2022-08-08 New CSPM Plugin Release
On August 8th, 2022, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release.
Hot Fixes/Enhancements:
Azure
Queue Service All Access ACL
Microsoft Azure has updated its API and changed the names of the queue ACL permissions, so we updated the plugin to reflect those changes. This fixes a false-positive issue.
New Plugins:
AWS
Image Builder Components Encrypted
Ensure that Image Builder components are encrypted.
Dockerfile Template Encrypted
Ensure that Image Recipe Dockerfile Templates are encrypted.
Infrastructure Configuration Notification Enabled
Ensure that Image Builder infrastructure configurations have SNS notifications enabled.
Image Recipe Storage Volumes Encrypted
Ensure that Image Recipe storage EBS volumes are encrypted.
Oracle
Cloud Guard Enabled
Ensure Cloud Guard is enabled in the root compartment of the tenancy.
Flow Logs Enabled
Ensure that VCN flow logs are enabled for traffic logging.
Key Rotation
Ensure that your OCI Vault Keys are periodically rotated.
Bucket Write Logs Enabled
Ensure that write-level Object Storage logging is enabled for all buckets.
IAM Group Changes
Ensure an event rule is configured for IAM Group changes.
IAM Policy Changes
Ensure an event rule is configured for IAM Policy changes.
Identity Provider Changes
Ensure an event rule is configured for Identity Provider changes.
Idp Group Mapping Changes
Ensure an event rule is configured for Idp Group Mapping changes.
User Changes
Ensure an event rule is configured for User changes.
Network Gateway Changes
Ensure an event rule is configured for network gateway changes.
Route Table Changes
Ensure an event rule is configured for route table changes.
Security Group Changes
Ensure an event rule is configured for security group changes.
Security List Changes
Ensure an event rule is configured for security list changes.
VCN Changes
Ensure an event rule is configured for VCN changes.
Remediations:
HTTP Trigger require HTTPS
Ensure that Cloud Functions are configured to require HTTPS for HTTP invocations.
Instance Automatic Restart Enabled
Ensure that Virtual Machine instances have the automatic restart feature enabled.
Bucket Uniform Level Access
Ensure that uniform bucket-level access is enabled on storage buckets.
Bucket Versioning
Ensure that object versioning is enabled on storage buckets.
Compute Allowed External IPs
Determine if the "Define Allowed External IPs for VM Instances" constraint policy is enabled at the GCP organization level.
Detailed Audit Logging Mode
Determine if "Detailed Audit Logging Mode" policy is configured at the GCP organization level.
Disable Automatic IAM Grants
Determine if the "Disable Automatic IAM Grants for Default Service Accounts" policy is enforced at the GCP organization level.
Disable Default Encryption Creation
Determine if the "Restrict Default Google-Managed Encryption for Cloud SQL Instances" policy is enforced at the GCP organization level.
Disable Guest Attributes
Determine if "Disable Guest Attributes of Compute Engine Metadata" constraint policy is enabled at the GCP organization level.
Disable Workload Identity Cluster Creation
Determine if "Disable Workload Identity Cluster Creation" policy is enforced at the GCP organization level.
Disable Service Account Key Creation
Determine if "Disable Service Account Key Creation" policy is enforced at the GCP organization level.
Disable Service Account Key Upload
Determine if "Disable Service Account Key Upload" policy is enforced at the GCP organization level.
Disable Serial Port Access
Determine if "Disable VM serial port access" policy is enforced at the GCP organization level.
Disable VM IP Forwarding
Determine if "Restrict VM IP Forwarding" constraint policy is enforced at the GCP organization level.
Location-Based Service Restriction
Determine if the "Resource Location Restriction" policy is enforced at the GCP organization level.
Enforce Require OS Login
Determine if "Require OS Login" policy is enforced at the GCP organization level.
Enforce Restrict Authorized Networks
Determine if "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at the GCP organization level.
Restrict Load Balancer Creation
Determine if the "Restrict Load Balancer Creation for Types" policy is enforced at the GCP organization level.
Restrict Shared VPC Subnetworks
Determine if the "Restrict Shared VPC Subnetworks" policy is enforced at the GCP organization level.
Restrict VPC Peering
Determine if the "Restrict VPC Peering" policy is enforced at the GCP organization level.
Restrict VPN Peer IPs
Determine if the "Restrict VPN Peer IPs" policy is enforced at the GCP organization level.
Skip Default Network Creation
Determine if "Skip Default Network Creation" constraint policy is enforced at the GCP organization level.
Trusted Image Projects
Determine if "Define Trusted Image Projects" constraint policy is enforced at the GCP organization level.
Enforce Uniform Bucket-Level Access
Determine if "Enforce uniform bucket-level access" policy is enabled at the GCP organization level.