2023-01-09 New CSPM Plugin Release
On January 09, 2023, Aqua released and activated the following new plugins. They can be tested using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, then no action is required, and they will be pre-suppressed in your account prior to release.
Hot Fixes/Enhancements:
AWS
Max Password Age
Changed the message to 'Account has Default password policy' when no custom password policy is found.
Min Password Length
Added a check that produces a passing or failing result for the AWS default password policy, which enforces a minimum length of 8 characters.
Password Expiration
Changed the message to 'Account has Default password policy' when no custom password policy is found.
Password Requires Lowercase
Changed the message to 'Account has Default password policy' when no custom password policy is found.
Password Requires Numbers
Changed the message to 'Account has Default password policy' when no custom password policy is found.
Password Requires Symbols
Changed the message to 'Account has Default password policy' when no custom password policy is found.
Password Requires Uppercase
Changed the message to 'Account has Default password policy' when no custom password policy is found.
Password Reuse Prevention
Changed the message to 'Account has Default password policy' when no custom password policy is found.
Password Policy Allows To Change Password
Changed the message to 'Account has Default password policy' when no custom password policy is found.
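As an added illustration (not Aqua's plugin code), the behaviour described above applied to the result of IAM GetAccountPasswordPolicy: the default policy still gives a pass/fail for minimum length, while the other checks report the default-policy message. The thresholds (14-character minimum, 90-day maximum age, 24 remembered passwords) and the FAIL status attached to the default-policy message are assumptions.

```python
"""Added example: AWS password-policy checks with default-policy handling."""

DEFAULT_POLICY_MSG = "Account has Default password policy"
AWS_DEFAULT_MIN_LENGTH = 8  # the AWS default policy enforces 8 characters

# Checks that need a custom policy: name -> predicate over the PasswordPolicy dict.
# Thresholds (90 days, 24 remembered passwords) are assumptions, not from the page.
POLICY_CHECKS = {
    "Max Password Age": lambda p: 0 < p.get("MaxPasswordAge", 0) <= 90,
    "Password Expiration": lambda p: p.get("ExpirePasswords", False),
    "Password Requires Lowercase": lambda p: p.get("RequireLowercaseCharacters", False),
    "Password Requires Numbers": lambda p: p.get("RequireNumbers", False),
    "Password Requires Symbols": lambda p: p.get("RequireSymbols", False),
    "Password Requires Uppercase": lambda p: p.get("RequireUppercaseCharacters", False),
    "Password Reuse Prevention": lambda p: p.get("PasswordReusePrevention", 0) >= 24,
    "Password Policy Allows To Change Password": lambda p: p.get("AllowUsersToChangePassword", False),
}


def check_min_password_length(policy, required=14):
    """policy: the PasswordPolicy dict, or None when IAM answers NoSuchEntity.
    The default policy still yields PASS/FAIL because its length is known (8)."""
    length = AWS_DEFAULT_MIN_LENGTH if policy is None else policy.get("MinimumPasswordLength", 0)
    source = "Default" if policy is None else "Custom"
    status = "PASS" if length >= required else "FAIL"
    return status, f"{source} password policy enforces minimum length {length} (required {required})"


def run_password_checks(policy, required_length=14):
    """Return {check name: (status, message)} for every check listed above."""
    results = {"Min Password Length": check_min_password_length(policy, required_length)}
    for name, passes in POLICY_CHECKS.items():
        if policy is None:
            # Hot-fix behaviour: report the default-policy message; FAIL is an assumption.
            results[name] = ("FAIL", DEFAULT_POLICY_MSG)
        else:
            ok = bool(passes(policy))
            results[name] = ("PASS" if ok else "FAIL", f"{name}: {'satisfied' if ok else 'not satisfied'}")
    return results


if __name__ == "__main__":
    # Constructed sample: an account with no custom policy, then a partial custom policy.
    for label, policy in (("no custom policy", None),
                          ("custom policy", {"MinimumPasswordLength": 16, "RequireNumbers": False})):
        print(label)
        for name, (status, message) in run_password_checks(policy).items():
            print(f"  {status:4} {name}: {message}")
```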
Azure
Open NetBIOS
Added a check for UDP port 139.
Google Cloud
Tables CMK Encrypted
This plugin was checking encryption on BigQuery datasets rather than tables. Since a separate plugin now checks encryption on datasets, this plugin was modified to check encryption on BigQuery tables.
New Plugins:
AWS
SNS Topic Has Tags
Ensure that Amazon SNS topics have tags associated.
ECR Repository Has Tags
Ensure that Amazon ECR repositories have tags associated.
Backup Vault Has Tags
Ensure that AWS Backup Vaults have tags associated.
Secret Has Tags
Ensure that AWS Secrets Manager secrets have tags associated.
Google Cloud
Asset Inventory Enabled
Ensure that the Asset Inventory service is enabled for the project.
MySQL Skip Show Database Enabled
Ensures that Cloud SQL instances of MySQL type have the skip show database flag enabled.
PostgreSQL Log Hostname Flag Enabled
Ensures that Cloud SQL instances of PostgreSQL type have the log hostname flag enabled.
PostgreSQL Pg Audit Flag Enabled
Ensures that Cloud SQL instances of PostgreSQL type have the cloudsql.enable_pgaudit flag enabled for centralized logging.
PostgreSQL Log Min Messages
Ensures that Cloud SQL instances of PostgreSQL type have the log min messages flag set to Warning or stricter.
PostgreSQL Log Statement
Ensures that Cloud SQL instances of PostgreSQL type have the log statement flag set to the desired value.
SQL Server External Scripts Flag Disabled
Ensures that the external scripts enabled flag is disabled for SQL Server instances.
SQL Server Remote Access Flag Disabled
Ensure that the remote access flag is disabled for SQL Server instances.
SQL Server Trace Flag Disabled
Ensure that the 3625 (trace flag) database flag is disabled for SQL Server instances.
SQL Server Contained Database
Ensure that the contained database authentication flag is disabled for SQL Server instances.
SQL Server User Connections Flag
Ensure that the user connections database flag for Cloud SQL Server instances is set to the desired value.
Access Approval Enabled
Ensure that Access Approval is enabled for the project.
Confidential Computing Enabled
Ensure that Virtual Machine instances have confidential computing enabled.
PostgreSQL Log Error Verbosity
Ensure that Cloud SQL instances of PostgreSQL type have the log error verbosity flag set to default or stricter.
Default VPC Exists
Ensures that your Google Cloud project does not use a default network.
Legacy Network Exists
Ensures that your Google Cloud project does not have legacy networks.
Datasets CMK Encrypted
Ensures that BigQuery datasets are encrypted using the desired encryption protection level.
Essential Contacts Configured
Ensure that Essential Contacts is configured with designated email addresses that Google Cloud services notify of important technical or security information.
SQL Server User Options Flag Disabled
Ensure that the user options database flag for Cloud SQL Server instances is not configured.
Azure
AKS Cluster Private
Ensures that Azure Kubernetes clusters are private.
Enable Defender for DNS
Ensures that Microsoft Defender for DNS is enabled.
Cosmos DB Has Tags
Ensure that Azure Cosmos DB database accounts have tags associated.
Virtual Machine Has Tags
Ensure that Azure virtual machines have tags associated.
Virtual Network Has Tags
Ensures that Azure Virtual Networks have tags associated.
AKS Cluster Has Tags
Ensures that Azure Kubernetes clusters have tags associated.
Redis Cache Has Tags
Ensures that Azure Cache for Redis instances have tags associated.
Snapshot Has Tags
Ensures that Azure VM disk snapshots have tags associated.
Load Balancer Has Tags
Ensures that Azure Load Balancers have tags associated.
Key Vault Has Tags
Ensure that Azure Key Vault vaults have tags associated.
Storage Account Has Tags
Ensure that Azure Storage accounts have tags associated.
PostgreSQL Server Has Tags
Ensure that Azure PostgreSQL servers have tags associated.
SQL Server Has Tags
Ensure that Azure SQL servers have tags associated.
VM Disk Has Tags
Ensure that Azure virtual machine disks have tags associated.
AKS Encryption At Rest with BYOK
Ensure that Azure Kubernetes cluster data is encrypted with CMK.
Open SNMP
Determine if UDP port 161 for SNMP is open to the public.
Open Redis
Determine if TCP port 6379 for Redis is open to the public.
Open Cassandra Client
Determine if TCP port 9042 for the Cassandra client is open to the public.
Open Cassandra Internode
Determine if TCP port 7000 for Cassandra internode communication is open to the public.
Open Cassandra Monitoring
Determine if TCP port 7199 for Cassandra monitoring is open to the public.
Open Cassandra Thrift
Determine if TCP port 9160 for Cassandra Thrift is open to the public.
Open Elasticsearch
Determine if TCP port 9200 or 9300 for Elasticsearch is open to the public.
Open Internal Web
Determine if TCP port 8080 for internal web is open to the public.
Open LDAP
Determine if TCP or UDP port 389 for LDAP is open to the public.
Open LDAPS
Determine if TCP port 636 for LDAP over SSL is open to the public.
Open Memcached
Determine if TCP or UDP port 11211 for Memcached is open to the public.
Open MongoDB
Determine if TCP port 27017, 27018 or 27019 for MongoDB is open to the public.