2023-03-13 New CSPM Plugin Release
On March 13th, 2023, Aqua will release and activate the following new plugins. They can be tested using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, no action is required -- they will be pre-suppressed in your account before release.
New plugins
AWS
ECS Cluster Active Services
Ensure that the ECS clusters have active services.
ECS Cluster Service with Active Tasks
Ensure ECS clusters have services with running tasks.
IAM User without Permissions
Ensure that no IAM user exists without any permissions.
Lambda Unique Execution Role
Ensure that AWS Lambda functions do not share the same execution role.
Default Security Group in Use
Ensure that AWS EC2 instances are not associated with a default security group.
Open All Ports Protocols Egress
Determines if the security group has all outbound ports or protocols open to the public.
Open HTTPS
Determines if TCP port 443 for HTTPS is open to the public.
Azure
Open HTTPS
Determines if TCP port 443 for HTTPS is open to the public.
Comment Control Enabled
Ensure Comment Control is enabled for all cloud build triggers.
Specific Source Branch
Ensure cloud build triggers are configured with a specific source branch.
User Approval Enabled
Ensure User Approval is enabled for all cloud build triggers.
Snapshot Encryption
Ensure Snapshots are encrypted using Customer Managed or Supplied Keys.
Cloud Function All Users Policy
Ensure cloud functions are not anonymously or publicly accessible.
Trigger has Tags
Ensure cloud build triggers have tags.
Topic All Users Policy
Ensure Pub/Sub topics are not anonymously or publicly accessible.
Binary Authorization Enabled
Ensure Binary Authorization is enabled on Kubernetes clusters.
Images CMK Encrypted
Ensure compute images are encrypted using Customer Managed or Supplied Keys.
Hot fixes and enhancements
Aqua will release the following on March 8, 2023.
Alibaba
Open Oracle
Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.
AWS
Open Oracle
Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.
Updated the resource ARN to use stack ID in results.
Azure
Java Version
The plugin was checking for an outdated version of Java. Modified the plugin to check for the latest version.
PHP Version
The plugin was checking for an outdated version of PHP. Modified the plugin to check for the latest version.
Open Oracle
Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.
Web Apps Backup Retention Period
The plugin was producing unknown results in case no backups were found. Fixed the plugin to produce positive results in case no backups for the web app are found.
The plugin was producing unknown results in case no backups were found. Fixed the plugin to produce negative results in case no backups are configured for web apps.
Open Oracle
Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.
SQL Configuration Logging
Modified the plugin logic to check for SQL instances before scanning for logging and generate positive results if no instances for SQL are found.
Storage Permissions Logging
Modified the plugin logic to check for storage bucket resources before scanning for logging and generate positive results if no resources for storage buckets are found.
VPC Firewall Rule Logging
Modified the plugin logic to check for VPC firewall rule resources before scanning for logging and generate positive results if no VPC firewall rule resources are found.
VPC Network Logging
Modified the plugin logic to check for VPC network resources before scanning for logging and generate positive results if no VPC network resources are found.
VPC Network Route Logging
Modified the plugin logic to check for VPC network routes before scanning for logging and generate positive results if no VPC network routes are found.
Oracle
Open Oracle
Modified the plugin to also check if TCP port 2483 for Oracle is open to the public.
New Regions
AWS
Added support for the following regions:
- ap-south-2
- ap-southeast-4
- eu-south-2
- eu-central-2
Azure
Added support for the following region:
- qatarcentral