On March 13th, 2023, Aqua will release and activate the following new plugins. They can be tested using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, no action is required -- they will be pre-suppressed in your account before release.


New plugins


AWS

ECS Cluster Active Services

Ensure that the ECS clusters have active services.

ECS Cluster Service with Active Tasks

Ensure ECS clusters have services with running tasks.

IAM User without Permissions

Ensure that no IAM user exists without any permissions.

Lambda Unique Execution Role

Ensure that AWS Lambda functions do not share the same execution role.

Default Security Group in Use

Ensure that AWS EC2 instances are not associated with a default security group.

Open All Ports Protocols Egress

Determines if the security group has all outbound ports or protocols open to the public.

Open HTTPS

Determines if TCP port 443 for HTTPS is open to the public.
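The three security-group checks above ("Open HTTPS", "Open All Ports Protocols Egress") and the "Open Oracle" hot fix further down all reduce to the same question: does a rule in the group pair a public source or destination range with the port in question? The following is an added example, not Aqua's or the plugin's own code, that answers it over constructed security groups in the shape returned by the EC2 DescribeSecurityGroups API. The group ids and rules are made up for the example; the port list for Oracle includes 2483 as the hot-fix notes describe.

```python
# Added example (not Aqua's plugin code): evaluate EC2 security group rules,
# in the DescribeSecurityGroups response shape, for the conditions the
# "Open HTTPS", "Open All Ports Protocols Egress" and "Open Oracle" plugins describe.
from typing import Dict, Iterable, List

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ORACLE_PORTS = (1521, 2483)  # 2483 is the port added in the hot-fix notes


def _is_public(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range on this permission is the whole internet."""
    v4 = any(r.get("CidrIp") in PUBLIC_CIDRS for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in PUBLIC_CIDRS for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _covers_tcp_port(perm: Dict, port: int) -> bool:
    """True if this permission allows TCP `port`; protocol -1 allows everything."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_ports_to_public(sg: Dict, ports: Iterable[int]) -> List[int]:
    """Ports from `ports` that this group's ingress rules expose to the public."""
    return [
        port for port in ports
        if any(_is_public(p) and _covers_tcp_port(p, port)
               for p in sg.get("IpPermissions", []))
    ]


def egress_all_open_to_public(sg: Dict) -> bool:
    """True when an egress rule allows all protocols and all ports to the public."""
    return any(p.get("IpProtocol") == "-1" and _is_public(p)
               for p in sg.get("IpPermissionsEgress", []))


def evaluate(groups: Iterable[Dict]) -> Dict[str, List[str]]:
    """Map each group id to the names of the checks that fail for it."""
    report = {}
    for sg in groups:
        findings = []
        if open_ports_to_public(sg, [443]):
            findings.append("Open HTTPS")
        if open_ports_to_public(sg, ORACLE_PORTS):
            findings.append("Open Oracle")
        if egress_all_open_to_public(sg):
            findings.append("Open All Ports Protocols Egress")
        report[sg["GroupId"]] = findings
    return report


# Constructed sample groups (not real resources).
WEB_SG = {
    "GroupId": "sg-web-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
    # The egress rule AWS attaches to every new group by default: all traffic, anywhere.
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
DB_SG = {
    "GroupId": "sg-db-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 2483, "ToPort": 2483,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for group_id, findings in evaluate([WEB_SG, DB_SG]).items():
        print(group_id, findings or ["no findings"])
```

Two things worth noticing before deciding whether to suppress either check. The egress check fires on the default "all traffic" egress rule that AWS attaches to every new security group, so it will raise a finding on most groups in an account and is a candidate for the "Live Run" and suppression workflow described at the top of the page. The Oracle check only turns up the 2483 exposure in the sample because the IPv6 ranges are inspected as well as the IPv4 ones; a check that only reads `IpRanges` would report that group as clean.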


Azure

Open HTTPS

Determines if TCP port 443 for HTTPS is open to the public.


Google

Comment Control Enabled

Ensure Comment Control is enabled for all cloud build triggers.

Specific Source Branch

Ensure cloud build triggers are configured with a specific source branch.

User Approval Enabled

Ensure User Approval is enabled for all cloud build triggers.

Snapshot Encryption

Ensure Snapshots are encrypted using Customer Managed or Supplied Keys.

Cloud Function All Users Policy

Ensure cloud functions are not anonymously or publicly accessible.

Trigger has Tags

Ensure cloud build triggers have tags.
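The four Cloud Build trigger checks above (Comment Control Enabled, Specific Source Branch, User Approval Enabled, Trigger has Tags) each read one field of a trigger definition. The following is an added example, not Aqua's plugin code, that evaluates a weak and a hardened trigger side by side. The field names (`github.pullRequest.commentControl`, `github.pullRequest.branch`, `github.push.branch`, `triggerTemplate.branchName`, `approvalConfig.approvalRequired`, `tags`) follow the Cloud Build `BuildTrigger` REST resource as I know it, and the rule that a branch pattern matching an arbitrary branch name counts as "not specific" is my own heuristic; both are assumptions, not something the release note states.

```python
# Added example (not Aqua's plugin code): evaluate Cloud Build trigger
# definitions for the four trigger checks named in the release note.
# Field names follow the BuildTrigger REST resource (assumption).
import re
from typing import Dict, List, Optional


def _source_branch(trigger: Dict) -> Optional[str]:
    """Return the branch pattern the trigger fires on, whichever event type it uses."""
    gh = trigger.get("github", {})
    for event in ("pullRequest", "push"):
        if event in gh and "branch" in gh[event]:
            return gh[event]["branch"]
    return trigger.get("triggerTemplate", {}).get("branchName")


def _is_specific_branch(pattern: Optional[str]) -> bool:
    """Heuristic (assumption): a pattern is specific only if it rejects an arbitrary branch name."""
    if pattern is None or not pattern.strip():
        return False
    try:
        return re.search(pattern, "zz-arbitrary-branch-name") is None
    except re.error:
        return False  # an invalid pattern cannot be relied on to restrict anything


def trigger_findings(trigger: Dict) -> List[str]:
    """Names of the checks that fail for this trigger, in the order they appear on the page."""
    findings = []

    # Comment Control Enabled: only meaningful for GitHub pull-request triggers.
    pr = trigger.get("github", {}).get("pullRequest")
    if pr is not None and pr.get("commentControl", "COMMENTS_DISABLED") == "COMMENTS_DISABLED":
        findings.append("Comment Control Enabled")

    # Specific Source Branch
    if not _is_specific_branch(_source_branch(trigger)):
        findings.append("Specific Source Branch")

    # User Approval Enabled
    if not trigger.get("approvalConfig", {}).get("approvalRequired", False):
        findings.append("User Approval Enabled")

    # Trigger has Tags
    if not trigger.get("tags"):
        findings.append("Trigger has Tags")

    return findings


# Constructed sample triggers (not real resources).
WEAK_TRIGGER = {
    "name": "ci-weak",
    "github": {
        "owner": "example-org", "name": "example-repo",
        "pullRequest": {"branch": ".*", "commentControl": "COMMENTS_DISABLED"},
    },
}
HARDENED_TRIGGER = {
    "name": "ci-hardened",
    "github": {
        "owner": "example-org", "name": "example-repo",
        "pullRequest": {
            "branch": "^main$",
            "commentControl": "COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY",
        },
    },
    "approvalConfig": {"approvalRequired": True},
    "tags": ["team-platform"],
}

if __name__ == "__main__":
    for t in (WEAK_TRIGGER, HARDENED_TRIGGER):
        print(t["name"], trigger_findings(t) or ["no findings"])
```

The weak trigger fails all four checks: it builds any pull request from any branch with no `/gcbrun` gate for external contributors and no approval step, which is the combination that lets an untrusted PR run the build pipeline unattended. The hardened trigger passes all four.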

Topic All Users Policy

Ensure Pub/Sub topics are not anonymously or publicly accessible.

Binary Authorization Enabled

Ensure Binary Authorization is enabled on Kubernetes clusters.

Images CMK Encrypted

Ensure compute images are encrypted using Customer Managed or Supplied Keys.


Hot fixes and enhancements

Aqua will release the following on March 8, 2023.


Alibaba

Open Oracle

Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.


AWS

Open Oracle

Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.

CloudFormation Admin Privileges

Updated the resource ARN to use stack ID in results.


Azure

Java Version

The plugin was checking for an outdated version of Java. Modified the plugin to check for the latest version.

PHP Version

The plugin was checking for an outdated version of PHP. Modified the plugin to check for the latest version.

Open Oracle

Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.

Web Apps Backup Retention Period

The plugin was producing unknown results in case no backups were found. Fixed the plugin to produce positive results in case no backups for the web app are found.

Web Apps Backup Enabled

The plugin was producing unknown results in case no backups were found. Fixed the plugin to produce negative results in case no backups are configured for web apps.

Google

Open Oracle

Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.

SQL Configuration Logging

Modified the plugin logic to check for SQL instances before scanning for logging and generate positive results if no instances for SQL are found.

Storage Permissions Logging

Modified the plugin logic to check for storage bucket resources before scanning for logging and generate positive results if no resources for storage buckets are found.

VPC Firewall Rule Logging

Modified the plugin logic to check for VPC firewall rule resources before scanning for logging and generate positive results if no VPC firewall rules are found.

VPC Network Logging

Modified the plugin logic to check for VPC network resources before scanning for logging and generate positive results if no resources for VPC network are found.

VPC Network Route Logging

Modified the plugin logic to check for VPC network routes before scanning for logging and generate positive results if no VPC network routes are found.


Oracle

Open Oracle

Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.


New Regions

AWS

Added support for the following regions:

  • ap-south-2
  • ap-southeast-4
  • eu-south-2
  • eu-central-2

Azure

Added support for the following region:

  • qatarcentral