system default cloud scan profile.
- The Findings page now has the following changes:
  - You can now view the CVSS3 Score on the Vulnerabilities tab.
  - The policy pane on the Misconfigurations tab now has a new resource view.
- The Show All button is now removed from the Policies page.
- The Reports page now includes tool tips for the compliance report coverage numbers.
- Pagination is now available for the K8s clusters tab on the Projects and Connections page.
- You can now add or remove columns in a page using the icon.

Bug Fix |
---|
Fixed an issue with assigning a custom policy to the project. |
Fixed an issue with mismatch between the severity of vulnerabilities shown in the Findings > Vulnerabilities page and the Vulnerabilities details pane for some plugins. |
Fixed an issue integrating Tenable Cloud Security with AWS SNS. |
Fixed an issue with compliance status set incorrectly for the following policy: Ensure IAM password policy prevents password reuse. |