On November 25th, 2020, Aqua Security is releasing an update to simplify the process of opting into plugins for compliance programs such as PCI and HIPAA.


Previously, Aqua CSPM had marked some plugins as being "PCI only" or "HIPAA only." These plugins would not run by default, but instead would only be enabled after a cloud account was marked as "PCI enabled" or "HIPAA enabled."

Originally, this was done to allow for the publishing of "stricter" plugins that may have been only applicable to environments that needed higher compliance standards. For example, ELB Logging may not be required in non-PCI environments, while PCI requires it.

Since the initial release of these capabilities, Aqua CSPM has developed much greater flexibility around the plugin release process and the ability to suppress plugins both at the cloud account and global Aqua levels. Due to these changes, the need for opting into PCI or HIPAA plugins is no longer required. Instead, Aqua can simply enable all plugins and users can suppress ones that are not applicable to their environments.

Release Process

On November 25th, 2020, a release will be published that does the following:

  • Marks all plugins that are currently "PCI only" or "HIPAA only" as enabled (see the full list below for the affected plugins).
  • Removes the ability to mark cloud accounts as "PCI enabled" or "HIPAA enabled"

Aqua will pre-suppress these plugins for any account that has opted into pre-suppressions per the normal release process.

Affected Plugins

  • AWS    EBS Encryption Enabled
  • AWS    S3 Bucket Logging
  • AWS    KMS Default Key Usage
  • Azure    VM OS Disk Encryption
  • Azure    VM Data Disk Encryption
  • Azure    Authentication Enabled
  • Google    Project Ownership Logging
  • Google    Storage Permissions Logging
  • Google    SQL Configuration Logging
  • Google    Custom Role Logging
  • Google    VPC Firewall Rule Logging
  • Google    VPC Network Route Logging
  • Google    VPC Network Logging

Action Required

  • If you do nothing (and have the "Pre-Suppress Plugins" option set): Nothing will change in your scan reports

  • If you do nothing (and do not have the "Pre-Suppress Plugins" option set): You will likely see new scan results in your account for the above plugins.

  • If you do not wish to get results for these plugins: Suppress the plugins globally (or per cloud account) from the "Suppressions" page.

Changes to API

As part of this release, the CSPM REST API /keys endpoint is also being updated to remove the following fields:

  • pci_enabled
  • hipaa_enabled