On October 5th, 2020, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.

ElasticSearch IAM Authentication

Ensures ElasticSearch domains require IAM Authentication

RDS DocumentDB Minor Version Upgrade

Ensures Auto Minor Version Upgrade is enabled on RDS and DocumentDB databases

Lambda Log Groups

Ensures each Lambda function has a valid log group attached to it

CloudFormation Plaintext Parameters

Ensures CloudFormation parameters that reference sensitive values are configured to use NoEcho.

EC2 LaunchWizard Security Groups

Ensures security groups created by the EC2 launch wizard are not used

VPC PrivateLink Endpoint Acceptance Required

Ensures VPC PrivateLink endpoints require acceptance

Empty AutoScaling Group

Ensures all autoscaling groups contain at least 1 instance.

IAM Role Last Used

Ensures IAM roles that have not been used within the given time frame are deleted.

Root Account Active Signing Certificates

Ensures the root user is not using X.509 signing certificates

SQL Server TLS Version

Ensures RDS SQL Server instances do not allow outdated TLS versions

Auto Scaling Notifications Active

Ensures auto scaling groups have notifications active.

Auto Scaling Group Missing ELB

Ensures all Auto Scaling groups are referencing active load balancers.

Amazon Comprehend Volume Encryption

Ensures the Comprehend service is using encryption for all volumes storing data at rest.

Amazon Comprehend Output Result Encryption

Ensures the Comprehend service is using encryption for all result output.

DynamoDB Accelerator Cluster Encryption

Ensures DynamoDB Accelerator (DAX) clusters have encryption enabled.

Unused EBS Volumes

Ensures EBS volumes are in use and attached to EC2 instances

ElasticBeanstalk Managed Platform Updates

Ensures ElasticBeanstalk applications are configured to use managed updates.

Group Inline Policies

Ensures that groups do not have any inline policies

AutoScaling ELB Same Availability Zone

Ensures all autoscaling groups with attached ELBs are operating in the same availability zone.

Suspended AutoScaling Groups

Ensures that there are no Amazon AutoScaling groups with suspended processes.

Object Lock Enabled

Ensures that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory compliance.

Unassociated Elastic IP Addresses

Ensures all EIPs are associated with a resource to avoid accidental usage or reuse and to save costs

ELBv2 Deletion Protection

Ensures ELBv2 load balancers are configured with deletion protection.

EMR Encryption In Transit

Ensures encryption in transit is enabled for EMR clusters

EMR Encryption At Rest

Ensures encryption at rest for local disks is enabled for EMR clusters

ElasticSearch Exposed Domain

Ensures ElasticSearch domains are not publicly exposed to all AWS accounts

Cross-Account Access External ID and MFA

Ensures that either MFA or external IDs are used to access AWS roles.

S3 Secure Transport Enabled

Ensures AWS S3 buckets enforce SSL/TLS to secure data in transit

SNS Topic CMK Encryption

Ensures Amazon SNS topics are encrypted with KMS Customer Master Keys (CMKs).

Kubernetes Version For Agent Pools

Ensures the Kubernetes version is the same across all node pools in the cluster.