2021-12-13 New CSPM Plugin Release
On December 13th, 2021, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release.
We have added additional permissions to our security audit supplemental policy. The Aqua CSPM audit role can be updated by redeploying the CloudFormation stack or by adding the following permissions to the inline policy. To update permissions, follow these steps.
kendra:ListIndices, proton:ListEnvironmentTemplates, qldb:ListLedgers, airflow:ListEnvironments, profile:ListDomains, timestream:DescribeEndpoints, memorydb:DescribeClusters, kafka:ListClusters, apprunner:ListServices, finspace:ListEnvironments, healthlake:ListFHIRDatastores, codeartifact:ListDomains, auditmanager:GetSettings, appflow:ListFlows, databrew:ListJobs, managedblockchain:ListNetworks, connect:ListInstances, backup:ListBackupVaults, dlm:GetLifecyclePolicies, glue:GetSecurityConfigurations, ssm:GetServiceSetting
New Plugins
AWS
AppFlow Flow Encrypted
Ensure that your Amazon AppFlow flows are encrypted with the desired encryption level. Amazon AppFlow encrypts your access tokens, secret keys, data in transit and data at rest with AWS-managed keys by default.
Service Encrypted
Ensure that AWS App Runner services are encrypted using the desired encryption level.
To protect your application's data at rest, App Runner encrypts all stored copies of your application source image or source bundle using an AWS-managed key by default.
Audit Manager Data Encrypted
Ensure that all data in Audit Manager is encrypted with the desired encryption level.
All resources in AWS Audit Manager, such as assessments, controls, frameworks and evidence, are encrypted under a customer managed key or an AWS owned key, depending on your selected settings.
Backup Vault Encrypted
Ensure that your AWS Backup vaults are using AWS KMS customer managed keys (CMKs) instead of AWS-managed keys (i.e. the default encryption keys).
CloudWatch Log Groups Encrypted
Ensure that the CloudWatch Log groups are encrypted using desired encryption level.
Log group data is always encrypted in CloudWatch Logs. You can optionally use AWS Key Management Service for this encryption.
CodeArtifact Domain Encrypted
Ensures that AWS CodeArtifact domains have encryption enabled with desired encryption level.
CodeArtifact domains make it easier to manage multiple repositories across an organization. By default, domain assets are encrypted with an AWS-managed KMS key.
Project Artifacts Encrypted
Ensure that your AWS CodeBuild project artifacts are encrypted with desired encryption level.
AWS CodeBuild encrypts artifacts such as a cache, logs, exported raw test report data files, and build results.
Pipeline Artifacts Encrypted
Ensure that AWS CodePipeline is using the desired encryption level to encrypt pipeline artifacts stored in S3. CodePipeline creates an S3 artifact bucket and a default AWS managed key when you create a pipeline. By default, these artifacts are encrypted using the default AWS-managed S3 key. Use a customer-managed key for encryption in order to gain more granular control over the encryption/decryption process.
Connect Customer Profiles Domain Encrypted
Ensure that AWS Connect Customer Profiles domains are using desired encryption level.
A Customer Profiles domain is a container for all data, such as customer profiles, object types, profile keys and encryption keys. To encrypt this data, use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Connect Instance Attachments Encrypted
Ensure that Amazon Connect instances have encryption enabled for attachments being saved on S3.
Connect Instance Call Recording Encrypted
Ensure that Amazon Connect instances have encryption enabled for call recordings being saved on S3.
You can configure an Amazon Connect instance to save recordings of incoming calls to S3. When you save such data on S3, enable encryption for the data and use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Connect Instance Media Streams Encrypted
Ensure that Amazon Connect instances have encryption enabled for media streams being saved on Kinesis Video Stream.
Connect Instance Exported Reports Encrypted
Ensure that Amazon Connect instances have encryption enabled for exported reports being saved on S3.
You can configure an Amazon Connect instance to save exported reports to S3. When you save such data on S3, enable encryption for the data and use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
Connect Instance Chat Transcripts Encrypted
Ensure that Amazon Connect instances have encryption enabled for chat transcripts being saved on S3.
You can configure an Amazon Connect instance to save chat transcripts to S3. When you save such data on S3, enable encryption for the data and use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
DocumentDB Cluster Encrypted
Amazon DocumentDB integrates with AWS KMS and uses a method known as envelope encryption to protect your data. This gives you an extra layer of data security and helps meet security compliance and regulations within your organization.
ECR Repository Encrypted
Ensure that the images in ECR repositories are encrypted using the desired encryption level.
By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys (SSE-S3), which encrypts your data at rest using the AES-256 encryption algorithm. Use customer-managed KMS keys instead in order to gain more granular control over the encryption/decryption process.
ElastiCache Redis Cluster Encryption At-Rest
Amazon ElastiCache provides an optional feature to encrypt your data saved to persistent media. Enable this feature and use customer-managed keys in order to protect the data from unauthorized access and fulfill compliance requirements within your organization.
ElastiCache Redis Cluster Encryption In-Transit
Ensure that your AWS ElastiCache Redis clusters have encryption in-transit enabled.
Amazon ElastiCache in-transit encryption is an optional feature that allows you to increase the security of your data at its most vulnerable points—when it is in transit from one location to another.
Elastic Transcoder Job Outputs Encrypted
Ensure that Elastic Transcoder jobs have encryption enabled to encrypt your data before saving it on S3. Amazon Elastic Transcoder jobs save their output to S3. If you don't configure encryption parameters, the job saves the file unencrypted. Enable encryption for output files and use customer-managed keys for encryption in order to gain more granular control over the encryption/decryption process.
Elastic Transcoder Pipeline Data Encrypted
Ensure that Elastic Transcoder pipelines have encryption enabled with desired encryption level to encrypt your data.
Amazon Elastic Transcoder pipelines use AWS-managed KMS keys to encrypt your data. You should use customer-managed keys in order to gain more granular control over encryption/decryption process.
FinSpace Environment Encrypted
Amazon FinSpace is a fully managed data management and analytics service that makes it easy to store, catalog and prepare financial industry data at scale. To encrypt this data, use a KMS key with the desired encryption level to meet regulatory compliance requirements within your organization.
AWS Glue DataBrew Job Output Encrypted
Ensure that AWS Glue DataBrew jobs have encryption enabled for output files with the desired encryption level.
AWS Glue DataBrew jobs should have encryption enabled for their S3 targets (i.e. output files) to meet regulatory compliance requirements within your organization.
HealthLake Data Store Encrypted
Ensure that AWS HealthLake Data Store is using desired encryption level.
Amazon HealthLake is a Fast Healthcare Interoperability Resources (FHIR)-enabled patient Data Store that uses AWS-managed KMS keys for encryption. Encrypt these data stores using customer-managed keys (CMKs) in order to gain more granular control over encryption/decryption process.
Kendra Index Encrypted
Ensure that Kendra indexes are encrypted using the desired encryption level.
Amazon Kendra encrypts your data at rest with AWS-managed keys by default. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Managed Blockchain Network Member Data Encrypted
Ensure that members created in Amazon Managed Blockchain are encrypted using the desired encryption level.
Amazon Managed Blockchain encrypts network member data at rest by default with AWS-managed keys. Use your own customer-managed key (CMK) to encrypt this data to meet regulatory compliance requirements within your organization.
MemoryDB Cluster Encrypted
To help keep your data secure, MemoryDB at-rest encryption is always enabled and encrypts persistent data using AWS-managed KMS keys by default. Use customer-managed keys (CMKs) instead in order to have fine-grained control over the data-at-rest encryption/decryption process and meet compliance requirements.
MQ Broker Encrypted
Ensure that Amazon MQ brokers have encryption at rest enabled with the desired encryption level.
Amazon MQ encryption at rest provides enhanced security by encrypting your data using encryption keys stored in the AWS Key Management Service (KMS).
MSK Cluster Encryption At-Rest
Ensure that Amazon Managed Streaming for Apache Kafka (MSK) clusters are using the desired encryption key for at-rest encryption.
Amazon MSK encrypts all data at rest using AWS-managed KMS keys by default. Use customer-managed keys (CMKs) instead in order to have fine-grained control over the data-at-rest encryption/decryption process and meet compliance requirements.
Environment Data Encrypted
Ensure that Amazon MWAA environment data is encrypted with the desired encryption level.
Amazon MWAA encrypts data saved to persistent media with AWS-managed keys by default. Use customer-managed keys instead in order to gain more granular control over the encryption/decryption process.
Neptune Database Instance Encrypted
Ensure that your AWS Neptune database instances are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys.
Environment Template Encrypted
Ensure that AWS Proton environment templates are encrypted with the desired encryption level.
AWS Proton encrypts sensitive data in your template bundles at rest in the S3 bucket where you store your template bundles using AWS-managed keys. Use customer-managed keys (CMKs) in order to meet regulatory compliance requirements within your organization.
Ledger Encrypted
QLDB encryption at rest provides enhanced security by encrypting all ledger data at rest using encryption keys in AWS Key Management Service (AWS KMS). Use customer-managed keys (CMKs) instead in order to gain more granular control over encryption/decryption process.
S3 Versioned Buckets Lifecycle Configuration
Ensure that S3 buckets with versioning enabled also have a lifecycle policy configured for non-current object versions. Without one, every overwritten or deleted object leaves a non-current version behind indefinitely, which both inflates storage cost and retains data you may have intended to delete.
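The lifecycle check above is easy to get subtly wrong: a rule that only expires current objects, a rule that is present but disabled, or a rule scoped to a prefix does not protect the whole bucket. The following Python example was written for this page and is not Aqua's plugin source. It consumes the shapes returned by s3:GetBucketVersioning and s3:GetBucketLifecycleConfiguration (a bucket with no configuration is represented as None, since the API raises NoSuchLifecycleConfiguration), the sample buckets are constructed, and the WARN result for prefix- or tag-scoped rules is this example's own design choice, not something the page states.

```python
"""Added example: verify that versioned S3 buckets expire or transition
non-current object versions. Illustrative code for this page, not Aqua's
plugin; input dicts mirror boto3 responses and all sample data is constructed."""


def rule_covers_noncurrent(rule):
    """True if an enabled rule acts on non-current versions (expire or transition)."""
    if rule.get("Status") != "Enabled":
        return False
    return bool(rule.get("NoncurrentVersionExpiration")
                or rule.get("NoncurrentVersionTransitions"))


def rule_is_bucket_wide(rule):
    """True if the rule applies to every key.

    Older configurations carry a top-level Prefix; newer ones a Filter object
    that may narrow by Prefix, Tag, And (combined) or object size."""
    if "Filter" in rule:
        f = rule["Filter"] or {}
        narrowing = ("Tag", "And", "ObjectSizeGreaterThan", "ObjectSizeLessThan")
        return f.get("Prefix", "") == "" and not any(k in f for k in narrowing)
    return rule.get("Prefix", "") == ""


def check_bucket(name, versioning, lifecycle):
    """Return (status, message). Buckets without versioning are out of scope.

    WARN (an assumption of this example) flags coverage that exists only
    under a prefix/tag filter, so part of the bucket still accumulates versions."""
    if versioning.get("Status") != "Enabled":  # absent or "Suspended"
        return "PASS", f"{name}: versioning not enabled, lifecycle check not applicable"
    rules = (lifecycle or {}).get("Rules", [])
    covering = [r for r in rules if rule_covers_noncurrent(r)]
    if not covering:
        return "FAIL", f"{name}: versioning enabled but no lifecycle rule handles non-current versions"
    if not any(rule_is_bucket_wide(r) for r in covering):
        return "WARN", f"{name}: non-current versions handled only under a prefix/tag filter"
    ids = [r.get("ID") for r in covering]
    return "PASS", f"{name}: non-current versions expire/transition via rule(s) {ids}"


# Constructed sample buckets: (GetBucketVersioning, GetBucketLifecycleConfiguration or None)
SAMPLE_BUCKETS = {
    "logs-versioned": ({"Status": "Enabled"},
                       {"Rules": [{"ID": "expire-old", "Status": "Enabled", "Filter": {},
                                   "NoncurrentVersionExpiration": {"NoncurrentDays": 30}}]}),
    "data-versioned-no-rule": ({"Status": "Enabled"},
                               {"Rules": [{"ID": "current-only", "Status": "Enabled", "Prefix": "",
                                           "Expiration": {"Days": 365}}]}),
    "data-versioned-disabled-rule": ({"Status": "Enabled"},
                                     {"Rules": [{"ID": "off", "Status": "Disabled", "Filter": {},
                                                 "NoncurrentVersionExpiration": {"NoncurrentDays": 7}}]}),
    "static-site": ({}, None),
    "tmp-prefix-only": ({"Status": "Enabled"},
                        {"Rules": [{"ID": "tmp", "Status": "Enabled", "Filter": {"Prefix": "tmp/"},
                                    "NoncurrentVersionTransitions": [
                                        {"NoncurrentDays": 30, "StorageClass": "GLACIER"}]}]}),
}


def run_lifecycle_checks(buckets=SAMPLE_BUCKETS):
    """Map bucket name to status for every sample bucket."""
    return {name: check_bucket(name, v, lc)[0] for name, (v, lc) in buckets.items()}


if __name__ == "__main__":
    for name, (v, lc) in SAMPLE_BUCKETS.items():
        print(*check_bucket(name, v, lc))
```

Feeding real data in is a matter of replacing SAMPLE_BUCKETS with the results of get_bucket_versioning and get_bucket_lifecycle_configuration per bucket, catching NoSuchLifecycleConfiguration and passing None.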
SES Email Messages Encrypted
Ensure that Amazon SES email messages are encrypted before delivering them to specified buckets.
Timestream Database Encrypted
Ensure that AWS Timestream databases are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys.
Timestream encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys. This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest using customer-managed keys, you can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.
Translate Job Output Encrypted
Ensure that your Amazon Translate jobs have CMK encryption enabled for output data residing on S3.
Amazon Translate encrypts your output data with AWS-managed keys by default. Encrypt your files using customer-managed keys in order to gain more granular control over the encryption/decryption process.
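Nearly every plugin on this page, from AppFlow through Translate, reduces to the same decision: which KMS key a resource is encrypted with, and whether that key is at least as strong as the level you have configured as "desired". The following Python example was written for this page to make that decision concrete; it is not Aqua's plugin source. It classifies a key from the KeyMetadata that kms:DescribeKey returns (KeyManager "AWS" for AWS-managed keys, "CUSTOMER" for customer managed keys, with Origin distinguishing imported and CloudHSM-backed material), and treats S3-managed AES-256 (the ECR default above) as its own, weaker level. The level names and their ordering, the choice to count a key that cannot be described (an alias, or a key in another account) as AWS-managed, and all sample keys and resources are assumptions/constructed.

```python
"""Added example: decide whether a resource meets a desired KMS encryption level.
Illustrative code for this page, not Aqua's plugin source. Level names, ordering,
the unknown-key rule and the sample records below are assumptions/constructed."""
import re

# Weakest to strongest; the "desired level" is a threshold in this order (assumed).
ENCRYPTION_LEVELS = ["none", "sse", "awskms", "awscmk", "externalcmk", "cloudhsm"]

# Extract the 36-character key ID from a bare ID or a key ARN; aliases do not match.
KEY_ID_RE = re.compile(r"(?:^|/)([0-9a-f-]{36})$")


def key_level(key_metadata):
    """Classify one key from the KeyMetadata of kms:DescribeKey.

    Disabled or pending-deletion keys are reported as "none": a resource bound
    to such a key is not usefully encrypted for new writes."""
    if key_metadata.get("KeyState") not in (None, "Enabled"):
        return "none"
    manager = key_metadata.get("KeyManager")
    origin = key_metadata.get("Origin", "AWS_KMS")
    if manager == "AWS":
        return "awskms"
    if manager == "CUSTOMER":
        if origin == "AWS_CLOUDHSM":
            return "cloudhsm"
        if origin == "EXTERNAL":
            return "externalcmk"
        return "awscmk"
    return "none"


def resource_level(kms_key_id, keys_by_id, sse_s3=False):
    """Level for one resource.

    kms_key_id: key ID/ARN from the service's encryption settings, or None.
    sse_s3:     True when the service reports S3-managed AES-256 (e.g. ECR "AES256").
    keys_by_id: {key_id: KeyMetadata} for keys the account can describe."""
    if kms_key_id:
        m = KEY_ID_RE.search(kms_key_id)
        meta = keys_by_id.get(m.group(1)) if m else None
        # Assumption: a KMS key we cannot describe is the weakest KMS-backed
        # level rather than silently promoted to a customer managed key.
        return key_level(meta) if meta else "awskms"
    return "sse" if sse_s3 else "none"


def evaluate(resource_name, level, desired):
    """PASS when the resource meets or exceeds the desired level."""
    ok = ENCRYPTION_LEVELS.index(level) >= ENCRYPTION_LEVELS.index(desired)
    return ("PASS" if ok else "FAIL",
            f"{resource_name} is encrypted at level {level}; desired {desired}")


# Constructed DescribeKey metadata, keyed by key ID (not real keys).
SAMPLE_KEYS = {
    "1234abcd-12ab-34cd-56ef-1234567890ab": {"KeyManager": "AWS", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    "a1b2c3d4-0000-4000-8000-000000000001": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    "a1b2c3d4-0000-4000-8000-000000000002": {"KeyManager": "CUSTOMER", "Origin": "EXTERNAL", "KeyState": "Enabled"},
}

# Constructed resources: (name, kms key from the service's config, uses SSE-S3).
SAMPLE_RESOURCES = [
    ("ecr:repo/payments", None, True),
    ("backup:vault/default", "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", False),
    ("kendra:index/docs", "a1b2c3d4-0000-4000-8000-000000000001", False),
    ("qldb:ledger/audit", "arn:aws:kms:us-east-1:123456789012:key/a1b2c3d4-0000-4000-8000-000000000002", False),
    ("codebuild:project/legacy", None, False),
]


def run_encryption_checks(desired="awscmk", resources=SAMPLE_RESOURCES, keys=SAMPLE_KEYS):
    """Evaluate every sample resource against the desired level."""
    return [evaluate(name, resource_level(k, keys, sse), desired) for name, k, sse in resources]


if __name__ == "__main__":
    for status, msg in run_encryption_checks():
        print(status, msg)
```

With the desired level left at awscmk, the ECR repository (SSE-S3), the Backup vault (AWS-managed key) and the CodeBuild project (no key) fail while the Kendra index and the QLDB ledger pass; lowering the threshold to awskms also passes the Backup vault. In practice keys_by_id is populated from kms:ListKeys plus kms:DescribeKey for the region, and each plugin supplies the key reference from its own service's describe call.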