On February 15th, 2022, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release. 

 

New Plugins 

 

AWS

 

CloudFront Geo Restriction

Ensure that the geo-restriction feature is enabled for your CloudFront distributions so that access can be allowed or blocked by viewer location.

CloudFront geo restriction lets you allow (whitelist) or block (blacklist) requests by the country that the viewer's IP address maps to, so traffic from regions you do not serve is rejected at the edge before it reaches your origin. That shrinks the audience that can reach the distribution and the web application content it delivers, and it can take some of the load out of a geographically concentrated Distributed Denial of Service (DDoS) attack. The control is coarse, since a viewer can route through an allowed country, so use it alongside AWS WAF rules and Shield rather than in place of them.

 

CloudFront Compress Objects Automatically

Ensure that your Amazon CloudFront distributions are configured to automatically compress objects.

CloudFront data transfer is billed on the total amount of data served, so sending compressed objects to viewers is considerably cheaper than sending uncompressed ones. To reduce your AWS costs and speed up your web applications, enable automatic compression on each cache behavior of your CloudFront distributions.

 

CloudFront Enable Origin Failover

Ensure that the Origin Failover feature (an origin group with a primary and a secondary origin) is enabled for your CloudFront distributions in order to improve the availability of the content delivered to your end users.
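The three CloudFront checks above all read from one place, the distribution's DistributionConfig (the structure boto3's cloudfront.get_distribution_config() returns). The following is an added example, not Aqua's plugin code, that evaluates those settings against a constructed weak configuration and its remediated form; distribution, origin and country values are made up for illustration.

```python
# Added example (not part of Aqua's plugin code): evaluate the settings behind the
# three CloudFront checks above against a distribution's DistributionConfig, i.e.
# the structure boto3's cloudfront.get_distribution_config() returns. The sample
# configurations are constructed here; nothing is fetched from AWS.


def geo_restriction_enabled(config):
    """Pass when geo restriction is a whitelist or blacklist with at least one country."""
    geo = config.get("Restrictions", {}).get("GeoRestriction", {})
    return geo.get("RestrictionType") in ("whitelist", "blacklist") and geo.get("Quantity", 0) > 0


def compression_enabled(config):
    """Pass only when the default behavior and every additional cache behavior compress
    objects; compression is a per-behavior setting, so one uncompressed path fails the check."""
    behaviors = [config.get("DefaultCacheBehavior", {})]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    return all(b.get("Compress", False) for b in behaviors)


def origin_failover_enabled(config):
    """Pass when at least one origin group (primary plus secondary origin) exists."""
    return config.get("OriginGroups", {}).get("Quantity", 0) > 0


CHECKS = {
    "CloudFront Geo Restriction": geo_restriction_enabled,
    "CloudFront Compress Objects Automatically": compression_enabled,
    "CloudFront Enable Origin Failover": origin_failover_enabled,
}


def evaluate_distribution(config):
    """Return {check name: "PASS" | "FAIL"} for one distribution."""
    return {name: ("PASS" if check(config) else "FAIL") for name, check in CHECKS.items()}


# Constructed sample 1: no geo restriction, one cache behavior without compression,
# and no origin group.
WEAK_CONFIG = {
    "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-primary", "Compress": True},
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{"PathPattern": "/api/*", "TargetOriginId": "alb-origin", "Compress": False}],
    },
    "OriginGroups": {"Quantity": 0},
}

# Constructed sample 2: the same distribution after remediation.
HARDENED_CONFIG = {
    "Restrictions": {
        "GeoRestriction": {"RestrictionType": "whitelist", "Quantity": 2, "Items": ["US", "DE"]}
    },
    "DefaultCacheBehavior": {"TargetOriginId": "failover-group", "Compress": True},
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{"PathPattern": "/api/*", "TargetOriginId": "alb-origin", "Compress": True}],
    },
    "OriginGroups": {
        "Quantity": 1,
        "Items": [{
            "Id": "failover-group",
            "FailoverCriteria": {"StatusCodes": {"Quantity": 3, "Items": [500, 502, 503]}},
            "Members": {"Quantity": 2,
                        "Items": [{"OriginId": "s3-primary"}, {"OriginId": "s3-secondary"}]},
        }],
    },
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for name, status in evaluate_distribution(cfg).items():
            print(f"  {status}  {name}")
```

Note that a whitelist with zero countries, or a blacklist with zero countries, counts as not restricted: the check looks at the item count, not only at the restriction type.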

 

DMS Auto Minor Version Upgrade

Ensure that your AWS Database Migration Service (DMS) replication instances have the Auto Minor Version Upgrade feature enabled. AWS DMS helps you migrate databases to AWS quickly and securely, and releases engine version upgrades regularly that introduce new features, bug fixes, security patches and performance improvements. With Auto Minor Version Upgrade enabled, new minor engine versions are applied automatically during the instance's maintenance window, so security patches do not wait on a manual upgrade.

 

DMS Multi-AZ Feature Enabled

Ensure that your AWS Database Migration Service (DMS) replication instances use a Multi-AZ deployment configuration.

AWS DMS helps you migrate databases to AWS quickly and securely. In a Multi-AZ deployment, AWS DMS automatically provisions and maintains a synchronous standby replica of the replication instance in a different Availability Zone, so an in-progress migration can fail over if the primary instance or its Availability Zone becomes unavailable.

 

DMS Publicly Accessible Instances

Ensure that AWS Database Migration Service (DMS) replication instances are not publicly accessible. A DMS replication instance can have one public IP address and one private IP address. If you clear (disable) the Publicly accessible option, the replication instance has only a private IP address, which keeps the instance, and the database traffic flowing through it, reachable only from inside the VPC. Even without a public IP, restrict the instance's security group to the source and target database hosts.

 

Unused Security Groups

Ensure that security groups which are not attached to any resource and not referenced by any other security group are removed. Keeping the number of security groups to a minimum makes management easier, reduces the chance that a stale, overly permissive group is later attached to a new resource, and helps to avoid reaching the service limit.
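Deciding that a security group is "unused" takes more than checking instance attachments: RDS, Lambda, ELB and most VPC services attach groups through elastic network interfaces, and a group that nothing is attached to may still be referenced from another group's rules. The following added example (not Aqua's plugin code) applies both tests over records shaped like boto3's ec2.describe_security_groups() and ec2.describe_network_interfaces() output; the group and interface IDs are constructed.

```python
# Added example (not Aqua's plugin code): find security groups that nothing uses.
# Inputs mirror boto3's ec2.describe_security_groups()["SecurityGroups"] and
# ec2.describe_network_interfaces()["NetworkInterfaces"]; the records below are
# constructed for illustration.


def attached_group_ids(network_interfaces):
    """IDs of groups attached to any ENI (EC2, RDS, Lambda, ELB and most VPC
    services surface their attachments as ENIs, so this covers far more than EC2)."""
    return {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}


def referenced_group_ids(security_groups):
    """IDs referenced from other groups' ingress or egress rules.
    A group referencing itself does not count as being in use."""
    refs = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                gid = pair.get("GroupId")
                if gid and gid != sg["GroupId"]:
                    refs.add(gid)
    return refs


def find_unused_security_groups(security_groups, network_interfaces):
    """Return sorted IDs of groups that are neither attached nor referenced.
    VPC default groups are skipped because they cannot be deleted."""
    in_use = attached_group_ids(network_interfaces) | referenced_group_ids(security_groups)
    return sorted(
        sg["GroupId"]
        for sg in security_groups
        if sg["GroupId"] not in in_use and sg.get("GroupName") != "default"
    )


def _rule(port, cidrs=(), groups=()):
    """Build one IpPermissions entry for the constructed sample."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: web and db are attached to ENIs, db admits bastion by group
# reference, legacy-admin is attached nowhere and referenced by nothing.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0bbb", "GroupName": "web",
     "IpPermissions": [_rule(443, cidrs=["0.0.0.0/0"])], "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc", "GroupName": "db",
     "IpPermissions": [_rule(5432, groups=["sg-0bbb", "sg-0eee"])], "IpPermissionsEgress": []},
    {"GroupId": "sg-0ddd", "GroupName": "legacy-admin",
     "IpPermissions": [_rule(22, cidrs=["0.0.0.0/0"])], "IpPermissionsEgress": []},
    {"GroupId": "sg-0eee", "GroupName": "bastion",
     "IpPermissions": [_rule(22, cidrs=["10.0.0.0/8"])], "IpPermissionsEgress": []},
]

SAMPLE_NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0001", "Description": "",
     "Groups": [{"GroupId": "sg-0bbb", "GroupName": "web"}]},
    {"NetworkInterfaceId": "eni-0002", "Description": "RDSNetworkInterface",
     "Groups": [{"GroupId": "sg-0ccc", "GroupName": "db"}]},
]


if __name__ == "__main__":
    for gid in find_unused_security_groups(SAMPLE_SECURITY_GROUPS, SAMPLE_NETWORK_INTERFACES):
        print("unused:", gid)
```

In the sample only sg-0ddd is reported. The bastion group sg-0eee is unattached but kept, because the db group's rule still depends on it; deleting it would silently change what that rule allows, so it belongs in a separate "referenced but unattached" review rather than a bulk cleanup. Against a real account, run this per region, since security groups and ENIs are regional.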

 

ElastiCache Cluster In VPC

Ensure that your ElastiCache clusters are provisioned inside an Amazon VPC.

Creating Amazon ElastiCache clusters inside an Amazon VPC brings multiple advantages, such as a better networking infrastructure and more flexible control over access security through subnet placement and security groups.

 

ElastiCache Desired Node Type

Ensure that the Amazon ElastiCache cluster nodes provisioned in your AWS account use the node types approved within your organization for the workload deployed. Setting limits on the node types used for Amazon ElastiCache clusters helps address internal compliance requirements and prevents unexpected charges on your AWS bill.

 

EMR Cluster In VPC

Ensure that your Amazon EMR clusters are provisioned on the VPC platform instead of the EC2-Classic platform.

EMR clusters on the VPC platform rather than EC2-Classic gain a better networking infrastructure and much more flexible control over access security.

 

EMR Cluster Desired Instance Type

Ensure that Amazon EMR clusters use only the instance types approved within your organization. Limiting EMR clusters to a defined set of instance types helps address internal compliance requirements and prevents unexpected charges on your AWS bill.

 

Firehose Delivery Streams CMK Encrypted

Ensure that Kinesis Data Firehose delivery streams are encrypted using an AWS KMS key of the desired encryption level. Data sent through Firehose delivery streams can be encrypted using KMS server-side encryption, and existing delivery streams can be modified to add encryption with minimal overhead. Use customer-managed keys in order to gain more granular control over the encryption/decryption process. Note that this setting applies to delivery streams with a Direct PUT source; a delivery stream that reads from a Kinesis data stream inherits that stream's encryption.

 

Fraud Detector Data Encrypted

Ensure that Amazon Fraud Detector has encryption enabled for data at rest with the desired KMS encryption level. By default Amazon Fraud Detector encrypts your data at rest with an AWS-managed KMS key. Use customer-managed KMS keys (CMKs) instead in order to follow your organization's security and compliance requirements.

 

Kinesis Data Streams Encrypted

Ensure that Kinesis data streams are encrypted using an AWS KMS key of the desired encryption level. Data sent to Kinesis data streams can be encrypted using KMS server-side encryption, and existing streams can be modified to add encryption with minimal overhead. Use customer-managed keys in order to gain more granular control over the encryption/decryption process.

Notebook instance in VPC

Ensure that Amazon SageMaker notebook instances are launched within a VPC.

Launching notebook instances inside a VPC brings multiple advantages such as a better networking infrastructure and much more flexible control over access security. It also makes it possible to reach VPC-only resources such as EFS file systems.

 

Secrets Manager In Use

Ensure that AWS Secrets Manager is being used in your account to manage credentials.

AWS Secrets Manager helps you protect the sensitive information needed to access your cloud applications, services and resources. Users and applications retrieve secrets with a call to the Secrets Manager API instead of embedding credentials in code or configuration files, which enhances access security.

 

SQS Encryption Enabled

Ensure that SQS queues are encrypted using keys of the desired encryption level.

Messages sent to SQS queues can be encrypted using KMS server-side encryption, and existing queues can be modified to add encryption with minimal overhead. Use customer-managed keys in order to gain more granular control over the encryption/decryption process.
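The Firehose, Fraud Detector, Kinesis and SQS checks above all hinge on the same question: what level of encryption is actually in place, and does it meet the level you asked for? The following is an added example, not Aqua's plugin code, that classifies the key behind an SQS queue from its DescribeKey metadata and ranks it against a desired level. The ordering of levels is this example's own convention; the KeyMetadata fields (KeyManager, Origin) and the queue attribute names (KmsMasterKeyId, SqsManagedSseEnabled) are the ones AWS returns, and the keys and queues below are constructed.

```python
# Added example (not Aqua's plugin code): rank the encryption a queue actually has
# against a desired level. LEVELS is this example's own ordering. The KeyMetadata
# fields come from kms.describe_key() and the queue attributes from
# sqs.get_queue_attributes(); every record below is constructed.

# Weakest to strongest: no encryption, service-managed SSE (SSE-SQS), the AWS-managed
# key (alias/aws/<service>), a customer-managed KMS key, a CMK with imported key
# material, and a CMK backed by a CloudHSM custom key store.
LEVELS = ["none", "sse", "awskms", "awscmk", "externalcmk", "cloudhsm"]


def kms_key_level(metadata):
    """Classify a KMS key from its DescribeKey KeyMetadata."""
    if metadata.get("Origin") == "AWS_CLOUDHSM":
        return "cloudhsm"
    if metadata.get("Origin") == "EXTERNAL":
        return "externalcmk"
    if metadata.get("KeyManager") == "CUSTOMER":
        return "awscmk"
    return "awskms"


def sqs_queue_level(attributes, key_lookup):
    """Determine the encryption level of one SQS queue.
    key_lookup maps the identifier stored on the queue (key id, ARN or alias) to its
    KeyMetadata; in a live run call kms.describe_key(KeyId=identifier) instead.
    Returns None when the key cannot be described (deleted, or cross-account
    without permission), which the caller must treat as a failure."""
    key_id = attributes.get("KmsMasterKeyId")
    if key_id:
        if key_id.startswith("alias/aws/"):
            return "awskms"
        metadata = key_lookup.get(key_id)
        return kms_key_level(metadata) if metadata else None
    if attributes.get("SqsManagedSseEnabled") == "true":
        return "sse"
    return "none"


def meets_desired_level(actual, desired):
    """An unknown key never passes: you cannot prove what protects the data."""
    return actual is not None and LEVELS.index(actual) >= LEVELS.index(desired)


def evaluate_queues(queues, key_lookup, desired):
    """Return {queue_url: (actual_level, "PASS" | "FAIL")}."""
    results = {}
    for url, attributes in queues.items():
        level = sqs_queue_level(attributes, key_lookup)
        results[url] = (level, "PASS" if meets_desired_level(level, desired) else "FAIL")
    return results


# Constructed KMS keys, keyed by the ARN a queue would carry in KmsMasterKeyId.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE_KEYS = {
    KEY_ARN + "0f1e2d3c-0000-4000-8000-000000000001": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"},
    KEY_ARN + "0f1e2d3c-0000-4000-8000-000000000002": {"KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM"},
}

# Constructed queue attributes; "orphan" points at a key that no longer resolves.
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/111122223333/"
SAMPLE_QUEUES = {
    QUEUE_URL + "plain": {},
    QUEUE_URL + "sse": {"SqsManagedSseEnabled": "true"},
    QUEUE_URL + "aws-managed": {"KmsMasterKeyId": "alias/aws/sqs"},
    QUEUE_URL + "cmk": {"KmsMasterKeyId": KEY_ARN + "0f1e2d3c-0000-4000-8000-000000000001"},
    QUEUE_URL + "hsm": {"KmsMasterKeyId": KEY_ARN + "0f1e2d3c-0000-4000-8000-000000000002"},
    QUEUE_URL + "orphan": {"KmsMasterKeyId": KEY_ARN + "0f1e2d3c-0000-4000-8000-000000000009"},
}


if __name__ == "__main__":
    for url, (level, status) in evaluate_queues(SAMPLE_QUEUES, SAMPLE_KEYS, "awscmk").items():
        print(f"{status}  {level!s:12} {url}")
```

With the desired level set to awscmk only the cmk and hsm queues pass; with sse, everything but the unencrypted queue and the orphaned key passes. The same ranking applies to Kinesis Data Streams (EncryptionType and KeyId from describe_stream) and Firehose (DeliveryStreamEncryptionConfiguration from describe_delivery_stream); only the attribute extraction changes, and an unresolvable key is a finding in every case, since a queue whose key has been scheduled for deletion will stop accepting messages once the key is gone.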

 

Oracle

 

Admin User API Keys

The administrator user should avoid using API keys. Since the administrator user has full permissions across the entire tenancy, creating API keys for it only increases the chance that those permissions are compromised. Instead, create a non-admin user with limited permissions and use its API keys.

 

User API Keys Rotated

Ensure that user API keys are rotated regularly in order to limit the impact of an accidental exposure. The longer a key stays in use, the more opportunities it has had to leak; rotating it bounds how long a leaked key remains valid.

 

User Auth Token Rotated

Ensure that user auth tokens are rotated regularly in order to limit the impact of an accidental exposure. Auth tokens are often pasted into CI configuration and third-party tools, so rotating them frequently bounds how long a leaked token remains valid.

 

User Customer Secret Keys Rotated

Ensure that user customer secret keys are rotated regularly in order to limit the impact of an accidental exposure.

Customer secret keys are used with the S3-compatible API and tend to end up in backup and tooling configuration, so rotate them frequently to bound how long a leaked key remains valid.