On October 5th, 2020, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.
ElasticSearch IAM Authentication
Ensures ElasticSearch domains require IAM Authentication
RDS DocumentDB Minor Version Upgrade
Ensures Auto Minor Version Upgrade is enabled on RDS and DocumentDB databases
Lambda Log Groups
Ensures each Lambda function has a valid log group attached to it
CloudFormation Plaintext Parameters
Ensures CloudFormation parameters that reference sensitive values are configured to use NoEcho.
EC2 LaunchWizard Security Groups
Ensures security groups created by the EC2 launch wizard are not used
VPC PrivateLink Endpoint Acceptance Required
Ensures VPC PrivateLink endpoints require acceptance
Empty AutoScaling Group
Ensures all autoscaling groups contain at least 1 instance.
IAM Role Last Used
Ensures IAM roles that have not been used within the given time frame are deleted.
Root Account Active Signing Certificates
Ensures the root user is not using x509 signing certificates
SQL Server TLS Version
Ensures RDS SQL Servers do not allow outdated TLS certificate versions
Auto Scaling Notifications Active
Ensures auto scaling groups have notifications active.
Auto Scaling Group Missing ELB
Ensures all Auto Scaling groups are referencing active load balancers.
Amazon Comprehend Volume Encryption
Ensures the Comprehend service is using encryption for all volumes storing data at rest.
Amazon Comprehend Output Result Encryption
Ensures the Comprehend service is using encryption for all result output.
DynamoDB Accelerator Cluster Encryption
Ensures DynamoDB Cluster Accelerator DAX clusters have encryption enabled.
Unused EBS Volumes
Ensures EBS volumes are in use and attached to EC2 instances
ElasticBeanstalk Managed Platform Updates
Ensures ElasticBeanstalk applications are configured to use managed updates.
Group Inline Policies
Ensures that groups do not have any inline policies
AutoScaling ELB Same Availability Zone
Ensures all autoscaling groups with attached ELBs are operating in the same availability zone.
Suspended AutoScaling Groups
Ensures that there are no Amazon AutoScaling groups with suspended processes.
Object Lock Enabled
Ensures that AWS CloudTrail S3 buckets use Object Lock for data protection and regulatory compliance.
Unassociated Elastic IP Addresses
Ensures all EIPs are allocated to a resource to avoid accidental usage or reuse and to save costs
ELBv2 Deletion Protection
Ensures ELBv2 load balancers are configured with deletion protection.
EMR Encryption In Transit
Ensures encryption in transit is enabled for EMR clusters
EMR Encryption At Rest
Ensures encryption at rest for local disks is enabled for EMR clusters
ElasticSearch Exposed Domain
Ensures ElasticSearch domains are not publicly exposed to all AWS accounts
Cross-Account Access External ID and MFA
Ensures that either MFA or external IDs are used to access AWS roles.
S3 Secure Transport Enabled
Ensure AWS S3 buckets enforce SSL to secure data in transit
SNS Topic CMK Encryption
Ensures Amazon SNS topics are encrypted with KMS Customer Master Keys (CMKs).
Kubernetes Version For Agent Pools
Ensures the kubernetes version is same across the node pools with the cluster.