On September 9th, 2021, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.

Plugin Updates


All S3 Plugins

Modified all S3 plugins to display actual region name instead of displaying ‘global’ region for S3 buckets

SNS Topic Policies

Added a new setting ‘sns_topic_policy_condition_keys’ which allows you to pass desired IAM condition keys such as aws:PrincipalArn, aws:PrincipalAccount that should be allowed for an IAM policy statement.

KMS Key Rotation

Modified plugin logic to check AWS owner to AWS-managed keys instead of their description in order to skip them

All EC2 Open Port plugins

Add a new setting ‘ec2_skip_unused_groups’ which allows you to skip checking open ports for EC2 security groups which are not in use.

Trusted Cross Account Roles

Added a new setting ‘whitelisted_aws_account_principals_regex’ which allows you to provide a regular expression to whitelist AWS cross-account principals. If this is provided, the plugin will compare cross account principals against this regex.

VPC Endpoint Exposed

Modified plugin logic to PASS VPC endpoints which are behind a private subnet.

S3 Bucket Encryption | S3 Bucket Encryption In Transit | S3 Bucket Encryption Enforcement

Added a new setting ‘s3_allow_unencrypted_static_websites’ which allows you to skip checking encryption for S3 buckets having static website features enabled


Audit Logging Enabled

Added a new setting ‘check_org_audit_logs’. If this is set to true, the plugin will check for audit logging on organization level before checking for project level.

New Plugins


Access Analyzer Enabled

Ensure that IAM Access analyzer is enabled for all regions.

Outdated Amazon Machine Images

Ensures that deprecated Amazon Machine Images are not in use.

ElasticSearch Cluster Status

Ensure that ElasticSearch clusters are healthy, i.e status is green.

ElasticSearch Domain Cross Account Access

Ensures that only trusted accounts have access to ElasticSearch domains.

ElasticSearch Dedicated Master Enabled

Ensure that Amazon Elasticsearch domains are using dedicated master nodes.

ElasticSearch Desired Instance Type

Ensure that all your Amazon Elasticsearch cluster instances are of given instance types.

ElasticSearch Encryption Enabled

Ensure that AWS ElasticSearch domains have encryption enabled.

ElasticSearch TLS Version

Ensure ElasticSearch domain is using the latest security policy to only allow TLS v1.2

Event Bus Cross Account Access

Ensure that EventBridge event bus is configured to allow access to whitelisted AWS account principals.

IAM Support Policy

Ensures that an IAM role, group or user exists with specific permissions to access support center.

IAM User Account In Use

Ensure that IAM user accounts are not being actively used.

Domain Privacy Protection

Ensure that Privacy Protection feature is enabled for your Amazon Route 53 domains.

Sender Policy Framework In Use

Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain.

Sender Privacy Framework Record Present

Ensure that Route 53 hosted zones have a DNS record containing Sender Policy Framework (SPF) value set for each MX record available.

PrivateLink in Use for Transfer for SFTP Server Endpoints

Ensure that AWS Transfer for SFTP server endpoints are configured to use VPC endpoints powered by AWS PrivateLink.


Instance Automatic Restart Enabled

Ensure that Virtual Machine instances have automatic restart feature enabled.

Instance Desired Machine Type

Ensures that Virtual Machine instances are of given types.

Instance Template Machine Type

Ensure that Cloud Virtual Machine instance templates are of given types.

Dataflow Hanged Jobs

Ensure that Cloud Dataflow jobs are not in same state for more than defined amount of time.

Dataflow Jobs Encryption

Ensure that Google Dataflow jobs are encrypted with desired encryption level.

Delete Expired Deployments

Ensure that Cloud Deployment Manager deployment are deleted after desired number of days from their creation time.

Cluster Encryption Enabled

Ensure that GKE clusters have KMS encryption enabled to encrypt application-layer secrets.

Integrity Monitoring Enabled

Ensures all Kubernetes shielded cluster node have integrity monitoring enabled

Node Encryption Enabled

Ensure that GKE cluster nodes are encrypted using desired encryption protection level.

Secure Boot Enabled

Ensures all Kubernetes cluster nodes have secure boot feature enabled.

Shielded Nodes

Ensure that shielded nodes setting is enabled for all Kubernetes clusters.

Spanner Instance Node Count

Ensure that node count for Spanner instances is not above allowed count.


Network Policy Enabled

Ensure that Kubernetes Engine Clusters are configured to enable NetworkPolicy.

API Protocol

Ensure that API Gateway APIs have protocol set to HTTPS.

Bucket CMK Encrypted

Ensure that OSS buckets are encrypted using Alibaba CMK.

Bucket Lifecycle Configuration

Ensures that OSS buckets have lifecycle configuration enabled to automatically transition bucket objects.