On November 25th, 2020, Aqua Security is releasing an update to simplify the process of opting into plugins for compliance programs such as PCI and HIPAA.
Previously, Aqua CSPM had marked some plugins as being "PCI only" or "HIPAA only." These plugins would not run by default, but instead would only be enabled after a cloud account was marked as "PCI enabled" or "HIPAA enabled."
Originally, this was done to allow for the publishing of "stricter" plugins that may have been only applicable to environments that needed higher compliance standards. For example, ELB Logging may not be required in non-PCI environments, while PCI requires it.
Since the initial release of these capabilities, Aqua CSPM has developed much greater flexibility around the plugin release process and the ability to suppress plugins both at the cloud account and global Aqua levels. Due to these changes, the need for opting into PCI or HIPAA plugins is no longer required. Instead, Aqua can simply enable all plugins and users can suppress ones that are not applicable to their environments.
On November 25th, 2020, a release will be published that does the following:
- Marks all plugins that are currently "PCI only" or "HIPAA only" as enabled (see the full list below for the affected plugins).
- Removes the ability to mark cloud accounts as "PCI enabled" or "HIPAA enabled"
Aqua will pre-suppress these plugins for any account that has opted into pre-suppressions per the normal release process.
- AWS EBS Encryption Enabled
- AWS S3 Bucket Logging
- AWS KMS Default Key Usage
- Azure VM OS Disk Encryption
- Azure VM Data Disk Encryption
- Azure Authentication Enabled
- Google Project Ownership Logging
- Google Storage Permissions Logging
- Google SQL Configuration Logging
- Google Custom Role Logging
- Google VPC Firewall Rule Logging
- Google VPC Network Route Logging
- Google VPC Network Logging
- If you do nothing (and have the "Pre-Suppress Plugins" option set): Nothing will change in your scan reports
- If you do nothing (and do not have the "Pre-Suppress Plugins" option set): You will likely see new scan results in your account for the above plugins.
- If you do not wish to get results for these plugins: Suppress the plugins globally (or per cloud account) from the "Suppressions" page.
Changes to API
As part of this release, the CSPM REST API /keys endpoint is also being updated to remove the following fields: