TotalCloud Release 2.24

May 04, 2026

TotalCloud Release 2.24 introduces support for FedRAMP High, expansion of TruRisk™ Insights for Azure, enhancements to cloud inventory tagging, support for OCI exceptions, CDR enhancements, and extensive updates to AWS and Azure compliance controls.

FedRAMP High Support for TotalCloud and CDR

Applicable for: 

With this release, we are excited to announce that TotalCloud now supports FedRAMP High, significantly expanding our capabilities for U.S. federal agencies and organizations with the most stringent security and compliance requirements.

By becoming FedRAMP High compliant, TotalCloud meets rigorous compliance requirements to securely handle highly sensitive data that demands the highest level of protection.

In addition, CDR now supports FedRAMP High for AWS environments, enabling customers operating in AWS GovCloud or FedRAMP High–authorized AWS regions to benefit from elevated security and assurance. Support for FedRAMP High on other cloud providers for CDR will be added in future releases.

Benefits:

• Ability to migrate and operate sensitive workloads with confidence
• Meets requirements for high-impact data and mission-critical systems
• Ensures alignment with federal security guidelines

 This feature is available for the FEDRAMP HIGH Cloud Platform (https://qualysguard.gov1.qualys.us) to ensure the highest level of data security practices is adopted.

• This update does not affect existing configurations or workflows. 
• Support for additional cloud providers for CDR will be delivered in upcoming releases.

Extended TruRisk™ Insights Coverage for Microsoft Azure

Applicable for: 

This release expands coverage of TruRisk™ Insights for Azure. Azure support is now included in the following TruRisk™ insights.

Expanded Cloud Tag Support for AWS Cloud Inventory

Applicable for:   

This release introduces support for cloud tags across all AWS cloud inventory types. Tags are now available through QQL and APIs, and for resources with detailed inventory support, tag information is also displayed in the UI.

This makes it easier to perform:

• Tag-based resource grouping
• Policy evaluations
• Inventory queries
• Compliance reporting

To view the assigned Cloud Tags, click on any resource of any inventory type and select Tags on the left navigation menu.

You can also check the Posture status and Inventory of any resource, using the tokens aws.tag.key or aws.tag.value.

Default Cloud Provider Preferences Across UI

Applicable for: 

You can now set a default Cloud Provider view for the Inventory, Posture, and Responses section. This setting automatically loads your preferred cloud provider when you access these sections, eliminating the need to select it each time.

For example, if you set Azure as your default cloud provider, the Inventory, Posture, and Response pages in the TotalCloud module open with Azure data.

To support this update, we have introduced a new Preferences tab. To view and manage your default cloud provider, navigate to Configure → Preferences.

Manage/Create Exceptions in Oracle Cloud Infrastructure (OCI)

Applicable for:   

This release adds exception support for OCI. You can now create connector-level and resource-level exceptions for OCI controls, using the same workflow available for AWS, Azure, and GCP.

Benefits

You can now create exceptions directly from failed controls or affected resources, without switching between control and resource views.

• You can suppress known or accepted OCI control violations without compromising overall security.
• You can mark approved violations as exceptions to focus only on actionable issues.

To create a new exception for OC, navigate to Policy → Exceptions → New → Basic Details → Provider → OCI. For more details on how to create exceptions, refer to the TotalCloud online help.

You can also create an exception for any resource that failed evaluation directly from the Posture section. Navigate to Posture → Select a Control with failed resources → select Quick Actions for the resource → Create Exception. 

After you set an exception, resources that passed with exceptions will appear with PASS^E status.

Currently, OCI supports only connector-level and resource-level exceptions and does not support tag‑based exceptions.

AWS Connector Permissions Validation and Visibility

Applicable for:   

This release introduces a new "Cloud Permissions" tab for CSPM connectors in TotalCloud's configuration section. You can now easily identify and address missing AWS permissions required for CSPM assessments, including control and inventory permissions.

To view the permissions, navigate to Configure → Select a connector → Connector Summary → Cloud Permissions.

The new cloud permission tab provides deeper visibility into permission-related issues, including:

• Available Permissions – Lists permissions that AWS IAM policy has granted.
  
  
• Unavailable Permissions - Displays missing permissions with the root cause, the number of affected controls, impacted resource types, and recommended remediation steps. It also includes a Validate Permissions button that you can use to trigger a new validation at any time to verify that AWS console updates are reflected immediately.
  
  

A visual indicator () is also displayed before the connector name to show missing permissions, helping you identify them easily without checking each connector individually.

Enhanced Visibility for Azure Virtual Machine Scale Sets

Applicable for:   

Azure Virtual Machine Scale Sets (VMSS) and their instances are now more clearly represented in the inventory. You can easily identify and differentiate scale sets and their associated virtual machines, with clear indicators for deployment modes and improved navigation between related resources.

The key features of this enhancement include:

• Dedicated Inventory Classification
  Virtual Machine Scale Set Instances now serve as a dedicated inventory type designed specifically for VMSS instances deployed using the Uniform orchestration mode.
  
  
  
  You can view all deployed uniform virtual machines (VMs) listed under this inventory type.
  
  
• Improved Instance Identification
  VMSS instances with flexible orchestration mode remain in the Virtual Machines inventory, now with a visual indicator () for easier identification.
  
  
• Clear Deployment Mode Visibility
  For existing Virtual Machine Scale Set (VMSS) resources, each now displays its Name, Resource Group, Orchestration mode (Flexible or Uniform), and operating system for quick reference and understanding of resource configuration.
  
