CloudSploit version 3.5.0, released on 2024-05-28, is the latest release. The update adds new plugins for AWS and Azure, along with hotfixes and enhancements to existing plugins. The details are as follows.
New Plugins
AWS
Bedrock
- AWS Bedrock In Use
Neptune
- Neptune Database IAM Authentication Enabled
- Neptune Database Deletion Protection Enabled
- Neptune Database Multiple AZ
- Neptune Database Instance Backup Retention
DocumentDB
- DocumentDB Has Tags
- DocumentDB Cluster Deletion Protection
SQS
- SQS Has Tags
WAFV2
- Web ACL Logging Enabled
Azure
Batch Account
- Batch Account CMK Encrypted
App Configuration
- App Configuration Access Key Authentication Disabled
Container App
- Container Apps Volume Mount Configured
- Container Apps Has Tags
Cosmos DB
- Cosmos DB Local Authentication Disabled
Databricks
- Databricks Workspace Managed Disk CMK Encrypted
- Databricks Workspace Has Tags
Event Hub
- Event Hubs Namespace Has Tags
- Event Hubs Namespace Diagnostic Logs
- Event Hub Namespace Local Auth Disabled
- Event Hubs Namespace Managed Identity
Front Door
- Front Door Managed Identity Enabled
Machine Learning
- Machine Learning Workspace Has Tags
- Machine Learning Workspace Public Access Disabled
- Machine Learning Workspace Diagnostic Logs
Log Alerts
- PostgreSQL Flexible Server Logging Enabled
PostgreSQL Server
- PostgreSQL Flexible Server Log Duration Enabled
Hotfixes and enhancements
AWS
- KMS Key Rotation
Automatic key rotation is only available for keys of type SYMMETRIC_DEFAULT. Updated the plugin to produce passing results for key types that do not support key rotation, instead of failing them.
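The check described above, written out as an added example (this is illustrative code, not CloudSploit's own plugin source). It evaluates a list of KMS keys shaped like the merged output of DescribeKey and GetKeyRotationStatus, passes any key whose KeySpec is not SYMMETRIC_DEFAULT, and reports UNKNOWN when the metadata or rotation status is missing. The numeric status codes (0 PASS, 2 FAIL, 3 UNKNOWN) and the sample keys are assumptions made for the example.

```javascript
// Added example, not CloudSploit's own plugin code: evaluate KMS key rotation
// as the 3.5.0 hotfix describes. Automatic rotation exists only for
// SYMMETRIC_DEFAULT keys, so any other key spec passes instead of failing.
// Status codes assume CloudSploit's convention: 0 PASS, 2 FAIL, 3 UNKNOWN.
const PASS = 0;
const FAIL = 2;
const UNKNOWN = 3;

// `keys` mimics the merged shape of KMS DescribeKey (KeyMetadata) and
// GetKeyRotationStatus (rotation) responses; a missing field models an API
// call that failed or was skipped.
function evaluateKeyRotation(keys) {
  return keys.map(function (key) {
    const meta = key.KeyMetadata || {};
    const keyId = meta.KeyId || 'unknown';

    if (!meta.KeySpec) {
      return { keyId: keyId, status: UNKNOWN, message: 'Unable to query KMS key metadata' };
    }
    // Rotation cannot be configured on asymmetric or HMAC keys, so there is
    // nothing to flag: report PASS rather than FAIL.
    if (meta.KeySpec !== 'SYMMETRIC_DEFAULT') {
      return {
        keyId: keyId,
        status: PASS,
        message: 'Key spec ' + meta.KeySpec + ' does not support automatic key rotation',
      };
    }
    if (!key.rotation || typeof key.rotation.KeyRotationEnabled !== 'boolean') {
      return { keyId: keyId, status: UNKNOWN, message: 'Unable to query KMS key rotation status' };
    }
    return key.rotation.KeyRotationEnabled
      ? { keyId: keyId, status: PASS, message: 'Key rotation is enabled' }
      : { keyId: keyId, status: FAIL, message: 'Key rotation is not enabled' };
  });
}

// Constructed sample keys (placeholders, not data from a real account).
const SAMPLE_KEYS = [
  { KeyMetadata: { KeyId: 'sym-rotated', KeySpec: 'SYMMETRIC_DEFAULT' },
    rotation: { KeyRotationEnabled: true } },
  { KeyMetadata: { KeyId: 'sym-unrotated', KeySpec: 'SYMMETRIC_DEFAULT' },
    rotation: { KeyRotationEnabled: false } },
  { KeyMetadata: { KeyId: 'rsa-signing', KeySpec: 'RSA_4096' } },
  { KeyMetadata: { KeyId: 'hmac-key', KeySpec: 'HMAC_256' } },
  { KeyMetadata: { KeyId: 'sym-no-rotation-data', KeySpec: 'SYMMETRIC_DEFAULT' } },
  { KeyMetadata: { KeyId: 'no-metadata' } },
];

console.log(evaluateKeyRotation(SAMPLE_KEYS));
```

Only the two SYMMETRIC_DEFAULT keys with a known rotation status produce a PASS/FAIL verdict; the RSA and HMAC keys pass because rotation cannot be enabled on them, and the two keys with incomplete data are reported as UNKNOWN rather than silently failed.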
- ELBv2 TLS Version and Cipher Header Enabled
Updated the plugin logic to check that the TLS version and cipher suite headers are disabled. When enabled, these headers expose the negotiated TLS version and cipher to the load balancer's targets and may leak sensitive information, so the plugin now fails when the headers are enabled. Updated the title, description and output message; the plugin is renamed to ELBv2 TLS Version and Cipher Header Disabled.
- EKS Kubernetes Version
Updated the deprecation dates for EKS Kubernetes versions. For the list of supported versions, refer to https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html
- EKS Latest Platform Version
Updated the deprecation dates and the latest platform version for each EKS Kubernetes version. For the list of current platform versions, refer to https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
- Lambda Old Runtimes
Updated the end-of-life dates for Lambda runtime versions. For the list of runtime deprecation dates, refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy
Azure
- Load Balancer Public IP
Revised the title, description, more info, recommended actions and output message of the plugin, which checks whether Azure Load Balancers are publicly exposed, so that results can be judged against your organization's security compliance and availability needs. The plugin title is renamed to Public Load Balancer.
- PostgreSQL Flexible Server Version
Earlier the plugin checked for the latest version, which was 13. Modified the latest version of the flexible server from 13 to 16.
- Microsoft Support Operations Auditing Enabled
Updated the plugin to produce unknown results if it is unable to retrieve audit policies; previously it produced failed results when no audit policies were present in the data.
- Storage Account Blob Service Logging Enabled, Storage Account Queue Service Logging Enabled and Storage Account Table Service Logging Enabled
Previously, these plugins checked the diagnostic logs of the blob, queue and table services for both V1 and V2 storage account types. A premium (V1) storage account only provides the single service of its specific account kind, so diagnostic logs can only be enabled for that service; the plugins now produce pass results when the storage account type is premium.
- PostgreSQL Latest Version
Earlier the plugin checked for the latest version, which was 14. Modified the latest version of PostgreSQL server from 14 to 15.