
Releases: antgroup/CloudRec

v0.2.1

03 Sep 08:29
eae81f7


Release v0.2.1

What's Changed

Enhancement

  • Enhanced multi-tenant architecture with tenant-isolated whitelists, improved OpenAPI authentication, and optimized tenant management UX. by @jietian-sts in #71

Bug Fixes

  • fix: remove goroutine by @j3ttt in #70
  • fix: resource id would be empty when the jsonPath resolves the wrong way by @j3ttt in #72
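The second fix above concerns a failure mode worth guarding against in any collector: when the configured jsonPath for a resource's identifier does not match the payload, the resource must not be ingested with an empty ID (every such resource would then collide on the same blank key). The following is an added example, not CloudRec's own collector code; the payload layout, the minimal `$.a.b[0].c` path syntax, and the `ResourceID`/`lookup` names are assumptions made for illustration. It shows a resolver that fails loudly on a missing, non-scalar or empty identifier instead of returning "".

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrEmptyResourceID is returned instead of silently accepting "" as an ID,
// so a mistyped jsonPath cannot yield resources that all share one blank key.
var ErrEmptyResourceID = errors.New("resource id resolved to an empty value")

// sampleInstance is a constructed ECS-like payload for this example; the field
// layout is an assumption, not CloudRec's collected schema.
const sampleInstance = `{
  "InstanceId": "i-abc123",
  "InstanceName": "",
  "NetworkInterfaces": {"NetworkInterface": [{"NetworkInterfaceId": "eni-001"}]}
}`

// lookup walks a minimal "$.a.b[0].c" path over a decoded JSON document.
// Only dotted keys and numeric indexes are supported (an assumption; real
// JSONPath engines accept far more). Every miss is an error, never a nil value.
func lookup(doc any, path string) (any, error) {
	path = strings.TrimPrefix(path, "$.")
	cur := doc
	for _, seg := range strings.Split(path, ".") {
		key := seg
		var idx []int
		if i := strings.Index(seg, "["); i >= 0 {
			key = seg[:i]
			for _, part := range strings.Split(strings.TrimSuffix(seg[i+1:], "]"), "][") {
				n, err := strconv.Atoi(part)
				if err != nil {
					return nil, fmt.Errorf("bad index in segment %q", seg)
				}
				idx = append(idx, n)
			}
		}
		obj, ok := cur.(map[string]any)
		if !ok {
			return nil, fmt.Errorf("segment %q: expected object", seg)
		}
		cur, ok = obj[key]
		if !ok {
			return nil, fmt.Errorf("segment %q: key %q not found", seg, key)
		}
		for _, n := range idx {
			arr, ok := cur.([]any)
			if !ok || n < 0 || n >= len(arr) {
				return nil, fmt.Errorf("segment %q: index %d out of range", seg, n)
			}
			cur = arr[n]
		}
	}
	return cur, nil
}

// ResourceID extracts the identifier at idPath and rejects empty or
// non-scalar results, so a wrong path surfaces as an error at collection time.
func ResourceID(raw []byte, idPath string) (string, error) {
	var doc any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", err
	}
	v, err := lookup(doc, idPath)
	if err != nil {
		return "", fmt.Errorf("resolve %q: %w", idPath, err)
	}
	var id string
	switch t := v.(type) {
	case string:
		id = t
	case float64: // encoding/json decodes JSON numbers into float64
		id = strconv.FormatFloat(t, 'f', -1, 64)
	default:
		return "", fmt.Errorf("resolve %q: value of type %T is not a scalar id", idPath, v)
	}
	if strings.TrimSpace(id) == "" {
		return "", fmt.Errorf("resolve %q: %w", idPath, ErrEmptyResourceID)
	}
	return id, nil
}

func main() {
	paths := []string{
		"$.InstanceId",   // correct path
		"$.instanceId",   // wrong case: key not found
		"$.InstanceName", // present but empty: rejected
		"$.NetworkInterfaces.NetworkInterface[0].NetworkInterfaceId",
	}
	for _, p := range paths {
		id, err := ResourceID([]byte(sampleInstance), p)
		fmt.Printf("%-62s -> id=%q err=%v\n", p, id, err)
	}
}
```

The design choice is that a resolver used to key assets should treat "not found", "not a scalar" and "empty" as three distinct errors rather than one zero value; the caller can then skip or quarantine the resource and log the path that failed instead of discovering the problem later as duplicate or missing assets.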

Full Changelog: v0.2.0...v0.2.1

v0.2.0

29 Aug 03:52
58f6d01


Release v0.2.0

In this release, we are excited to announce that CloudRec now supports multiple major cloud providers, including Amazon Web Services (AWS), Alibaba Cloud, and Kingsoft Cloud. A significant number of security compliance rules have been added and optimized, greatly enhancing the platform's detection capabilities. Furthermore, we have comprehensively optimized the frontend interaction and user interface, and introduced Docker containerization support to significantly improve deployment flexibility and user experience.

What's Changed

Cloud Resource Supports

  • Kingsoft Cloud (KSYUN): Added full support for Kingsoft Cloud (#10 by @lhy0726)
  • AWS: Added support for Amazon Web Services (AWS) with 27 services (#61 by @j3ttt); the full list of supported services can be found here.
    • Cognito
    • KMS
    • SNS
    • SQS
    • FMS
    • ECS
    • EKS
    • Lambda
    • CloudTrail
    • Config
    • CloudWatch
    • CloudFormation
    • DynamoDB
    • Inspector2
    • Macie
    • GuardDuty
    • AccessAnalyzer
    • AppStream
    • API Gateway V2
    • Network Firewall
    • OpenSearch
    • ACM
    • SecurityHub
    • Account
    • Auto Scaling
    • VPC Endpoint Service
    • Flow Log
    • Network Interface
  • Alibaba Cloud Enhancements: Added support for Alibaba Cloud with enhanced resource collection (#60, #67 by @j3ttt); added support for the Alibaba Cloud ENS edge network service (#58 by @tianmu2023); integrated Alibaba Cloud asset management for cloud asset counting (#29 by @jietian-sts)
  • Added support for 19 further Alibaba Cloud services; the full list of supported services can be found here.
    • ECS Images
    • ECS Snapshots
    • API Gateway
    • SWAS (Simple Application Server)
    • VPN Connection
    • Bastionhost
    • DTS (Data Transmission Service)
    • ECI (Elastic Container Instance)
    • GA Accelerator
    • Elastic Cloud Phone (ECP) Instance
    • ONS Instance
    • EFLO Node
    • Cloud Storage Gateway and its Storage Bundles
    • DCDN Domains (standard and IPA)
    • Live Domains
    • VOD Domains
    • SMS Templates
    • API Gateway Apps
    • ARMS Prometheus
    • Elasticsearch Logstash

Security Rule Updates

This release introduces a significant number of new security compliance rules for Alibaba Cloud, optimizes existing ones for better accuracy, and removes redundant checks (#68 by @j3ttt). The full list of supported rules can be found here.

19 New Rules

  • ACK: Added check for publicly exposed Cluster APIs.
  • NAT Gateway: Added check for DNAT rule configurations.
  • CloudFirewall:
    • Added check for missing log configurations.
    • Added check for cloud firewall openings on non-standard ports (not 80/443).
  • ECI: Added check for publicly exposed Container Groups.
  • ECS:
    • Added check for shared custom images.
    • Added check for instances not using IMDSv2.
    • Added check for instances not running in a VPC.
    • Added check for unencrypted data disks.
  • Elasticsearch: Added check for unencrypted data nodes on cloud disks.
  • ENS:
    • Added check for instances with any port open to the internet via security groups.
    • Added check for NAT Gateway instances with any port open to the internet via ACLs.
  • FC: Added check for anonymous access via HTTP Triggers.
  • MongoDB:
    • Added check for disabled audit logs.
    • Added check for instances not running in a VPC.
  • OSS: Added check for server-side encryption on OSS buckets.
  • PolarDB: Added check for disabled audit logs.
  • RDS: Added check for disabled SSL encryption.
  • Redis: Added check for instances not running in a VPC.
  • SLS: Added check for anonymous access via Project Policy.

6 Optimized Rules

  • ECS (High-Risk Ports): Fixed a false positive in the "high-risk ports open to public" rule caused by incorrect use of object.keys.
  • ECS (Any Port Open): Optimized result display to prevent massive outputs (e.g., 65535 lines) for the "any port open to the internet" rule.
  • ECS (Subnet Mask): Improved result display for the "inbound rule subnet mask <= 8" rule to include the security group ID for easier identification.
  • RAM (Overly Permissive User): Refined the specific permissions being checked to reduce noise.
  • SLB (Non-Standard Ports): Improved the detection logic for public-facing SLBs, correctly identifying private SLBs with mounted EIPs as public.
  • ECS: Optimized the performance of rule ALI_CLOUD_ECS_202503071706_485785 (#23 by @j3ttt)
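Three of the optimizations above share one theme: a security-group rule is only a finding when it is an accepting ingress rule whose source is the whole internet (otherwise the high-risk-port check produces false positives), the result should be reported as compact port ranges rather than one line per port (otherwise an "all ports" rule prints 65535 lines), and each finding should carry the security group ID. The following is an added example in Go, not CloudRec's own rule code (CloudRec's rules are not shown on this page); the `SGRule` field names, the `-1/-1` "all ports" convention, the high-risk port list and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// SGRule is a constructed, simplified inbound-rule model; the field names are
// assumptions and do not follow CloudRec's collected resource schema.
type SGRule struct {
	Direction  string // "ingress" or "egress"
	Policy     string // "accept" or "drop"
	Protocol   string // "tcp", "udp", "icmp", "all"
	PortRange  string // "22/22", "1/65535", or "-1/-1" meaning all ports
	SourceCIDR string
}

type SecurityGroup struct {
	ID    string
	Rules []SGRule
}

type portSpan struct{ lo, hi int }

// highRiskPorts is an illustrative list assumed for this example.
var highRiskPorts = map[int]string{
	22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
	6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch",
}

func isPublicCIDR(c string) bool { return c == "0.0.0.0/0" || c == "::/0" }

// parsePortRange turns "lo/hi" into a span; "-1/-1" (all ports) becomes 1-65535.
func parsePortRange(s string) (portSpan, error) {
	parts := strings.Split(s, "/")
	if len(parts) != 2 {
		return portSpan{}, fmt.Errorf("bad port range %q", s)
	}
	lo, err1 := strconv.Atoi(parts[0])
	hi, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil {
		return portSpan{}, fmt.Errorf("bad port range %q", s)
	}
	if lo == -1 && hi == -1 {
		return portSpan{1, 65535}, nil
	}
	if lo < 1 || hi > 65535 || lo > hi {
		return portSpan{}, fmt.Errorf("bad port range %q", s)
	}
	return portSpan{lo, hi}, nil
}

// publicIngressSpans returns the port spans that accepting ingress rules open to
// the whole internet. Egress rules, drop rules, private sources and port-less
// protocols are skipped; this filtering is what keeps the high-risk-port
// check from firing on every rule that merely mentions a risky port.
func publicIngressSpans(sg SecurityGroup) []portSpan {
	var spans []portSpan
	for _, r := range sg.Rules {
		if r.Direction != "ingress" || r.Policy != "accept" || !isPublicCIDR(r.SourceCIDR) {
			continue
		}
		switch strings.ToLower(r.Protocol) {
		case "tcp", "udp", "all":
		default:
			continue // icmp etc. carry no ports
		}
		if sp, err := parsePortRange(r.PortRange); err == nil {
			spans = append(spans, sp)
		}
	}
	return spans
}

// mergeSpans sorts and coalesces overlapping or adjacent spans so a group that
// exposes every port reports "1-65535" once instead of 65535 lines.
func mergeSpans(spans []portSpan) []portSpan {
	if len(spans) == 0 {
		return nil
	}
	sort.Slice(spans, func(i, j int) bool { return spans[i].lo < spans[j].lo })
	out := []portSpan{spans[0]}
	for _, s := range spans[1:] {
		last := &out[len(out)-1]
		if s.lo <= last.hi+1 {
			if s.hi > last.hi {
				last.hi = s.hi
			}
			continue
		}
		out = append(out, s)
	}
	return out
}

// AnyPortOpenToPublic returns a compact, ID-tagged summary such as
// "sg-1: 22-25, 8000-8080", and false when nothing is public.
func AnyPortOpenToPublic(sg SecurityGroup) (string, bool) {
	merged := mergeSpans(publicIngressSpans(sg))
	if len(merged) == 0 {
		return "", false
	}
	parts := make([]string, 0, len(merged))
	for _, s := range merged {
		if s.lo == s.hi {
			parts = append(parts, strconv.Itoa(s.lo))
		} else {
			parts = append(parts, fmt.Sprintf("%d-%d", s.lo, s.hi))
		}
	}
	return sg.ID + ": " + strings.Join(parts, ", "), true
}

// HighRiskPortsOpenToPublic lists the risky ports actually reachable from
// 0.0.0.0/0 or ::/0, each tagged with the security group ID.
func HighRiskPortsOpenToPublic(sg SecurityGroup) []string {
	merged := mergeSpans(publicIngressSpans(sg))
	ports := make([]int, 0, len(highRiskPorts))
	for p := range highRiskPorts {
		ports = append(ports, p)
	}
	sort.Ints(ports) // deterministic output order
	var findings []string
	for _, p := range ports {
		for _, s := range merged {
			if p >= s.lo && p <= s.hi {
				findings = append(findings, fmt.Sprintf("%s: %d (%s) open to internet", sg.ID, p, highRiskPorts[p]))
				break
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample: SSH open to the world, a drop rule on RDP that must
	// NOT count, MySQL open only to a private range, and a public web range.
	sg := SecurityGroup{ID: "sg-example", Rules: []SGRule{
		{"ingress", "accept", "tcp", "22/22", "0.0.0.0/0"},
		{"ingress", "drop", "tcp", "3389/3389", "0.0.0.0/0"},
		{"ingress", "accept", "tcp", "3306/3306", "10.0.0.0/8"},
		{"ingress", "accept", "tcp", "8000/8080", "0.0.0.0/0"},
	}}
	for _, f := range HighRiskPortsOpenToPublic(sg) {
		fmt.Println(f)
	}
	if desc, ok := AnyPortOpenToPublic(sg); ok {
		fmt.Println(desc)
	}
}
```

The point of `mergeSpans` is that the "any port open" result is computed over ranges, never by expanding a rule into individual ports, so output size stays proportional to the number of rules rather than the number of ports; the same merged spans feed the high-risk check, so both rules agree on what "public" means.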

3 Deleted Rules

  • RAM (User Never Used): Removed as it was redundant with the "RAM User unused for over a year" rule.
  • RAM (ACL-less User AK Unused): Removed as it was redundant with the "RAM User AK unused for over a year" rule.
  • OSS (Public Access Not Blocked): Removed as the check for blocking public access is handled by a different, more appropriate rule.

UI/UX

  • Comprehensively optimized frontend interaction experience and interface presentation, including responsive layouts, loading animations, and error notifications (#66 by @jietian-sts)

Performance Improvements

  • Improved asset collection timeliness for multi-account scenarios (#66 by @jietian-sts)
  • Added write-back of collection exception logs and manually triggered collection tasks per cloud account (#66 by @jietian-sts)

Bug Fixes

  • Resolved multiple critical bugs, including permission validation, data synchronization, and edge case handling (#66 by @jietian-sts)
  • Fixed a logic issue in the upsertData global variable that caused false negatives (#64 by @Center-Sun)
  • Fixed a logic error for when a ruleCode exists but is not found in the database (#63 by @Center-Sun)
  • Fixed ENS network ACL and pager logic (#59 by @tianmu2023)
  • Changed the field name for getting Alibaba Cloud RAM user access keys (#48 by @j3ttt)
  • Fixed the init.sql database initialization script (#42 by @j3ttt)
  • Fixed issues with declared but unused code (#39 by @j3ttt)
  • Fixed GCP GCS rules configuration (#24 by @j3ttt)
  • Fixed Alibaba Cloud bucket region errors (#11 by @j3ttt)
  • Fixed the rule for Alibaba Cloud RocketMQ instances exposed to the public (#4 by @j3ttt)
  • Fixed an issue where GCP CloudStorage bucket RowField was taking the wrong value from a JSON path (#2 by @j3ttt)

Chore & CI/CD

  • CI/CD:
    • Added a GitHub Actions workflow for automated builds (#13 by @j3ttt)
    • Added a golangci-lint workflow for code quality checks (#40 by @j3ttt)
  • Developer Templates:
    • Added a template for adding new cloud providers and cloud resources (#1 by @j3ttt)
    • Added GitHub templates for issues and pull requests (#12 by @j3ttt)
  • Dependency Updates:
  • Documentation:
    • Refined README documentation and project structure (#24 by @j3ttt)
  • Deployment & Configuration:
    • Added Docker containerization support (#5 by @j3ttt)
    • Added Docker Compose deployment configuration (#6 by @j3ttt)
    • Added dynamic environment variable configuration for MySQL and DB passwords (#24 by @j3ttt)

New Contributors

Full Changelog: v0.1.0...v0.2.0



v0.1.0

13 Aug 11:22
