On October 14th, 2021, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.
SQS Cross Account Access
When an SQS queue policy grants access to the principal '*' but scopes it down with a condition on a specific aws:SourceArn, the plugin was producing false negative results. This has been fixed.
KMS Key Rotation
Fixed an issue where the plugin was also reporting results for AWS-managed keys, whose rotation is not customer-configurable. As a side effect, the plugin now skips regions that contain no CMKs. For example, the plugin expects key rotation to be enabled for CMKs, but if there are no CMKs in the 'us-east-1' region, that region is omitted from the scan result.
EKS Kubernetes Version
AWS ended support for Kubernetes version 1.16 on EKS as of September 27, 2021, so the plugin has been updated to reflect this.
All EC2 Open Port plugins
In our last release we added a setting to skip the open-port check for EC2 security groups that are not in use; the plugin produced a PASS result for such groups. The implementation has now been changed to produce a WARN result instead of PASS, so an open port in an unused security group is still surfaced rather than reported as passing.
Trusted Cross Account Roles
Added a new setting 'whitelisted_aws_account_principals_regex' that accepts a regular expression for whitelisting AWS cross-account principals. When provided, the plugin compares each cross-account principal against this regex and treats matching principals as trusted.
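The two AWS policy behaviours above (an anonymous principal narrowed by an aws:SourceArn condition, and a regex whitelist for cross-account principals) come down to the same question: whom does a statement actually grant access to? The following is an added example, not Aqua's or CloudSploit's plugin code, showing one way to answer it. It assumes a four-level classification (same_account, whitelisted, cross_account, public), that the whitelist regex is applied with re.search against the principal ARN (bare account IDs and condition-derived accounts are normalised to arn:aws:iam::ACCOUNT:root), that only aws:SourceArn, aws:SourceAccount and aws:PrincipalAccount conditions narrow "*", and that Service principals are out of scope. All account IDs, ARNs and policies in it are constructed sample data.

```python
"""Added example, not Aqua/CloudSploit code: classify whom an AWS resource policy or
IAM trust policy grants access to. A Principal of "*" narrowed by an aws:SourceArn /
aws:SourceAccount / aws:PrincipalAccount condition is not treated as public, and
cross-account principals can be whitelisted by a regex (the role the
'whitelisted_aws_account_principals_regex' setting plays above). All IDs are constructed."""
import re

# Least to most exposure; a policy is classified by its worst statement.
SEVERITY = {"same_account": 0, "whitelisted": 1, "cross_account": 2, "public": 3}
ACCOUNT_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:(\d{12}):")
SCOPING_KEYS = ("aws:sourcearn", "aws:sourceaccount", "aws:principalaccount")
OWN = "111111111111"  # constructed: the account that owns the queue / role

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    """AWS-type principals of a statement; "*" is the anonymous principal.
    Service principals are outside this check and ignored."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return []

def _condition_scope(stmt):
    """(scoped, accounts): does a condition narrow the anonymous principal, and to whom?
    Only positive equality/like operators count; negated and ...IfExists forms do not."""
    scoped, accounts = False, set()
    for operator, pairs in stmt.get("Condition", {}).items():
        base = operator.split(":")[-1]  # drop a ForAnyValue:/ForAllValues: prefix
        if operator.endswith("IfExists") or not base.startswith(
                ("StringEquals", "StringLike", "ArnEquals", "ArnLike")):
            continue
        for key, values in pairs.items():
            if key.lower() not in SCOPING_KEYS:
                continue
            for value in _as_list(values):
                if value == "*":  # a bare wildcard narrows nothing
                    continue
                scoped = True
                match = ACCOUNT_RE.match(value) or ARN_ACCOUNT_RE.match(value)
                if match:  # group 0 for a bare account ID, group 1 for an ARN
                    accounts.add(match.group(match.lastindex or 0))
    return scoped, accounts

def classify_statement(stmt, own_account, whitelist_regex=None):
    """Worst trust class granted by one Allow statement; None if it grants
    nothing to an AWS principal (Deny statements, service-only principals)."""
    if stmt.get("Effect") != "Allow":
        return None
    candidates = []  # (canonical principal string, account ID or None)
    for principal in _aws_principals(stmt):
        if principal == "*":
            scoped, accounts = _condition_scope(stmt)
            if not scoped:
                return "public"  # nothing narrows the anonymous principal
            if not accounts:  # scoped to an ARN without an account (e.g. an S3 bucket)
                candidates.append(("*", None))  # unattributable: counts as cross-account
            candidates.extend((f"arn:aws:iam::{a}:root", a) for a in accounts)
        elif ACCOUNT_RE.match(principal):  # bare account ID means that account's root
            candidates.append((f"arn:aws:iam::{principal}:root", principal))
        else:
            match = ARN_ACCOUNT_RE.match(principal)
            candidates.append((principal, match.group(1) if match else None))
    worst = None
    for canonical, account in candidates:
        if account == own_account:
            cls = "same_account"
        elif whitelist_regex and re.search(whitelist_regex, canonical):
            cls = "whitelisted"
        else:
            cls = "cross_account"
        if worst is None or SEVERITY[cls] > SEVERITY[worst]:
            worst = cls
    return worst

def classify_policy(policy, own_account, whitelist_regex=None):
    """Worst trust class across all statements of a policy document (dict)."""
    classes = [classify_statement(s, own_account, whitelist_regex)
               for s in _as_list(policy.get("Statement", []))]
    classes = [c for c in classes if c]
    return max(classes, key=SEVERITY.get) if classes else None

def sqs_policy(condition=None):
    """Constructed SQS queue policy with the anonymous principal, optionally narrowed."""
    stmt = {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage",
            "Resource": f"arn:aws:sqs:us-east-1:{OWN}:orders"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

TRUST_POLICY = {  # constructed trust policy of a role assumed from another account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::333333333333:role/ci"}}],
}

if __name__ == "__main__":
    own_sns = {"ArnEquals": {"aws:SourceArn": f"arn:aws:sns:us-east-1:{OWN}:orders"}}
    other_sns = {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:222222222222:orders"}}
    print("SQS, SourceArn in own account  :", classify_policy(sqs_policy(own_sns), OWN))
    print("SQS, SourceArn in other account:", classify_policy(sqs_policy(other_sns), OWN))
    print("SQS, no condition at all       :", classify_policy(sqs_policy(), OWN))
    print("Trust policy, regex whitelist  :",
          classify_policy(TRUST_POLICY, OWN, r"^arn:aws:iam::(222222222222|333333333333):"))
```

Two design points worth noting. A condition only narrows "*" when it is a positive operator on a key the caller cannot choose freely; StringNotEquals and the ...IfExists variants are deliberately ignored, because a request that omits the key still matches them. And a SourceArn that carries no account (an S3 bucket ARN, or an ARN with a wildcard in the account field) is kept as scoped but unattributable and reported as cross_account, so it is reviewed rather than silently passed.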
CloudFront WAF Enabled
Modified plugin to report one result per CloudFront distribution instead of a single result covering all failing distributions. As a result, this plugin now supports resource-based suppression.
CLB HTTPS Only
Modified plugin implementation to report exactly one result per HTTP(S) load balancer, stating whether the CLB is HTTPS-only or not. As a result, this plugin now supports resource-based suppression.
Security Policy Alerts Enabled
The plugin was returning a FAIL result with the message 'Log Alert for /policies delete is not enabled'. Such a log alert cannot be created, so the plugin now skips that check.
Tables CMK Encrypted
Ensure that BigQuery dataset tables are encrypted using the desired encryption protection level.
HTTP Trigger require HTTPS
Ensure that Cloud Functions are configured to require HTTPS for HTTP invocations.
Ingress All Traffic Disabled
Ensure that Cloud Functions are configured to allow only internal traffic or traffic from Cloud Load Balancer.
Disk Automatic Backup Enabled
Ensure that Google Compute disks have scheduled snapshots configured.
Disk In Use
Ensure that there are no unused Compute disks.
Disk Old Snapshots
Ensure that Compute disk snapshots are deleted after a defined time period.
Instance Maintenance Behavior
Ensure that "On Host Maintenance" configuration is set to Migrate for VM instances.
Instance Preemptibility Disabled
Ensure that preemptible Virtual Machine instances do not exist.
OS Login 2FA Enabled
Ensure that Virtual Machine instances have the OS Login feature enabled and configured with Two-Factor Authentication.
Ensure that IAM members do not use primitive roles such as Owner, Editor or Viewer.
Service Account Token Creator
Ensure that no users have the Service Account Token Creator role.
Dead Lettering Enabled
Ensure that each Google Pub/Sub subscription is configured to use a dead-letter topic.
SQL CMK Encryption
Ensure that Cloud SQL instances are encrypted using Customer Managed Keys (CMKs).
Ensure that Cloud Storage buckets have encryption enabled using the desired protection level.
Bucket Lifecycle Configured
Ensure that Cloud Storage buckets are using lifecycle management rules to transition objects between storage classes.
Firewall Logging Metadata
Ensure that VPC Network firewall logging is configured to exclude logging metadata in order to reduce the size of the log files.