On January 19th, 2021, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.

New Plugins


CloudTrail Data Events

Ensure Data events are included into Amazon CloudTrail trails configuration.

CloudTrail Delivery Failing

Ensures that Amazon CloudTrail trail log files are delivered to destination S3 bucket.

CloudTrail S3 Bucket

Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket.

CloudTrail Global Services Logging Duplicated

Ensures that AWS CloudTrail trails are not duplicating global services events in log files.

App-Tier EC2 Instance IAM Role*

Ensure IAM roles attached with App-Tier EC2 instances have IAM policies attached.

EBS Volumes Too Old Snapshots

Ensure that EBS volume snapshots are deleted after defined time period.

Automate EBS Snapshot Lifecycle

Ensure DLM is used to automate EBS volume snapshots management.

Amazon EBS Public Snapshots

Ensure that Amazon EBS volume snapshots are not shared to all AWS accounts.

Managed NAT Gateway In Use

Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA).

Unused Amazon Machine Images

Ensures that all Amazon Machine Images are in use to ensure cost optimization.

Unused Elastic Network Interfaces

Ensures that unused AWS Elastic Network Interfaces (ENIs) are removed.

Unused Virtual Private Gateway

Ensures that unused Virtual Private Gateways (VGWs) are removed.

Unused VPC Internet Gateways

Ensures that unused VPC Internet Gateways and Egress-Only Internet Gateways are removed.

VPC Endpoint Exposed

Ensure Amazon VPC endpoints are not publicly exposed.

Web-Tier EC2 Instance IAM Role*

Ensure IAM roles attached with Web-Tier EC2 instances have IAM policies attached.

AWS EFS CMK Encrypted

Ensure EFS file systems are encrypted using Customer Master Keys (CMKs).

ELBv2 Minimum Number of EC2 Target Instances

Ensures that there is a minimum number of two healthy target instances associated with each AWS ELBv2 load balancer.

ELBv2 NLB Listener Security

Ensures that AWS Network Load Balancers have secured listener configured.

EMR Cluster Logging

Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3.

ElasticSearch Access From IP Addresses

Ensure only whitelisted IP addresses can access Amazon Elasticsearch domains.

App-Tier KMS Customer Master Key (CMK)*

Ensures that there is one Amazon KMS Customer Master Key (CMK) present in the account for App-Tier resources.

Redshift Cluster Audit Logging Enabled

Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes.

Redshift Cluster Allow Version Upgrade

Ensure that version upgrade is enabled for Redshift clusters to automatically receive upgrades during the maintenance window.

Redshift User Activity Logging Enabled

Ensure that user activity logging is enabled for your Amazon Redshift clusters.

AWS Route53 Dangling DNS Records

Ensures that AWS Route53 DNS records are not pointing to invalid/deleted EIPs.

Plugin Updates


CloudTrail Bucket Private

Fixed syntax error in apis ('S3:listBucket' -> 'S3:listBuckets')

Object Lock Enabled

Checks that AWS CloudTrail S3 buckets use Object Lock for data 


EBS Encrypted Snapshots

Added test cases

VPC Multiple Subnets

Added additional check while querying for VPC subnets.

NAT Multiple AZ

Fixed logical error.

IAM User Unauthorized to Edit

Added additional check for IAM user permissions

S3 Bucket Public Access Block

Modified existing implementation to add settings to check for S3 Global Block Public Access. Provided 'true' value for 'check_global_block' in the settings, If S3 Block Public Access is enabled for Account, all the buckets will pass the scan for this plugin, otherwise implementation will check Block Public Access for each individual bucket and will generate results.

*This plugin is opt-in and requires a setting to be enabled.