On August 8th, 2022, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release. 


Hot Fixes/Enhancements:

Azure


Queue Service All Access ACL

As Microsoft Azure has updated it’s API and changed the names for queue ACL permissions so we updated the plugin to reflect those changes. This will fix a false-positive issue.


New Plugins:

 

AWS

Image Builder Components Encrypted

Ensure that Image Builder components are encrypted.

Dockerfile Template Encrypted

Ensure that Image Recipe Dockerfile Templates are encrypted.

Infrastructure Configuration Notification Enabled

Ensure that Image Builder infrastructure configurations have SNS notifications enabled.

Image Recipe Storage Volumes Encrypted

Ensure that Image Recipe storage EBS volumes are encrypted.


Oracle


Cloud Guard Enabled

Ensure Cloud Guard is enabled in the root compartment of the tenancy.

Flow Logs Enabled

Ensures VCN flow logs are enabled for traffic logging.

Key Rotation

Ensure that your OCI Vault Keys are periodically rotated.

Bucket Write Logs Enabled

Ensures write level Object Storage logging is enabled for all buckets.

IAM Group Changes

Ensure an event rule is configured for IAM Group changes.

IAM Policy Changes

Ensure an event rule is configured for IAM Policy changes.

Identity Provider Changes

Ensure an event rule is configured for Identity Provider changes.

Idp Group Mapping Changes

Ensure an event rule is configured for Idp Group Mapping changes.

User Changes

Ensure an event rule is configured for User changes.

Network Gateway Changes

Ensure an event rule is configured for network gateway changes.

Route Table Changes

Ensure an event rule is configured for route table changes.

Security Group Changes

Ensure an event rule is configured for security group changes.

Security List Changes

Ensure an event rule is configured for security list changes.

VCN Changes

Ensure an event rule is configured for VCN changes.


Remediations:

Google


HTTP Trigger require HTTPS

Ensure that Cloud Functions are configured to require HTTPS for HTTP invocations.

Instance Automatic Restart Enabled

Ensure that Virtual Machine instances have automatic restart feature enabled.

Bucket Uniform Level Access

Ensures that uniform level access is enabled on storage buckets.

Bucket Versioning

Ensures object versioning is enabled on storage buckets

Compute Allowed External IPs

Determine if "Define Allowed External IPs for VM Instances" constraint policy is enabled at the 

GCP organization level.

Detailed Audit Logging Mode

Determine if "Detailed Audit Logging Mode" policy is configured at the GCP organization level.

Disable Automatic IAM Grants

Determine if "Disable Automatic IAM Grants for Default Service Accounts" policy is 

enforced at the organization level.

Disable Default Encryption Creation

Determine if "Restrict Default Google-Managed Encryption for Cloud SQL Instances" is enforced on the GCP organization level.

Disable Guest Attributes

Determine if "Disable Guest Attributes of Compute Engine Metadata" constraint policy is enabled at the GCP organization level.

Disable Workload Identity Cluster Creation

Determine if "Disable Workload Identity Cluster Creation" policy is enforced at the GCP organization level.

Disable Service Account Key Creation

Determine if "Disable Service Account Key Creation" policy is enforced at the GCP organization level.

Disable Service Account Key Upload

Determine if "Disable Service Account Key Upload" policy is enforced at the GCP organization level.

Disable Serial Port Access

Determine if "Disable VM serial port access" policy is enforced at the GCP organization level.

Disable VM IP Forwarding

Determine if "Restrict VM IP Forwarding" constraint policy is enforced at the GCP organization level.

Location-Based Service Restriction

Determine if "Resource Location Restriction" is enforced on the GCP organization level.

Enforce Require OS Login

Determine if "Require OS Login" policy is enforced at the GCP organization level.

Enforce Restrict Authorized Networks

Determine if "Restrict Authorized Networks on Cloud SQL instances" policy is enforced at the GCP organization level.

Restrict Load Balancer Creation

Determine if "Restrict Load Balancer Creation for Types" is enforced on the GCP organization level.

Restrict Shared VPC Subnetworks

Determine if "Restrict Shared VPC Subnetworks" is enforced on the GCP organization level.

Restrict VPC Peering

Determine if "Restrict VPC Peering" is enforced on the GCP organization level.

Restrict VPN Peer IPs

Determine if "Restrict VPN Peer IPs" is enforced on the GCP organization level.

Skip Default Network Creation

Determine if "Skip Default Network Creation" constraint policy is enforces at the GCP organization level.

Trusted Image Projects

Determine if "Define Trusted Image Projects" constraint policy is enforces at the GCP organization level.

Enforce Uniform Bucket-Level Access

Determine if "Enforce uniform bucket-level access" policy is enabled at the GCP organization level.