2022-01-13 New CSPM Plugin Release
On January 13th, 2022, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release.
We have added additional permissions to our security audit supplemental policy. The Aqua CSPM audit role can be updated by redeploying the cloud formation stack or by adding the following permissions to the inline policy.
kinesisvideo:ListStreams, wisdom:ListAssistants, voiceid:ListDomains, lookoutequipment:ListDatasets, iotsitewise:DescribeDefaultEncryptionConfiguration, geo:ListTrackers, geo:ListGeofenceCollections, lookoutvision:ListProjects, lookoutmetrics:ListAnomalyDetectors, lex:ListBots, forecast:ListDatasets, forecast:ListForecastExportJobs
New Plugins
AWS
Connect Voice ID Domain Encrypted
Ensure that Voice ID domains created under Amazon Connect instances are using the desired KMS encryption level.
Connect Wisdom Domain Encrypted
Ensure that Wisdom domains created under Amazon Connect instances are using the desired KMS encryption level.
DocumentDB Cluster Backup Retention
Ensure that your Amazon DocumentDB clusters have set a minimum backup retention period.
EKS Latest Platform Version
Ensure that EKS clusters are using the latest platform version. Amazon EKS platform versions represent the capabilities of the Amazon EKS cluster control plane, such as which Kubernetes API server flags are enabled, as well as the current Kubernetes patch version.
ElastiCache Instance Generation
Ensure that all ElastiCache clusters provisioned within your AWS account are using the latest generation of instances.
ElastiCache Nodes Count
Ensure that the number of ElastiCache cluster cache nodes has not reached the limit quota established by your organization.
ElastiCache Redis Cluster Have Multi-AZ
Ensure that your ElastiCache Redis Cache clusters are using a Multi-AZ deployment configuration to enhance High Availability.
ElastiCache Idle Cluster Status
Idle Amazon ElastiCache cache cluster nodes represent a good candidate to reduce your monthly AWS costs and avoid accumulating unnecessary usage charges.
ElastiCache Engine Versions for Redis
Ensure that Amazon ElastiCache clusters are using the latest stable version of the Redis cache engine.
ElastiCache Reserved Cache Node Lease Expiration
Ensure that your AWS ElastiCache Reserved Cache Nodes are renewed before expiration in order to get a significant discount.
ElastiCache Reserved Cache Node Payment Failed
Ensure that payments for ElastiCache Reserved Cache Nodes available within your AWS account have been processed completely.
ElastiCache Reserved Cache Node Payment Pending
Ensure that payments for ElastiCache Reserved Cache Nodes available within your AWS account have been processed completely.
Unused ElastiCache Reserved Cache Nodes
Ensure that all your AWS ElastiCache reserved nodes have corresponding cache nodes running within the same account of an AWS Organization.
Enhanced Health Reporting
Ensure that Amazon Elastic Beanstalk (EB) environments have the enhanced health reporting feature enabled.
Environment Access Logs
Ensure that your Amazon Elastic Beanstalk environment is configured to save logs for the load balancer associated with the application environment.
Environment Persistent Logs
Ensure that AWS Elastic Beanstalk environment logs are retained and saved on S3.
Elastic Beanstalk environment logs should be retained in order to keep the logging data for future audits, historical purposes or to track and analyze the EB application environment behavior for a long period of time.
EMR Instances Counts
Ensure that the number of EMR cluster instances provisioned in your AWS account has not reached the desired threshold established by your organization.
Forecast Dataset Export Encrypted
Ensure that AWS Forecast exports have encryption enabled before they are saved to S3.
In AWS Forecast, you can save forecast reports to S3 in CSV format. Make sure to encrypt these exports before writing them to the bucket in order to follow your organization's security and compliance requirements.
Forecast Dataset Encrypted
Ensure that AWS Forecast datasets are using the desired KMS key for data encryption.
Datasets contain the data used to train a predictor. You create one or more Amazon Forecast datasets and import your training data into them. Make sure to enable encryption for these datasets using customer-managed keys (CMKs) in order to gain more granular control over the encryption/decryption process.
FSx File System Encrypted
Ensure that Amazon FSx for Windows File Server file systems are encrypted using desired KMS encryption level. If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, AWS recommends creating encrypted file systems.
Exported Findings Encrypted
Ensure that GuardDuty findings export is encrypted using desired KMS encryption level.
GuardDuty data, such as findings, is encrypted at rest using AWS owned customer master keys (CMK).
GuardDuty No Active Findings
Ensure that no active/current GuardDuty findings exist in your AWS account.
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. These findings should be acted upon and archived after they have been remediated in order to follow security best practices. If a finding has not been archived after a set amount of time, the Aqua CSPM plugin will display a FAIL result.
IoT SiteWise Data Encrypted
Ensure that AWS IoT SiteWise is using the desired encryption level for data at rest.
AWS IoT SiteWise encrypts data such as your asset property values and aggregate values by default. It is recommended to use customer-managed keys in order to gain more control over the data encryption/decryption process.
Video Stream Data Encrypted
Ensure that Amazon Kinesis Video Streams is using the desired encryption level for data at rest.
Server-side encryption is always enabled on Kinesis video streams data. If a user-provided key is not specified when the stream is created, the default key (provided by Kinesis Video Streams) is used. It is recommended to use customer-managed keys (CMKs) for encryption in order to gain more granular control over encryption/decryption process.
Audio Logs Encrypted
Ensure that Amazon Lex audio logs are encrypted using desired KMS encryption level.
For audio logs, you can use default encryption on your S3 bucket or specify an AWS KMS key to encrypt your audio objects. Even if your S3 bucket uses default encryption, you can still specify a different AWS KMS key to encrypt your audio objects for enhanced security.
Geofence Collection Data Encrypted
Ensure that Amazon Location geofence collection data is encrypted using the desired KMS encryption level.
Amazon Location Service provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. It is recommended to use customer-managed keys instead in order to gain more granular control over encryption/decryption process.
Tracker Data Encrypted
Ensure that Amazon Location tracker data is encrypted using desired KMS encryption level.
Amazon Location Service provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. It is recommended to use customer-managed keys instead in order to gain more granular control over encryption/decryption process.
LookoutMetrics Anomaly Detector Encrypted
Ensure that Amazon LookoutMetrics Anomaly Detector is encrypted using desired KMS encryption level.
LookoutEquipment Dataset Encrypted
Ensure that Amazon Lookout for Equipment datasets are encrypted using desired KMS encryption level.
MQ Desired Broker Instance Type
Ensure that the Amazon MQ broker instances are created with desired instance types.
SSM Managed Instances
Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM).
Systems Manager simplifies AWS cloud resource management, quickly detects and resolves operational problems, and makes it easier to operate and manage your instances securely at large scale.
AWS WAF In Use
Ensure that AWS Web Application Firewall (WAF) is in use to achieve availability and security for AWS-powered web applications.
Using WAF for your web application running in an AWS environment can help protect against common web-based attacks, SQL injection attacks, DDoS attacks and more.
AWS WAFV2 In Use
Ensure that AWS Web Application Firewall V2 (WAFV2) is in use to achieve availability and security for AWS-powered web applications.
Using WAF for your web application running in an AWS environment can help protect against common web-based attacks, SQL injection attacks, DDoS attacks and more.
WorkSpaces Desired Bundle Type
Ensure that AWS WorkSpaces bundles are of desired types.
A bundle in AWS WorkSpaces defines the hardware and software for AWS WorkSpaces. You can create a WorkSpaces instance using a predefined or custom bundle. Setting a limit to the types that can be used will help you control billing and address internal compliance requirements.
WorkSpaces Instance Count
Ensure that the number of Amazon WorkSpaces provisioned in your AWS account has not reached the set limit.
In order to manage your WorkSpaces compute resources efficiently and prevent unexpected charges on your AWS bill, monitor and configure limits for the maximum number of WorkSpaces instances provisioned within your AWS account.
KMS Duplicate Grants
Ensure that AWS KMS keys do not have duplicate grants, to adhere to AWS security best practices. Duplicate grants have the same key ARN, API actions, grantee principal, encryption context, and name. If you retire or revoke the original grant but leave the duplicates, the leftover duplicate grants constitute unintended escalations of privilege.
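As an added example that is not part of these release notes or of the Aqua CSPM plugin code, the check below applies the duplicate criteria above (same key, API operations, grantee principal, encryption-context constraints and name) to a list of grants. The sample grants are constructed; the field names assume the shape of the AWS KMS ListGrants API response.

```python
"""Detect duplicate AWS KMS grants (added example, not Aqua CSPM code)."""
import json
from collections import defaultdict

# Constructed sample in the ListGrants response shape. The first two grants
# differ only in GrantId and in the ordering of Operations, so they are
# duplicates; the third targets a different set of operations.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APP_ROLE = "arn:aws:iam::111122223333:role/AppRole"
SAMPLE_GRANTS = [
    {"GrantId": "grant-aaa", "Name": "app-decrypt", "KeyId": KEY_ARN,
     "GranteePrincipal": APP_ROLE, "Operations": ["Decrypt", "Encrypt"],
     "Constraints": {"EncryptionContextSubset": {"app": "billing"}}},
    {"GrantId": "grant-bbb", "Name": "app-decrypt", "KeyId": KEY_ARN,
     "GranteePrincipal": APP_ROLE, "Operations": ["Encrypt", "Decrypt"],
     "Constraints": {"EncryptionContextSubset": {"app": "billing"}}},
    {"GrantId": "grant-ccc", "Name": "app-datakey", "KeyId": KEY_ARN,
     "GranteePrincipal": APP_ROLE, "Operations": ["GenerateDataKey"],
     "Constraints": {"EncryptionContextSubset": {"app": "billing"}}},
]


def grant_fingerprint(grant):
    """Normalise the fields that define a duplicate into a hashable key.

    Operations are sorted and Constraints are serialised with sorted keys so
    that ordering differences do not hide a duplicate.
    """
    ops = tuple(sorted(grant.get("Operations", [])))
    constraints = json.dumps(grant.get("Constraints", {}), sort_keys=True)
    return (grant.get("KeyId"), ops, grant.get("GranteePrincipal"),
            constraints, grant.get("Name"))


def find_duplicate_grants(grants):
    """Return {fingerprint: [GrantId, ...]} for fingerprints seen more than once."""
    groups = defaultdict(list)
    for grant in grants:
        groups[grant_fingerprint(grant)].append(grant["GrantId"])
    return {fp: ids for fp, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for fp, ids in find_duplicate_grants(SAMPLE_GRANTS).items():
        print(f"FAIL: grants {ids} on {fp[0]} are duplicates "
              f"(grantee {fp[2]}, operations {list(fp[1])})")
```

Feeding the function the `Grants` list returned by ListGrants for each key in the account gives the same verdict for live data.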
KMS Grant Least Privilege
Ensure that AWS KMS key grants use the principle of least privileged access.
AWS KMS key grants should be created with the minimum set of permissions required by the grantee principal to adhere to AWS security best practices.
AZURE
App Service Access Restriction
Ensure that Azure App Services have access restriction configured to control network access to your app.
By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit deny all exists at the end of the list.
App Service SCM Site Access Restriction
Ensure that Azure App Services restrict access to the SCM site that's used by your app.
In addition to being able to control access to your app, you can restrict access to the SCM site that's used by your app. The SCM site is both the web deploy endpoint and the Kudu console.
Storage Accounts Minimum TLS Version
Ensures Microsoft Azure Storage Accounts are using the latest TLS version, 1.2, to enforce stricter security measures. By default, Azure Storage accounts permit clients to send and receive data with the oldest version of TLS, TLS 1.0, and above. To enforce stricter security measures, you can configure your storage account to require that clients send and receive data with a newer version of TLS.
Hot Fixes/Enhancements
Project Ownership Logging, SQL Configuration Logging, Storage Permissions Logging, VPC Firewall Rule Logging, VPC Network Logging, VPC Network Route Logging
As GCP has modified its UI for creating rule-based logs and alerts, we have also updated our remediation guide for these plugins. Another check was added to display a FAIL result if the log metric exists but is disabled.
Oracle
Users MFA Enabled
Added a new setting, warn_federated_users, which displays a WARN instead of a FAIL result if the user is a federated user.
AWS
SQS Cross Account Access
Contains a bug fix to check for cross-account principals inside the 'condition' filter of an SQS queue policy in the case of a 'global' principal.
Remediations
Right now, the remediations listed below are supported only in manual mode.
Azure
App Service Access Restriction
An access restriction rule will be added to deny access from any source for affected App Services.
TLS Version Check
TLS version 1.2 will be set for the affected Web Apps.
Blob Container Private Access
Access level for affected blob containers will be set to private.
AWS
S3 Bucket All Users ACL
The bucket ACL will be modified to be private to the bucket owner.
S3 Bucket All Users Policy
The bucket policy will be deleted for affected buckets.
Regions
Oracle
A new region named il-jerusalem-1 has been added.