CloudSploit version 3.3.0 was released on 2024-03-25. The update adds severities to all cloud plugins, adds new AWS and Azure regions, introduces new plugin categories for Azure OpenAI Service and GCP Vertex AI Service, changes the category of several AWS services to 'AI & ML', and changes the title and description of some AWS and Azure plugins. It also adds new plugins for existing Azure and AWS services, along with hotfixes and enhancements to existing plugins. The details are as follows.
Severities
Added severities for all plugins of following clouds:
- Alibaba
- AWS
- Azure
- GCP
- GitHub
- Oracle
Severities were assigned after a careful analysis of each service, taking into account compliance rules, a thorough review of the documentation, customer complaints, and customer suggestions. This approach aims to represent accurately the impact and importance of each plugin and service across the AWS, Azure, GCP, Oracle, Alibaba, and GitHub platforms, in line with compliance standards.
New regions
AWS
Added support for the following regions:
- il-central-1
- ca-west-1
Azure
Added support for the following regions:
- italynorth
- israelcentral
Category changes
AWS
Changed category of the following AWS services to AI and ML:
- Amazon Bedrock
- Amazon Comprehend
- Amazon DevOps Guru
- Amazon Forecast
- Amazon Fraud Detector
- Amazon Kendra
- Amazon Lex
- Amazon Lookout for Equipment
- Amazon Lookout for Metrics
- Amazon Lookout for Vision
- Amazon SageMaker
- Amazon Translate
- Amazon HealthLake
Plugin title changes
Changed the title, description, and output messages for the following plugins:
AWS
- Firehose Delivery Streams CMK Encrypted is renamed to Firehose Delivery Stream Destination CMK Encrypted
- DynamoDB Unused Table is renamed to DynamoDB Empty Table
Azure
- PostgreSQL Server Services Access Disabled is renamed to PostgreSQL Server Services Network Access Disabled
- PostgreSQL Flexible Server Services Access Disabled is renamed to PostgreSQL Flexible Server Services Public Network Access Disabled
New Plugins
AWS
CodeStar
- Code Star Has Tags
Azure
App Service
- App Service Diagnostic Logging Enabled
- Web Apps VNet Integrated
- Web Apps Private Endpoints Configured
- Web Apps Security Logging Enabled
- Secure Azure Http Triggered Function
- Node.js Version
- Access Control Allow Credential Enabled
Application Gateway
- Application Gateway HTTPS Listener
- Application Gateway Request Body Size
App Configurations
- App Configurations Has Tags
- App Configuration Encryption At Rest with CMK
Automation Account
- Automation Account Has Tags
- Automation Account Valid Source Controls
- Automation Account Expired Webhooks
- Automation Account Public Access Disabled
- Automation Account Encrypted Variables
- Automation Account Private Endpoints Configured
Bastion
- Bastion Host Diagnostic Logs Enabled
- Bastion Host Has Tags
Blob Service
- Blob Container CMK Encrypted
Container Registry
- ACR Trusted Services Enabled
Defender
- Enable Defender For Resource Manager
- Enable Defender For CSPM
- Enable Defender For APIs
- Enable Defender For SQL Servers On Machines
- Enable Defender For Cosmos DBs
Event Hub
- Event Hub Public Access
Front Door
- Front Door WAF Latest Default Rule Set
Key Vaults
- Key Vaults Private Endpoint
Kubernetes Services
- AKS API Server Authorized IP Ranges
- AKS Cluster Host Based Encryption
- AKS Cluster Managed Identity Enabled
Load Balancer
- Load Balancer Public IP
Monitor
- Log Analytics Public Workspace
Network Security Groups
- NSG Flow Logs Enabled
Open AI
- OpenAI Account CMK Encrypted
- OpenAI Account Managed Identity Enabled
- OpenAI Account Public Access Disabled
- OpenAI Account Has Tags
- OpenAI Account Diagnostic Logging Enabled
PostgreSQL Server
- PostgreSQL Flexible Server Advanced Threat Protection
Redis Cache
- Redis Cache VNet Integrated
Service Bus
- Namespace Managed Identity
- Service Bus Namespace Has Tags
SQL Databases
- SQL Database Diagnostic Logging Enabled
- SQL Database Data Discovery and Classification
SQL Server
- SQL Server Managed Identity Enabled
- SQL Server VNet Rules Integrated
- SQL Server Services Access Disabled
- SQL Server Connection Policy
- Auditing Storage Authentication Type
Virtual Machines
- Compute Gallery RBAC Sharing
- VM Disk Public Access
- VM Disk CMK Rotation
- VM Disk Double Encryption
Virtual Machines Scale Sets
- VMSS Windows AntiMalware Extension
- Health Monitoring Extension HTTPS Enabled
- Scale Sets Boot Diagnostics Enabled
Virtual Networks
- Public IP Address DDos Protection
- VNET Flow Logs Enabled
GCP
Vertex AI
- Vertex AI Model Encryption
- Vertex AI Model Labels Added
- Vertex AI Dataset Encryption
- Vertex AI Dataset Labels Added
Hot fixes and enhancements
AWS
- S3 default encryption: As per the AWS documentation, AWS now applies server-side encryption (SSE) to all bucket objects by default. Previously, the following plugins failed when SSE was not enabled on an S3 bucket; their logic is now modified to produce a pass result by default when checking for server-side encryption:
  - S3 Bucket Enforce Object Encryption
  - Firehose Delivery Stream Destination CMK Encrypted
- Open RFC 1918: Updated the plugin's output message so it gives a more accurate description when RFC 1918 IP ranges are used.
- EKS Kubernetes Version: Modified the deprecation date for the following EKS versions: 1.23, 1.24, and 1.27.
- Lambda Old Runtimes: Modified the deprecation date for the following runtime environments: Node.js 16, Go 1, Java 8.
- SES Email Messages Encrypted: Added logic to exclude regions that do not have SES enabled.
Azure
- VM Security Type: Previously, the plugin checked only whether Trusted Launch was configured; a setting has been added to check for the desired security type for Azure virtual machines.
- No Network Gateways In Use: Previously, the plugin checked only whether a network gateway was in use. Added the Virtual Network Gateway Type setting with an empty default value; the setting can be used to check for the desired type of network gateways in use.
- Added the setting Ignore Internal Load Balancers to the following plugins, with the default value set to false. When set to true, the plugin ignores internal load balancers:
  - LB HTTPS Only
  - Load Balancer Has Tags
  - Load Balancer Log Analytics Enabled
  - LB No Instances
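The following is an added example, not CloudSploit's own plugin code, showing how an "ignore internal load balancers" setting with a default of false can be applied before a load balancer check runs. The load balancer objects are a constructed, simplified version of Azure's resource JSON (an Azure load balancer is internal when none of its frontend IP configurations is bound to a public IP address); the setting key `ignore_internal_load_balancers`, the `settingDefaults` map and the result shape are assumptions for illustration.

```javascript
// Added example (not CloudSploit's own plugin code): applying an
// "ignore internal load balancers" setting before a load balancer check.
// The setting key, defaults map and result format are assumptions.

// Constructed sample inventory: one internet-facing LB and one internal LB,
// shaped like a trimmed-down Azure Microsoft.Network/loadBalancers resource.
const sampleLoadBalancers = [
  {
    id: '/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/loadBalancers/public-lb',
    name: 'public-lb',
    tags: { env: 'prod' },
    frontendIPConfigurations: [
      { name: 'fe', publicIPAddress: { id: '/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/pip1' } },
    ],
  },
  {
    id: '/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/loadBalancers/internal-lb',
    name: 'internal-lb',
    tags: {},
    frontendIPConfigurations: [
      { name: 'fe', privateIPAddress: '10.0.1.4', subnet: { id: '/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app' } },
    ],
  },
];

// Plugin settings as a string key/value map with a documented default:
// 'false' means internal load balancers are evaluated like any other.
const settingDefaults = { ignore_internal_load_balancers: 'false' };

// An Azure load balancer is internal when it has frontend IP configurations
// and none of them references a public IP address. A load balancer with no
// frontend configuration at all cannot be classified, so it is not skipped.
function isInternalLoadBalancer(lb) {
  const fes = lb.frontendIPConfigurations || [];
  return fes.length > 0 && fes.every((fe) => !fe.publicIPAddress);
}

// Select the load balancers a check should evaluate, honouring the setting.
function selectLoadBalancers(loadBalancers, settings = {}) {
  const raw = settings.ignore_internal_load_balancers ?? settingDefaults.ignore_internal_load_balancers;
  const ignoreInternal = String(raw) === 'true';
  return loadBalancers.filter((lb) => !(ignoreInternal && isInternalLoadBalancer(lb)));
}

// A minimal "Load Balancer Has Tags"-style check built on the selection above.
// Returns one result per evaluated load balancer: status 0 = PASS, 2 = FAIL.
function loadBalancerHasTags(loadBalancers, settings = {}) {
  return selectLoadBalancers(loadBalancers, settings).map((lb) => {
    const tagged = Boolean(lb.tags) && Object.keys(lb.tags).length > 0;
    return {
      resource: lb.id,
      status: tagged ? 0 : 2,
      message: tagged ? 'Load balancer has tags' : 'Load balancer does not have tags',
    };
  });
}

// Stand-alone run: default settings evaluate both load balancers, the
// override skips the internal one.
console.log(loadBalancerHasTags(sampleLoadBalancers));
console.log(loadBalancerHasTags(sampleLoadBalancers, { ignore_internal_load_balancers: 'true' }));
```

With the default value the internal load balancer still produces a FAIL for missing tags; only an explicit `'true'` removes it from the result set, which is the behaviour the release notes describe for the four plugins listed above.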