2022-04-22 New CSPM Plugin Release
On April 22nd, 2022, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option on the "Account Settings" page, no action is required: the plugins will be pre-suppressed in your account before release.
******************************************************************************************************
PLEASE NOTE
For all EC2 plugins: removed the results-limit boolean settings, which collapsed individual results into one combined result once their count reached a threshold. This may substantially increase the number of results reported for EBS, EFS and EC2 resources. To soften the impact, "NEW" results for EC2 will not be displayed for 24 hours after the plugin release.
******************************************************************************************************
Hotfixes and Enhancements:
AWS
Lambda Old Runtimes
Added end-of-life dates for these Lambda runtimes: Node.js 10.x, .NET Core 2.1, Ruby 2.5.
EKS Latest Platform Version
Updated the plugin to reflect the latest EKS platform version, i.e. eks.4.
EC2 Open Port Plugins
Modified the remediation input regex to accept a comma-separated list of CIDR IP ranges for the open port plugins.
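A regex that accepts a comma-separated CIDR list can only check the shape of the input: it cannot tell 999.0.0.0/8 from a real network, notice host bits set in a prefix, or refuse 0.0.0.0/0, which would re-open the port to the world and recreate the finding the remediation is meant to fix. The following is an added example, not Aqua's own remediation code; it assumes a hypothetical `parse_cidr_list` helper that gates the input form with a regex and then validates each entry with Python's `ipaddress` module.

```python
from __future__ import annotations

import ipaddress
import re

# Shape check only: one or more "address/prefix" tokens separated by commas,
# with optional whitespace. The real validation is done by ipaddress below.
_CIDR_LIST_RE = re.compile(
    r"^\s*[0-9A-Fa-f:.]+/\d{1,3}\s*(?:,\s*[0-9A-Fa-f:.]+/\d{1,3}\s*)*$"
)

# Any-address ranges: submitting one of these as the "allowed" source would
# leave the port open to the world, i.e. the finding being remediated.
_ANY_RANGES = {"0.0.0.0/0", "::/0"}


def shape_ok(raw: str) -> bool:
    """True if the input merely looks like a comma-separated CIDR list."""
    return _CIDR_LIST_RE.match(raw) is not None


def parse_cidr_list(raw: str, allow_any: bool = False) -> list[str]:
    """Parse a comma-separated CIDR list into canonical network strings.

    Raises ValueError for malformed tokens, for prefixes with host bits set
    (e.g. 10.0.0.5/24, which EC2 rejects as a rule CIDR), and, unless
    allow_any is True, for 0.0.0.0/0 or ::/0.
    """
    if not shape_ok(raw):
        raise ValueError(f"not a comma-separated CIDR list: {raw!r}")
    networks: list[str] = []
    for token in (t.strip() for t in raw.split(",")):
        try:
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:  # bad octet, bad prefix length, host bits set
            raise ValueError(f"invalid CIDR {token!r}: {exc}") from exc
        canon = str(net)
        if canon in _ANY_RANGES and not allow_any:
            raise ValueError(f"{canon} would open the port to the world; refusing")
        if canon not in networks:  # drop duplicates, keep the order given
            networks.append(canon)
    return networks


def is_valid_cidr_list(raw: str, allow_any: bool = False) -> bool:
    """Boolean form of parse_cidr_list, e.g. for a form validator."""
    try:
        parse_cidr_list(raw, allow_any=allow_any)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Note how the regex alone passes 999.0.0.0/8 and 10.0.0.5/24.
    for sample in ("10.0.0.0/8, 192.168.1.0/24", "999.0.0.0/8",
                   "10.0.0.5/24", "0.0.0.0/0"):
        print(f"{sample!r:32} shape_ok={shape_ok(sample)!s:5} "
              f"valid={is_valid_cidr_list(sample)}")
```

The `strict=True` argument is deliberate: EC2 does not accept a rule CIDR whose host bits are set, so reporting `10.0.0.5/24` as an error at input time is better than letting the remediation call fail later.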
Event Bus Cross Account Access
Corrected the result message to display ‘No Event Buses found’ instead of ‘Event bus does not use custom policy’ when no event buses exist.
Azure
Database Auditing Enabled
Modified the plugin logic to check for auditing at the server level first. If auditing is enabled on the server, the plugin returns PASS without checking that server's databases; otherwise it checks auditing on each individual database.
Storage Accounts Plugins
Azure rate-limits storage account management operations, so rate limiting has been added to the storage account API calls.
GCP
Compute Plugins
Removed the results-limit boolean settings, which collapsed individual results into one combined result once their count reached a threshold.
Service Account Key Rotation
Added a new setting, ‘Service Account Keys Rotated Fail’, to define the threshold in days after which an unrotated service account key is reported as FAIL.
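A rotation check of this kind has two parts a practitioner will want to see: how key age is derived from the key's `validAfterTime`, and that Google-managed (`SYSTEM_MANAGED`) keys, which Google rotates automatically, are skipped rather than reported. The following is an added example, not Aqua's plugin code; it uses the field names of the IAM API's `projects.serviceAccounts.keys.list` response, a constructed sample of keys, a fixed `NOW_EXAMPLE` timestamp so the output is reproducible, and a hypothetical `fail_after_days` parameter standing in for the ‘Service Account Keys Rotated Fail’ setting.

```python
from datetime import datetime, timezone

# Constructed sample of one service account's keys, shaped like the items the
# IAM API's projects.serviceAccounts.keys.list call returns (names and dates
# are made up for this example).
SAMPLE_KEYS = [
    {
        "name": "projects/demo/serviceAccounts/ci@demo.iam.gserviceaccount.com/keys/aaa",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2021-12-01T10:00:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {
        "name": "projects/demo/serviceAccounts/ci@demo.iam.gserviceaccount.com/keys/bbb",
        "keyType": "USER_MANAGED",
        "validAfterTime": "2022-03-01T08:30:00Z",
        "validBeforeTime": "9999-12-31T23:59:59Z",
    },
    {
        # Google-managed keys rotate automatically; a rotation check must skip
        # them or every account with a system key would be reported as FAIL.
        "name": "projects/demo/serviceAccounts/ci@demo.iam.gserviceaccount.com/keys/ccc",
        "keyType": "SYSTEM_MANAGED",
        "validAfterTime": "2020-01-15T00:00:00Z",
        "validBeforeTime": "2020-01-29T00:00:00Z",
    },
]

# Fixed "now" so the example is reproducible; a real scanner would use
# datetime.now(timezone.utc).
NOW_EXAMPLE = datetime(2022, 4, 22, 12, 0, tzinfo=timezone.utc)


def parse_rfc3339_utc(ts: str) -> datetime:
    """Parse the whole-second 'YYYY-MM-DDTHH:MM:SSZ' timestamps the API emits."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_age_days(key: dict, now: datetime) -> int:
    """Whole days since the key became valid, i.e. since it was created."""
    return (now - parse_rfc3339_utc(key["validAfterTime"])).days


def evaluate_key_rotation(keys: list, fail_after_days: int, now: datetime) -> list:
    """Return one (key_name, status, message) tuple per user-managed key.

    fail_after_days plays the role of the 'Service Account Keys Rotated Fail'
    setting: a key older than that many days is reported as FAIL.
    """
    results = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = key_age_days(key, now)
        status = "FAIL" if age > fail_after_days else "PASS"
        results.append((key["name"], status,
                        f"key is {age} days old (threshold {fail_after_days} days)"))
    return results


def failing_keys(keys: list, fail_after_days: int, now: datetime) -> list:
    """Names of user-managed keys that exceed the rotation threshold."""
    return [name for name, status, _ in evaluate_key_rotation(keys, fail_after_days, now)
            if status == "FAIL"]


if __name__ == "__main__":
    for name, status, message in evaluate_key_rotation(SAMPLE_KEYS, 90, NOW_EXAMPLE):
        print(status, name.rsplit("/", 1)[-1], message)
```

Age is measured from `validAfterTime` rather than from any "last used" signal because the IAM key listing carries no usage data; a key that is old but unused is still a standing credential and should still be rotated or deleted.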
Alibaba
ECS Plugins
Removed the results-limit boolean settings, which collapsed individual results into one combined result once their count reached a threshold.
Regions
AWS
A new region named ap-southeast-3 has been added.
GCP
A new region named southamerica-west1 has been added.
Alibaba
Two new regions, cn-nanjing and ap-southeast-6, have been added.
Azure
These new regions have been added: westus3, centralusstage, eastusstage, eastus2stage, northcentralusstage, southcentralusstage, westusstage, westus2stage, eastus2euap, westcentralus, centraluseuap, australiaeast, jioindiawest, eastasiastage, southeastasiastage, jioindiacentral, swedencentral, brazilsoutheast.
Oracle
These new regions have been added: eu-marseille-1, il-jerusalem-1, eu-milan-1, ap-singapore-1, eu-amsterdam-1, af-johannesburg-1, eu-stockholm-1, us-gov-phoenix-1.
New plugins:
AWS
Config Service Enabled
Ensure that all evaluation results returned by the AWS Config rules created within your AWS account are compliant.
DynamoDB Table Backup Exists
Ensures that Amazon DynamoDB tables have on-demand backups.
ACM Single Domain Name Certificates
Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account.
API Gateway Response Caching
Ensure that response caching is enabled for your Amazon API Gateway REST APIs.
API Stage-Level Cache Encryption
Ensure that your Amazon API Gateway REST APIs are configured to encrypt cached API responses in order to protect the cached data at rest.
VPC Flow Logs Metric Alarm
Ensure that a CloudWatch log group and alarm exist to detect any changes to VPC flow logs.
App Mesh TLS Required
Ensure that AWS App Mesh virtual gateway listeners only accept connections with TLS enabled.
CloudFormation Admin Privileges
Ensures that no AWS CloudFormation stacks in your AWS account have admin privileges.
AWS CloudWatch Events In Use
Ensure that the Amazon CloudWatch Events service is in use so that you can react selectively and efficiently to system events.
Event Bus Public Access
Ensure that the EventBridge event bus is configured to prevent exposure to public access.
CloudTrail Management Events
Ensures that AWS CloudTrail trails are configured to log management events.
Backup Resource Protection
Ensure that the protected resource types feature is enabled and configured for the AWS Backup service within your AWS cloud account.
CloudFront Distribution Field-Level Encryption
Ensure that field-level encryption is enabled for your Amazon CloudFront web distributions.
CloudFront Enabled
Ensure that Amazon CloudFront is used within your AWS account.
AWS CloudFormation In Use
Ensure that AWS CloudFormation is in use within your AWS account to automate your infrastructure management and deployment.
Backup In Use For RDS Snapshots
Ensure that AWS Backup is integrated with Amazon Relational Database Service in order to manage RDS database instance snapshots.
Backup Notification Enabled
Ensure that your AWS Backup vaults send notifications via Amazon SNS for each failed backup job.
Backup Deletion Protection Enabled
Ensure that an AWS Backup vault access policy is configured to prevent the deletion of backups in the backup vault.
AWS Backup Compliant Lifecycle Configured
Ensure that a compliant lifecycle configuration is enabled for your AWS Backup plans in order to meet security and cost-optimization requirements.
Config Delivery Failing
Ensure that AWS Config log files are delivered to the S3 bucket without failures, so that logging data is stored for auditing purposes.
Config Service Missing Bucket
Ensure that AWS Config is pointing to an S3 bucket that exists in your account in order to save configuration information.
Auto Scaling Unused Launch Configuration
Ensure that unused Auto Scaling launch configurations are identified and removed from your account in accordance with AWS best practices.
Auto Scaling Group Cooldown Period
Ensure that your AWS Auto Scaling Groups are configured to use a cooldown period.
Access Analyzer Active Findings
Ensure that IAM Access Analyzer findings are reviewed and resolved by taking all necessary actions.
App Mesh Restrict External Traffic
Ensure that Amazon App Mesh virtual nodes have egress-only access to other defined resources available within the service mesh.
App Mesh VG Access Logging
Ensure that your Amazon App Mesh virtual gateways have access logging enabled.
SNS Valid Subscribers
Ensure that Amazon SNS subscriptions are valid and there are no unwanted subscribers.
SSM Session Duration
Ensure that active AWS Systems Manager Session Manager sessions do not exceed the maximum duration configured in the Session Manager settings.
MSK Cluster Encryption In-Transit
Ensure that your Amazon MSK clusters have encryption in-transit enabled.
ElastiCache Default Ports
Ensure that Amazon ElastiCache clusters are not using the default ports for the Redis and Memcached cache engines.
Azure
PostgreSQL Server Database Logging Enabled
Ensures Activity Log alerts for the create/update and delete PostgreSQL Server Database events are enabled.
SQL Server Database Rename Alert Enabled
Ensures Activity Log alerts for the rename SQL Server Database events are enabled.
Virtual Machine Power Off Alert Enabled
Ensures Activity Log alerts for the power off Virtual Machine events are enabled.
Virtual Machine Deallocate Alert Enabled
Ensures Activity Log alerts for the deallocate Virtual Machine events are enabled.
Virtual Machine Logging Enabled
Ensures Activity Log alerts for the create/update and delete Virtual Machine events are enabled.
Key Vault Logging Enabled
Ensures Activity Log alerts for the create/update and delete Key Vault events are enabled.
Storage Account Logging Enabled
Ensures Activity Log alerts for the create/update and delete Storage Account events are enabled.
SQL Server Database Logging Enabled
Ensures Activity Log alerts for the create/update and delete SQL Server Database events are enabled.
Load Balancers Logging Enabled
Ensures Activity Log alerts for the create/update and delete Load Balancer events are enabled.