On April 12th, 2023, Aqua will release and activate the following new plugins. They can be tested using the "Live Run" tool and optionally suppressed if required. If you have selected the "Suppress All New Plugins" option from the "Account Settings" page, no action is required -- they will be pre-suppressed in your account before release.
DynamoDB Unused Table
Ensure that unused Amazon DynamoDB tables are removed to optimize costs.
ELBv2 Cross-Zone Load Balancing
Ensure that AWS ELBv2 load balancers have cross-zone load balancing enabled.
Web ACL Rules Default Action
Ensure that the default Web ACL action is set to "Block" for Web ACLs whose rules use the allow action.
Backup Vault Policies
Ensures Backup Vault policies are properly scoped with specific permissions.
OpenSearch Collection Public Access
Ensures that OpenSearch Serverless collections are not publicly accessible.
OpenSearch Collection CMK Encryption
Ensures that OpenSearch Serverless collections are encrypted with KMS Customer Master Keys (CMKs).
AWS WAFV2 CloudWatch Metrics Enabled
Ensure that AWS CloudWatch metrics are enabled for WAFV2 Web ACL rules.
Service Account Role
Ensure no Service Account exists without any associated role.
Cloud Function Serverless VPC Access
Ensure Cloud Functions are allowed to access only VPC resources.
Instance Default Network
Ensure no VM instances exist in the default network.
Environment Labels Added
Ensure all Composer environments have labels added.
Airflow Web Server Public Access
Ensure the Composer Airflow web server is not open to the world.
Environment Default Service Account
Ensure Composer environments are not using the default Compute Engine service account.
Ensure Composer environments have encryption enabled using the desired protection level.
Hot fixes and enhancements
Aqua will release the following on April 12, 2023.
Renamed Elasticsearch Service Plugins to OpenSearch
Modified the plugin names, categories, messages, and permissions to refer to the OpenSearch service.
Application Gateway WAF Prevention Mode Enabled
The plugin was generating false negative results while checking the prevention mode for the WAF policy. Fixed the logic error so that the plugin checks the prevention mode of the Application Gateway WAF Policy instead of the prevention mode on the Application Gateway itself.