Before we get into this week’s details I want to thank all our beta testers for the great feedback. One of the harder parts of building a product is anticipating all the ways it might be used and, needless to say, that is sort of impossible. Please keep the feedback coming – even small ideas, like where to move a link or a button, can really improve the user experience.

We have also been getting some great ideas for new Ops. As we drive towards the RSA Conference in a couple of weeks our main goal is to finish up all the CIS Benchmarks, but we are lining up the next round of Ops after that. It looks like tag enforcement is high on a bunch of your lists so if you have specific ways you would like to see that implemented it is definitely something we would love to hear.

And if you are reading this and want to try us out we will be expanding testing soon. Just go ahead and put in a request and we can likely get you added within the next few weeks.

Core Product Features

  • The Inventory search is enhanced with better filtering capabilities for the search bar. Not to spoil things, but we have even more enhancements coming soon to improve your ability to quickly find what you need and even share searches with coworkers.
  • We rolled out a new Op template library with enhanced cards. Hooray for icons and color! There are also now two library tabs:a Featured tab which highlights featured, updated, and new Ops; and the All tab which still shows everything.
    • Op versioning is clearly indicated on the Op card. As are Op tags.
Op Template Library
  • With the Op template library enhancements we also refined searching to help you get to the Ops you need more quickly as our library continues to expand.
  • When you add an Op from within a Policy it prompts you with a searchable list of Ops instead of sending you directly to the template library.
  • Inventory can now track CloudTrail configurations
  • Inventory efficiency and scalability is improved by migrating to SQS to manage resource discovery.
  • Rolled out various internal API updates to support future permissioning and users/groups.

New Ops

  • Find Excessive Security Group Permissions: This is an interesting one that looks for a variety of conditions that tend to cause problems with Security Groups. I requested this one myself due to some consistent problems I’ve seen over the years when assessing different accounts. It will find overly broad source ranges, overly broad port ranges, too many /32 rules (usually a sign of people logging in from different locations), or too many overall rules that could trigger your service limit.
  • Manage Internet Exposed Database Servers: Accidentally exposing a database server is about as bad as it gets. This Op finds both public RDS databases and EC2 instances with common database ports.
  • Manage Internet exposed resources: This Op is a generalized version of our various Ops to find Internet exposures. It currently identifies RDS, ELB, and EC2, Lambda, and Elasticsearch exposures and includes supporting actions to lock them down as appropriate for each resource type.

Coming Soon

  • Dynamic Op configuration is near completion and should be rolling out soon. The first version will support organization-wide settings, such as a list of approved IP addresses, that can be selected in supporting Ops. When you change the dynamic config values that will apply the next time the Ops run without requiring reconfiguration of the Ops. The second version will support policy-level dynamic config items.
  • We are closing in on covering all of the CIS benchmarks and should have full coverage for assessment and actions within the next few weeks.