  
• Enhanced navigation, richer resource details and associations
  Inventory item names under VMSS are now clickable, allowing direct access to detailed information.
  
  
  
  The detailed view includes summary information, tags, evaluated controls, and associated resources such as network security groups and virtual networks.
  
• Enhanced filter options
  Five new QQL tokens are introduced to help you filter and identify VMSS resources and instances.
  • azure.vmss.orchestrationMode
  • azure.vmss.provisioningState
  • azure.vmss_instances.vmssName
  • azure.vmss_instances.provisioningState
  • azure.vm.isVmssVM
  Refer to the New Tokens section for details.
• Improved API Support
  Support for these new inventory types and resources is added to the Get Resources API for Azure. You can use this API to retrieve details of VMSS resources. For more information, refer to the TotalCloud API User Guide.

Enhanced AWS WorkSpaces Inventory

Applicable for:   

This release enhances the AWS WorkSpaces inventory experience by refining how WorkSpaces and directory resources are displayed. Now, only directories associated with WorkSpaces appear in the WorkSpaces inventory, while standalone AWS Directory Service directories are listed separately. Inventory names and categories have also been updated to make it easier for you to discover, filter, and report on resources across the user interface and APIs.

The key features of this enhancement include:

• Improved WorkSpaces Inventory organization: AWS WorkSpaces resources now appear in three clear segments:
  • Workspace Personal (previously known as Workspace)– For Individual user WorkSpaces.
  • Workspace Directories (previously known as Directories) – For Directories actively associated with WorkSpaces.
  • Workspace Pools – New Inventory for Shared or pooled WorkSpaces.
  • DS Directory - New Inventory for AWS Directory Service directories.
  This structure gives you better visibility into how WorkSpaces are deployed and managed.
  
  
• Enhanced Workspace Personal Inventory: Workspace Personal inventory now provides essential details about each workspace, including Workspace ID, AWS Account ID, associated directory, operating system, workspace state, AWS Region, and the first-discovered timestamp.
  
  
  
  When you select a personal workspace resource, a summary page opens to provide additional details, including associated subnets and directories, tags, and the evaluated controls.
  
  
• Enhanced Workspace Directories Inventory: Workspace Directory inventory now provides essential details about each directory, including Directory ID, AWS Account ID, identity Type, workspace type, AWS Region, first-discovered timestamp, and evaluated controls.
  
  
  
  When you select a workspace directory item, a summary page opens to provide additional details, including associated pools, subnets and security groups, tags, and the evaluated controls.
• New Workspaces Pools Inventory: This inventory provides details of Shared or Pooled WorkSpaces, including Pool Name, AWS Account ID, Pool ID, Running mode, Pool state, AWS Region, and the first-discovered timestamp.
  
  
  
  When you select a workspace pool, a summary page opens to provide additional details, including general information, the associated directory, and tags.
• New DS Directory Inventory: The new DS Directory Inventory now displays only directories that are not linked to any Amazon WorkSpaces. This change helps ensure that directory resources are accurately categorized and easily manageable.
  
  
• Enhanced Filter Options: You can now use nine new QQL tokens to filter and identify WorkSpaces and directory resources more precisely:
  • aws.workspacepersonal.directoryId
  • aws.workspacepersonal.operatingSystem
  • aws.workspacepersonal.state
  • aws.directory.identityType
  • aws.directory.state
  • aws.directory.workspaceType
  • aws.workspacepools.poolId
  • aws.workspacepools.directoryId
  • aws.workspacepools.state
  These tokens improve query accuracy and make directory-based analysis easier. For details, see the New Tokens section.
• Improved API Support
  Support for these new inventory types and repositories is added to the Get Resources API for AWS. You can use this API to retrieve details of workspace resources and directories. For more information, refer to the TotalCloud API User Guide.

New Tokens

The following section describes the new tokens introduced as part of TotalCloud 2.24.0

Inventory Tokens

Applicable for:   

The following section describes the new tokens introduced for TotalCloud Inventory as part of this release.

Control Updates

New IAC Build Time Controls in AWS

Applicable for:   

New RUN Time Controls in AWS

Applicable for:   

New Controls for AWS Without Policy Attachment

Applicable for:   

New Controls in CIS Microsoft Azure Compute Services Benchmark

Applicable for:   

Controls added to CIS Microsoft Azure Compute Services Benchmark

Applicable for:   

Azure Controls Policy-to-Policy Migration

Applicable for:   

Control Resource Type Updates

Applicable for:   

Platform	CID	Title	Old Resource Type	New Resource Type
AWS	179	Ensure multi-factor authentication (MFA) is enabled in Directory Service	Directory	DS Directory
AWS	181	Ensure proper protocol is configured for Radius server in AWS Directory	Directory	DS Directory
AWS	198	Ensure Workspace directory must have a vpc endpoint so that the API traffic associated with the management of workspaces stays within the vpc	Workspace	Directory

Controls Deprecated

Applicable for: 

Platform	CID	Description	Control Type	Policy
AWS	508	Ensure AWS EBS Volume has a corresponding AWS EBS Snapshot	Build Run Time	AWS Best Practices Policy AWS Infrastructure as Code Security Best Practices Policy

Control Enhancements

Applicable for:   

Issues Addressed

Applicable for: 

We fixed the following important and notable issue in this release.