2023.3.13

Integrations

  • The AWS integration can now discover AWS Cognito Identity Pools (federated identities), used to grant temporary privileges to other AWS services.

    • Additional permissions are needed to connect to AWS Cognito:

      • cognito-identity:ListIdentityPools

      • cognito-identity:DescribeIdentityPool

      • cognito-identity:GetIdentityPoolRoles

    • Added new saved queries "AWS Cognito Identity Pools that allow unauthenticated identities" and "AWS IAM Roles that can be assumed by AWS Cognito Identity Pool identities".
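As an added example (not Veza's own code), the check below performs the same audit as the new saved queries: it walks every identity pool using the three read-only Cognito calls behind the permissions listed above and reports the IAM roles that unauthenticated (guest) identities receive. It assumes a client object exposing boto3's `cognito-identity` method names; a constructed stub with made-up pool ids and ARNs stands in for a live client so the example runs offline.

```python
from dataclasses import dataclass, field

@dataclass
class PoolFinding:
    pool_id: str
    pool_name: str
    allows_unauthenticated: bool
    roles: dict = field(default_factory=dict)  # {"authenticated": arn, "unauthenticated": arn}

def audit_identity_pools(client):
    """One finding per pool; uses only the three read-only calls listed above."""
    findings, next_token = [], None
    while True:  # ListIdentityPools is paginated and requires MaxResults
        kwargs = {"MaxResults": 60, **({"NextToken": next_token} if next_token else {})}
        page = client.list_identity_pools(**kwargs)
        for pool in page.get("IdentityPools", []):
            pool_id = pool["IdentityPoolId"]
            desc = client.describe_identity_pool(IdentityPoolId=pool_id)
            roles = client.get_identity_pool_roles(IdentityPoolId=pool_id).get("Roles", {})
            findings.append(PoolFinding(pool_id, desc["IdentityPoolName"],
                bool(desc.get("AllowUnauthenticatedIdentities", False)), roles))
        next_token = page.get("NextToken")
        if not next_token:
            return findings

def unauthenticated_roles(findings):
    """IAM role ARNs that guest (unauthenticated) identities receive, deduplicated."""
    return sorted({f.roles["unauthenticated"] for f in findings
                   if f.allows_unauthenticated and "unauthenticated" in f.roles})

class StubCognitoClient:
    """Constructed offline stand-in for boto3.client('cognito-identity'); values are made up."""
    POOLS = {  # pool id -> (name, AllowUnauthenticatedIdentities, Roles)
        "us-east-1:pool-a": ("guest-app", True, {
            "authenticated": "arn:aws:iam::123456789012:role/AppAuth",
            "unauthenticated": "arn:aws:iam::123456789012:role/AppGuest"}),
        "us-east-1:pool-b": ("internal", False, {
            "authenticated": "arn:aws:iam::123456789012:role/InternalAuth"}),
    }

    def list_identity_pools(self, MaxResults, NextToken=None):  # single page, no NextToken
        return {"IdentityPools": [{"IdentityPoolId": k, "IdentityPoolName": v[0]}
                                  for k, v in self.POOLS.items()]}

    def describe_identity_pool(self, IdentityPoolId):
        name, unauth, _ = self.POOLS[IdentityPoolId]
        return {"IdentityPoolName": name, "AllowUnauthenticatedIdentities": unauth}

    def get_identity_pool_roles(self, IdentityPoolId):
        return {"Roles": self.POOLS[IdentityPoolId][2]}
```

Against a real account, pass `boto3.client("cognito-identity")` in place of the stub; the caller needs exactly the three `cognito-identity:*` permissions listed above.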

  • Integrations on the Configurations page now indicate the running sync or parse job status (such as "Waiting for Parsing"). Integration status details now show the completed and current job steps (such as "Gathering Users" or "Gathering Roles"), and the total number of gathered entities.

  • Early Access: A new Veza-built integration for ServiceNow enables the discovery of Users, Groups, ACL Rules, and Roles from ServiceNow SaaS deployments.

Monitoring

  • Early Access: Rule conditions can now apply to Overprovisioned Score (OPS) changes for individual query results. Alerts for these rules will show details for the changed entity, including the OPS changes.

Search and Insights

  • The Access Search > Saved Queries page now offers query search by keyword, label, or integration. You can now mark any saved query as a violation using the improved Actions dropdown menu.

  • For better visualization of resource-type entities acting as principals, AWS EC2 Instances are now shown on the left when searching relationships to other resource entity types (such as AWS S3 Bucket) in Authorization Graph.

  • You can now pick from related entity types in the Query Builder Relates to dropdown after selecting a primary entity type to search. Before, you needed to start typing into the Relates to field to see possible options.

  • Early Access: Advanced search options now include toggles to show or hide graph relationships that involve hierarchical or nested entity types such as IAM Roles and local Groups.

    • For example, when searching for entity types such as AWS IAM Role to Redshift Postgres Database, you can now opt to show or hide relationships that involve an assumed IAM Role. Hiding assumed roles will show only paths where roles grant permissions directly to the resource, instead of by assuming a secondary role.

    • Similarly, for User > Local Group searches, hiding assumed groups conceals any group the user belongs to only through membership in another group. If a user belongs to a Local Group whose members include other Local Groups, hiding assumed groups shows only paths where the user is directly assigned to a group, rather than all paths including indirect assignments through nested groups.

Bug Fixes

  • Fixed an issue where the On Premises Sync attribute was blank (instead of False) for AzureAD-only users not synced with on-premises AD.

  • Fixed an issue where policy conditions were ignored when evaluating trusted principals for AWS IAM Roles.

  • Fixed an issue where test emails for Notifications were not delivered.
