2020-11-09 New CSPM Plugin Releases
On November 9th, 2020, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.
New Plugins
AWS
App-Tier Auto Scaling Group CloudWatch Logs Enabled*
Ensures that App-Tier Auto Scaling Groups are using the CloudWatch Logs agent.
App-Tier Launch Configurations IAM Roles*
Ensures that App-Tier Auto Scaling launch configurations are configured to use a customer-created IAM role.
Launch Configuration Referencing Missing Security Groups*
Ensures that Auto Scaling launch configurations do not reference missing security groups.
ELB Health Check Active
Ensures all Auto Scaling groups have ELB health check active.
Web-Tier Auto Scaling Group Associated ELB*
Ensures that Web-Tier Auto Scaling Groups have an associated Elastic Load Balancer.
Web-Tier Auto Scaling Group CloudWatch Logs Enabled*
Ensures that Web-Tier Auto Scaling Groups are using the CloudWatch Logs agent.
Web-Tier Launch Configurations IAM Roles*
Ensures that Web-Tier Auto Scaling launch configurations are configured to use a customer-created IAM role.
Open Custom Ports*
Ensures that defined custom ports are not open to the public.
Open RFC 1918
Ensures EC2 security groups are configured to deny inbound traffic from RFC 1918 CIDRs.
IAM User Unauthorized to Edit
Ensures AWS IAM users that are not authorized to edit IAM access policies are decommissioned.
RDS CMK Encryption
Ensures RDS instances are encrypted with KMS Customer Master Keys (CMKs).
RDS Transport Encryption Enabled
Ensures RDS SQL Server instances have Transport Encryption enabled.
Redshift Cluster CMK Encryption
Ensures Redshift clusters are encrypted using KMS customer master keys (CMKs).
Redshift Parameter Group SSL Required
Ensures that non-default Redshift parameter groups associated with Redshift clusters require SSL connections.
SNS Topic Encrypted
Ensures that Amazon SNS topics enforce Server-Side Encryption (SSE).
SQS Public Access
Ensures that SQS queues are not publicly accessible.
SSM Agent Auto Update Enabled
Ensures the SSM agent is configured to automatically update to new versions.
Allowed Custom Ports*
Ensures that security groups do not allow public access to any port.
Public IP Address EC2 Instances
Ensures that EC2 instances do not have public IP addresses attached.
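To illustrate what a check such as "Open RFC 1918" evaluates, the following is an added example (not the plugin's own code): it scans a security group's ingress rules, as returned by describe-security-groups, and flags any IPv4 source CIDR that overlaps RFC 1918 space. Because security groups are allow-only, "deny" here means no allow rule overlaps those ranges, so a catch-all 0.0.0.0/0 source is flagged as well. The security group below is constructed sample data.

```python
import ipaddress

# RFC 1918 private address space; a rule is flagged when its source CIDR
# overlaps any of these networks (a 0.0.0.0/0 source overlaps all three).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_exposures(security_group):
    """Return one finding per ingress rule whose IPv4 source overlaps RFC 1918 space."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for rng in perm.get("IpRanges", []):
            try:
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            except ValueError:
                continue  # skip malformed CIDRs rather than abort the whole scan
            if net.version != 4:
                continue  # RFC 1918 covers IPv4 only; Ipv6Ranges are out of scope here
            hit = [str(p) for p in RFC1918 if net.overlaps(p)]
            if hit:
                findings.append({"cidr": rng["CidrIp"], "protocol": proto, "ports": ports, "overlaps": hit})
    return findings


def evaluate(security_group):
    """PASS/FAIL verdict in the style of a CSPM plugin result, plus the supporting findings."""
    findings = rfc1918_exposures(security_group)
    return ("FAIL" if findings else "PASS"), findings


# Constructed sample shaped like `aws ec2 describe-security-groups` output (placeholder group id).
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    status, findings = evaluate(SAMPLE_SG)
    print(SAMPLE_SG["GroupId"], status)
    for f in findings:
        print(f"  {f['protocol']} {f['ports']} from {f['cidr']} overlaps {', '.join(f['overlaps'])}")
```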
Plugin Updates
AWS
ELB HTTPS Only
Added checks for SSL and bug fixes for more accurate results and fewer false positives.
ELBv2 HTTPS Only
Added checks for SSL and bug fixes for more accurate results.
S3 Bucket Public Access Block
Added opt-in setting* to check global access block.
IAM Role Last Used
Added a whitelist opt-in setting* to skip roles and a setting flag to ignore AWS service roles.
CloudFront Insecure CloudFront Protocols
Changed the "WARN" results to "FAIL" for SSLv3, TLSv1.0, and TLSv1_2016.
ELB Logging Enabled
The "resource" field is changing from the ELB DNS name to the ARN of the ELB. This may impact suppressions that are resource-based.
Azure
Key Expiration Enabled
Updated code to reflect Azure API changes.
Key Vault Recovery Enabled
Updated code to reflect Azure API changes.
Google Cloud
Logging Suite of Plugins
Updated all logging plugins to fail if no logging data is returned.
*This plugin is opt-in and requires a setting to be enabled. Click Here for instructions on enabling opt-in plugins.