New plugins


On February 8, 2023, Aqua will release and activate the following new plugins. They can be tested using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, no action is required -- they will be pre-suppressed in your account prior to release.


AWS


S3 Bucket Policy CloudFront OAC

Ensures that each S3 bucket is the origin of only one CloudFront distribution and that its bucket policy allows access only from that distribution.


IAM User Account Not In Use

Ensures that IAM user accounts are being actively used.


S3 Bucket MFA Delete Status

Ensures that MFA delete is enabled on S3 buckets.


Unrestricted Network ACL Inbound Traffic

Ensures that no Amazon Network ACL allows inbound/ingress traffic to remote administration ports.


Azure


Open HTTP

Determines if TCP port 80 for HTTP is open to the public.


Unattached Disk Volumes with Default Encryption

Ensures that no Azure virtual machine disks using default encryption are left in the unattached state.


Application Gateway WAF Enabled

Ensures that Web Application Firewall (WAF) is enabled for Application Gateways.


VM Disk Snapshot Public Access Disabled

Ensures that Azure virtual machine disk snapshots are not publicly accessible.


VM Disk Snapshot BYOK Encryption Enabled

Ensures that Azure virtual machine disk snapshots have BYOK (Customer-Managed Key) encryption enabled.


Application Gateway WAF Prevention Mode Enabled

Ensures that WAF policies for Microsoft Azure Application Gateways are set to Prevention mode.


PostgreSQL Infrastructure Double Encryption

Ensures infrastructure double encryption is enabled for PostgreSQL Database Servers.


ACR Has Tags

Ensures that Microsoft Azure Container registries have associated tags.


Application Gateway Has Tags

Ensures that Microsoft Azure Application Gateways have associated tags.


WAF Policy Has Tags

Ensures that each Microsoft Azure WAF Policy has associated tags.


VM Scale Set Has Tags

Ensures that Azure Virtual Machine scale sets have associated tags.


Route Table Has Tags

Ensures that Microsoft Azure Network route tables have associated tags.


Public IP Address Logging Enabled

Ensures that Activity Log alerts for create/update and delete Public IP Address events are enabled.


MySQL Flexible Server Minimum TLS Version

Ensures that the TLS version on MySQL flexible servers is set to the default value.


Security Contact Enabled for Subscription Owner

Ensures that security alert emails are enabled for subscription owners.


Security Contact Additional Email

Ensures that additional email addresses are configured for the security contact.


VM Image Has Tags

Ensures that Microsoft Azure virtual machine images have associated tags.


Google


Open HTTP

Determines if TCP port 80 for HTTP is open to the public.


CLB Logging Enabled

Ensures that logging is enabled for all HTTP(S) load balancers.


API Key Active Services Only

Ensures that API Keys exist only for active services.


API Key API Restriction

Ensures that there are no unrestricted API keys available within GCP projects.


Project API Keys

Ensures that there are no API keys created within GCP projects.


Oracle


Open HTTP

Determines if TCP port 80 for HTTP is open to the public.


Hot fixes and enhancements (AWS)


Aqua will release the following on February 8, 2023.


Lambda Old Runtimes

Added settings that enable flagging Lambda functions whose runtime will expire within x days.


IAM Role Policies Unused Services

We refactored the logic to be more rigorous when it comes to resources within an IAM policy:

  • Policy statements that use a global wildcard (*) as a resource will be flagged.
  • There is a new setting to flag policy resources based on a given regex. If a regex is provided for this setting, all policy resources will be checked against the regex.


IAM Role Policies

We refactored the logic to be more rigorous when it comes to resources within an IAM policy:

  • Policy statements that use a global wildcard (*) as a resource will be flagged.
  • There is a new setting to flag policy resources based on a given regex. If a regex is provided for this setting, all policy resources will be checked against the regex.
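A simplified illustration of the two resource checks described for both IAM Role Policies plugins above (global wildcard plus optional regex), added here as an example and not Aqua's or CloudSploit's own plugin code; it assumes that only Allow statements are examined and that a resource is flagged when it matches the configured regex.

```javascript
// Added illustration of the resource checks described above; not Aqua's or
// CloudSploit's own plugin code. Assumptions: only Effect "Allow" statements
// are examined, and a resource is flagged when it MATCHES the supplied regex.

// IAM allows Statement and Resource to be a single value or an array.
function asArray(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Returns one finding per offending resource:
// { sid, resource, reason } with reason 'global_wildcard' or 'regex_match'.
function checkPolicyResources(policyDocument, resourceRegex) {
  const re = resourceRegex ? new RegExp(resourceRegex) : null;
  const findings = [];
  for (const statement of asArray(policyDocument.Statement)) {
    if (statement.Effect !== 'Allow') continue;
    const sid = statement.Sid || '(no Sid)';
    for (const resource of asArray(statement.Resource)) {
      if (resource === '*') {
        findings.push({ sid, resource, reason: 'global_wildcard' });
      } else if (re && re.test(resource)) {
        findings.push({ sid, resource, reason: 'regex_match' });
      }
    }
  }
  return findings;
}

// Constructed sample policy document (not taken from any real account).
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'Logs', Effect: 'Allow', Action: 'logs:PutLogEvents',
      Resource: 'arn:aws:logs:us-east-1:111122223333:log-group:/app/*' },
    { Sid: 'AllS3', Effect: 'Allow', Action: 's3:*', Resource: '*' },
    { Sid: 'Prod', Effect: 'Allow', Action: ['s3:GetObject', 's3:PutObject'],
      Resource: ['arn:aws:s3:::prod-data', 'arn:aws:s3:::prod-data/*'] },
    { Sid: 'DenyAll', Effect: 'Deny', Action: '*', Resource: '*' },
  ],
};

// Without a regex only the global wildcard in 'AllS3' is reported (the partial
// wildcard in the log-group ARN is not); with a regex, 'Prod' is reported too.
const baseline = checkPolicyResources(SAMPLE_POLICY);
const withRegex = checkPolicyResources(SAMPLE_POLICY, '^arn:aws:s3:::prod-');
console.log(baseline.map((f) => `${f.sid}: ${f.resource} (${f.reason})`));
console.log(withRegex.map((f) => `${f.sid}: ${f.resource} (${f.reason})`));
```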


FSX File System Encrypted

We fixed a bug so that resource values show ARNs instead of "undefined".


CloudWatch Monitoring Metrics

We added logic to check for "Organizations Changes".


Plugin removed


On February 8, 2023, Aqua will remove the Pod Security Policy Enabled plugin from Google.