On April 12th, 2023, Aqua will release and activate the following new plugins. They can be tested using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, no action is required -- they will be pre-suppressed in your account before release.

New plugins


DynamoDB Unused Table

Ensure that Amazon DynamoDB unused tables are removed to optimize costs.

ELBv2 Cross-Zone Load Balancing

Ensure that AWS ELBv2 load balancers have cross-zone load balancing enabled.

Web ACL Rules Default Action

Ensure that default Web ACL action is set to "Block" for ACL rules with allow action.

Backup Vault Policies

Ensures Backup Vault policies are properly scoped with specific permissions.

OpenSearch Collection Public Access

Ensures that OpenSearch Serverless collections are not publicly accessible.

OpenSearch Collection CMK Encryption

Ensures that OpenSearch Serverless collections are encrypted with KMS Customer Master Keys (CMKs).

AWS WAFV2 CloudWatch Metrics Enabled

Ensure that AWS CloudWatch metrics is enabled for WAFV2 Web ACL rules.


Service Account Role

Ensure no Service Account exists without any associated role.

Cloud Function Serverless VPC Access

Ensure CloudFunctions are allowed to access only VPC resources.

Instance Default Network

Ensure no VM instances exist in default network.

Environment Labels Added

Ensure all Composer environments have labels added.

Airflow Web Server Public Access

Ensure Compose Airflow web server is not open to the world.

Environment Default Service Account

Ensure Compose environment is not using the default compute engine service account.

Environment Encryption

Ensure Compose environments have encryption enabled using desired protection level.

Hot fixes and enhancements

Aqua will release the following on April 12, 2023.


Renamed Elasticsearch Service Plugins to OpenSearch

Modified the plugin names, categories, messages and permissions to use the OpenSearch service. 


Application Gateway WAF Prevention Mode Enabled

The plugin was generating false negative results while checking the prevention mode for waf policy. Fixed the logic error to check for Application Gateway Waf Policy Prevention Mode instead of checking the prevention mode for Application Gateway.