On March 1st, 2021, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.


New Plugins


AWS

API Gateway Certificate Rotation

Ensures that Amazon API Gateway APIs have certificates whose expiration date is further out than the configured rotation limit.


API Gateway Client Certificate

Ensures that Amazon API Gateway API stages use client certificates.


API Gateway Content Encoding

Ensures that Amazon API Gateway APIs have content encoding enabled.


API Gateway Private Endpoints

Ensures that Amazon API Gateway APIs are only accessible through private endpoints.


API Gateway Tracing Enabled

Ensures that Amazon API Gateway API stages have tracing enabled for AWS X-Ray.


API Gateway Detailed CloudWatch Metrics

Ensures that API Gateway API stages have detailed CloudWatch metrics enabled.


App-Tier ASG Launch Configurations Approved AMIs*

Ensures that App-Tier Auto Scaling Group Launch Configurations are using approved AMIs.


Web-Tier ASG Launch Configurations Approved AMIs*

Ensures that Web-Tier Auto Scaling Group Launch Configurations are using approved AMIs.


CloudWatch Log Retention Period

Ensures that the CloudWatch Log retention period is set above a specified length of time.


DynamoDB Continuous Backups

Ensures that Amazon DynamoDB tables have continuous backups enabled.


EBS Encryption Enabled By Default

Ensures that the EBS encryption-by-default setting is enabled.


Unrestricted Network ACL Outbound Traffic

Ensures that no Amazon Network ACL allows outbound/egress traffic to all ports.


VPC Endpoint Cross Account Access

Ensures that Amazon VPC endpoints do not allow unknown cross account access.


Cross Organization VPC Peering Connections

Ensures that VPC peering connections exist only between AWS accounts that are members of the same AWS Organization.


VPC Subnet Instances Present

Ensures that there are instances attached to every subnet.


VPN Tunnel State

Ensures that each AWS Virtual Private Network (VPN) connection has all tunnels up.


EKS Secrets Encrypted

Ensures EKS clusters are configured to enable envelope encryption of Kubernetes secrets using KMS.


App-Tier ELB Security Policy*

Ensures that AWS App-Tier ELBs are using the latest predefined security policies.


AWS Glue Job Bookmark Encryption Enabled

Ensures that AWS Glue job bookmark encryption is enabled.


AWS Glue Data Catalog CMK Encrypted

Ensures that AWS Glue has data catalog encryption enabled with KMS Customer Master Key (CMK).


AWS Glue S3 Encryption Enabled

Ensures that encryption at-rest is enabled when writing AWS Glue data to Amazon S3.


IAM Master and IAM Manager Roles

Ensures that IAM Master and IAM Manager roles are active within your AWS account.


Trusted Cross Account Roles

Ensures that only trusted cross-account IAM roles can be used.


Lambda Environment Variables Client Side Encryption

Ensures that all sensitive AWS Lambda environment variable values are client-side encrypted.


Lambda Admin Privileges

Ensures no Lambda function available in your AWS account has admin privileges.


Lambda Tracing Enabled

Ensures AWS Lambda functions have active tracing for X-Ray.


Redshift Cluster Default Port

Ensures that Amazon Redshift clusters are not using port "5439" (default port) for database access.


Redshift Cluster In VPC

Ensures that Amazon Redshift clusters are launched within a Virtual Private Cloud (VPC).


Redshift Cluster Default Master Username

Ensures that Amazon Redshift clusters are not using "awsuser" (default master username) for database access.


Redshift Desired Node Type*

Ensures that Amazon Redshift cluster nodes are of the given node types.


Redshift Nodes Count

Ensures that each AWS region has not reached the limit set for the number of Redshift cluster nodes.


Redshift Unused Reserved Nodes

Ensures that Amazon Redshift Reserved Nodes are being utilized.


Redshift Automated Snapshot Retention Period

Ensures that a retention period is set for Amazon Redshift automated snapshots.


S3 DNS Compliant Bucket Names

Ensures that S3 buckets have DNS-compliant bucket names.


S3 Bucket Policy CloudFront OAI

Ensures that each S3 bucket is the origin for only one CloudFront distribution and allows access only to that distribution.


S3 Transfer Acceleration Enabled

Ensures that S3 buckets have transfer acceleration enabled to increase the speed of data transfers.


SQS Queue Unprocessed Messages

Ensures that each Amazon SQS queue has not reached the unprocessed messages limit.


SQS Dead Letter Queue

Ensures that each Amazon SQS queue has a Dead Letter Queue configured.


Workspaces IP Access Control

Ensures that IP Access Control is enforced on WorkSpaces.


WorkSpaces Volume Encryption

Ensures that WorkSpaces volumes are encrypted for data protection.


CloudFormation Drift Detection

Ensures that AWS CloudFormation stacks are not in a drifted state.


CloudFormation Stack Failed Status

Ensures that AWS CloudFormation stacks have not remained in a failed state for longer than the configured maximum failure limit (in hours).


CloudFormation Stack SNS Notifications

Ensures that AWS CloudFormation stacks have an SNS topic associated.


CloudFormation Stack Termination Protection Enabled

Ensures that AWS CloudFormation stacks have termination protection enabled.



Plugin Updates


AWS

Allowed Custom Ports

Added functionality to let users define port ranges, such as tcp:20-30, in the whitelisted_open_ports and restricted_open_ports settings.


Open Custom Ports

Added functionality to let users define port ranges, such as tcp:20-30, in the whitelisted_open_ports and restricted_open_ports settings.


VPC PrivateLink Endpoint Acceptance Required

Added new setting 'allow_blank_whitelisted_principals': a Boolean value that allows VPC endpoints with blank whitelisted principals to pass.


AWS Glue S3 Encryption Enabled

Enhanced result message.


Cross-Account Access External ID and MFA

Fixed an issue where the plugin falsely classified IAM roles as cross-account.

Also modified to show results for all IAM roles instead of only for cross-account roles.



IAM Role Policies

Added functionality to iterate over AWS IAM managed policies in addition to inline policies.


Added two settings:

i. ignore_service_specific_wildcards: Boolean value to only consider roles that allow all actions.

ii. ignore_identity_federation_roles: Boolean value to allow IAM roles with user-federated roles to pass.


IAM User Admins

Added functionality to iterate over AWS IAM managed policies in addition to inline policies.


Lambda Old Runtimes

Modified deprecated runtimes to include Node 6.10 and Node 8.10.


RDS Encryption Enabled

Added setting 'rds_encryption_level' to set the desired encryption level for RDS databases.

Possible values: awskms, awscmk, externalcmk, cloudhsm.


S3 Secure Transport Enabled

Bug fix.


SSM Encrypted Parameters

Added two settings:

i. ssm_encryption_level: sets the desired encryption level for secure SSM parameters.

Possible values: awskms, awscmk, externalcmk, cloudhsm.

ii. allow_ssm_non_secure_strings: Boolean value to allow non-secure SSM parameter types such as String and StringList to pass.



*This plugin is opt-in and requires a setting to be enabled. Click Here for instructions on enabling opt-in plugins.