2023-02-08 New CSPM Plugin Release
New plugins
On February 8, 2023, Aqua will release and activate the following new plugins. They can be tested using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, no action is required -- they will be pre-suppressed in your account prior to release.
AWS
S3 Bucket Policy CloudFront OAC
Ensures that each S3 bucket is the origin of only one CloudFront distribution and that its bucket policy grants access only to that distribution.
IAM User Account Not In Use
Ensures that IAM user accounts are being actively used.
S3 Bucket MFA Delete Status
Ensures that MFA delete is enabled on S3 buckets.
Unrestricted Network ACL Inbound Traffic
Ensures that no Amazon Network ACL allows inbound/ingress traffic to remote administration ports.
Azure
Open HTTP
Determines if TCP port 80 for HTTP is open to the public.
Unattached Disk Volumes with Default Encryption
Ensures that no Azure virtual machine disks that use default encryption are left in the unattached state.
Application Gateway WAF Enabled
Ensures that Web Application Firewall (WAF) is enabled for Application Gateways.
VM Disk Snapshot Public Access Disabled
Ensures that Azure virtual machine disk snapshots are not publicly accessible.
VM Disk Snapshot BYOK Encryption Enabled
Ensures that Azure virtual machine disk snapshots have BYOK (Customer-Managed Key) encryption enabled.
Application Gateway WAF Prevention Mode Enabled
Ensures that WAF policies for Microsoft Azure Application gateways are set to Prevention mode.
PostgreSQL Infrastructure Double Encryption
Ensures infrastructure double encryption is enabled for PostgreSQL Database Servers.
ACR Has Tags
Ensures that Microsoft Azure Container registries have associated tags.
Application Gateway Has Tags
Ensures that Microsoft Azure Application Gateways have associated tags.
WAF Policy Has Tags
Ensures that each Microsoft Azure WAF Policy has associated tags.
VM Scale Set Has Tags
Ensures that Azure Virtual Machine scale sets have associated tags.
Route Table Has Tags
Ensures that Microsoft Azure Network route tables have associated tags.
Public IP Address Logging Enabled
Ensures that Activity Log alerts for create/update and delete Public IP Address events are enabled.
MySQL Flexible Server Minimum TLS Version
Ensures that the TLS version on MySQL flexible servers is set to the default value.
Security Contact Enabled for Subscription Owner
Ensures that security alert emails are enabled for subscription owners.
Security Contact Additional Email
Ensures that additional email addresses are configured as security contact email addresses.
VM Image Has Tags
Ensures that Microsoft Azure virtual machine images have associated tags.
GCP
Open HTTP
Determines if TCP port 80 for HTTP is open to the public.
CLB Logging Enabled
Ensures that logging is enabled for all HTTP(s) load balancers.
API Key Active Services Only
Ensures that API Keys exist only for active services.
API Key API Restriction
Ensures that there are no unrestricted API keys available within GCP projects.
Project API Keys
Ensures that there are no API keys created within GCP projects.
Oracle
Open HTTP
Determines if TCP port 80 for HTTP is open to the public.
Hot fixes and enhancements (AWS)
Aqua will release the following on February 8, 2023.
Lambda Old Runtimes
Added settings that flag Lambda functions whose runtime will expire within a configurable number of days (x days).
IAM Role Policies Unused Services
We refactored the logic to be more rigorous when it comes to resources within an IAM policy:
- Policy statements having global wildcards on resources will be flagged.
- There is a new setting to flag policy resources based on a given regex. If a regex is provided for this setting, all policy resources will be checked against the regex.
IAM Role Policies
We refactored the logic to be more rigorous when it comes to resources within an IAM policy:
- Policy statements having global wildcards on resources will be flagged.
- There is a new setting to flag policy resources based on a given regex. If a regex is provided for this setting, all policy resources will be checked against the regex.
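The resource checks described for both IAM Role Policies plugins above, as an added illustration (this is not Aqua's plugin code): it flags any Allow statement with a global wildcard resource and, when a regex is supplied, any resource that matches it. The sample policy document and the choice to skip Deny statements are my own assumptions.

```python
import json
import re

# Constructed sample IAM policy document (not taken from the release notes):
# one Allow statement with a global wildcard resource, one scoped to a single
# bucket ARN, and one Deny statement with a wildcard.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAny", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Sid": "ReadOne", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "s3:*", "Resource": ["*"]},
    ],
})


def flag_policy_resources(policy_json, resource_regex=None):
    """Return (sid, resource, reason) tuples for overly broad Allow resources.

    A resource equal to "*" (global wildcard) is always flagged. If
    resource_regex is given, every resource in an Allow statement is also
    tested against it and flagged on a match.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    pattern = re.compile(resource_regex) if resource_regex else None
    findings = []
    for index, statement in enumerate(statements):
        # Assumption: Deny statements only narrow access, so they are not flagged.
        if statement.get("Effect") != "Allow":
            continue
        resources = statement.get("Resource", [])
        if isinstance(resources, str):  # "Resource" may be a string or a list
            resources = [resources]
        sid = statement.get("Sid", f"statement[{index}]")
        for resource in resources:
            if resource == "*":
                findings.append((sid, resource, "global wildcard resource"))
            elif pattern and pattern.search(resource):
                findings.append((sid, resource, "resource matches flag regex"))
    return findings


if __name__ == "__main__":
    for sid, resource, reason in flag_policy_resources(SAMPLE_POLICY, r"^arn:aws:s3:::example-"):
        print(f"{sid}: {resource} -> {reason}")
```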
FSX File System Encrypted
We fixed a bug for resource values to show ARN values instead of "undefined".
CloudWatch Monitoring Metrics
We added logic to check for "Organizations Changes".
Plugin removed
On February 8, 2023, Aqua will remove the Pod Security Policy Enabled plugin from Google.