On September 9th, 2021, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.
All S3 Plugins
Modified all S3 plugins to display actual region name instead of displaying ‘global’ region for S3 buckets
SNS Topic Policies
Added a new setting ‘sns_topic_policy_condition_keys’ which allows you to pass desired IAM condition keys such as aws:PrincipalArn, aws:PrincipalAccount that should be allowed for an IAM policy statement.
KMS Key Rotation
Modified plugin logic to check AWS owner to AWS-managed keys instead of their description in order to skip them
All EC2 Open Port plugins
Add a new setting ‘ec2_skip_unused_groups’ which allows you to skip checking open ports for EC2 security groups which are not in use.
Trusted Cross Account Roles
Added a new setting ‘whitelisted_aws_account_principals_regex’ which allows you to provide a regular expression to whitelist AWS cross-account principals. If this is provided, the plugin will compare cross account principals against this regex.
VPC Endpoint Exposed
Modified plugin logic to PASS VPC endpoints which are behind a private subnet.
S3 Bucket Encryption | S3 Bucket Encryption In Transit | S3 Bucket Encryption Enforcement
Added a new setting ‘s3_allow_unencrypted_static_websites’ which allows you to skip checking encryption for S3 buckets having static website features enabled
Audit Logging Enabled
Added a new setting ‘check_org_audit_logs’. If this is set to true, the plugin will check for audit logging on organization level before checking for project level.
Access Analyzer Enabled
Ensure that IAM Access analyzer is enabled for all regions.
Outdated Amazon Machine Images
Ensures that deprecated Amazon Machine Images are not in use.
ElasticSearch Cluster Status
Ensure that ElasticSearch clusters are healthy, i.e status is green.
ElasticSearch Domain Cross Account Access
Ensures that only trusted accounts have access to ElasticSearch domains.
ElasticSearch Dedicated Master Enabled
Ensure that Amazon Elasticsearch domains are using dedicated master nodes.
ElasticSearch Desired Instance Type
Ensure that all your Amazon Elasticsearch cluster instances are of given instance types.
ElasticSearch Encryption Enabled
Ensure that AWS ElasticSearch domains have encryption enabled.
ElasticSearch TLS Version
Ensure ElasticSearch domain is using the latest security policy to only allow TLS v1.2
Event Bus Cross Account Access
Ensure that EventBridge event bus is configured to allow access to whitelisted AWS account principals.
IAM Support Policy
Ensures that an IAM role, group or user exists with specific permissions to access support center.
IAM User Account In Use
Ensure that IAM user accounts are not being actively used.
Domain Privacy Protection
Ensure that Privacy Protection feature is enabled for your Amazon Route 53 domains.
Sender Policy Framework In Use
Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain.
Sender Privacy Framework Record Present
Ensure that Route 53 hosted zones have a DNS record containing Sender Policy Framework (SPF) value set for each MX record available.
PrivateLink in Use for Transfer for SFTP Server Endpoints
Ensure that AWS Transfer for SFTP server endpoints are configured to use VPC endpoints powered by AWS PrivateLink.
Instance Automatic Restart Enabled
Ensure that Virtual Machine instances have automatic restart feature enabled.
Instance Desired Machine Type
Ensures that Virtual Machine instances are of given types.
Instance Template Machine Type
Ensure that Cloud Virtual Machine instance templates are of given types.
Dataflow Hanged Jobs
Ensure that Cloud Dataflow jobs are not in same state for more than defined amount of time.
Dataflow Jobs Encryption
Ensure that Google Dataflow jobs are encrypted with desired encryption level.
Delete Expired Deployments
Ensure that Cloud Deployment Manager deployment are deleted after desired number of days from their creation time.
Cluster Encryption Enabled
Ensure that GKE clusters have KMS encryption enabled to encrypt application-layer secrets.
Integrity Monitoring Enabled
Ensures all Kubernetes shielded cluster node have integrity monitoring enabled
Node Encryption Enabled
Ensure that GKE cluster nodes are encrypted using desired encryption protection level.
Secure Boot Enabled
Ensures all Kubernetes cluster nodes have secure boot feature enabled.
Ensure that shielded nodes setting is enabled for all Kubernetes clusters.
Spanner Instance Node Count
Ensure that node count for Spanner instances is not above allowed count.
Network Policy Enabled
Ensure that Kubernetes Engine Clusters are configured to enable NetworkPolicy.
Ensure that API Gateway APIs have protocol set to HTTPS.
Bucket CMK Encrypted
Ensure that OSS buckets are encrypted using Alibaba CMK.
Bucket Lifecycle Configuration
Ensures that OSS buckets have lifecycle configuration enabled to automatically transition bucket objects.