On April 7th, 2021, Aqua Security will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.


New Plugins


AWS

API Gateway CloudWatch Logs

Ensures that Amazon API Gateway API stages have Amazon CloudWatch Logs enabled.


CloudTrail Management Events

Ensures that AWS CloudTrail trails are configured to log management events.


API Gateway Content Encoding

Ensures that Amazon API Gateway APIs have content encoding enabled.


DevOps Guru Notifications Enabled*

Ensures SNS topic is set up for Amazon DevOps Guru.


Classic Load Balancers In Use

Ensures that HTTP/HTTPS applications are using Application Load Balancer instead of Classic Load Balancer.


ELB Connection Draining Enabled

Ensures that AWS ELBs have connection draining enabled.


ELB Cross-Zone Load Balancing

Ensures that AWS ELBs have cross-zone load balancing enabled.


ELBv2 Deregistration Delay

Ensures that AWS ELBv2 target groups have deregistration delay configured.


AWS Glue Data Catalog Encryption Enabled**

Ensures that AWS Glue Data Catalogs has encryption at-rest enabled.


AWS Glue CloudWatch Encrypted Logs**

Ensures that encryption at-rest is enabled when writing AWS Glue logs to Amazon CloudWatch.


MWAA Environment Admin Privileges***

Ensures no Amazon MWAA environment available in your AWS account has admin privileges.


MWAA Web Server Public Access***

Ensures web access to the Apache Airflow UI in your MWAA environment is not public.


RDS IAM Database Authentication Enabled

Ensures IAM Database Authentication is enabled for RDS database instances to manage database access


RDS Deletion Protection Enabled

Ensures deletion protection is enabled for RDS database instances.


S3 Bucket Lifecycle Configuration

Ensures that S3 buckets have lifecycle configuration enabled to automatically transition S3 bucket objects.


Secrets Manager Secret Rotation Enabled

Ensures AWS Secrets Manager is configured to automatically rotate the secret for a secured service or database.


Secrets Manager Encrypted Secrets

Ensures Secrets Manager Secrets are encrypted


Azure

Cosmos DB Automatic Failover Enabled

Ensure that the Automatic Failover feature is enabled for Microsoft Azure Cosmos DB accounts.


Cosmos DB Public Access Disabled

Ensure that Microsoft Azure Cosmos DB accounts are configured to deny public access.


Azure Active Directory Admin Configured

Ensures that Active Directory admin is set up on all PostgreSQL servers.


Enable Geo-Redundant Backups

Ensure that your Microsoft Azure PostgreSQL database servers have geo-redundant backups enabled.


Storage Auto-Growth Enabled

Ensures that Storage Auto-Growth feature is enabled for Microsoft Azure PostgreSQL servers.


SQL Server Minimum TLS Version

Ensures Microsoft Azure SQL Servers do not allow outdated TLS certificate versions.


Blobs Soft Deletion Enabled

Ensure that soft delete feature is enabled for all Microsoft Storage Account blobs.


DDoS Standard Protection Enabled

Ensures that DDoS Standard Protection is enabled for Microsoft Azure Virtual Networks


Google

Kubernetes Alpha Disabled

Ensure the GKE Cluster alpha cluster feature is disabled.


Storage Bucket Retention Policy

Ensures bucket retention policy is set and locked to prevent deleting or updating of bucket objects or retention policy.


Open Cassandra

Determines if TCP port 7001 for Cassandra is open to the public


Open MongoDB

Determines if TCP port 27017 for MongoDB is open to the public


Open MSSQL

Determines if TCP port 1433 for MSSQL is open to the public.


Open Redis

Determines if TCP port 6379 for Redis is open to the public



Plugin Updates


AWS

CloudTrail Delivery Failing

Added a new setting called ‘trails to check’. This allows you to override functionality to only check for specific CloudTrail


CloudTrail S3 Bucket

Added a new setting called ‘trails to check’. This allows you to override functionality to only check for specific CloudTrail


EBS Encryption Enabled By Default

Removed 'none' encryption level from ‘EBS Minimum Encryption Level’ setting


Public IP Address

Enhanced functionality to allow EC2 instance with public IP address to PASS if the attached security group is not open to public.


KMS Key Policy

Enhanced functionality to add custom IAM policy statement condition keys as opposed to earlier implementation which allowed conditions to have only one key i.e. ‘kms:CallerAccount’. Now, you can pass desired IAM condition keys such as aws:PrincipalArn, aws:PrincipalAccount that should be allowed for an IAM policy statement. To achieve this, a new setting is added called kms_key_policy_condition_keys


RDS Transport Encryption

Modified to check 'postgres' engine type as well in addition to sqlserver. Moreover, displaying results for each db instance now instead of just for supported engine types.


Dangling DNS Records

Added new setting: 'dns_allow_private_ips': Allow IP addresses outside AWS.

Also modified to check for dangling DNS records in case of deleted S3 buckets.


Route 53 Domain Expiry

Current implementation shows warning message in case domain expiry is in 30-45 days and failure message in case less than or equal to 30 days.

Modified to show failure message if expiry is in 30 or lesser days for com.ar, .com.br, and .jp domains. For other domains, it will now show failure only if expiry is in 35 days


Bucket Secure Transport Enabled

Modified the plugin to:

1: Ignore bucket policy statements if the IAM Principal is a service i.e. 

"Principal": {
    "Service": "delivery.logs.amazonaws.com"
}


2: Make the implementation access aware across multiple policy statements i.e. if one policy statement allows some action on a resource for an IAM principal, and there is another statement which denies the same permission, secure transport is not required for the first statement as it has no effect on the resulting policy.

For example, consider following statements in an S3 bucket policy:

{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
    },
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-s3-bucket/*"
},

Remediations


AWS

XRay Encryption Enabled

Encryption for the affected XRay traces will be enabled.


ElasticSearch HTTPS Only

ES domain will be configured to enforce HTTPS.


DynamoDB KMS Encryption

The impacted DynamoDB table will be configured to use either KMS encryption with AWS managed CMK, or CMK-based encryption if a KMS key ID is provided.


SQL Server TLS Version

TLS 1.2 will be enabled, TLS 1.0 and TLS 1.1 will be disabled


CloudFront HTTPS Only

CloudFront distribution will be configured to only accept HTTPS connections or to redirect HTTP connections to HTTPS.


ELB No Instances

ELBs that have no instances attached will be deleted. 

Please note: only manual remediations are allowed.


ELBv2 No Instances

ELBs that have no target groups attached will be deleted.

Please note: only manual remediations are allowed.


* These plugins require new IAM permissions (devops-guru:ListNotificationChannels) added to Aqua's IAM role. You may add these permissions directly, or update your CloudFormation stack using our latest stack URL.


** These plugins require new IAM permissions (glue:getSecurityConfigurations) added to Aqua's IAM role. You may add these permissions directly, or update your CloudFormation stack using our latest stack URL.


*** These plugins require new IAM permissions (airflow:listEnvironments) added to Aqua's IAM role. You may add these permissions directly, or update your CloudFormation stack using our latest stack URL.