On September 12, 2023, Aqua will release and activate the following new plugins. They can be tested using the Live Rutool and optionally suppressed if required. If you have selected the Suppress All New Plugins option from the Account Settings page, no action is required -- they will be pre-suppressed in your account before release.

New plugins


App Mesh VG Health Check Policies

Ensure that Amazon App Mesh virtual gateways use health check policies to monitor the availability of virtual nodes.

MQ Latest Engine Version

Ensure that Amazon MQ brokers are using the latest version of Apache ActiveMQ broker engine.

RDS Idle Instance Status

Identify RDS instance having CPU utilization below defined threshold within last 7 days (idle instance).

RDS CPU Alarm Threshold Exceeded

Ensure RDS instances do not exceed the alarm threshold for CPU utilization.

RDS Default Port

Ensure RDS database instances are not using the default ports.

RDS Public Subnet

Ensures RDS database instances are not deployed in public subnet.

MQ Broker Public Accessibility

Ensure that Amazon MQ brokers are not publicly accessible.

Password Policy Exists

Ensures that password policy is set for IAM users.


VM Windows AntiMalware Extension

Ensures that Windows Virtual Machine have IaaS AntiMalware extension installed.

Virtual Networks Logging Enabled

Ensure that Microsoft Virtual Networks have diagnostic logs enabled.


Open All Ports Egress

Ensure no firewall rules allow egress to all ports and protocols.

PostgreSQL Log Planner Stats Disabled

Ensures SQL instances for PostgreSQL type have log_planner_stats flag set to "off".

PostgreSQL Log Executor Stats Disabled

Ensures SQL instances for PostgreSQL type have log_executor_stats flag set to "off".

PostgreSQL Log Parser Stats Disabled

Ensures SQL instances for PostgreSQL type have log_parser_stats flag set to "off".

Hot fixes and enhancements

Aqua will release the following on September 12, 2023.


Email DKIM Enabled

Adding pagination for the related AWS API to avoid unknown results.


These plugins were updated to check for default values from the ASC default policy:

  • Application Whitelisting Enabled
  • Monitor Blob Encryption
  • Monitor Disk Encryption
  • Monitor Endpoint Protection
  • Monitor External Accounts with Write Permissions
  • Monitor IP Forwarding
  • Monitor JIT Network Access
  • Monitor Next Generation Firewall
  • Monitor NSG Enabled
  • Monitor SQL Auditing
  • Monitor SQL Encryption
  • Monitor Total Number of Subscription Owners
  • Monitor System Updates
  • Monitor VM Vulnerability
  • Security Configuration Monitoring

Deprecated plugins 


Log Profile Retention Policy

Log profiles are the legacy method for sending the activity log to storage or event hubs. Activity log events are retained in Azure for 90 days and then deleted. This functionality have been transitioned to diagnostic setting. Diagnostic settings are available for each individual cloud resource within a subscription.

For more information refer to this link.