On January 19th, 2021, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.
CloudTrail Data Events
Ensure Data events are included into Amazon CloudTrail trails configuration.
CloudTrail Delivery Failing
Ensures that Amazon CloudTrail trail log files are delivered to destination S3 bucket.
CloudTrail S3 Bucket
Ensure that AWS CloudTrail trail uses the designated Amazon S3 bucket.
CloudTrail Global Services Logging Duplicated
Ensures that AWS CloudTrail trails are not duplicating global services events in log files.
App-Tier EC2 Instance IAM Role*
Ensure IAM roles attached with App-Tier EC2 instances have IAM policies attached.
EBS Volumes Too Old Snapshots
Ensure that EBS volume snapshots are deleted after defined time period.
Automate EBS Snapshot Lifecycle
Ensure DLM is used to automate EBS volume snapshots management.
Amazon EBS Public Snapshots
Ensure that Amazon EBS volume snapshots are not shared to all AWS accounts.
Managed NAT Gateway In Use
Ensure AWS VPC Managed NAT (Network Address Translation) Gateway service is enabled for high availability (HA).
Unused Amazon Machine Images
Ensures that all Amazon Machine Images are in use to ensure cost optimization.
Unused Elastic Network Interfaces
Ensures that unused AWS Elastic Network Interfaces (ENIs) are removed.
Unused Virtual Private Gateway
Ensures that unused Virtual Private Gateways (VGWs) are removed.
Unused VPC Internet Gateways
Ensures that unused VPC Internet Gateways and Egress-Only Internet Gateways are removed.
VPC Endpoint Exposed
Ensure Amazon VPC endpoints are not publicly exposed.
Web-Tier EC2 Instance IAM Role*
Ensure IAM roles attached with Web-Tier EC2 instances have IAM policies attached.
AWS EFS CMK Encrypted
Ensure EFS file systems are encrypted using Customer Master Keys (CMKs).
ELBv2 Minimum Number of EC2 Target Instances
Ensures that there is a minimum number of two healthy target instances associated with each AWS ELBv2 load balancer.
ELBv2 NLB Listener Security
Ensures that AWS Network Load Balancers have secured listener configured.
EMR Cluster Logging
Ensure AWS Elastic MapReduce (EMR) clusters capture detailed log data to Amazon S3.
ElasticSearch Access From IP Addresses
Ensure only whitelisted IP addresses can access Amazon Elasticsearch domains.
App-Tier KMS Customer Master Key (CMK)*
Ensures that there is one Amazon KMS Customer Master Key (CMK) present in the account for App-Tier resources.
Redshift Cluster Audit Logging Enabled
Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes.
Redshift Cluster Allow Version Upgrade
Ensure that version upgrade is enabled for Redshift clusters to automatically receive upgrades during the maintenance window.
Redshift User Activity Logging Enabled
Ensure that user activity logging is enabled for your Amazon Redshift clusters.
AWS Route53 Dangling DNS Records
Ensures that AWS Route53 DNS records are not pointing to invalid/deleted EIPs.
CloudTrail Bucket Private
Fixed syntax error in apis ('S3:listBucket' -> 'S3:listBuckets')
Object Lock Enabled
Checks that AWS CloudTrail S3 buckets use Object Lock for data
EBS Encrypted Snapshots
Added test cases
VPC Multiple Subnets
Added additional check while querying for VPC subnets.
NAT Multiple AZ
Fixed logical error.
IAM User Unauthorized to Edit
Added additional check for IAM user permissions
S3 Bucket Public Access Block
Modified existing implementation to add settings to check for S3 Global Block Public Access. Provided 'true' value for 'check_global_block' in the settings, If S3 Block Public Access is enabled for Account, all the buckets will pass the scan for this plugin, otherwise implementation will check Block Public Access for each individual bucket and will generate results.
*This plugin is opt-in and requires a setting to be enabled. Click Here for instructions on enabling opt-in plugins.