CloudSploit version 3.10.0 is the latest release, published on 2024-11-15. The update includes new plugins for Azure and AWS, along with hotfixes and enhancements to existing plugins. The details are as follows.
New Plugin
Azure
Storage Account Public Network Access
- Description: Ensure that 'Public Network Access' is disabled for storage accounts.
- More Info: Disabling public network access for Azure storage accounts enhances security by blocking anonymous access to data in containers and blobs. This restriction ensures that only trusted network sources can access the storage, reducing the risk of unauthorized access and data exposure.
Hot fixes and enhancements
Azure
Plugins divided into specific resource type checks
To correctly map the plugins with compliance controls, these plugins have been divided into specific resource type checks:
Disk Volumes BYOK Encryption Enabled
This plugin ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled. The plugin has been divided into two specific versions:
- Attached Disk Volumes BYOK Encryption Enabled: Ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.
- Unattached Disk Volumes BYOK Encryption Enabled: Ensures that unattached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.
Key Vault Key Expiry
This plugin proactively checks key vault key expiry dates and rotates keys before expiry is reached. The Key Vault Key Expiry plugin has been split to accommodate different key vault access configurations:
- Key Vault Key Expiry Non RBAC: Ensures that an expiration date is set for all keys within key vaults that do not have Role-Based Access Control (RBAC) enabled.
- Key Vault Key Expiry RBAC: Ensures that an expiration date is set for all keys within RBAC-enabled key vaults.
Key Vault Secret Expiry
This plugin proactively checks key vault secret expiry dates and rotates secrets before expiry is reached. The Key Vault Secret Expiry plugin has also been divided for improved specificity based on key vault access configurations:
- Key Vault Secret Expiry Non RBAC: Ensures that an expiration date is set for all secrets within key vaults that do not have RBAC enabled.
- Key Vault Secret Expiry RBAC: Ensures that an expiration date is set for all secrets within RBAC-enabled key vaults.
Other changes
- Enable Defender For SQL Servers
We added a setting to check for Defender at the subscription level as well as at the server level. By default, the setting checks Defender for SQL servers at the subscription level. If the setting is set to 'resource', the plugin checks Defender for each SQL server individually.
- The following plugins have been refactored to also include support for Managed Instances:
  - TDE Protector Encrypted
  - Transparent Data Encryption Enabled
- Permissions required for the above two plugins:
  - "Microsoft.Sql/managedInstances/read"
  - "Microsoft.Sql/managedInstances/encryptionProtector/read"
- As Microsoft Azure has deprecated support for TLS 1.0 and TLS 1.1, we have revisited our plugins to end support for these versions:
  - Event Hubs Minimum TLS Version
  - SQL Server Minimum TLS Version
  - Storage Accounts Minimum TLS Version
  Please refer to the following official documentation for more details.
- We have revisited our compliance mappings for the following controls and updated the plugins for these controls:
  - To meet the compliance control requirements, the plugin mapped to this control has been changed from Key Vault Logging Enabled to Key Vault Log Analytics Enabled.
  - To meet the compliance control requirements, the plugin mapped to this control has been changed from TDE Protector Encrypted to Transparent Data Encryption Enabled.
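To make the storage account checks above concrete (Public Network Access disabled, and minimum TLS version no lower than 1.2), here is an added example that is not CloudSploit's own plugin code: it evaluates constructed storage account records and reports a pass/fail result per check. It assumes the Azure Resource Manager property names `publicNetworkAccess` and `minimumTlsVersion`, placeholder resource ids, and the 0 = PASS / 2 = FAIL status convention.

```javascript
// Added example, not CloudSploit's plugin code. Evaluates Azure storage accounts
// against the Public Network Access and Minimum TLS Version checks. Property
// names follow the Azure Resource Manager storage account schema (assumption).
// Statuses use the CloudSploit convention 0 = PASS, 2 = FAIL (assumption).

const TLS_RANK = { TLS1_0: 0, TLS1_1: 1, TLS1_2: 2, TLS1_3: 3 };
const REQUIRED_TLS = 'TLS1_2'; // TLS 1.0 and 1.1 are no longer acceptable

function checkPublicNetworkAccess(account) {
  // Conservative assumption: a missing property means the account is publicly reachable.
  const value = account.publicNetworkAccess || 'Enabled';
  return value === 'Disabled'
    ? { status: 0, message: 'Public network access is disabled' }
    : { status: 2, message: `Public network access is ${value}` };
}

function checkMinimumTlsVersion(account) {
  // Assumption: an account with no minimumTlsVersion set still accepts TLS 1.0.
  const value = account.minimumTlsVersion || 'TLS1_0';
  const rank = TLS_RANK[value];
  const compliant = rank !== undefined && rank >= TLS_RANK[REQUIRED_TLS];
  return compliant
    ? { status: 0, message: `Minimum TLS version is ${value}` }
    : { status: 2, message: `Minimum TLS version is ${value}; ${REQUIRED_TLS} or higher required` };
}

// Runs both checks over every account and returns one result object per resource.
function evaluateStorageAccounts(accounts) {
  return accounts.map((account) => ({
    resource: account.id,
    publicNetworkAccess: checkPublicNetworkAccess(account),
    minimumTlsVersion: checkMinimumTlsVersion(account),
  }));
}

// Constructed sample records (placeholder subscription and resource ids).
const SAMPLE_ACCOUNTS = [
  { id: '/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/hardened',
    publicNetworkAccess: 'Disabled', minimumTlsVersion: 'TLS1_2' },
  { id: '/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/legacy',
    publicNetworkAccess: 'Enabled', minimumTlsVersion: 'TLS1_0' },
  { id: '/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/unset' },
];

for (const result of evaluateStorageAccounts(SAMPLE_ACCOUNTS)) {
  const name = result.resource.split('/').pop();
  console.log(name, '|', result.publicNetworkAccess.message, '|', result.minimumTlsVersion.message);
}
```

The third record shows why unset properties matter: an account that never had either setting written still fails both checks rather than silently passing.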
Deprecated plugin
As Azure has deprecated certain policy assignments, Aqua is deprecating the plugin that checks for those outdated assignments:
- Application Whitelisting Enabled
What's Changed
- syncing with saas by @alphadev4 in #2113
- Azure/Storage-Account-Public-Network-Access by @AkhtarAmir in #2112
- Revised TDE Protectors Encrypted Plugin Update by @AkhtarAmir in #2101
- Enable defender for sql servers by @AkhtarAmir in #2102
- Revised diskByokEncryptionEnabled by @AkhtarAmir in #2103
- Revised unAttachedDiskByokEncryptionEnabled by @AkhtarAmir in #2104
- Revised dbTDEEnabled by @AkhtarAmir in #2110
- Revised keyVaultSecretExpiryNonRbac by @AkhtarAmir in #2109
- Revised keyVaultSecretExpiry by @AkhtarAmir in #2108
- Revised keyVaultKeyExpiryNonRbac (2) by @AkhtarAmir in #2106
- Revised keyVaultKeyExpiry by @AkhtarAmir in #2105
- TLS Version Changes by @AkhtarAmir in #2115
Full Changelog: v3.9.0...v3.10.0