Known Limitations

See Onboarding Alibaba Cloud Accounts.

• You cannot apply Organizational Units actions to Alibaba Cloud Cloud computing platform that provides cloud computing services to online businesses and Alibaba's own e-commerce ecosystem. accounts.

• Automatic Remediation with CloudBots for Alibaba Cloud does not exist, so active remediation can be limited.

• Some Alibaba Cloud assets are not supported.

• Some dashboard widgets (see Dashboards) can fail to show Alibaba Cloud account data.

• Alibaba Cloud accounts have three tabs:

  • Protected Assets

  • Compliance Policies

  • Assessment History

See Applying a CloudBot immediately (Fix it).

The Fix it option is not applicable to GCP Google® Cloud Platform - a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail, Google Drive, and YouTube. environments.

AWS

See Onboarding AWS Environments to Intelligence

• AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. allows you to set only one event notification on a specific prefix with a specific event type. You cannot onboard an S3 bucket if the bucket has the event notifications set, and one of the notifications meets two conditions below:

  • The notification has an empty prefix filter set (that is, all of the bucket) or an explicit AWS log-prefix set.

  • The event type is PutObject or all object-created events.

• For Intelligence, you can onboard an S3 bucket through one SNS topic only.

• Intelligence cannot analyze the involved IAM Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. policies: S3 bucket policy, existing SNS topic policy, and policies of the CloudGuard IAM trust role. Therefore, permission-related issues can occur when you create the onboarding stack.

• You cannot onboard an account to Intelligence if you use an encrypted SNS topic.

Kubernetes

See Intelligence for Kubernetes Containers

• Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. Intelligence takes about 5 minutes to start the traffic visualization in the CloudGuard portal. For new assets, the process can take 10 minutes, and while it is in progress, you can see assets by their IP addresses and not the names.

  • CloudGuard receives Flow Logs every half a minute, while inventory update occurs each 5 minutes. This is why the traffic of the new assets can be seen as traffic that originated from an IP address (not enriched) and not from a Pod (enriched).

  • It takes time for CloudGuard to handle (enrich/store) the data.

• The CloudGuard portal does not show traffic for pods in the host networks. Therefore, for example, Flow Logs agent pods cannot be seen on the Graph.

• Kubernetes Intelligence agents support Linux kernel v4.1 and higher.

• Kubernetes Intelligence does not identify the connection's direction and treats each connection as bidirectional.

• Kubernetes Intelligence categorizes IP addresses as Private IP based on RFC-1918.

  The applicable ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

  This means that a workload that uses one of the IP addresses is considered a Private IP, even if it is external to the cluster.

AWS EKS Support

See Image Assurance on AWS Fargate

CloudGuard supports Posture Management, Image Assurance, and Admission Control on AWS Fargate clusters.

To use Runtime Protection and Threat Intelligence with AWS EKS Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises., install them on your non-Fargate clusters.

Note - For Runtime Protection and Threat Intelligence, CloudGuard does not support mixed (EC2 Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers. and Fargate compute) clusters.

GKE Autopilot

Runtime Protection is not supported on Autopilot clusters.

Runtime Protection

Kubernetes Runtime Protection agents support Linux kernel v4.1 and higher.

Images

See Images.

• Images used by short-lived pods may not be visible to Image Assurance.

• The Request Scan usage is limited to 200 requests in an hour.

• Requests for a scan of inactive images are not available.

• On-demand scanning is not supported for ShiftLeft The ShiftLeft tool scans source code, containers and serverless functions, looking for vulnerabilities including those associated with the Log4j tool. This tool alerts the security and DevOps teams if any vulnerabilities are detected in the pre-build phase, ensuring that vulnerable code is not deployed. images and environments.

Container Registry Scanning

See Onboarding Container Registries and Container Registry Scanning.

• By default, CloudGuard adds to Protected Assets and scans only 10 recent images of each repository. You can change the default value with the API call (maximal number is 1000 for a JFrog Artifactory and Sonatype Nexus). For more information, see the API Reference Guide.

• Scanning Windows container images is not supported.

• For JFrog Artifactory, it can take about 20 minutes that the images start to show for the first time.

• For JFrog Artifactory and Sonatype Nexus, the maximal number of tags per repository is 1000. Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. images from the repositories with more than 1000 tags are neither shown as protected assets, nor scanned. The number is limited due to extensive API calls and performance considerations.

ImageScan Findings

See Image Scan Findings.

• Sometimes, the ImageScan category is not available in the filter when you create a notification. This happens with newly onboarded environments where CloudGuard has not finished yet to scan images for the first time. Wait approximately 5-10 minutes to let it finish and try again.

• The remediation length is limited to 25,600 symbols. The remediation that exceeds this length is truncated to 25,600 symbols.

For a detailed list of limitations, see Known Limitations.

CloudGuard was integrated with the Infinity Portal, and some features existing in the standalone version are not supported, as of this writing.

• Managed Service Providers (MSP) are not available.

• Usernames do not allow aliases such as johndow+demo@mycompany.com.

• SSO Single Sign-On (SSO) - A session/user authentication process that permits a user to enter one name and password in order to access multiple applications. is limited to IDPs that integrate with the Infinity Portal.

• The Singapore Data Center is not available in the Infinity Portal.