2021-04-07 New CSPM Plugin Release
On April 7th, 2021, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.
New Plugins
AWS
API Gateway CloudWatch Logs
Ensures that Amazon API Gateway API stages have Amazon CloudWatch Logs enabled.
CloudTrail Management Events
Ensures that AWS CloudTrail trails are configured to log management events.
API Gateway Content Encoding
Ensures that Amazon API Gateway APIs have content encoding enabled.
DevOps Guru Notifications Enabled*
Ensures that an SNS topic is configured as a notification channel for Amazon DevOps Guru.
Classic Load Balancers In Use
Ensures that HTTP/HTTPS applications are using Application Load Balancer instead of Classic Load Balancer.
ELB Connection Draining Enabled
Ensures that AWS ELBs have connection draining enabled.
ELB Cross-Zone Load Balancing
Ensures that AWS ELBs have cross-zone load balancing enabled.
ELBv2 Deregistration Delay
Ensures that AWS ELBv2 target groups have deregistration delay configured.
AWS Glue Data Catalog Encryption Enabled**
Ensures that AWS Glue Data Catalogs have encryption at rest enabled.
AWS Glue CloudWatch Encrypted Logs**
Ensures that encryption at-rest is enabled when writing AWS Glue logs to Amazon CloudWatch.
MWAA Environment Admin Privileges***
Ensures that no Amazon MWAA environment in your AWS account has admin privileges.
MWAA Web Server Public Access***
Ensures web access to the Apache Airflow UI in your MWAA environment is not public.
RDS IAM Database Authentication Enabled
Ensures IAM Database Authentication is enabled for RDS database instances to manage database access.
RDS Deletion Protection Enabled
Ensures deletion protection is enabled for RDS database instances.
S3 Bucket Lifecycle Configuration
Ensures that S3 buckets have a lifecycle configuration enabled to automatically transition objects.
Secrets Manager Secret Rotation Enabled
Ensures AWS Secrets Manager is configured to automatically rotate the secret for a secured service or database.
Secrets Manager Encrypted Secrets
Ensures that Secrets Manager secrets are encrypted.
Azure
Cosmos DB Automatic Failover Enabled
Ensure that the Automatic Failover feature is enabled for Microsoft Azure Cosmos DB accounts.
Cosmos DB Public Access Disabled
Ensure that Microsoft Azure Cosmos DB accounts are configured to deny public access.
Azure Active Directory Admin Configured
Ensures that an Azure Active Directory admin is set up on all PostgreSQL servers.
Enable Geo-Redundant Backups
Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled.
Storage Auto-Growth Enabled
Ensures that the Storage Auto-Growth feature is enabled for Microsoft Azure PostgreSQL servers.
SQL Server Minimum TLS Version
Ensures that Microsoft Azure SQL Servers do not allow outdated TLS protocol versions (the minimum TLS version setting).
Blobs Soft Deletion Enabled
Ensures that the soft delete feature is enabled for all Microsoft Azure Storage Account blobs.
DDoS Standard Protection Enabled
Ensures that DDoS Standard Protection is enabled for Microsoft Azure Virtual Networks.
Google Cloud
Kubernetes Alpha Disabled
Ensures that the GKE cluster alpha feature is disabled.
Storage Bucket Retention Policy
Ensures that a bucket retention policy is set and locked to prevent deletion or modification of bucket objects and of the retention policy itself.
Open Cassandra
Determines if TCP port 7001 for Cassandra is open to the public.
Open MongoDB
Determines if TCP port 27017 for MongoDB is open to the public.
Open MSSQL
Determines if TCP port 1433 for MSSQL is open to the public.
Open Redis
Determines if TCP port 6379 for Redis is open to the public.
Plugin Updates
AWS
CloudTrail Delivery Failing
Added a new setting called 'trails to check'. This allows you to override the default behaviour and check only specific CloudTrail trails.
CloudTrail S3 Bucket
Added a new setting called 'trails to check'. This allows you to override the default behaviour and check only specific CloudTrail trails.
EBS Encryption Enabled By Default
Removed the 'none' encryption level from the 'EBS Minimum Encryption Level' setting.
Public IP Address
Enhanced so that an EC2 instance with a public IP address now PASSES if the attached security group is not open to the public.
KMS Key Policy
Enhanced to accept custom IAM policy statement condition keys. The earlier implementation accepted only one condition key, 'kms:CallerAccount'; you can now pass the IAM condition keys that should be allowed in a policy statement, such as aws:PrincipalArn or aws:PrincipalAccount. To achieve this, a new setting called kms_key_policy_condition_keys has been added.
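The following is an added example, not CloudSploit or Aqua code, showing why a configurable list of condition keys matters for a KMS key policy check. A key policy statement that allows a wildcard principal ("*") lets any AWS account use the key unless a Condition pins down the caller; the checker below accepts a statement only if it carries one of the allowed condition keys. The default list (kms:CallerAccount only) models the old behaviour, and EXTENDED_KEYS models the new kms_key_policy_condition_keys setting. The sample key policy and the treatment of kms:ViaService (which restricts the calling service, not the calling account) are assumptions made for this illustration.

```python
"""KMS key policy check with a configurable set of condition keys.

Added example, not CloudSploit/Aqua code. A statement that allows a wildcard
principal ('*') makes the key usable from any AWS account unless a Condition
pins down the caller. The allowed_keys argument models the
kms_key_policy_condition_keys setting. Assumptions: only Principal '*' or
{'AWS': '*'} counts as a wildcard, and keys are compared case-insensitively.
"""

DEFAULT_KEYS = ("kms:CallerAccount",)            # pre-release behaviour
EXTENDED_KEYS = ("kms:CallerAccount", "aws:PrincipalAccount", "aws:PrincipalArn")


def as_list(value):
    """IAM fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(stmt):
    """True for 'Principal': '*' or 'Principal': {'AWS': '*'} (or a list holding '*')."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def condition_keys(stmt):
    """Every condition key used in the statement, lower-cased."""
    keys = set()
    for pairs in stmt.get("Condition", {}).values():   # {"StringEquals": {key: value}}
        keys.update(key.lower() for key in pairs)
    return keys


def unrestricted_statements(key_policy, allowed_keys=DEFAULT_KEYS):
    """Sids of Allow statements to '*' that no allowed condition key constrains."""
    allowed = {key.lower() for key in allowed_keys}
    offenders = []
    for stmt in as_list(key_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt):
            continue
        if not (condition_keys(stmt) & allowed):
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


def check_key_policy(key_policy, allowed_keys=DEFAULT_KEYS):
    """Return ('PASS', []) or ('FAIL', [offending Sids])."""
    offenders = unrestricted_statements(key_policy, allowed_keys)
    return ("FAIL" if offenders else "PASS"), offenders


# Constructed sample key policy (not from the page).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RootAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "SameAccountUse", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}}},
        {"Sid": "PartnerRoleUse", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:PrincipalArn": "arn:aws:iam::444455556666:role/partner"}}},
        # kms:ViaService limits the calling service, not the calling account,
        # so this statement stays open to every account (assumption for the demo).
        {"Sid": "ViaServiceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "kms:GenerateDataKey", "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    print(check_key_policy(KEY_POLICY))                 # FAIL: PartnerRoleUse, ViaServiceOnly
    print(check_key_policy(KEY_POLICY, EXTENDED_KEYS))  # FAIL: ViaServiceOnly only
```

With the default key list the aws:PrincipalArn-scoped statement is flagged even though it is safely restricted; adding aws:PrincipalArn to the allowed keys clears it, while the kms:ViaService-only statement is still reported because that key never limits who the caller is.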
RDS Transport Encryption
Modified to check the 'postgres' engine type in addition to 'sqlserver'. Results are now reported for every DB instance instead of only for the supported engine types.
Dangling DNS Records
Added a new setting, 'dns_allow_private_ips', which allows IP addresses outside AWS.
Also modified to detect dangling DNS records that point to deleted S3 buckets.
Route 53 Domain Expiry
Previously, the plugin showed a warning if the domain expired in 30 to 45 days and a failure if it expired in 30 days or fewer.
Modified to show a failure if expiry is within 30 days for .com.ar, .com.br and .jp domains. For all other domains, it now shows a failure if expiry is within 35 days.
Bucket Secure Transport Enabled
Modified the plugin to:
1: Ignore bucket policy statements whose IAM Principal is an AWS service, e.g.
"Principal": { "Service": "delivery.logs.amazonaws.com" }
2: Make the check access-aware across multiple policy statements: if one statement allows an action on a resource for an IAM principal and another statement denies the same permission, secure transport is not required for the first statement, because it has no effect on the resulting policy.
For example, consider the following statements in an S3 bucket policy:
{ "Sid": "1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-s3-bucket/*" },
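The following is an added example, not CloudSploit or Aqua code, implementing the two rules described above for the "Bucket Secure Transport Enabled" check: service principals are skipped, and an Allow statement that an unconditional Deny cancels for the same principal, action and resource is not reported. It also treats the usual "Deny when aws:SecureTransport is false" statement as enforcing TLS for everything it covers. Policy matching is a deliberate simplification (glob matching on principal, action and resource; no NotPrincipal/NotAction/NotResource), and the sample statements beyond the one quoted on the page are constructed for the illustration.

```python
"""Access-aware S3 bucket policy check for enforced TLS (aws:SecureTransport).

Added example, not CloudSploit/Aqua code. Rules modelled:
  1. statements whose Principal is an AWS service are ignored;
  2. an Allow cancelled by an unconditional Deny covering the same principal,
     action and resource needs no aws:SecureTransport condition.
Assumption: '*' glob matching; NotPrincipal/NotAction/NotResource not handled.
"""
import fnmatch

def as_list(value):
    """IAM fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def principal_ids(stmt):
    """Return (kind, [ids]) for the statement's Principal, e.g. ('AWS', ['*'])."""
    principal = stmt.get("Principal")
    if principal == "*":
        return "AWS", ["*"]
    if isinstance(principal, dict):
        for kind in ("AWS", "Service", "Federated", "CanonicalUser"):
            if kind in principal:
                return kind, as_list(principal[kind])
    return "AWS", []

def secure_transport(stmt):
    """'true' / 'false' if conditioned on aws:SecureTransport, else None."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator.lower() in ("bool", "boolifexists"):
            for key, value in pairs.items():
                if key.lower() == "aws:securetransport":
                    return str(as_list(value)[0]).lower()
    return None

def grants(stmt):
    """Expand a statement into (principal, action, resource) triples; actions lower-cased."""
    _, ids = principal_ids(stmt)
    return [(pid, action.lower(), resource)
            for pid in ids
            for action in as_list(stmt.get("Action"))
            for resource in as_list(stmt.get("Resource"))]

def covered(grant, patterns):
    """True if some Deny triple (fields may contain '*') matches every field of grant."""
    return any(all(fnmatch.fnmatchcase(field, pattern)
                   for field, pattern in zip(grant, triple))
               for triple in patterns)

def unsecured_grants(policy):
    """Grants that stay usable over plain HTTP after applying both rules."""
    allows, cancelling_denies, tls_denies = [], [], []
    for stmt in as_list(policy.get("Statement")):
        kind, _ = principal_ids(stmt)
        if kind == "Service":                          # rule 1: skip service principals
            continue
        flag = secure_transport(stmt)
        if stmt.get("Effect") == "Allow" and flag != "true":
            allows.extend(grants(stmt))                # Allow not limited to TLS
        elif stmt.get("Effect") == "Deny":
            if flag == "false":
                tls_denies.extend(grants(stmt))        # "Deny unless TLS" enforces TLS
            elif flag is None:
                cancelling_denies.extend(grants(stmt))  # rule 2: unconditional Deny
    return [g for g in allows
            if not covered(g, cancelling_denies) and not covered(g, tls_denies)]

def check_bucket_policy(policy):
    """Return ('PASS', []) or ('FAIL', [grants reachable without TLS])."""
    bad = unsecured_grants(policy)
    return ("FAIL" if bad else "PASS"), bad

# Constructed sample statements; ALLOW_PUT mirrors the statement quoted above.
ALLOW_PUT = {"Sid": "1", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"}
LOG_DELIVERY = {"Sid": "Logs", "Effect": "Allow",
                "Principal": {"Service": "delivery.logs.amazonaws.com"},
                "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"}
CANCEL_PUT = {"Sid": "2", "Effect": "Deny",
              "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
              "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"}
DENY_HTTP = {"Sid": "TLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

POLICY_UNENFORCED = {"Statement": [ALLOW_PUT, LOG_DELIVERY]}
POLICY_CANCELLED = {"Statement": [ALLOW_PUT, LOG_DELIVERY, CANCEL_PUT]}
POLICY_ENFORCED = {"Statement": [ALLOW_PUT, LOG_DELIVERY, DENY_HTTP]}

if __name__ == "__main__":
    for name, policy in [("unenforced", POLICY_UNENFORCED),
                         ("cancelled", POLICY_CANCELLED), ("enforced", POLICY_ENFORCED)]:
        print(name, check_bucket_policy(policy))
```

POLICY_UNENFORCED fails on the root principal's PutObject grant while the log-delivery service statement is never reported; POLICY_CANCELLED passes because the Deny with Sid "2" removes that grant entirely, and POLICY_ENFORCED passes because the wildcard "Deny unless TLS" statement covers it.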
Remediations
AWS
XRay Encryption Enabled
Encryption for the affected XRay traces will be enabled.
ElasticSearch HTTPS Only
ES domain will be configured to enforce HTTPS.
DynamoDB KMS Encryption
The impacted DynamoDB table will be configured to use KMS encryption with the AWS managed CMK, or with the specified customer managed CMK if a KMS key ID is provided.
SQL Server TLS Version
TLS 1.2 will be set as the minimum version; TLS 1.0 and TLS 1.1 will be disabled.
CloudFront HTTPS Only
CloudFront distribution will be configured to only accept HTTPS connections or to redirect HTTP connections to HTTPS.
ELB No Instances
ELBs that have no instances attached will be deleted.
Please note: only manual remediations are allowed.
ELBv2 No Instances
ELBs that have no target groups attached will be deleted.
Please note: only manual remediations are allowed.
* These plugins require new IAM permissions (devops-guru:ListNotificationChannels) added to Aqua's IAM role. You may add these permissions directly, or update your CloudFormation stack using our latest stack URL.
** These plugins require new IAM permissions (glue:getSecurityConfigurations) added to Aqua's IAM role. You may add these permissions directly, or update your CloudFormation stack using our latest stack URL.
*** These plugins require new IAM permissions (airflow:listEnvironments) added to Aqua's IAM role. You may add these permissions directly, or update your CloudFormation stack using our latest stack URL.