Oxygen Release Notes for July 2021

Author: Cloudticity, L.L.C. (tagged in Oxygen™ Release Notes)

New and Updated Workflows for AWS

  • o2-asg-invalid-ami -- Checks to see if a Launch Configuration associated with an Auto Scaling Group is using a valid AMI. This workflow is triggered every 4 hours.
  • o2-aws-service-limit-approaching -- Checks to see if an account and region have reached 80% of allowed use for a service.
  • o2-aws-service-limit-reached -- Checks to see if an account and region have reached 100% of allowed use for a service.
  • o2-ec2-public-subnet -- Checks to see whether an EC2 instance is deployed in a subnet that is publicly accessible.
  • o2-s3-default-encryption -- Checks whether an S3 bucket has default encryption configured.
  • o2-api-gateway-v1/v2-authorization -- Checks to see if an API Gateway is using an authorizer.
  • o2-ebs-no-default-encryption -- Checks to see if EBS default encryption is enabled for a region.
  • o2-ebs-no-recent-snapshot -- Checks to see if an EBS volume has had a snapshot created within the last 7 days.
  • o2-elasticache-required-tags -- Checks to see if the required o2:phi and o2:environment tags are associated with the resource.
  • o2-emr-required-tags -- Checks to see if the required o2:phi and o2:environment tags are associated with the resource.
  • o2-lambda-latest-runtime -- Checks to see if the Lambda function is using the earliest supported runtime.
  • o2-lambda-valid-iam-role -- Checks to see if the IAM role assigned to a Lambda function is available and not deleted.
  • o2-rds-db-instance-generation -- Checks to see if an RDS DB instance is a current generation.
  • o2-rds-default-username -- Checks to see if an RDS database is using the default admin username.
  • o2-rds-open-security-group -- Checks to see if an RDS database security group has inbound rules to allow traffic from any IP address.
  • o2-redshift-open-security-group -- Checks to see if a Redshift cluster is using a security group configured for an open IP range.
  • o2-vpc-default-sg-allow-traffic -- Checks to see if the default VPC security group is configured to allow traffic.
  • o2-vpc-no-default-tags -- Checks to see if the required o2:phi and o2:environment tags are associated with the VPC.
  • o2-workspace-encryption-status -- Checks to see if a Workspace has encryption at rest enabled for its root and storage volumes.
  • o2-workspace-operational-state -- Checks to see if a Workspace is in an operational state.
  • o2-ebs-orphaned-volume -- Checks to see if an EBS volume is attached to an instance.
  • o2-iam-user-no-group-assignment -- Checks to see if an IAM user is assigned to the o2-Customer IAM group.
  • o2-iam-unassigned-user -- This workflow has been renamed to 'o2-iam-user-no-group-assignment'.
  • o2-ssm-unmanaged-instance -- This workflow has been refactored and renamed to 'o2-ec2-unmanaged-instance'.
  • Workflow Change -- EC2 workflows will only evaluate instances that are in a 'running' state. This eliminates false positives and 'bouncing' events caused by instances being stopped during off-hours.
  • Workflow Change -- We are now ignoring the o2-ebs-unencrypted-volume check for volumes that are not attached to an instance.
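To make the intent of the security-group and tag checks listed above concrete (o2-rds-open-security-group, o2-redshift-open-security-group, o2-vpc-default-sg-allow-traffic, and the o2:phi / o2:environment tag checks), here is an added Python example. It is not Oxygen's own code, which this page does not publish; it evaluates security group descriptions in the shape returned by EC2 DescribeSecurityGroups and a tag list in the standard AWS Key/Value format. The function names, the constructed sample data, and the rules that "open" means a /0 CIDR in IPv4 or IPv6 and that an empty tag value counts as missing are assumptions of this example.

```python
import ipaddress

# Required tag keys named in the release notes.
REQUIRED_TAGS = ("o2:phi", "o2:environment")


def _covers_everything(cidr: str) -> bool:
    """True when a CIDR admits every address of its family (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed CIDR: not treated as open, but worth logging


def open_ingress_rules(security_group: dict) -> list:
    """Return (protocol, from_port, to_port, cidr) for every inbound rule that
    allows traffic from any IP address.

    `security_group` is one element of the 'SecurityGroups' list returned by
    EC2 DescribeSecurityGroups (IpPermissions with IpRanges / Ipv6Ranges).
    Rules that reference other security groups (UserIdGroupPairs) are never
    "open" in this sense and are ignored.
    """
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        from_port = perm.get("FromPort")  # absent when IpProtocol is -1 (all)
        to_port = perm.get("ToPort")
        ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            if cidr and _covers_everything(cidr):
                findings.append((proto, from_port, to_port, cidr))
    return findings


def default_sg_allows_traffic(security_group: dict) -> bool:
    """Hypothetical o2-vpc-default-sg-allow-traffic logic: the VPC default
    group should carry no inbound or outbound rules at all."""
    if security_group.get("GroupName") != "default":
        return False
    return bool(security_group.get("IpPermissions")
                or security_group.get("IpPermissionsEgress"))


def missing_required_tags(tags: list) -> list:
    """Return the required o2 tag keys that are absent or empty in an AWS tag
    list ([{'Key': ..., 'Value': ...}, ...])."""
    present = {t.get("Key"): t.get("Value") for t in tags or []}
    return [key for key in REQUIRED_TAGS if not present.get(key)]


# Constructed sample data in the DescribeSecurityGroups shape (not real resources).
OPEN_RDS_SG = {
    "GroupId": "sg-example-open", "GroupName": "rds-postgres",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ],
}
SAFE_SG = {
    "GroupId": "sg-example-safe", "GroupName": "redshift-private",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-example-app"}]},
    ],
}
DEFAULT_SG = {
    "GroupId": "sg-example-default", "GroupName": "default",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-example-default"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1",
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SAMPLE_TAGS = [{"Key": "o2:phi", "Value": "true"}, {"Key": "Name", "Value": "db1"}]

if __name__ == "__main__":
    for sg in (OPEN_RDS_SG, SAFE_SG):
        print(sg["GroupId"], "open rules:", open_ingress_rules(sg))
    print(DEFAULT_SG["GroupId"], "allows traffic:", default_sg_allows_traffic(DEFAULT_SG))
    print("missing tags:", missing_required_tags(SAMPLE_TAGS))
```

The port-level detail in each finding is what makes the alert actionable: an all-protocol rule from ::/0 and a single database port exposed to 0.0.0.0/0 call for different remediations, and both are missed by a check that only looks at IPv4 ranges.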


New and Updated Workflows for Azure

  • o2-automation-account-diagnostic-logs -- Checks to see if diagnostic logs in Azure Automation accounts have been enabled.
  • o2-kubernetes-advanced-threat-detection-check -- Checks to see if Kubernetes advanced threat detection has been deployed.
  • o2-sql-service-tls-check -- Checks to see if the latest TLS version is being used by SQL Server.
  • o2-function-app-managed-identity -- Checks to see if a Function App is using a managed identity.
  • o2-azure-service-cost-increase -- Checks to see if a cost increase of over 10% has been found for a single Azure service.
  • o2-azure-service-limit-reached -- Checks to see if the maximum service usage has been reached.
  • o2-azure-vm-monitor-alerts -- Reports when a virtual machine CPU, Memory, or Filesystem alert threshold has been reached.
  • o2-vnet-ddos-protection-check -- Checks to see if Azure DDoS protection has been enabled for Virtual Networks.


New Azure Services

  • Azure Service Limit Monitoring: Service limit monitoring for Azure has been added to Oxygen. Service limit monitoring executes a daily check to see whether the maximum allowed usage of a single service has been reached. Any issues found will trigger the o2-azure-service-limit-reached workflow.
  • Azure Performance Monitoring: Azure performance monitoring has been added to Oxygen. Oxygen performance monitoring for Azure covers Virtual Machines, Kubernetes, SQL Database, and Function Apps. Out-of-the-box alarming is enabled for virtual machines and covers CPU, Memory, Disk, and Network utilization.


Oxygen Updates and Fixes

  • Compliance Dashboard: The Compliance dashboard has been refactored to better represent current account compliance posture for different regulatory frameworks. Control detail information has been added to the downloadable reports including Oxygen inheritance and notes.
  • (Beta) Quicksight Reports: A Quicksight reporting feature has been added in 'Beta' mode with limited availability. Embedded Quicksight reports will be used to provide greater analytics and visualization for Oxygen data collected and stored in S3.
  • (Beta) Backup Configuration: Backup configuration and maintenance screens have been added to Oxygen. This feature has been added in 'Beta' mode with limited availability and provides the ability to configure backups in both AWS and Azure from a central location. This feature will be available for all users in the next release.
  • Bug Fix for MFA login issues: There was an intermittent issue for new users when first logging in and setting up multi-factor authentication. Users would first receive a permissions error that would clear after a second login attempt.
  • Bug Fix for account listing permissions issue: View permissions were not allowing users to view all of their accounts in the Configuration -> Accounts listing.
  • Bug Fix for missing release notes: Older versions of release notes were not visible in the application due to corrupted data.
  • Bug Fix for framework downloads: A system error would occur when trying to download a framework with no controls mapped to workflows.

Oxygen API Updates

  • As the Oxygen ecosystem continues to grow, we are evolving the architecture of our APIs. We have added new APIs this release to support current and upcoming features. These APIs include:
    • Compliance and frameworks APIs.  Support for compliance dashboards and compliance framework configurations.  These APIs support our new compliance dashboards and framework management.
    • AWS and Azure service count APIs to provide daily counts of services being used in each account. These APIs will support future dashboard development and customer update messaging.
    • Azure event APIs.  Provides support for Azure workflow processing and remediations.
    • Oxygen reporting APIs.  A new set of APIs allowing integration with AWS Quicksight reporting.
