On October 14th, 2021, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release. 


Plugin Updates 



SQS Cross Account Access 

When SQS queue policy is created with the principal as ‘*’ with conditions to scope down to a specific SourceArn, the plugin was giving false negative results. 


KMS Key Rotation 

fixed an issue where the plugin was showing results for AWS-managed keys as well. As a ripple, the plugin started skipping regions which don’t contain CMKs. For example, the plugin says that Key rotation should be enabled for CMKs, but if there are no CMKs in the ‘us-east-1’ region, the plugin would skip this region in the scan result. 


EKS Kubernetes Version 

AWS deprecated version 1.16 for kubernetes as of Sep 27, 2021, so we modified the plugin to reflect this update. 

All EC2 Open Port plugins 

In our last release, we added a functionality to have a setting to skip checking EC2 security groups for open ports which are not in use. Plugin would produce passing results for such security groups. Now we modified the implementation to produce a ‘WARN’ result instead of ‘PASS’ result. 


Trusted Cross Account Roles 

Added a new setting ‘whitelisted_aws_account_principals_regex’ which allows you to provide a regular expression to whitelist AWS cross-account principals. If this is provided, the plugin will compare cross account principals against this regex. 


CloudFront WAF Enabled 

Modified plugin to display one result for each CloudFront distribution instead of giving one result for all failing distributions. As a result, this plugin now supports resource-based suppression.




Modified plugin implementation to display exactly one result for HTTP(S) load balancers giving a message whether CLB is HTTP(S) only or not. As a result, this plugin now support resource-based suppression. 


Security Policy Alerts Enabled 

Plugin was giving FAIL result with message ‘Log Alert for microsoft.security/policies delete is not enabled’. But such a policy cannot be created so this plugin will now ignore that check.


New Plugins 


Tables CMK Encrypted 

Ensure that BigQuery dataset tables are encrypted using desired encryption protection level. 


HTTP Trigger require HTTPS 

Ensure that Cloud Functions are configured to require HTTPS for HTTP invocations. 


Ingress All Traffic Disabled 

Ensure that Cloud Functions are configured to allow only internal traffic or traffic from Cloud Load Balancer. 


Disk Automatic Backup Enabled 

Ensure that Google Compute disks have scheduled snapshots configured. 


Disk In Use 

Ensure that there are no unused Compute disks. 


Disk Old Snapshots 

Ensure that Compute disk snapshots are deleted after defined time period. 


Instance Maintenance Behavior 

Ensure that "On Host Maintenance" configuration is set to Migrate for VM instances. 


Instance Preemptibility Disabled 

Ensure that preemptible Virtual Machine instances do not exist. 


OS Login 2FA Enabled 

Ensure that Virtual Machines instances have OS logic feature enabled and configured with Two-Factor Authentication. 


Member Admin 

Ensure that IAM members do not use primitive roles such as owner, editor or viewer. 


Service Account Token Creator 

Ensures that no users have the Service Account Token Creator role. 


Dead Lettering Enabled 

Ensure that each Google Pub/Sub subscription is configured to use dead-letter topic. 


SQL CMK Encryption 

Ensure that Cloud SQL instances are encrypted using Customer Managed Keys (CMKs). 


Bucket Encryption 

Ensure that Cloud Storage buckets have encryption enabled using desired protection level. 


Bucket Lifecycle Configured 

Ensure that Cloud Storage buckets are using lifecycle management rules to transition objects between storage classes. 


Firewall Logging Metadata 

Ensure that VPC Network firewall logging is configured to exclude logging metadata in order to reduce the size of the log files.