2022-09-15 New CSPM Plugin Release
On September 15, 2022, Aqua will release and activate the following new plugins. They can be tested ahead of time using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release.
New Announcements:
Alibaba Cloud Service (Beta) China
Added support for Alibaba Cloud accounts created from within Mainland China. This segregation also benefits non-China accounts by excluding scan results for Chinese regions.
Hot Fixes/Enhancements:
AWS
Open Elasticsearch
Modified the plugin to also check for TCP port 9300 for Elasticsearch.
Open NetBIOS
Modified the plugin to also check for UDP port 139 for NetBIOS.
CloudFront Geo Restriction
Added a new setting to check whether the specified geo locations are whitelisted, rather than blacklisted, in the CloudFront geo restriction configuration.
Open MongoDB
Modified the plugin to also check for TCP port 27018 and 27019 for MongoDB.
Open NetBIOS
Modified the plugin to also check for UDP port 138 or 139 for NetBIOS.
API Key Rotation
Added a new setting to produce a WARN result when API keys have not been rotated for over 45 days.
New Plugins:
Azure
Key Vault Restrict Default Network Access
Ensure that Microsoft Azure Key Vaults are configured to deny access to traffic from all networks.
KeyVault Trusted Services Enabled
Ensure that "Allow trusted Microsoft services to bypass this firewall" feature is enabled for Azure Key Vault network firewall configuration.
AWS
Internet Gateways In VPC
Ensure Internet Gateways are associated with at least one available VPC.
Virtual Private Gateway In VPC
Ensure Virtual Private Gateways are associated with at least one VPC.
RDS Snapshot Publicly Accessible
Ensure that Amazon RDS database snapshots are not publicly exposed.
Services In Use
Ensure that only permitted services are being used in your AWS cloud account.
Open Cassandra Client
Determine if TCP port 9042 for Cassandra Client is open to the public.
Open Cassandra Internode
Determine if TCP port 7000 for Cassandra Internode is open to the public.
Open Cassandra Monitoring
Determine if TCP port 7199 for Cassandra Monitoring is open to the public.
Open Cassandra Thrift
Determine if TCP port 9160 for Cassandra Thrift is open to the public.
Open LDAP
Determine if TCP or UDP port 389 for LDAP is open to the public.
Open LDAPS
Determine if TCP port 636 for LDAPS is open to the public.
Open Memcached
Determine if TCP or UDP port 11211 for Memcached is open to the public.
Open MongoDB
Determine if TCP port 27017 or 27018 or 27019 for MongoDB is open to the public.
Open Redis
Determine if TCP port 6379 for Redis is open to the public.
Open SNMP
Determine if UDP port 161 for SNMP is open to the public.
Open Internal Web
Determine if TCP port 8080 for internal web is open to the public.
Password Policy Allows To Change Password
Ensure IAM password policy allows users to change their passwords.
Open Cassandra Thrift
Determines if TCP port 9160 for Cassandra Thrift is open to the public.
Open Cassandra Monitoring
Determines if TCP port 7199 for Cassandra Monitoring is open to the public.
Open Cassandra Internode
Determines if TCP port 7000 for Cassandra Internode is open to the public.
Open Cassandra Client
Determines if TCP port 9042 for Cassandra Client is open to the public.
Open Elasticsearch
Determines if TCP ports 9200, 9300 for Elasticsearch are open to the public.
Open LDAP
Determines if TCP or UDP port 389 for LDAP is open to the public.
Open SNMP
Determines if UDP port 161 for SNMP is open to the public.
Open Internal Web
Determines if TCP port 8080 for internal web is open to the public.
Open Memcached
Determines if TCP or UDP port 11211 for Memcached is open to the public.
Open LDAPS
Determines if TCP port 636 for LDAP SSL is open to the public.
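An added example, not Aqua's own plugin code, of the kind of evaluation the "Open <service>" plugins above describe: it runs this release's port list over security groups in the shape returned by boto3's describe_security_groups. The sample groups are constructed; a rule counts as public when its source is 0.0.0.0/0 or ::/0, and an IpProtocol of -1 (all traffic) is treated as covering every port.

```python
# Added example, not Aqua's own code. Port map taken from the plugin descriptions above.
OPEN_PORT_CHECKS = {
    "Open Cassandra Client": [("tcp", 9042)], "Open Cassandra Internode": [("tcp", 7000)],
    "Open Cassandra Monitoring": [("tcp", 7199)], "Open Cassandra Thrift": [("tcp", 9160)],
    "Open Elasticsearch": [("tcp", 9200), ("tcp", 9300)],
    "Open LDAP": [("tcp", 389), ("udp", 389)], "Open LDAPS": [("tcp", 636)],
    "Open Memcached": [("tcp", 11211), ("udp", 11211)],
    "Open MongoDB": [("tcp", 27017), ("tcp", 27018), ("tcp", 27019)],
    "Open NetBIOS": [("udp", 138), ("udp", 139)], "Open Redis": [("tcp", 6379)],
    "Open SNMP": [("udp", 161)], "Open Internal Web": [("tcp", 8080)],
}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}  # "open to the public": any IPv4 or any IPv6 source

def rule_is_public(rule):
    """True if an ingress rule admits traffic from any IPv4 or IPv6 address."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in PUBLIC_CIDRS for c in cidrs)

def rule_covers(rule, proto, port):
    """True if the rule admits proto/port; IpProtocol "-1" (all traffic) matches everything."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != proto:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def evaluate_security_groups(groups):
    """Return {plugin name: [GroupIds exposing one of its ports to the public]}."""
    findings = {}
    for sg in groups:
        public = [r for r in sg.get("IpPermissions", []) if rule_is_public(r)]
        for name, targets in OPEN_PORT_CHECKS.items():
            if any(rule_covers(r, p, port) for r in public for p, port in targets):
                findings.setdefault(name, []).append(sg["GroupId"])
    return findings

# Constructed sample groups (boto3 describe_security_groups shape): a public MongoDB
# port range, a Redis rule limited to RFC 1918 space, and "all traffic" from any IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-mongo", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 27017,
        "ToPort": 27019, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-redis-private", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 6379,
        "ToPort": 6379, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all-v6", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Calling evaluate_security_groups(SAMPLE_GROUPS) flags sg-mongo under Open MongoDB and sg-all-v6 under every check, while sg-redis-private produces no finding.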