On April 22nd, 2022, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release.


******************************************************************************************************

                                                       PLEASE NOTE

For all EC2 Plugins: Removed the results-limit boolean settings, which combined results once their count reached a certain value. This may have a major impact on the number of results for EBS, EFS and EC2 resources. To lower the impact for these resources, we will not display "NEW" results for EC2 for 24 hours after the plugin release.

******************************************************************************************************

 

Hotfixes and Enhancements:

AWS

Lambda Old Runtimes

Added end-of-life dates for these Lambda runtimes: Node.js 10.x, .NET Core 2.1, Ruby 2.5.


EKS Latest Platform Version

Enhanced the plugin implementation to reflect the latest EKS platform version, i.e. eks.4.

EC2 Open Port Plugins

Modified the remediation input regex to accept a comma-separated list of CIDR IPs for the open port plugins.
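As an added illustration of the input format this fix accepts (example code, not Aqua's own plugin code): a validator for a comma-separated list of IPv4 CIDRs that also flags entries broad enough to leave the port exposed to the internet. The regex, the function names and the /8 breadth threshold are assumptions, not the plugin's actual values.

```javascript
// Added example (not Aqua's code). Accepts "10.0.0.0/8, 192.168.1.0/24"
// style input: one or more IPv4 CIDRs separated by commas, optional spaces.
// The regex is an assumption; it only checks shape, range checks follow.
const CIDR_LIST_RE =
  /^\s*\d{1,3}(?:\.\d{1,3}){3}\/\d{1,2}(?:\s*,\s*\d{1,3}(?:\.\d{1,3}){3}\/\d{1,2})*\s*$/;

// Returns { ok, error, cidrs } so a remediation step can refuse bad input
// instead of passing it through to the cloud API.
function parseCidrList(input) {
  if (typeof input !== 'string' || !CIDR_LIST_RE.test(input)) {
    return { ok: false, error: 'expected a comma-separated list of IPv4 CIDRs', cidrs: [] };
  }
  const cidrs = [];
  for (const raw of input.split(',')) {
    const cidr = raw.trim();
    const [ip, prefixStr] = cidr.split('/');
    const prefix = Number(prefixStr);
    // Each octet must be 0-255 and the prefix length 0-32.
    const octetsOk = ip.split('.').every((o) => Number(o) <= 255);
    if (!octetsOk || prefix > 32) {
      return { ok: false, error: `invalid CIDR: ${cidr}`, cidrs: [] };
    }
    cidrs.push(cidr);
  }
  return { ok: true, error: null, cidrs };
}

// Flags CIDRs wider than minPrefix (assumed threshold, /8 by default), so a
// remediation that is meant to restrict an open port cannot silently keep it
// open to 0.0.0.0/0 or a similarly broad range.
function findOverlyBroadCidrs(cidrs, minPrefix = 8) {
  return cidrs.filter((c) => Number(c.split('/')[1]) < minPrefix);
}
```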


Event Bus Cross Account Access

Corrected the result message so that it displays ‘No Event Buses found’ instead of ‘Event bus does not use custom policy’.


Azure

Database Auditing Enabled

Modified the plugin logic to check for auditing on the server first. If auditing is enabled on the server, the plugin gives a PASS result without checking the databases on that server. Otherwise, it checks auditing on the individual databases.

Storage Accounts Plugins

Azure rate-limits storage account management operations, so we implemented rate limiting for storage account API calls.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/request-limits-and-throttling


GCP

Compute Plugins

Removed the results-limit boolean settings, which combined results once their count reached a certain value.

Service Account Key Rotation

Added a new setting, ‘Service Account Keys Rotated Fail’, to define the threshold in days for service account key rotation.


Alibaba

ECS Plugins

Removed the results-limit boolean settings, which combined results once their count reached a certain value.


Regions

AWS

A new region named ap-southeast-3 has been added.

GCP

A new region named southamerica-west1 has been added.


Alibaba

Two new regions, cn-nanjing and ap-southeast-6, have been added.

Azure

These new regions have been added: westus3, centralusstage, eastusstage, eastus2stage, northcentralusstage, southcentralusstage, westusstage, westus2stage, eastus2euap, westcentralus, centraluseuap, australiaeast, jioindiawest, eastasiastage, southeastasiastage, jioindiacentral, swedencentral, brazilsoutheast.

Oracle

These new regions have been added: eu-marseille-1, il-jerusalem-1, eu-milan-1, ap-singapore-1, eu-amsterdam-1, af-johannesburg-1, eu-stockholm-1, us-gov-phoenix-1.


New plugins:

AWS

Config Service Enabled

Ensure that all the evaluation results returned for the Amazon Config rules created within your AWS account are compliant.


DynamoDB Table Backup Exists

Ensures that Amazon DynamoDB tables are using on-demand backups.


ACM Single Domain Name Certificates

Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account.


API Gateway Response Caching

Ensure that response caching is enabled for your Amazon API Gateway REST APIs.


API Stage-Level Cache Encryption

Ensure that your Amazon API Gateway REST APIs are configured to encrypt API cached responses in order to protect data while in transit.


VPC Flow Logs Metric Alarm

Ensure that a CloudWatch log group and alarm exist to detect any changes to VPC flow logs.


App Mesh TLS Required

Ensure that AWS App Mesh virtual gateway listeners only accept connections with TLS enabled.

CloudFormation Admin Privileges

Ensures no AWS CloudFormation stacks available in your AWS account have admin privileges.

AWS CloudWatch Events In Use

Ensure that Amazon CloudWatch Events service is in use in order to enable you to react selectively and efficiently to system events.

Event Bus Public Access

Ensure that the EventBridge event bus is configured to prevent exposure to public access.

CloudTrail Management Events

Ensures that AWS CloudTrail trails are configured to log management events.

Backup Resource Protection

Ensure that the protected resource types feature is enabled and configured for the Amazon Backup service within your AWS cloud account.

CloudFront Distribution Field-Level Encryption

Ensure that field-level encryption is enabled for your Amazon CloudFront web distributions.

CloudFront Enabled

Ensure that AWS CloudFront service is used within your AWS account.

AWS CloudFormation In Use

Ensure that Amazon CloudFormation is in use within your AWS account to automate your infrastructure management and deployment.

Backup In Use For RDS Snapshots

Ensure that Amazon Backup is integrated with Amazon Relational Database Service in order to manage RDS database instance snapshots.

Backup Notification Enabled

Ensure that your Amazon Backup vaults send notifications via Amazon SNS for each failed backup job.

Backup Deletion Protection Enabled

Ensure that an Amazon Backup vault access policy is configured to prevent the deletion of AWS backups in the backup vault.

AWS Backup Compliant Lifecycle Configured

Ensure that a compliant lifecycle configuration is enabled for your Amazon Backup plans in order to meet compliance requirements when it comes to security and cost optimization.

Config Delivery Failing

Ensure that AWS Config log files are delivered to the S3 bucket without any failures, so that logging data is stored for auditing purposes.

Config Service Missing Bucket

Ensure that the Amazon Config service is pointing to an S3 bucket that is active in your account, so that configuration information can be saved.

Auto Scaling Unused Launch Configuration

Ensure that any unused Auto Scaling Launch Configuration templates are identified and removed from your account in order to adhere to AWS best practices.

Auto Scaling Group Cooldown Period

Ensure that your AWS Auto Scaling Groups are configured to use a cooldown period.

Access Analyzer Active Findings

Ensure that IAM Access Analyzer findings are reviewed and resolved by taking all necessary actions.

App Mesh Restrict External Traffic

Ensure that Amazon App Mesh virtual nodes have egress-only access to other defined resources available within the service mesh.

App Mesh VG Access Logging

Ensure that your Amazon App Mesh virtual gateways have access logging enabled.

SNS Valid Subscribers

Ensure that Amazon SNS subscriptions are valid and there are no unwanted subscribers.

SSM Session Duration

Ensure that no active AWS Session Manager sessions exceed the duration set in the settings.

MSK Cluster Encryption In-Transit

Ensure that your Amazon MSK clusters have encryption in-transit enabled.

ElastiCache Default Ports

Ensure that AWS ElastiCache clusters are not using the default ports for the Redis and Memcached cache engines.


Azure

PostgreSQL Server Database Logging Enabled

Ensures Activity Log alerts for create/update and delete PostgreSQL Server Database events are enabled.

SQL Server Database Rename Alert Enabled

Ensures Activity Log alerts for the rename SQL Server Database events are enabled.

Virtual Machine Power Off Alert Enabled

Ensures Activity Log alerts for the power off Virtual Machine events are enabled.

Virtual Machine Deallocate Alert Enabled

Ensures Activity Log alerts for the deallocate Virtual Machine events are enabled.

Virtual Machine Logging Enabled

Ensures Activity Log alerts for the create/update and delete Virtual Machine events are enabled.

Key Vault Logging Enabled

Ensures Activity Log alerts for the create/update and delete Key Vault events are enabled.

Storage Account Logging Enabled

Ensures Activity Log alerts for the create/update and delete Storage Account events are enabled.

SQL Server Database Logging Enabled

Ensures Activity Log alerts for the create/update and delete SQL Server Database events are enabled.

Load Balancers Logging Enabled

Ensures Activity Log alerts for the create/update and delete Load Balancer events are enabled.