2021-11-17 New CSPM Plugin Release
On November 17th, 2021, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required and they will be pre-suppressed in your account prior to release.
Region Updates
** The new regions are available for suppression ahead of the release.**
AWS
Added eu-south-1, ap-northeast-3, me-south-1, af-south-1 regions for scans.
Modified regions list for Athena, DAX, DevOps Guru, EKS, Elastic BeanStalk, Firehose, Sagemaker, SES, Transfer, MWAA, Direct Connect, Directory Service, EFS and XRay to include all.
Added us-west3, us-west4, northamerica-northeast2, europe-central2, asia-south2, asia-southeast2, asia-northeast3, australia-southeast2 as well as zones for these regions.
Modified regions list for Cloud Functions to include missing regions. Additionally, modified VM Max Instances plugin to add settings for newly added regions.
Plugin Updates
AWS
All
Added domain flag for all plugins.
Instance vCPU On-Demand Based Limits
Refactored the plugin implementation to include missing regions for AWS ServiceQuotas. Pre-refactoring implementation shows results for max-instances limit on legacy regions (where ServiceQuotas was not supported) and vCPUs limit for supported regions. As ServiceQuotas is now available in all AWS regions so newer implementation gives results based on vCPUs limit for all regions.
ACM Certificate Expiry
Plugin was missing certificates which are past their expiry date. Fixed logic to check for such certificates.
CloudTrail Bucket Access Logging, CloudTrail Bucket Delete Policy, CloudTrail Bucket Private, Object Lock Enabled
Fixed bug where CloudTrail plugins were giving duplicate records for trails create in multiple AWS regions (Multi-regions trails).
EKS Kubernetes Versions
Modified plugin to reflect more deprecated (1.17) EKS Kubernetes versions and display results accordingly
Storage Bucket All Users Policy
Modified to show result for each buckets instead of aggregating results for all PASSING buckets to allow resource-based suppression.
CSEK Encryption Enabled, Disk Automatic Backup Enabled, Disk In Use
As you can create a Compute disk in a single zone as well as multiple zones in single regions. Current implementation does not check disk created in region i.e. regional disks. We refactored plugin implementation to check regional disks as well.
New Plugins
AWS
IAM User Present
Ensure that at least one IAM user exists so that access to your AWS services and resources is made only through IAM users instead of the root account.
MQ Auto Minor Version Upgrade
Ensure that Amazon MQ brokers have the Auto Minor Version Upgrade feature enabled.
MQ Deployment Mode
Ensure that for high availability, your AWS MQ brokers are using the active/standby deployment mode instead of single-instance.
MQ Log Exports Enabled
Ensure that Amazon MQ brokers have the Log Exports feature enabled.
S3 Glacier Vault Public Access
Ensure that S3 Glacier Vault public access block is enabled for the account.
SSM Documents Public Access
Ensure that SSM service has block public sharing setting enabled.
Unused WorkSpaces
Ensure that there are no unused AWS WorkSpaces instances available within your AWS account.
Alibaba
ActionTrail Bucket Private
Ensure that OSS buckets which are acting as ActionTrail trails destinations, should not be publicly accessible.
API Group TLS Version
Ensure that API Gateway groups are using latest TLS version.
OSS Bucket IP Restriction Configured
Ensure that OSS buckets have policy configured to allow only specific IP addresses.
OSS Bucket Secure Transport Enabled
Ensure that Alibaba OSS buckets have secure transport enabled.
RAM Administrator Policies
Ensure that RAM policies which allow administrator access ("*:*") are not attached to RAM users, groups or roles.
Security Agent Installed
Ensure that all assets are configured to be installed with Security Agent.
Security Center Edition
Ensure that your cloud Security Center edition is Advanced or plus.
Security Notifications Enabled
Ensure that notifications are enabled for all risk items in Vulnerability, Baseline Risks, Alerts and Accesskey Leak event detection categories.
Compute Allowed External Ips
Determine if "Define Allowed External IPs for VM Instances" constraint policy is enabled at the GCP organization level.
Detailed Audit Logging Mode
Determine if "Detailed Audit Logging Mode" policy is configured at the GCP organization level.
Disable Automatic IAM Grants
Determine if "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced at the organization level.
Disable Default Encryption Creation
Determine if "Restrict Default Google-Managed Encryption for Cloud SQL Instances" is enforced on the GCP organization level.
Disable Guest Attributes
Determine if "Disable Guest Attributes of Compute Engine Metadata" constraint policy is enabled at the GCP organization level.
Disable Workload Identity Cluster Creation
Determine if "Disable Workload Identity Cluster Creation" policy is enforced at the GCP organization level.
Disable Service Account Key Creation
Determine if "Disable Service Account Key Creation" policy is enforced at the GCP organization level.
Disable Service Account Key Upload
Determine if "Disable Service Account Key Upload" policy is enforced at the GCP organization level.
Disable Serial Port Access
Determine if "Disable VM serial port access" policy is enforced at the GCP organization level.
Disable VM IP Forwarding
Determine if "Restrict VM IP Forwarding" constraint policy is enforced at the GCP organization level.
Location-Based Service Restriction
Determine if "Resource Location Restriction" is enforced on the GCP organization level.
Enforce Require OS Login
Determine if "Require OS Login" policy is enforced at the GCP organization level.
Enforce Restrict Authorized Networks
Determine if "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at the GCP organization level.
Restrict Load Balancer Creation
Determine if "Restrict Load Balancer Creation for Types" is enforced on the GCP organization level.
Restrict Shared VPC Subnetworks
Determine if "Restrict Shared VPC Subnetworks" is enforced on the GCP organization level.
Restrict VPC Peering
Determine if "Restrict VPC Peering" is enforced on the GCP organization level.
Restrict VPN Peer Ips
Determine if "Restrict VPN Peer IPs" is enforced on the GCP organization level.
Skip Default Network Creation
Determine if "Skip Default Network Creation" constraint policy is enforces at the GCP organization level.
Trusted Image Projects
Determine if "Define Trusted Image Projects" constraint policy is enforces at the GCP organization level.
Enforce Uniform Bucket-Level Access
Determine if "Enforce uniform bucket-level access" policy is enabled at the GCP organization level.
VM Disks CMK Encryption
Ensure that Virtual Machine instances are encrypted using customer-managed keys.
Application Consistent Snapshots
Ensure that application consistent snapshots feature is enabled for snapshot schedules.
Autoscale Minimum CPU Utilization Target
Ensure that minimum CPU utilization target is greater or equal than set percentage.
Deprecated Images
Ensure that Compute instances are not created from deprecated images.
Disk MultiAz
Ensure that Compute disks have regional disk replication feature enabled for high availability.
Enable Usage Export
Ensure that setting is configured to export Compute instances usage to Cloud Storage bucket.
Frequently Used Snapshots
Ensure that frequently used disks are created from images instead of snapshots to save networking cost.
Persistent Disks Auto Delete
Ensure that auto-delete is disabled for attached persistent disks.
Open Custom Ports
Ensure that defined custom ports are not open to public.
Did you find it helpful? Yes No
Send feedback