On November 9th, 2020, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.


New Plugins


AWS

App-Tier Auto Scaling Group CloudWatch Logs Enabled*

Ensures that App-Tier Auto Scaling Groups are using the CloudWatch Logs agent.


App-Tier Launch Configurations IAM Roles*

Ensures that App-Tier Auto Scaling launch configurations are configured to use a customer-created IAM role.


Launch Configuration Referencing Missing Security Groups*

Ensures that Auto Scaling launch configurations do not reference missing security groups.


ELB Health Check Active

Ensures that all Auto Scaling groups have the ELB health check active.


Web-Tier Auto Scaling Group Associated ELB*

Ensures that Web-Tier Auto Scaling Groups have an associated Elastic Load Balancer.


Web-Tier Auto Scaling Group CloudWatch Logs Enabled*

Ensures that Web-Tier Auto Scaling Groups are using the CloudWatch Logs agent.


Web-Tier Launch Configurations IAM Roles*

Ensures that Web-Tier Auto Scaling launch configurations are configured to use a customer-created IAM role.


Open Custom Ports*

Ensures that the defined custom ports are not open to the public.


Open RFC 1918

Ensures that EC2 security groups are configured to deny inbound traffic from RFC 1918 CIDRs.


IAM User Unauthorized to Edit

Ensures that AWS IAM users who are not authorized to edit IAM access policies are decommissioned.


RDS CMK Encryption

Ensures that RDS instances are encrypted with KMS Customer Master Keys (CMKs).


RDS Transport Encryption Enabled

Ensures that RDS SQL Server instances have Transport Encryption enabled.


Redshift Cluster CMK Encryption

Ensures that Redshift clusters are encrypted using KMS Customer Master Keys (CMKs).


Redshift Parameter Group SSL Required

Ensures that the non-default parameter groups associated with AWS Redshift clusters require SSL connections.


SNS Topic Encrypted

Ensures that Amazon SNS topics enforce Server-Side Encryption (SSE).


SQS Public Access

Ensures that SQS queues are not publicly accessible.


SSM Agent Auto Update Enabled

Ensures that the SSM agent is configured to automatically update to new versions.


Allowed Custom Ports*

Ensures that security groups do not allow public access to any port.


Public IP Address EC2 Instances

Ensures that EC2 instances do not have a public IP address attached.



Plugin Updates


AWS

ELB HTTPS Only

Added SSL checks and bug fixes for more accurate results and fewer false positives.


ELBv2 HTTPS Only

Added SSL checks and bug fixes for more accurate results.


S3 Bucket Public Access Block

Added an opt-in setting* to check the global access block.


IAM Role Last Used

Added an opt-in whitelist setting* to skip roles, and a setting flag to ignore AWS service roles.


CloudFront Insecure CloudFront Protocols

Changed the "WARN" results to "FAIL" for SSLv3, TLSv1.0, and TLSv1_2016.


ELB Logging Enabled

The "resource" field is changing from the ELB DNS name to the ARN of the ELB. This may affect suppressions that are resource-based.


Azure

Key Expiration Enabled

Updated code to reflect Azure API changes.


Key Vault Recovery Enabled

Updated code to reflect Azure API changes.


Google Cloud

Logging Suite of Plugins

Updated all logging plugins to fail if no logging data is returned.
*This plugin is opt-in and requires a setting to be enabled.