On June 26, 2023, Aqua will release and activate the following new plugins. They can be tested using the Live Run tool and optionally suppressed if required. If you have selected the Suppress All New Plugins option from the Account Settings page, no action is required -- they will be pre-suppressed in your account before release.

New plugins

AWS

API Gateway Authorization

Ensures that Amazon API Gateway APIs are using an authorizer.

EBS Volumes Recent Snapshots

Ensures that each EBS volume has had a snapshot within the last 7 days.

EC2 CPU Alarm Threshold Exceeded

Ensures EC2 instances do not exceed the alarm threshold for CPU utilization.

Amazon ECR Scan on Push

Ensures Amazon ECR container images are automatically scanned for security vulnerabilities after being pushed to a repository.

ELB Unhealthy Instances

Ensures that AWS ELBs have healthy instances attached.

ELBv2 Unhealthy Instances

Ensures that ELBv2 load balancers have healthy instances attached.

EMR Cluster has Tags

Ensures that EMR clusters have tags associated.

S3 GuardDuty Enabled

Ensures GuardDuty is enabled for S3 buckets.

OpenSearch Version

Ensures OpenSearch domains are using the latest engine version.

RDS MySQL Vulnerability Check

Ensures RDS MySQL instances are not vulnerable to specific CVEs.

RDS Default Master UserName

Ensures that RDS instances do not have a default master username.

RDS Instance Generation

Ensures that AWS RDS instances are not using an older generation of EC2 instance types.

Underutilized Redshift Cluster Check

Ensures Redshift clusters are not underutilized.

SNS Subscription HTTPS Only

Ensures that Amazon SNS subscriptions are configured to use HTTPS protocol.

SNS Topic HTTP Protocol Restriction

Ensures SNS topics do not allow HTTP protocol.


Azure

Azure Bastion Host Exists

Ensures that there is at least one Bastion host in the Azure subscription.

ACR CMK Encryption

Ensures that Microsoft Azure Container registries have CMK encryption enabled.

ACR Public Access

Ensures that Azure Container registries are not publicly accessible.

Enable Defender for Key Vaults

Ensures that Microsoft Defender for Key Vaults is enabled.

Event Grid Domain Public Access

Ensures that Azure Event Grid domains are not publicly accessible.

Monitor Resource SKU

Ensures that basic or consumption SKUs are not used on artifacts that need to be monitored.

PostgreSQL Server Services Access Disabled

Ensures that PostgreSQL servers do not allow access to other Azure services.

Recovery Services Vault BYOK Encrypted

Ensures that Microsoft Azure Recovery Services Vaults have BYOK encryption enabled.

Resource Group has Tags

Ensures that Azure resource groups have tags associated.

Infrastructure Encryption Enabled

Ensures that Azure Storage Accounts have infrastructure encryption enabled.

Storage Account Private Endpoints

Ensures that Azure Storage accounts are accessible only through private endpoints.

Azure Subscription has Tags

Ensures that Azure subscriptions have tags associated.

VM System-Assigned Identity Enabled

Ensures that virtual machines have system-assigned managed identities enabled.


Google

BigQuery Admin

Ensures that there are no IAM Users with BigQuery Admin, BigQuery Data Owner, or BigQuery Data Editor role at the project level.

Bigtable Admin

Ensures that there are no IAM Users with Bigtable Administrator role at the project level.

Client Certificate Disabled

Ensures that client certificate authentication to Kubernetes clusters is disabled.

Pub/Sub Admin

Ensures that there are no IAM Users with Pub/Sub Administrator role at the project level.


Hot fixes and enhancements

Aqua will release the following on June 26, 2023.


AWS

ElastiCache Engine Versions for Redis

Added a check for the non-recommended version 3.2.6 of the Redis engine.


Azure

High Severity Alerts Enabled

Added a plugin setting that allows the minimum desired severity level for email alert notifications to be set to low, medium, or high.

Authentication Enabled

Modified the plugin logic to ignore Logic Apps, because authentication is enabled on Logic Apps by default.

Key Vault Log Analytics Enabled

Changed the category from Monitor to Key Vaults and the domain from Management and Governance to Application Integration.

Load Balancer Log Analytics Enabled

Changed the category from Monitor to Load Balancer and the domain from Management and Governance to Availability.

NSG Log Analytics Enabled

Changed the category from Monitor to Network Security Groups and the domain from Management and Governance to Network Access Control.

New Regions

AWS

Added support for the following regions:

  • ap-southeast-3

Azure

Added support for the following region:

  • polandcentral