Posture Control (ZPC)

Release Upgrade Summary (2023)

This article provides a summary of all new features and enhancements for Zscaler Posture Control (ZPC). To see scheduled maintenance updates for your cloud, visit the Trust Portal.


The following service updates were deployed to app.zpccloud.net on the following dates.

October 30, 2023
  • Feature Available
    • Enhancement to Asset Property Predicate Operators

      The asset property predicate supports two new operators for IP address and integer property types: Included In () and Not Included In ().

      To learn more, see Creating Custom Security Policies.

    • Enhancement to Ignore Compliance Rules

      ZPC allows you to configure ignore rules to exclude irrelevant compliance findings. ZPC does not display ignored compliance findings on the compliance dashboards or reports. Using compliance ignore filters can affect ZPC's compliance score evaluation: when you ignore or include an asset or policy on ZPC, the compliance score might change.

      You can configure compliance ignore rules based on a combination of policies, asset types, regions, and accounts.

      To learn more, see Configuring an Automatic Compliance Ignore Filter.

    • Security Policies

      The following security policies are available for cloud service providers:

      • Security Policy Title
        EKS CIS - Avoid use of system:masters group
        EKS CIS - Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [Role]
        EKS CIS - Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider
        AKS CIS - Restrict Access to the Control Plane Endpoint
        AKS CIS - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
        AKS CIS - Use Azure RBAC for Kubernetes Authorization
        GKE CIS - Manage Kubernetes RBAC users with Google Groups for GKE
        GKE CIS - Ensure Kubernetes Web UI is Disabled
        K8s CIS - Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster [ClusterRole]
        K8s CIS - Ensure that all Namespaces have Network Policies defined
        K8s CIS - Minimize access to create pods through Cluster Role
        K8s CIS - Minimize access to secrets through Cluster Role
        K8s CIS - Minimize access to secrets through Role
        K8s CIS - Ensure that Service Account Tokens are only mounted where necessary for Service Account
        K8s CIS - Ensure that default service accounts are not actively used
        K8s CIS - Minimize access to create pods through Role
        K8s CIS - Minimize wildcard use in ClusterRoles
        K8s CIS - Minimize wildcard use in Roles
        K8s CIS - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture

      To learn more, see About Security Policies.

    • Trusted IP Management

      ZPC allows you to create and upload a list of the trusted IP addresses your organization uses to access the public environment. ZPC excludes these trusted IPs when examining publicly exposed assets or identities, which eliminates the false alerts those IPs would otherwise generate.

      The trusted IP list helps identify public exposure scenarios and distinguishes between an exposure that serves a legitimate business purpose and one that poses a security risk.

      To learn more, see About Trusted IPs.

September 27, 2023
  • Feature Available
    • Ignore Compliance Filters

      You can selectively exclude compliance security policies or assets in your cloud deployment from evaluation by ZPC. You can use the compliance ignore filters to perform actions such as:

      • Ignore specific compliance security policies for all AWS S3 buckets in your cloud deployment because you use S3 buckets exclusively for internal testing.
      • Ignore non-production EC2 instances for specific compliance security policies.

      Using compliance ignore filters can affect ZPC's compliance score evaluation. When you ignore or include an asset or policy on ZPC, the compliance score might change.

      To learn more, see Configuring a Compliance Ignore Filter.

September 13, 2023
  • Feature Available
    • Alert Payload with Additional Attributes Sent to IT Service Management

      Cloud and IaC alert payloads that are sent from ZPC to ITSM (Jira and ServiceNow) are enhanced to include additional attributes: Audit Procedure, Remediation, and Resource Metadata.

      To learn more, see About Alerts and Adding Alert Rules.

    • Alert Timeline

      You can view all activities of a cloud alert, the timestamp for when the alert was created and when the alert status was updated, and the ZPC user who performed the action on the alert.

      To learn more, see Viewing Alert Details.

    • AWS Local Identities Support

      ZPC provides authentication information such as access keys, passwords, or certificates for all AWS local identities. ZPC supports AWS local identities in the investigation and custom policy query creator. You can use AWS local identity predicates for queries such as:

      • Find all active identities that have an access key that expired last month.
      • Find all identities that have both password-based authentication and access keys set up.

      To learn more, see Viewing Cloud Identity Details and Creating a New Investigation.

    • Cloud Alerts Export Option Enhancement

      You can select additional attributes to export for cloud alerts along with the alerts table, export them to an Excel file, and download the report.

      To learn more, see About Alerts and Downloading Reports.

    • Enhancements to IaC Scanning

      The following enhancements are available for IaC Scanning:

      View IaC Errors and Remediation in Code Repositories

      ZPC performs IaC scans of templates in code repositories and displays the IaC errors and remediation steps within the code, allowing developers to investigate the issues immediately.

      To learn more, see About IaC Integrations.

      IaC Scanning Support for Amazon Linux 2

      ZPC provides support for IaC CI/CD scanning on Amazon Linux 2 operating systems.

      To learn more, see Supported OS Versions for IaC Scanning.

    • Enhancements to Vulnerability Scanning

      The following enhancements are available for Vulnerability Scanning:

      Default Weekly Schedule for Vulnerability Scanning

      The default scan schedule is set to weekly for cloud workloads. The scan schedule can be switched to daily if required.

      To learn more, see Adding a Vulnerability Scanning Rule for Cloud Workloads.

      Detailed Error Messages for Failed Scans

      Comprehensive error messages are displayed for failed vulnerability scans.

      View the error message for failed scans

      To learn more, see Viewing the Cloud Workload Details.

    • Identity Type Classification Enhancement

      ZPC aligns tightly with how each cloud service provider classifies identities as human and non-human. Each cloud service provider offers different best practices for managing human identities and workload identities, enabling them to safely perform actions in your cloud deployment. ZPC can check for violations of these best practices across cloud service providers and generate alerts.

      To learn more, see Understanding Identity Types.

    • Schedule an Executive Report

      You can schedule executive reports for regular distribution to specified recipients at the specified frequency.

      To learn more, see Scheduling Executive Reports and Managing Scheduled Executive Reports.

    • Security Policies

      The following security policies are available for cloud service providers:

      • Security Policy Title
        Minimize user access to Amazon ECR
        Abnormal Unused Permissions
      • Security Policy Title
        Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
        Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
        Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
        Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads)
        Ensure that Public IP addresses are Evaluated on a Periodic Basis
        Ensure that ‘Enable Infrastructure Encryption’ for Each Storage Account in Azure Storage is Set to ‘enabled’
        Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
      • Security Policy Title
        Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects
        Ensure 'Access Transparency' is 'Enabled'
        Ensure Secrets are Not Stored in Cloud Functions Environment Variables by Using Secret Manager
        Ensure Essential Contacts is Configured for Organization
      • Security Policy Title
        Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes or Upgrade to AWS CLI v1.16.156 or greater
        Ensure clusters are created with Private Nodes
        Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
        [AKS CIS] Enable audit Logs
        [GKE CIS] Ensure use of Binary Authorization
        [GKE CIS] Ensure Legacy Authorization (ABAC) is Disabled
        [GKE CIS] Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled
        [GKE CIS] Ensure clusters are created with Private Nodes
        [GKE CIS] Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
        [GKE CIS] Ensure Master Authorized Networks is Enabled
        [GKE CIS] Ensure use of VPC-native clusters
        [GKE CIS] Enable VPC Flow Logs and Intranode Visibility
        [GKE CIS] Ensure Shielded GKE Nodes are Enabled
        [GKE CIS] When creating New Clusters - Automate GKE version management using Release Channels
        [GKE CIS] Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS
        [GKE CIS] Ensure Secure Boot for Shielded GKE Nodes is Enabled
        [GKE CIS] Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
        [GKE CIS] Ensure Node Auto-Upgrade is enabled for GKE nodes
        [GKE CIS] Ensure Node Auto-Repair is enabled for GKE nodes
        [GKE CIS] Ensure Container-Optimized OS (cos_containerd) is used for GKE node images
        [GKE CIS] Ensure legacy Compute Engine instance metadata APIs are Disabled
        [GKE CIS] Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD)
        [GKE CIS] Ensure GKE clusters are not running using the Compute Engine default service account
      • Security Policy Title
        Ensure user auth tokens rotate within 90 days or less
        Ensure user customer secret keys rotate within 90 days or less
        Ensure user API keys rotate within 90 days or less

      To learn more, see About Security Policies.

    • System Notifications for Vulnerability Scan Errors

      Information about vulnerability scan errors related to insufficient privileges or missing cloud resources is displayed on the Notification Center page in the ZPC Admin Portal.

      To learn more, see About System Notifications.

August 17, 2023
  • Feature Available
    • Executive Reports

      The Executive Report provides insight into the assets deployed in your cloud accounts, the risks and vulnerabilities associated with those assets, the policy violations and misconfigurations associated with the accounts, and much more. You can customize the report and share it in PDF format.

      To learn more, see About the Executive Report and Managing Executive Reports.

    • Ignore Filter Rule Enhancements

      The following improvements are available for the Ignore filter:

      • The Add Ignore filter action is now available by default to the Administrator and Security Operations (SecOps) role. All other ZPC users have view-only permission. You can enable the Add Ignore Filter action for other ZPC users by adding or modifying Ignore Rules permissions in Global Modules using custom roles.
      • The Cloud Accounts attribute on the Filter Scope page is optional. You can select any one of the attributes on the Filter Scope page to define the filter.

      To learn more, see Adding Ignore Filters and Adding a Custom Role.

    • Improved Service Coverage

      ZPC now offers security posture for the following services for cloud service providers:

      • Service Name
        Microsoft.Security/assessments
        Microsoft.Compute/virtualMachineScaleSets/virtualMachines
      • Service Name
        CloudBuild - WorkerPool
        CloudBuild - Build
        CloudBuild - Trigger
        VertexAI - SpecialistPool
        VertexAI - MetadataStore
        VertexAI - Model
        VertexAI - Dataset

      To learn more, see About Cloud Asset Types and Asset Categories.

    • Investigation and Custom Policy Query Enhancements

      ZPC supports the asset property predicate, which lets you investigate AWS assets based on any key-value pair in the asset metadata. ZPC supports array, multiple-value, and partial-value matching.

      To learn more, see Creating a New Investigation.

    • New Remediation Attributes and Filters

      Four new remediation attributes and filters are added to the Cloud Alerts table: Supports Remediation, Remediation Allowed, Remediation Status, and Remediation Initiated By. You can see these in the main Alerts table.

      To learn more, see About Alerts and Using Filters.

    • Onboarding Private GKE Clusters

      In addition to onboarding public and hybrid clusters, ZPC supports onboarding private GKE clusters. When onboarded, ZPC can collect configuration metadata and offer cloud posture insights.

      To learn more, see Onboarding a Private Google Kubernetes Engine Cluster.

    • Security Advisory Support for Vulnerability Scanning

      Security advisories are notifications about significant new trends or developments related to threats impacting the information systems of an organization. These advisories typically precede the assignment of common vulnerabilities and exposures (CVE) identifiers. ZPC scans your cloud assets and provides more information on detected security advisories, along with accessible links for understanding the threat methods and associated risks in detail.

      To learn more, see About Vulnerability Management.

    • Security Policies

      The following security policies are available for cloud service providers:

      • Security Policy Title
        Ensure an Azure Bastion Host Exists
        Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
        Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
        Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
        Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
        Ensure Azure Database for MariaDB servers enable encryption in transit
      • Security Policy Title
        Ensure that Service Account Tokens are only mounted where necessary for Statefulset
        Ensure that Service Account Tokens are only mounted where necessary for DaemonSet
        Ensure that Service Account Tokens are only mounted where necessary for CronJob
        Ensure that Service Account Tokens are only mounted where necessary for Job
        Ensure that Service Account Tokens are only mounted where necessary for Deployment
        Ensure that Service Account Tokens are only mounted where necessary for Pod
        Ensure that a limit is set on pod PIDs
        Ensure that the RotateKubeletServerCertificate argument is set to true
        Ensure that the --make-iptables-util-chains argument is set to true
        Ensure that the --protect-kernel-defaults argument is set to true
        Ensure that the --authorization-mode argument is not set to AlwaysAllow
        Ensure that the --anonymous-auth argument is set to false

      To learn more, see About Security Policies.

July 31, 2023
  • Feature Available
    • Improved RBAC Features

      The role-based access control (RBAC) feature has been enhanced. ZPC now allows administrators to be members of multiple groups, including single sign-on (SSO) groups. Business units were previously tightly coupled with role definitions; customers can now define roles and business units separately, and business units are mapped to groups.

      Existing administrators need not make any changes, as all the roles and permissions are updated to the new model.

      To learn more, see About Administrators, About Groups, and About Roles.

July 12, 2023
  • Feature Available
    • Admin's Last Login Details

      ZPC provides additional information by displaying the last login time of each administrator on the Administrators page. The login time indicates the time they last logged in to the ZPC Admin Portal.

      To learn more, see About Administrators.

    • Alert Payload to Third-Party Integrations

      Alerts sent from ZPC to the cloud storage service (Amazon S3, Azure Blob Storage, Splunk, or AWS Security Lake) are enhanced to include the following attributes: Audit Procedure, Remediation, and Resource Metadata.

      To learn more, see About Third-Party Integrations and Adding Cloud Alert Rules.

    • API Improvements

      Internal server errors return a correlation ID in an optional response header and the response body to support troubleshooting.

      To learn more, see API Response Codes and Error Messages.

    • Cloud Identities Enhancements

      The following enhancements are available for ZPC's Cloud Identities:

      • The Cloud Identities page now offers complete metadata, power score, authentication methods, and open alert count.
      • Clicking the open alert count directly opens the alert drawer showing all open alerts for a particular identity.

      To learn more, see About Cloud Identities.

    • Customized Default Filters

      You can define a default filter to view customized data in the ZPC Admin Portal. You can also select a saved filter as the default filter. Default filters are retained so you can view customized data every time you revisit the page or when you log out and log back in to the ZPC Admin Portal.

      To learn more, see Using Filters.

    • Improved Service Coverage

      ZPC now offers security posture for the following services for cloud service providers:

      • Service Name
        AWS::DocumentDB::DBCluster
        AWS::Neptune::DBCluster
        AWS::Neptune::DBInstance
        AWS::GuardDuty::Detector
        AWS::ServerlessRepo::Applications
        Amazon SageMaker Ground Truth
        AWS::WAF::IPSet
        AWS::WAF::RuleGroup
        AWS::WAFv2::IPSet
        AWS::WAFRegional::Rule
        AWS::WAFRegional::WebACL
        AWS::WAFRegional::IPSet
        AWS::WAFRegional::RuleGroup
      • Service Name
        Object Anchors
        Microsoft Energy Data Services
        Project Bonsai
        Remote Rendering
        Spatial Anchors
      • Service Name
        CertificateAuthorityService - CertificateRevocationList
        CertificateAuthorityService - Certificate
        CertificateAuthorityService - CaPool
        CertificateAuthorityService - Certificate Authority
        FileStoreInstance - Backup
        Secret Manager - SecretVersion
      • Service Name
        OCI WAF
        OCI Streaming
        OCI Service Connector Hub
        OCI Network Load Balance
        OCI Logging Management
        OCI File Storage
        OCI Networking
        OCI VNIC
        OCI ONS Topic
        OCI Event Rule

      To learn more, see About Cloud Asset Types and Asset Categories.

    • Investigation and Custom Policy Query Enhancements

      ZPC supports all tags supported by the cloud service providers in the investigation and custom policy query creator. You can use tag-based predicates for queries such as:

      • Display all EC2 instances that do not contain specific mandatory tags.
      • Set up an alert when an EC2 instance running in production is detected with a specific set of tags missing.

      To learn more, see Creating a New Investigation.

    • Manual Remediation of AWS Alerts

      ZPC supports manual remediation of AWS alerts. You can remediate single alerts, bulk alerts, or all alerts generated by a specific policy.

      To learn more, see Remediating Alerts.

    • Security Policies

      The following security policies are available for cloud service providers:

      • Security Policy Title
        Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
        Ensure Application Gateway redirects HTTP traffic to HTTPS
        Ensure Azure Database for MariaDB servers backups are 'Geo-Redundant'
        Ensure Azure Database for PostgreSQL servers backups are 'Geo-Redundant'
        Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
        Ensure that Activity Log Alert exists for Delete Public IP Address rule
        Ensure Azure Database for MySQL servers backups are 'Geo-Redundant'
        Ensure Azure Database for MySQL servers enable Infrastructure double encryption
        Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
        Ensure That Microsoft Defender for Cosmos DB Is Set To 'On'
        Ensure That Microsoft Defender for DNS Is Set To 'On'
        Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
        Ensure the "Minimum TLS version" for storage accounts is set to "Version 1.2"
        Ensure that logging for Azure AppService 'HTTP logs' is enabled
        Ensure Azure Monitor Log Profile is collecting all activity categories
      • Security Policy Title
        GCP Artifact Registry is running an image with critical vulnerabilities
        Ensure Instance IP assignment is set to private
        Internet facing virtual machine potentially exposes a vulnerable service to the internet
      • Security Policy Title
        Ensure a notification is configured for network security group changes
        Ensure a notification is configured for user changes
        Ensure a notification is configured for changes to network gateways
        Ensure a notification is configured for VCN changes
        Ensure a notification is configured for Identity Provider changes
        Ensure a notification is configured for security list changes
        Ensure a notification is configured for IdP group mapping changes
        Ensure a notification is configured for IAM group changes
        Ensure all OCI IAM user accounts have a valid and current email address
        Ensure a notification is configured for IAM policy changes
        Ensure a notification is configured for changes to route tables

      To learn more, see About Security Policies.

    • Slack Integration

      Slack integration is available. You can receive ZPC alert notifications in Slack channels and streamline mitigation directly within your developer tooling.

      To learn more, see Integrating ZPC with Slack.

    • Vulnerability Scanning of AKS Containers

      ZPC identifies all active images used by containers in monitored Azure Kubernetes Service (AKS) clusters and scans the images for vulnerabilities. Administrators can generate vulnerability reports for the findings, run investigation queries, and set custom policies based on CVE findings.

      To learn more, see About Vulnerability Scanning.

June 19, 2023
  • Feature Available
    • Cloud Accounts Enhancements

      The following enhancements are available for cloud accounts:

      • Exporting cloud account details as an Excel file is now available, with the following file naming conventions:
        • Cloud Accounts: Cloudaccounts_<timestamp>
        • Organizations: Cloudaccounts_organizations_<timestamp>
        • Kubernetes: Cloudaccount_kubernetes_<timestamp>
      • The Cloud Accounts page displays a new column called Onboarded Date for each cloud account.

      To learn more, see About Cloud Accounts.

    • Container Workloads Investigation Enhancement

      The following enhancements are available for Kubernetes workload investigation:

      • ZPC supports additional predicates for investigation queries and custom policies over Kubernetes clusters. You can identify running containers as opposed to idle or stale ones and detect publicly exposed containers.
      • Kubernetes container investigation results can now be exported as an Excel file.

      To learn more, see About Investigation.

    • Improved Service Coverage

      ZPC now offers security posture for the following services for cloud service providers:

      • Service Name
        AWS Glue
        AWS Personalize
        AWS CodeArtifact
      • Service Name
        Azure Static Sites
        Virtual WAN
        Microsoft Genomics
        Azure Media Services
        Azure Maps
        Azure Web PubSub
        Azure Virtual Network Manager
        Azure Video Indexer
        Azure Time Series Insights
        Azure Spring Apps
        Azure Resource Mover
        Azure Resource Manager templates
      • Service Name
        Compute Engine - VpnGateway
        Network Intelligence Center - ConnectivityTest
        Compute Engine - NodeGroup
        NetworkConnectivity: Spoke
        NetworkConnectivity: Hub
        Run - Service
        Compute - HealthCheck
        Compute - InstanceTemplate
        Compute Engine - Address
        Compute Engine - Autoscaler

      To learn more, see About Cloud Asset Types and Asset Categories.

    • Onboarding AKS clusters with Local Authentication

      In addition to AKS clusters authenticated by Azure RBAC and Kubernetes RBAC, ZPC supports onboarding AKS clusters with local authentication.

      To learn more, see Onboarding AKS clusters with Local Authentication.

    • Security Policies

      The following security policies are available for cloud service providers:

      • Security Policy Title
        High privileged identity with access keys
        Amazon ECR is running an image with critical vulnerabilities
      • Security Policy Title
        Ensure private endpoints are used to access storage accounts
      • Security Policy Title
        High privileged identity with access keys
        GCP Container Registry is running an image with critical vulnerabilities
      • Security Policy Title
        CIS EKS - Ensure Network Policy is Enabled and set as appropriate
        CIS AKS - Ensure Network Policy is Enabled and set as appropriate
        CIS GKE - Ensure Network Policy is Enabled and set as appropriate
        Manage Kubernetes RBAC users with Azure AD
        Ensure Kubernetes Secrets are encrypted
        Verify that admission controllers are working as expected
        Ensure clusters are created with Private Nodes
        Prefer using secrets as files over secrets as environment variables [DAEMONSETS]
        Prefer using secrets as files over secrets as environment variables [STATEFULSETS]
        Prefer using secrets as files over secrets as environment variables [DEPLOYMENTS]
        Prefer using secrets as files over secrets as environment variables [CRONJOBS]
        Prefer using secrets as files over secrets as environment variables [JOBS]
        Apply Security Context to Your Pods and Containers associated with STATEFULSETS
        Apply Security Context to Your Pods and Containers associated with Deployments
        Apply Security Context to Your Pods and Containers associated with CRONJOBS
        Apply Security Context to Your Pods and Containers associated with JOBS

      To learn more, see About Security Policies.

    • Support for Amazon Security Lake Integration

      ZPC continues to support the integration with Amazon Security Lake with appropriate adjustments to align with the formal GA release that Amazon published.

      To learn more, see Integrating with Amazon Security Lake.

    • Support for Scanning Azure Workload Images Created in Compute Gallery

      ZPC now provides support for scanning cloud workload images created in Azure Compute Gallery. Previously, ZPC provided support only for scanning workload images in the Azure Marketplace.

      To learn more, see Integrating Vulnerability Management for Microsoft Azure Workloads.

    • View Container Status in Vulnerability Management

      You can easily differentiate between active and non-active containers. ZPC displays the status of the containers in the Containers tab on the Vulnerability Management page. You can also apply the Running Status filter to view either the active or non-active containers.

      To learn more, see Viewing the Containers Tab.

    • View Publicly Exposed Cloud Workloads on the Vulnerability Management Page

      You can view the list of cloud workloads that are publicly exposed on the Vulnerability Management page. You can also apply the filter to see the list of publicly exposed workloads. This allows you to prioritize these workloads and fix the vulnerabilities.

      The Vulnerability Dashboard for cloud workloads shows the summary of the top publicly exposed cloud workloads with vulnerabilities.

      To learn more, see Viewing the Cloud Workloads Tab and About the Vulnerability Dashboard.

    • View Redundant Packages and Versions

      ZPC detects vulnerabilities in the same package and version when it is installed in multiple locations. You can view the file path of each package copy and take the necessary action.

      To learn more, see Viewing the Cloud Workload Details.

    • View Repository Details of Scanned Container Images

      You can view the repository details of the image that is scanned for vulnerabilities. Knowing the repository in which the image resides allows you to easily locate the image and fix vulnerabilities.

      To learn more, see Viewing the Container Details.

    • Vulnerability Detection on Ubuntu

      ZPC supports the detection of vulnerabilities present in cloud workloads running the Ubuntu 23.04 (Lunar Lobster) OS version.

      To learn more, see About Vulnerability Management.

    • Vulnerability Scanning of GKE Containers

      ZPC identifies all active images used by containers in monitored Google Kubernetes Engine (GKE) clusters and scans the images for vulnerabilities. Administrators can get vulnerability reports for the findings, run investigation queries, and set custom policies based on the common vulnerability and exposure (CVE) findings.

      To learn more, see Adding a Vulnerability Scanning Rule for Containers.

    • ZPC API

      ZPC supports REST APIs that allow for code-based alert retrieval. API access requires an API key, which you can create and manage in the ZPC Admin Portal. API key management entails updates to RBAC, expiration handling, and deletion of API keys.

      To learn more, see Understanding ZPC API, Getting Started, and About API Key Management.

  • Feature in Limited Availability
    • Oracle Cloud Infrastructure (OCI) Support

      ZPC extends its public cloud support with coverage for OCI services:

      • Onboard your OCI cloud accounts on ZPC.
      • Gain visibility of your OCI infrastructure's security posture on the Cloud Asset Inventory.

      To learn more, see Onboarding an Oracle Cloud Infrastructure (OCI) Tenant.

May 17, 2023
  • Feature Available
    • Alert Payload with Additional Attributes Sent to Cloud Storage Services

      Cloud and IaC alert payloads that ZPC sends to cloud storage services (Amazon S3, Azure Blob Storage, and Amazon Security Lake) now include two additional attributes: Audit Procedure and Remediation.

      To learn more, see About Alert Rules, Adding Cloud Alert Rules, and Adding IaC Alert Rules.

    • Container Workloads Investigation

      ZPC introduces container workload investigation, which lets you investigate Kubernetes workloads and gain insight into your container workload security posture without creating alerts or filtering dashboards. You can create investigations based on Kubernetes asset properties and on the images used by AWS EKS workloads.

      To learn more, see About Investigation.

    • Enhanced Cloud Account Filter

      The common filter Accounts now displays both the cloud account name and cloud account ID.

      To learn more, see Using Filters.

    • Generate Excel Copy for Security Policy Catalog

      You can export the security policy catalog to an Excel file from the Policies page on the ZPC Admin Portal.

      To learn more, see About Security Policies.

    • Ignore Filters Based on Clusters and Namespaces

      Alert Ignore filters can now filter on Kubernetes clusters and namespaces.

      To learn more, see Adding Ignore Filters.

    • Improved Service Coverage

      ZPC now offers security posture for the following services for cloud service providers:

      • Service Name (AWS)
        S3 Glacier
        Amazon Connect
        IoT SiteWise
        AWS IoT Events
        AWS IoT Core
        AWS IoT Analytics
        AWS AppFlow
        AWS Trusted Advisor
        AWS Backup
        AWS SageMaker
      • Service Name (Azure)
        Azure Red Hat OpenShift Cluster
        Azure Private Link
        Azure Kubernetes Fleet Manager
        Azure Deployment Environments
        Azure Digital Twins
        Azure Confidential Ledger
        Azure Communication Services
        Azure Cognitive Search
        Azure Virtual Machine Extensions
        Azure Automation Account Runbook
        Azure Resource Manager Templates
        Policy Definition
        Smart Alert Rules
        Azure Server Farms
        Azure SQL Virtual Machine
        Azure Network Watcher
        Azure Devtest Lab Schedules
        Azure DNS
        Azure Files
      • Service Name (Google Cloud)
        DataMigration - Migration Job
        DataMigration - Connection Profile
        Dataplex - Zone
        Healthcare - Dataset
        Datastream - Stream
        Datastream - Connection Profile
        Dataplex - Lake
        Dataplex - Assets
        Cloud Scheduler - Jobs
        Cloud CDN - Backend Bucket

      To learn more, see About Cloud Asset Types and Asset Categories.

    • Public Exposure Details for Assets

      Assets that are publicly exposed carry higher risk. ZPC now shares a visual indication for publicly exposed assets in the Assets drawer and the Assets table, and includes a filter to search for such assets.

      To learn more, see About Cloud Asset Type Details and Using Filters.

    • Scanning Google Artifact Registry for CVEs

      ZPC provides support for scanning container images stored in the Google Artifact Registry (GAR). This is in addition to the previous support for scanning container images in the Google Container Registry (GCR).

      GCR is expected to be deprecated in the near future and GAR is going to be the default registry for container images and packages.

      To learn more, see Integrating Vulnerability Management for Google Cloud Platform Accounts.

    • Security Policies

      The following security policies are available for cloud service providers:

      • Security Policy Title (AWS)
        EC2 Instance contains sensitive data
        EC2 Instance is running an image with critical vulnerabilities
        Ensure Amazon EFS file systems data is encrypted with KMS Customer Managed Keys (CMKs)
        Ensure Auto Renew is enabled for Route 53 domain
        Ensure Classic Load Balancer's listeners use secure protocols
        Ensure DNSSEC signing is enabled for Route 53 hosted zone
        Ensure Load Balancer's listeners use secure protocols
        Ensure Privacy Protection is enabled for Route 53 domain
        Ensure RDS DB clusters 'auto minor version upgrade' is set to 'Enabled'
        Ensure RDS DB clusters 'deletion protection' is set to 'Enabled'
        Ensure RDS DB clusters encryption is set to 'Enabled'
        Ensure RDS DB instance automated backup feature is enabled
        Ensure RDS DB instances 'auto minor version upgrade' is set to 'Enabled'
        Ensure RDS DB instances 'deletion protection' is set to 'Enabled'
        Ensure RDS DB instances are encrypted with KMS Customer Managed Keys (CMKs)
        Ensure RDS DB instances encryption is set to 'Enabled'
        Ensure SNS topic server-side encryption at rest uses an up to date key
        Ensure Transfer Lock is enabled for Route 53 domain
        Ensure access logs are enabled for Classic Load Balancer
        Ensure access logs are enabled for Load Balancer
        Ensure query logging is enabled for Route 53 hosted zone
        External account can access EC2 instance that contains sensitive data
        Publicly exposed EC2 instance contains sensitive data
        RDS Snapshot is shared with an external account
        Route 53 domain has expired
        Route 53 domain is about to expire in 30 days or less
        User without MFA can access EC2 instance that contains sensitive data
        Vulnerable publicly exposed EC2 instance contains sensitive data
      • Security Policy Title (Azure)
        Ensure Application Gateway uses WAF
        Ensure Azure API Management APIs use HTTPS rather than HTTP
        Ensure Azure SQL servers are encrypted with customer-managed keys
        Ensure Azure SQL servers are not publicly accessible
        Ensure access logs are enabled for Application Gateway
        Ensure audit logging is enabled for Azure SQL servers
        Ensure firewall logs are enabled for Application Gateway
        Ensure private endpoint is configured for Azure Key Vault Vaults
        Ensure transparent data encryption is enabled for Azure SQL databases
        Function application with a risky role combination is open to the internet
        Old Credentials for Privileged Service Principal
        Old Credentials for Service Principal
        Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
        Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
        Ensure that 'Enable infrastructure encryption' for each Storage Account in Azure Storage is set to 'Enabled'
        Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
        Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
      • Security Policy Title (Google Cloud)
        Ensure that Cloud Storage bucket is not anonymously or publicly accessible
        Critical virtual machine instance allows login with project level SSH keys enabled
        Ensure HTTP/S Load Balancer uses HTTPS rather than HTTP
        Ensure cloud functions do not have admin privileges
        Ensure logging is enabled for HTTP/S Load Balancing backend services
        Ensure Cloud Armor security policies are used for HTTP/S Load Balancing backend services
        Identity without MFA can elevate privileges by delegating as service accounts
        Non-human identity can create keys for service accounts
        Virtual machine instance with access to stale data snapshots is exposed to the public internet

      To learn more, see About Security Policies.

    • System Notifications

      ZPC supports system notifications that provide information about any possible errors or failures related to configurations or functionality in your cloud infrastructure. Currently, ZPC displays system notifications for cloud account onboarding and data collection failures. These notifications allow you to easily track and resolve the issues immediately.

      To learn more, see About System Notifications.

    • Vulnerability Detection in Microsoft Packages

      ZPC supports the detection of vulnerabilities in Microsoft packages such as .NET Framework, .NET Core Runtime, .NET Runtime, ASP.NET, Visual Studio, PowerShell, and SQL Server Management Studio.

      To learn more, see About Vulnerability Management.

April 19, 2023
  • Feature Available
    • Cloud Account Onboarding Enhancements

      The Cloud Accounts page offers visibility into onboarding and configuration metadata collection status. Administrators can view configuration metadata issues and possible solutions.

      To learn more, see About Cloud Accounts.

    • Dashboard for Container CVE Scans

      ZPC already provides support for the CVE scanning of Amazon Elastic Kubernetes Service (EKS) containers. You can now view a detailed dashboard of the container vulnerabilities that ZPC discovered in monitored EKS deployments. Use the filters to view vulnerabilities related to specific Kubernetes clusters.

      To learn more, see About the Vulnerability Dashboard.

    • Enhanced Asset Misconfiguration Detection

      EC2 instances attached to a subnet with a default network ACL and a public IP address were not detected as publicly exposed. This is now corrected; as a result, you may observe a higher number of publicly exposed instances.

      To learn more, see About Cloud Assets and About Alerts.
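      The correction above turns on a detail that is easy to get wrong: the network ACL that AWS attaches to every subnet by default allows all traffic, so it adds no protection and must be evaluated as permissive, not skipped. The following Python is an added example written for this article, not ZPC's detection code. It evaluates public exposure from the four conditions that must all hold (public address, route to an internet gateway, NACL allows the port, security group allows the port), using constructed records shaped like the relevant AWS API fields; the instance IDs, gateway IDs and addresses are placeholders.

```python
"""Added example: classifying an EC2 instance as publicly exposed.

Illustrative logic written for this article, not ZPC's detection code.
The records below are constructed in the shape of the matching AWS API
fields (DescribeInstances, DescribeRouteTables, DescribeNetworkAcls and
DescribeSecurityGroups), trimmed to what the check needs.
"""
import ipaddress


def reaches_from_internet(cidr):
    """True if a source range can contain internet addresses.

    0.0.0.0/0 always qualifies. An RFC 1918 or otherwise reserved range
    cannot be the source of traffic arriving through an internet gateway,
    so a rule scoped to it does not contribute to public exposure.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def port_in(rule, port):
    """Port match; a rule without ports (NACL 'ALL traffic') covers everything."""
    return rule.get("from_port", 0) <= port <= rule.get("to_port", 65535)


def subnet_routes_to_igw(route_table):
    """A public subnet has a default route whose target is an internet gateway."""
    return any(r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in route_table["routes"])


def nacl_allows(nacl, port):
    """Evaluate ingress entries the way the VPC does: ascending rule number,
    first match wins, implicit deny when nothing matches.

    The default NACL has a single allow-all ingress entry (rule 100), so it
    is fully permissive and must not be treated as 'no rule found'.
    """
    entries = sorted((e for e in nacl["entries"] if not e["egress"]),
                     key=lambda e: e["rule_number"])
    for e in entries:
        if reaches_from_internet(e["cidr"]) and port_in(e, port):
            return e["action"] == "allow"
    return False


def sg_allows(groups, port):
    """Security groups are allow-only: any attached group with a matching
    internet-reachable ingress rule opens the port."""
    return any(reaches_from_internet(r["cidr"]) and port_in(r, port)
               for g in groups for r in g["ingress"])


def is_publicly_exposed(instance, route_table, nacl, groups, port):
    """Traffic from the internet reaches the instance only if it has a public
    address, its subnet routes to an IGW, the NACL admits the port and a
    security group admits the port. All four are required."""
    return (instance.get("public_ip") is not None
            and subnet_routes_to_igw(route_table)
            and nacl_allows(nacl, port)
            and sg_allows(groups, port))


# Constructed sample data (IDs and addresses are placeholders).
INSTANCE = {"id": "i-0123456789abcdef0", "public_ip": "198.51.100.10"}
PRIVATE_INSTANCE = {"id": "i-0fedcba9876543210", "public_ip": None}
PUBLIC_SUBNET_ROUTES = {"routes": [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "igw-0a1b2c3d4e5f67890"},
]}
DEFAULT_NACL = {"entries": [  # what AWS creates with every VPC
    {"rule_number": 100, "egress": False, "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 32767, "egress": False, "cidr": "0.0.0.0/0", "action": "deny"},
    {"rule_number": 100, "egress": True, "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 32767, "egress": True, "cidr": "0.0.0.0/0", "action": "deny"},
]}
LOCKED_NACL = {"entries": [  # internal sources only; SSH from anywhere denied
    {"rule_number": 100, "egress": False, "cidr": "10.0.0.0/8", "action": "allow"},
    {"rule_number": 200, "egress": False, "cidr": "0.0.0.0/0",
     "from_port": 22, "to_port": 22, "action": "deny"},
    {"rule_number": 32767, "egress": False, "cidr": "0.0.0.0/0", "action": "deny"},
]}
SSH_FROM_ANYWHERE = [{"id": "sg-0aaa", "ingress": [
    {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]}]
INTERNAL_ONLY = [{"id": "sg-0bbb", "ingress": [
    {"cidr": "10.0.0.0/16", "from_port": 0, "to_port": 65535}]}]

if __name__ == "__main__":
    print(is_publicly_exposed(INSTANCE, PUBLIC_SUBNET_ROUTES, DEFAULT_NACL,
                              SSH_FROM_ANYWHERE, 22))
```

      With the default NACL and an SSH-from-anywhere security group the instance is reported as exposed; swapping in the locked-down NACL, an internal-only security group, or an instance without a public address each flips the result to not exposed. A detector that treats the default NACL as "no applicable rule" would miss the first case, which is the class of instance the fix above now reports.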

    • IaC Support for Bitbucket

      ZPC provides support for scanning IaC files in the Bitbucket repositories. You can use Zscaler IaC Scan to scan the IaC files, view the scan results in Bitbucket, and view alerts for IaC policy violations in the ZPC Admin Portal.

      To learn more, see Configuring IaC Scan for Bitbucket.

    • Improved Service Coverage

      ZPC now offers security posture for the following services for cloud service providers:

      • Service Name (AWS)
        Route 53
        AWS Batch
        AWS CodeDeploy
        AWS Step Functions
        AWS SimSpace Weaver
        AWS Serverless Application Repository
        Amazon MemoryDB for Redis
        AWS CodeBuild
        Amazon Inspector
        EC2 Networking - Transit Gateways, VPC Peering and VPNs
        AWS Athena
        AWS Elastic Beanstalk
        AWS Fargate
        Datalake GEN2
        Amazon Kinesis
        AWS DocumentDB
      • Service Name (Azure)
        Azure Fluid Relay
        Azure Managed Instance for Apache Cassandra
        Azure Route Server
        Azure Database Migration Service
        Azure IoT Central
        Azure Data Explorer
        Azure Health Data Services
        Azure Managed Grafana
        Azure Chaos Studio
        Container Apps
        Azure HPC Cache
        Azure Health Bot
        Azure Load Testing
        Azure Cloud Services (classic)
        Azure Batch
        Azure Quantum
        Azure Internet Analyzer
        Azure Firewall Manager
        Azure Blueprints
        Azure Analysis Services
        Datalake GEN2
      • Service Name (Google Cloud)
        ApiGateway Gateway
        App Engine
        Cloud Functions
        Cloud Tasks - Queue
        Cloud Tasks - Tasks
        Filestore - Snapshot
        Filestore - Instance
        ApiGateway API Config
        Logging LogBucket
        Cloud Tasks Queue
        Cloud TPU Node
        DataFusion Instance

      To learn more, see About Cloud Asset Types and Asset Categories.

    • Kubernetes Support Enhancement

      ZPC offers improved Kubernetes support:

      • ZPC collects configuration metadata and offers security posture for K8S IAM entities such as roles, role bindings, and service accounts allowing you visibility into the Kubernetes cluster RBAC.
      • ZPC collects configuration metadata for Kubelet configurations.
      • ZPC closes previously generated alerts for offboarded Kubernetes clusters.
      • ZPC offers insight into Kubernetes metadata collection. ZPC displays a new status called Warning when it's unable to collect configuration metadata for certain services.
      • ZPC collects configuration metadata only for user-generated jobs.

      To learn more, see About Cloud Accounts.

    • New Tags Tab in Alerts Drawer

      A Tags tab is available in the Alerts drawer. The Tags tab gives quick access to the asset or identity tags that triggered the alert.

      To learn more, see Viewing the Cloud Alert Details.

    • Package Displayed by Vulnerability Severity

      The Asset Vulnerability tab now orders packages by vulnerability severity: the package with the highest count of the most severe CVEs is listed first.

      To learn more, see About Cloud Asset Details.

    • Policy Focus Option Added in Create Ignore Filter

      When creating an Ignore filter, you can select Policy Focus under the Policies dropdown on the Filter Scope screen. The Policy Focus option selects if the Ignore filter focuses on assets, identities, or both.

      To learn more, see Adding Ignore Filters.

    • Remediation Recommendation in JetBrains IDE

      You can now view the remediation steps within the JetBrains IDE for policy violations detected in the IaC templates.

      To learn more, see Configuring IaC Scan for JetBrains IDEs.

    • Revamped Scanning Rules Workflow for Containers and Cloud Workloads

      The vulnerability scanning rules for cloud workloads and containers are consolidated under a single tile to simplify the process for creating vulnerability scan rules.

      To learn more, see Adding a Vulnerability Scanning Rule for Cloud Workloads and Adding a Vulnerability Scanning Rule for Containers.

    • Security Policies

      The following security policies are added for cloud service providers:

      • Security Policy Title (AWS)
        EC2 Instance is running an image with critical vulnerabilities
        Ensure that ElastiCache cluster with Replication Group is not listening on the default port
        Ensure that encryption at rest is enabled for ElastiCache Redis cluster with Replication Group
        Ensure Amazon Redshift databases are not using the default port
        Ensure Amazon Redshift clusters are created within a VPC
        Ensure Amazon Redshift clusters 'cross-region snapshot' feature is set to 'Enabled'
        Ensure Amazon Redshift clusters are encrypted with KMS Customer Managed Keys (CMKs)
        Ensure RDS DB clusters are encrypted with KMS Customer Managed Keys (CMKs)
        Ensure RDS DB clusters are not deployed with the default port
        Ensure RDS DB instances are not deployed with the default port
        Ensure RDS DB clusters IAM database authentication is set to 'Enabled'
        AWS - Ensure RDS DB instances IAM database authentication is set to 'Enabled'
        Ensure RDS DB instances are deployed as Multi-AZ
        Ensure RDS DB clusters 'Log exports' feature is configured
        Ensure RDS DB instances 'Log exports' feature is configured
        Ensure RDS DB clusters 'copy tags to snapshots' feature is set to 'Enabled'
        Ensure RDS DB instances 'copy tags to snapshots' feature is set to 'Enabled'
        Ensure Aurora DBs clusters encryption is set to 'Enabled'
        Ensure Aurora DBs 'log exports' feature is set to 'Enabled'
        Ensure Aurora DB clusters 'copy tags to snapshots' feature is set to 'Enabled'
        Ensure Aurora 'deletion protection' feature is set to 'Enabled'
        Ensure SNS delivery status logging is enabled
        Ensure SNS topic server-side encryption at rest is enabled
        Ensure that SNS topic does not allow everyone to publish to the SNS topic
        Ensure that SNS topic does not allow everyone to subscribe to the SNS topic
        Ensure Classic Load Balancer's Desync mitigation mode is not set to 'Monitor'
        Ensure Application Load Balancer's Desync mitigation mode is not set to 'Monitor'
        Ensure Application Load Balancer redirects HTTP traffic to HTTPS
        Ensure CloudFront distribution uses at least one kind of logs
        Ensure CloudFront distribution standard logging is enabled
        Ensure CloudFront distribution realtime logging is enabled
        Internet facing EC2 instance can elevate to Admin using ec2-instance-connect
      • Security Policy Title (Azure)
        Virtual machines with powerful identity
        Ensure that no custom subscription owner roles are created
        Ensure Custom Role is assigned for Administering Resource Locks
        Function App with power identity is open to the internet
        Power identity without MFA
        Internet facing virtual machine potentially exposes a vulnerable service to the internet
        Internet facing virtual machine attached with a powerful managed identity and is running an image with critical vulnerabilities
        Internet facing virtual machine attached with a managed identity is running an image with critical vulnerabilities
        Internet facing virtual machine attached with a powerful managed identity is running a vulnerable image
        Internet facing virtual machine attached with a managed identity is running a vulnerable image
        Virtual machine Instance is running an image with critical vulnerabilities
        Virtual Machine with privileged role assignment is open to the internet
        Function App with privileged role assignment is open to the internet
        Function application with a risky role combination is open to the internet
        Service principal with credentials can access unattached disk from the internet
        Virtual machine with a risky role combination is open to the internet
      • Security Policy Title (Google Cloud)
        New External Keys for privileged service account that already has external keys
        Non-human identity can create keys for service accounts
      • Security Policy Title (Kubernetes)
        Apply Security Context to Your Pods and Containers associated with Deployments

      To learn more, see About Security Policies.

    • Updated Filters for Alerts

      The following cloud and IaC alert filters are available:

      • Policy Name
      • Policy ID
      • Theme
      • Threat Category
      • MITRE ATT&CK
      • Cloud Account ID
      • Cloud Account Name
      • Focus

      To learn more, see Using Filters.

    • Vulnerability Scanning Support for Amazon Linux Versions

      ZPC provides vulnerability scanning support for Amazon Linux 2022 and Amazon Linux 2023 versions.

      To learn more, see Supported OS and Application Packages for Vulnerability Scanning.

March 23, 2023
  • Feature Available
    • Enhanced Search Functionality

      The search option across all tables and pages in the ZPC Admin Portal is enhanced for improved usability.

      The improvements are:

      • The columns that can be searched are listed.
      • The column headings in tables are highlighted for better visualization.
      • The search detects all items containing the search string and displays the results in the table.

      For example, the following image shows the searchable columns on the Business Units Management page.

    • IaC Support for JetBrains IDEs

      You can install the Zscaler IaC Scan plugin on the JetBrains Integrated Development Environments (IDEs) and scan IaC templates. You can scan individual files and directories for misconfigurations.

      To learn more, see Configuring IaC Scan for JetBrains IDEs.

    • Improved Date and Time Formats

      The date and time formats are now adjusted and displayed using the format that the user has selected for their browser or operating system (OS). For example, the following image shows the date and time format on the Audit Logs page.

    • Kubernetes Support Enhancement

      ZPC now supports Microsoft Azure Kubernetes Service (AKS) clusters. You can onboard Microsoft Azure AKS clusters and gain insight into their security posture via the asset inventory.

      To learn more, see Onboarding an Azure Kubernetes Service Cluster.

    • New Alert Age Filter

      An Alert Age filter was added to the alert filters for more granularity and flexibility. By selecting Alert Age from the additional Alert Filter options, you can filter alerts by exact age, alerts older than a specific age, and alerts newer than a specific age. All ages are measured in days.

      To learn more, see Using Filters.

    • New Alert Attributes

      Four new alert attributes are added to the Cloud Alerts table: Cluster Name, Cluster Type, Namespaces, and Associated Cloud. Users can see these in the main Alerts table and the Alert Details Drawer.

      You can also search for these alerts using the Alerts Filters.

      To learn more, see About Alerts.

    • Security Policies

      The following security policies are available for cloud service providers:

      • Security Policy Title (AWS)
        Internet-facing Lambda function can manage users and permissions
        Internet-facing Lambda function without WAF protection
        Instance accepts inbound internet traffic
        Role can be assumed by anyone
        Ensure that SNS topic does not allow everyone to subscribe to the SNS topic
        Ensure ElastiCache cluster is not listening on the default port
        Ensure Amazon Redshift clusters are not publicly accessible
        Internet facing EC2 instance with role is running vulnerable image
        Internet facing EC2 instance with role is running a vulnerable image and enables IMDSv1
        Internet facing EC2 instance with a powerful role is running a vulnerable image and enables IMDSv1
        Internet facing EC2 instance with a role is running an image with critical vulnerabilities and enables IMDSv1
        Internet facing EC2 instance has a powerful role and is running an image with critical vulnerabilities and enables IMDSv1
        Block-public-access control not enforced on private bucket
        Internet-facing Lambda function with admin privileges requires no authentication
        Internet facing Lambda function with privilege escalation risk with ec2 connect
        Internet-facing Lambda function with privilege escalation risk using PassRole action
        Internet facing EC2 instance can elevate to Admin using ec2-instance-connect
        Lambda Function With Anonymous URL Access is privileged
        EC2 Instance is running a vulnerable image
        Internet facing EC2 instance potentially exposes a vulnerable service to the internet
        Ensure ElastiCache cluster encryption in transit is enabled
        Ensure ElastiCache Redis cluster encryption at rest is enabled
        Ensure that encryption in transit is enabled for Redis ElastiCache cluster with Replication Group
        Ensure Amazon Redshift clusters enable encryption in transit
        Ensure Amazon Redshift clusters 'enhanced vpc routing' feature is set to 'Enabled'
        Ensure Amazon Redshift clusters 'automated snapshot' feature is set to 'Enabled'
        Ensure DynamoDB tables stream is set to 'Enabled'
        Ensure DynamoDB tables are encrypted with KMS Customer Managed Keys
      • Security Policy Title (Azure)
        Ensure RBAC is configured for data plane access control in Azure Key Vault vaults
        Ensure private endpoint is configured for Azure Key Vault vaults
        Ensure public access is disabled for Azure Key Vault vaults
        Function app with power identity is open to the internet
        Ensure Purge Protection is enabled for Azure Key Vault vaults
        Power identity without MFA
        Instance is open to all ports and all IP ranges
        Virtual Machine accepts inbound internet traffic
        Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
        Ensure the storage account containing the container with activity logs is encrypted with BYOK
      • Security Policy Title (Google Cloud)
        Ensure that Separation of duties is enforced while assigning service account related roles to users
        Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
        Ensure that Service Account has no Admin privileges
        Ensure that Separation of duties is enforced while assigning KMS related roles to users
      • Security Policy Title (Kubernetes)
        Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS
        Restrict Access to the Control Plane Endpoint
        Enable audit logs

      To learn more, see About Security Policies.

    • Vulnerability Scanning of Containers in Amazon EKS Clusters

      ZPC supports the scanning of containers deployed to Amazon Elastic Kubernetes Service (EKS) clusters. ZPC identifies all active images used by containers in monitored Kubernetes clusters and scans the images stored in Amazon Elastic Container Registry (ECR) for vulnerabilities. You can view and download reports, run investigation queries, and set custom policies based on the Common Vulnerabilities and Exposures (CVE) findings.

      To learn more, see About Vulnerability Management.

      Vulnerability Scanning Rule for Containers

      You can configure vulnerability scanning rules and schedule the scan to run at regular intervals to detect vulnerabilities in container images within the production environment.

      To learn more, see Adding a Vulnerability Scanning Rule for Containers.

March 01, 2023
  • Feature Available
    • Alert Age Attribute

      A new Alert Age attribute was added to the alert data. The Alert Age is the number of days since the last time the Alert Status was set to Open.

      To learn more, see About Alerts.

    • Cloud Account Management

      ZPC now supports changing business units for multiple cloud accounts.

      To learn more, see Managing Cloud Accounts.

    • Generate Excel Report for Asset Package Inventory

      You can export asset package data to an Excel file from the Vulnerabilities tab of the Asset drawer.

      To learn more, see About Cloud Asset Details.

    • Identity Classification Algorithm Enhancement

      The ZPC proprietary ML algorithm can now determine cloud identity types as human or non-human with more precision.

      To learn more, see About Identity Types.

    • New Time Filters for Alerts

      The alert time range filter capabilities are modified and expanded for more granularity and flexibility:

      • Cloud alerts have two time range filters: Created Date and Updated Date.

      • IaC alerts have three time range filters: Scan Time, Created Date, and Update Date.

      The Created Date is the first time the misconfiguration was identified in the customer's public cloud. The Updated Date is either the most recent occurrence of the misconfiguration or the latest action performed by a ZPC admin on the alert. The Scan Time is the last time the alert was set to Open.

      The change allows for filtering on the entire alert lifecycle (in which alerts can close and reopen).

      To learn more, see Using Filters.

    • Policy Catalog Enhancement

      You can now enable or disable a security policy from the policy catalog table. When disabled, the policy is not run against the collected configuration metadata.

      To learn more, see About Security Policies.

    • Query Predicate Enhancement

      The following query predicates can now be entered as free text, in addition to being selected from the drop-down menu:

      • Asset Name
      • Asset ID
      • Asset Type
      • Identity Name
      • Identity ID
      • Permission Set Name
      • Allowed Action
      • Permission Set Type
      • Group Membership
      • Account ID
      • CVE ID
      • Package Name
      • Image ID

      To learn more, see Creating a New Investigation.

    • Regex Patterns for Including or Excluding File Paths in IaC Scan

      Zscaler IaC Scan supports limiting a scan to specific directories within a version control system. You can use regular expression (regex) patterns to specify the file paths to include in or exclude from IaC scans. The option is available under Advanced Settings for GitHub, GitLab, and Azure Repos.

      To learn more, see Configuring IaC Scan for GitHub, Configuring IaC Scan for GitLab, and Configuring IaC Scan for Azure Repos.
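      Include and exclude patterns interact in ways worth checking before they are applied to a large repository: an unanchored pattern matches anywhere in the path, and an exclude should win over an include so that vendored or generated trees can be cut out of a broad selection. The Python below is an added example written for this article; it is not Zscaler IaC Scan's own matcher, and the precise semantics of the product's Advanced Settings patterns are not documented here. The repository listing is constructed to resemble a monorepo with infrastructure, service and vendored directories.

```python
"""Added example: selecting files for an IaC scan with include/exclude regexes.

Written for this article, not Zscaler IaC Scan's own matcher. The file list
is a constructed monorepo listing; the matching rules below are assumptions
chosen to make the include/exclude interaction explicit.
"""
import re

# Constructed monorepo listing.
REPO_FILES = [
    "infra/prod/main.tf",
    "infra/prod/variables.tf",
    "infra/dev/main.tf",
    "services/payments/deploy/k8s/deployment.yaml",
    "services/payments/src/app.py",
    "services/search/deploy/k8s/deployment.yaml",
    "vendor/modules/vpc/main.tf",
    "docs/README.md",
]


def invalid_patterns(patterns):
    """Return (pattern, error) pairs for patterns that do not compile.

    Validate before saving a scan configuration: a bad regex that is only
    discovered at scan time silently scans nothing or everything.
    """
    bad = []
    for p in patterns:
        try:
            re.compile(p)
        except re.error as exc:
            bad.append((p, str(exc)))
    return bad


def select_files(paths, include=(), exclude=()):
    """Return the subset of paths that a scan would cover.

    - No include patterns means every path is a candidate.
    - A path is kept if it matches at least one include pattern. Matching
      uses re.search, so anchor with ^ and $ when a whole-path or
      directory-prefix match is intended ("^infra/prod/" rather than "prod").
    - Exclude wins over include, so a broad include such as "\\.tf$" can still
      leave out vendored modules with "^vendor/".
    """
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    selected = []
    for path in paths:
        if inc and not any(r.search(path) for r in inc):
            continue
        if any(r.search(path) for r in exc):
            continue
        selected.append(path)
    return selected


if __name__ == "__main__":
    # Monorepo case: scan only one service's deployment manifests.
    for f in select_files(REPO_FILES, include=[r"^services/payments/deploy/"]):
        print(f)
```

      Running it with `include=[r"\.tf$", r"/deploy/k8s/"]` and `exclude=[r"^vendor/"]` keeps the five first-party Terraform and Kubernetes files and drops the vendored module, while an unanchored `main\.tf$` also pulls in the vendored copy, which is usually not what the team that owns the repository wants to be alerted on.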

    • Security Policies

      Added the following security policies for cloud service providers:

      • Security Policy Title (Azure)
        Ensure That Microsoft Defender for App Services Is Set To 'On'
        Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
        Ensure That Microsoft Defender for Containers Is Set To 'On'
        Ensure That Microsoft Defender for Key Vault Is Set To 'On'
        Ensure That Microsoft Defender for Servers Is Set to 'On'
        Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
        Ensure That Microsoft Defender for Storage Is Set To 'On'
        Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected
        Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected
        Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
        Ensure 'Additional email addresses' is Configured with a Security Contact Email
        Ensure That 'Notify about alerts with the following severity' is Set to 'High'
        Ensure That 'All users with the following roles' is set to 'Owner'

      To learn more, see About Security Policies.

    • Software Package Inventory for Cloud Workloads and Container Images

      Customers can run queries on software packages and on threats associated with packages across workloads and container images to help with compliance.

      To learn more, see About Cloud Asset Details.

    • Supported Asset Types

      The following asset types are now supported by ZPC:

      • AWS
        • AWS Key Management Service (KMS)
        • Elastic Load Balancing (ELB)
      • Azure
        • Azure Bastion
        • Blob Storage
        • App Service
        • Azure Policy
        • Azure Cosmos DB
        • Key Vault
        • LoggingAndMonitoring
        • API Management
      • Google Cloud
        • SQL Server on Google Cloud
        • Cloud Spanner
        • Firestore
        • Resource Manager
        • Cloud Logging
        • Cloud Storage
        • Cloud Functions
        • Cloud Bigtable
        • Cloud Load Balancing
        • Cloud Source Repositories
        • Cloud Composer

      To learn more, see Cloud Asset Types and Asset Categories.

    • Vulnerability Scanning Support for Google Cloud Platform Workloads

      ZPC supports the agentless vulnerability scanning of both Linux and Windows Google Cloud Platform (GCP) workloads. ZPC supports the vulnerability scanning of both non-encrypted and encrypted (Google-managed encryption) workloads.

      To learn more, see Configuring Vulnerability Scanning for GCP Workloads.

January 19, 2023
  • Feature Available
    • Asset Risk Level

      The Asset Risk Level shows an asset's risk level based on the number and type of open alerts associated with the asset. The Asset Risk Level is Low, Medium, High, or Critical.

      The Asset Risk Level is shown in a column on the Assets page, and users can use the score to filter assets.

      To learn more, see About the Cloud Assets Dashboard.

    • Audit Logs

      Audit logs now integrate with additional ZPC modules (vulnerability management and KSPM onboarding) and show information on actions performed in the specific modules.

      To learn more, see About Audit Logs and Audit Log Events.

    • Cloud Account Onboarding Enhancements

      The following improved usability and expanded functionality are implemented to the cloud account onboarding experience:

      • ZPC now monitors the state of every onboarded account, organization, and Kubernetes cluster. You can view the status on the Cloud Accounts page.
      • ZPC gives clear recommendations for resolving configuration errors and missing permissions.
      • ZPC lets you enable vulnerability scanning, KSPM, and AWS CloudTrail settings after a cloud account has been onboarded.

      To learn more, see About Cloud Accounts, Configuring Vulnerability Scanning for Cloud Accounts, and Configuring CloudTrail S3 Buckets for AWS Organization.

    • Error Message for Vulnerability Scan Failure

      Error messages are displayed for vulnerability scan failures. Whenever a cloud workload or container image is not scanned due to an internal or permission error, the scan status is displayed as Failed along with the relevant error message on the ZPC Admin Portal. This message enables you to investigate and resolve the issue.


      To learn more, see About Vulnerability Scanning.

    • Ignore Filter End Date

      You can now define an end date for an Alert's Ignore filter. When the date is passed, the Ignore status is removed from the alert and the alert returns to either Open or Resolved, depending on whether ZPC still detects the misconfiguration.


      To learn more, see About Alerts.

    • Ignore Rules Operationalization

      ZPC notifies you when an Ignore rule is no longer valid or operational.

      An icon indicating that the ignore rule is no longer valid appears in the top-level Ignore Rule table, and the rule is automatically disabled.

      The item that invalidates the ignore rule is indicated in the Ignore Rule Details view.

      To learn more, see About Alerts.

    • Include Directory Paths in IaC

      Zscaler IaC Scan now supports scanning specific directories within a version control repository. Organizations that use a monorepository (monorepo) might not want to scan the entire repository, because doing so could generate a large number of alerts. By including only specific directory paths, you can focus the IaC Scan on improving the security posture of the parts of the repository you own.

      To learn more, see Configuring IaC Scan for GitHub, Configuring IaC Scan for GitLab, and Configuring IaC Scan for Azure Repos.

    • Investigation Enhancements

      The following enhancements are implemented in Investigation:

      • You can now export investigation data to an Excel file and download the report.

      • You can now investigate all deployed packages on workloads and container images.

      To learn more, see Creating a New Investigation.

    • Kubernetes Support Enhancement

      The following enhancements are implemented in Kubernetes support:

      • ZPC now supports Google Kubernetes Engine (GKE) clusters. You can onboard GCP GKE clusters and gain insight into their security posture via the asset inventory.
      • ZPC now supports onboarding EKS and GKE clusters for multiple accounts belonging to an organization.

      To learn more, see Onboarding a Google Kubernetes Engine Cluster and Onboarding an Amazon Elastic Kubernetes Service Cluster.

    • New Alert Table Capabilities

      The Alerts table has new capabilities:

      • The left-most and right-most columns are sticky, simplifying alert navigation and actions.
      • New indicators show which columns are currently sorted or filtered in the Alerts table.
      • An Ignore End Date filter is available so you can filter and sort alerts by their ignore end date.

      • You can navigate from the individual alert drawer to the policy drawer to learn more details about the policy that triggered the alert.

      To learn more, see About Alert Rules.

    • Policy Catalog Enhancements

      The policy catalog table now displays the following additional columns:

      • Updated by: View the username of the ZPC administrator who last edited the security policy.
      • Last Updated: View the timestamp of the last edit on the security policy.
      • State: View whether the security policy is enabled or disabled.
      • Focus: View whether the security policy is asset focused or identity focused.

      To learn more, see About Security Policies.

    • Secrets Detection

      IaC scanning obfuscates secrets such as access keys and database passwords that are present in Terraform and CloudFormation templates, so they are not exposed in scan results. Obfuscation only affects what the scan shows; a secret that was committed to a template is still in the repository's history and should be rotated and moved to a secrets manager.

      To learn more, see About IaC Integrations.
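The following is an added illustration of the kind of obfuscation described above, written for this page; it is not ZPC's own implementation, whose patterns are not published here. It redacts two classes of secret in Terraform and CloudFormation text: values assigned to password- or secret-named attributes, and strings matching the public AWS access key ID format. Values that are references (Terraform `var.`/`local.`/`data.`, CloudFormation `!Ref`/`!Sub`/`!GetAtt`) are left alone, because a reference is the correct way to supply a secret and masking it would hide a good pattern. The attribute-name heuristic, the reference list, and the sample templates are all assumptions constructed for the example.

```python
"""Added example (not ZPC's code): mask hard-coded secrets in IaC templates and
report where they were found. Heuristics and sample templates are constructed."""

import re
from typing import List, Tuple

# AWS access key IDs have a fixed, publicly documented shape: AKIA/ASIA + 16 chars.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Attribute whose name contains "password" or "secret", in HCL (name = "v"),
# JSON ("Name": "v") or YAML (Name: v) form. Only the value is captured.
SECRET_ATTR = re.compile(
    r'(?i)^(?P<prefix>\s*"?[a-z_]*(?:password|secret)[a-z_]*"?\s*[:=]\s*"?)'
    r'(?P<value>[^"\s,]+)'
)

# Values that are references to variables or parameters, not literal secrets.
REFERENCE_PREFIXES = ("var.", "local.", "data.", "${", "!Ref", "!Sub", "!GetAtt", "{")
MASK = "[REDACTED]"


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Return the line with literal secrets masked plus the kinds of secret found."""
    kinds = []
    m = SECRET_ATTR.match(line)
    if m and not m.group("value").startswith(REFERENCE_PREFIXES):
        line = line[: m.start("value")] + MASK + line[m.end("value"):]
        kinds.append("credential attribute")
    if ACCESS_KEY_ID.search(line):
        line = ACCESS_KEY_ID.sub(MASK, line)
        kinds.append("AWS access key ID")
    return line, kinds


def redact_template(text: str) -> Tuple[str, List[Tuple[int, str]]]:
    """Redact a whole template; findings are (line number, kind) pairs."""
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), 1):
        masked, kinds = redact_line(line)
        out.append(masked)
        findings.extend((number, kind) for kind in kinds)
    return "\n".join(out), findings


# Constructed Terraform sample. The access key is AWS's documented example key.
SAMPLE_TF = '''
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = "Sup3rS3cret!"
}

resource "aws_db_instance" "safe" {
  password = var.db_password
}
'''

# Constructed CloudFormation sample: one literal password, one correct !Ref.
SAMPLE_CFN = '''
Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: admin
      MasterUserPassword: hunter2
  Safe:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: !Ref DbPassword
'''

if __name__ == "__main__":
    for name, template in (("terraform", SAMPLE_TF), ("cloudformation", SAMPLE_CFN)):
        masked, findings = redact_template(template)
        print(f"== {name}: {len(findings)} secret(s) masked ==")
        for number, kind in findings:
            print(f"  line {number}: {kind}")
        print(masked)
```

The line-level findings are what a scan result would surface; the masked text is what a reviewer would be shown instead of the raw template.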

    • Security Policies

      The following security policies are added for cloud service providers:

      • Security Policy Title
        Lambda with Admin Identity
        Internet-facing Lambda function with admin privileges
        Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances
        Ensure that encryption is enabled for EFS file systems
        Ensure that public access is not given to RDS Instance
        Ensure no security groups allow ingress from ::/0 to remote server administration ports (RDP Port: 3389)
        Ensure no security groups allow ingress from ::/0 to remote server administration ports (SSH Port: 22)
      • Security Policy Title
        Ensure cloud functions do not have admin privileges

      To learn more, see About Security Policies.
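The two security-group policies listed above look for ingress from ::/0 to SSH (22) and RDP (3389). As an added example written for this page, not ZPC's policy code, the check below evaluates security-group records shaped like the EC2 DescribeSecurityGroups response. It goes slightly beyond the policy titles: it also flags the IPv4 equivalent 0.0.0.0/0, and it catches rules that expose an admin port through a wider port range or the all-traffic protocol (-1), which a naive "FromPort == 22" check would miss. The group IDs and rules are constructed for the example.

```python
"""Added example (not ZPC's policy code): flag security-group ingress rules that
expose SSH (22) or RDP (3389) to the whole Internet over IPv6 (::/0) or IPv4
(0.0.0.0/0). Records follow the shape of the EC2 DescribeSecurityGroups response;
the groups below are constructed for this example."""

from typing import Dict, List, Tuple

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def rule_covers_port(rule: Dict, port: int) -> bool:
    """An IpPermission covers `port` if it is all-traffic (-1) or a TCP range
    containing the port. UDP and other protocols cannot carry SSH or RDP."""
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # "6" is TCP's protocol number
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def open_sources(rule: Dict) -> List[str]:
    """Return the unrestricted CIDRs in a rule: IPv6 first, since that is what the
    two policies above check, then the IPv4 equivalent."""
    sources = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    sources += [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    return sources


def find_open_admin_ports(groups: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (group id, service, offending CIDR) for every violating rule."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for port, service in ADMIN_PORTS.items():
                if rule_covers_port(rule, port):
                    for cidr in open_sources(rule):
                        findings.append((sg["GroupId"], service, cidr))
    return findings


# Constructed sample data; group IDs are hypothetical.
SAMPLE_GROUPS = [
    {   # SSH limited to a private range over IPv4 but wide open over IPv6
        "GroupId": "sg-0aaa",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # all traffic from anywhere: exposes both admin ports over IPv4
        "GroupId": "sg-0bbb",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # HTTPS to the world is fine; the 3000-4000 range quietly includes RDP
        "GroupId": "sg-0ccc",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for group_id, service, cidr in find_open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} open to {cidr}")
```

To run it against a live account, pass the `SecurityGroups` list from `describe-security-groups` in place of the constructed sample; the record shape is the same.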

    • Support for Terraform Cloud Pre-Plan

      Zscaler IaC Scan supports the scanning of Terraform Cloud templates during the pre-plan phase. This option allows you to see policy violations for specific lines of code within the template file.

      To learn more, see Configuring IaC Scan for Terraform Cloud.

    • Updated Ignore Filter Rules

      There is now greater flexibility when creating ignore filters. Ignore filters allow admins to set specific criteria for ignoring any new or updated alerts. The new options include:

      • Cloud: Admins can ignore alerts for an entire cloud service provider, such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or Kubernetes.
      • Policy Severity: Admins can ignore alerts generated for Critical, High, Medium, and Low policy severities.
      • Individual Policies: Admins can create ignore rules based on individual security policies.
      • Ignore Filter End Date: The new Ignore Filter End Date feature lets admins add an end date to an ignore policy.

      These conditions can be combined with each other and with the existing criteria.

      To learn more, see Ignore Filters.
