Regions

AWS

Amazon DAX

Removed regions where DynamoDB Accelerator is not supported.

Amazon Translate

Removed regions where Translate is not supported.

Amazon Healthlake

Removed the 'eu-west-2' region as this region is not supported. Instead, added the 'us-west-2' region.

Amazon Location Service

Removed the 'ap-south-1' region as it is not supported.


Hot Fixes/Enhancements:

AWS

EBS Encrypted Snapshots

Modified plugin to display exactly one result per EBS snapshot instead of combining more than 20 results into one.

Insecure EC2 Metadata Options

Modified plugin to display exactly one result per EC2 instance instead of combining more than 20 results into one.

EKS Latest Platform Version

Changes for the latest Kubernetes Platform Version from AWS are now reflected in the plugin.

EC2 Open Port Plugins

Modified all open port plugins to display either PASS or FAIL result for each security group.

SSM Agent Auto Update Enabled

Fixed a false negative error in the plugin where it produced a FAIL result for an EC2 instance even when the SSM Agent Auto Update document was attached.

Backup Failure Notification Enabled

Modified the logic to give a FAIL result if the Backup vault does not have any notifications configured. This fix resolves false UNKNOWN results.

CloudTrail Bucket Access Logging & CloudTrail Bucket Delete Policy & CloudTrail Bucket Private

Added a check to validate whether the attached bucket has been deleted since the CloudTrail trail was created, producing a FAIL result in that case. This fix resolves false UNKNOWN results.

CloudTrail Notifications Enabled

Added a check to validate whether the attached SNS topic has been deleted since the CloudTrail trail was created, producing a FAIL result in that case. This fix resolves false UNKNOWN results.
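Worked illustration of the two deleted-dependency fixes above, added here as an example and not CloudSploit's own plugin code. The trail, bucket and topic inventory is constructed, and the `get_bucket_logging` stand-in is an assumption about how a per-bucket call fails once the bucket is gone; it shows why the pre-fix logic surfaced UNKNOWN and how an existence check turns that into FAIL.

```python
# Added example, not plugin code from the page or from CloudSploit.
# Constructed inventory: trails in roughly the shape of DescribeTrails output,
# plus the buckets and SNS topics that currently exist in the account.
TRAILS = [
    {"Name": "prod-trail", "S3BucketName": "prod-trail-logs",
     "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:prod-trail-topic"},
    {"Name": "orphan-trail", "S3BucketName": "deleted-bucket",
     "SnsTopicARN": "arn:aws:sns:us-east-1:111122223333:deleted-topic"},
    {"Name": "quiet-trail", "S3BucketName": "quiet-logs"},  # no topic attached
]
EXISTING_BUCKETS = {"prod-trail-logs", "quiet-logs"}
EXISTING_TOPICS = {"arn:aws:sns:us-east-1:111122223333:prod-trail-topic"}

# Constructed access-logging state per bucket (True = logging enabled).
BUCKET_LOGGING = {"prod-trail-logs": True, "quiet-logs": False}


def get_bucket_logging(bucket):
    """Hypothetical stand-in for a per-bucket API call (e.g. GetBucketLogging).
    It raises for a bucket that no longer exists, which is the error path
    that used to become an UNKNOWN result."""
    if bucket not in EXISTING_BUCKETS:
        raise LookupError(f"NoSuchBucket: {bucket}")
    return BUCKET_LOGGING[bucket]


def bucket_logging_naive(trail):
    """Pre-fix logic: any error while querying the bucket is reported as UNKNOWN."""
    try:
        enabled = get_bucket_logging(trail["S3BucketName"])
    except LookupError as exc:
        return "UNKNOWN", f"Unable to query bucket for trail {trail['Name']}: {exc}"
    if enabled:
        return "PASS", f"Bucket for trail {trail['Name']} has access logging enabled"
    return "FAIL", f"Bucket for trail {trail['Name']} has access logging disabled"


def bucket_logging_checked(trail, existing_buckets):
    """Post-fix logic: confirm the bucket still exists before querying it,
    so a bucket deleted after trail creation is a definite FAIL."""
    bucket = trail["S3BucketName"]
    if bucket not in existing_buckets:
        return "FAIL", f"Bucket {bucket} for trail {trail['Name']} has been deleted"
    if get_bucket_logging(bucket):
        return "PASS", f"Bucket {bucket} has access logging enabled"
    return "FAIL", f"Bucket {bucket} has access logging disabled"


def notifications_checked(trail, existing_topics):
    """Same pattern for the SNS topic: missing or deleted topic is a FAIL."""
    topic = trail.get("SnsTopicARN")
    if not topic:
        return "FAIL", f"Trail {trail['Name']} has no SNS topic configured"
    if topic not in existing_topics:
        return "FAIL", f"Topic {topic} for trail {trail['Name']} has been deleted"
    return "PASS", f"Trail {trail['Name']} publishes notifications to {topic}"


def run_all(trails, existing_buckets, existing_topics):
    """Evaluate every trail once and return just the status per check."""
    return {
        t["Name"]: {
            "bucket_logging": bucket_logging_checked(t, existing_buckets)[0],
            "notifications": notifications_checked(t, existing_topics)[0],
        }
        for t in trails
    }


if __name__ == "__main__":
    for name, result in run_all(TRAILS, EXISTING_BUCKETS, EXISTING_TOPICS).items():
        print(name, result)
```

The existence set is built from a single list call (ListBuckets or ListTopics) rather than one call per trail, so the pre-check adds no per-resource API traffic while removing the ambiguous UNKNOWN outcome.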


Azure

Network Security Groups Open Port Plugins

Modified all open port plugins to display either PASS or FAIL result for each NSG.

TDE Protector Encrypted

Added a new setting 'SQL Server TDE Protector Encryption Key Type' to set usage of either the default or a BYOK key for TDE protector encryption.


Google

Remove Unnecessary Project Get Call

All Google plugins previously made a 'project:get' API call to obtain the project name. The code has now been refactored to get the project name from our system instead of making that API call.

Firewall Rules Open Port Plugins

Modified all open port plugins to display either a PASS or FAIL result for each firewall rule.


Oracle

Network Security Groups Open Port Plugins

Modified all open port plugins to display either PASS or FAIL result for each NSG.


New plugins:

AWS

Compute Optimizer Recommendations Enabled

Ensure that Compute Optimizer is enabled for your AWS account.

EBS Volumes Optimized

Ensure that Compute Optimizer does not have active recommendation summaries for unoptimized EBS Volumes.

Lambda Function Optimized

Ensure that Compute Optimizer does not have active recommendation summaries for unoptimized Lambda Functions.

Auto Scaling Group Optimized

Ensure that Compute Optimizer does not have active recommendation summaries for unoptimized Auto Scaling groups.

EC2 Instances Optimized

Ensure that Compute Optimizer does not have active recommendation summaries for over-provisioned or under-provisioned EC2 instances.

MSK Cluster Client Broker Encryption

Ensure that the client-to-broker encryption setting is TLS only for your Amazon MSK clusters.

MSK Cluster Public Access

Ensure that the public access feature within the cluster is disabled for your Amazon MSK clusters.

MSK Cluster Unauthenticated Access

Ensure that the unauthenticated access feature is disabled for your Amazon MSK clusters.

Enhanced Metadata Collection Enabled

Ensure that enhanced metadata collection is enabled for image pipelines.


Azure

Diagnostics Captured Categories

Ensures that Diagnostic Settings are configured to log activity for all appropriate categories.

Diagnostics Settings Enabled

Ensures that Diagnostic Settings exist and are exporting activity logs.


Oracle

Bucket Object Events

Ensures object store buckets can emit object events.

Legacy Metadata Endpoint Disabled

Ensure that compute instances are configured with the legacy metadata service (IMDSv1) endpoint disabled.

File Systems CMK Encryption

Ensures that OCI File Storage file systems have encryption enabled using the desired protection level.

OKE Secrets Encrypted

Ensures that OKE secret objects have encryption enabled using the desired protection level.

Boot Volume CMK Encryption

Ensures that boot volumes have encryption enabled using the desired protection level.

Block Volume CMK Encryption

Ensures that block volumes have encryption enabled using the desired protection level.

Bucket Versioning

Ensures object store buckets have bucket versioning enabled.

Bucket CMK Encryption

Ensures that Oracle Object Store buckets have encryption enabled using the desired protection level.

Notification Topic With Active Subscription

Ensure that there is at least one notification topic and subscription to receive monitoring alerts.

Default Tags For Resources

Ensures default tags are used on resources.

VCN Inbound Security List

Ensure all security lists have ingress rules configured.

OKE Security Groups

Ensures that OKE clusters only allow inbound traffic on port 443.