CloudSploit will be deploying the following plugins on Thursday, August 8th at 6PM ET. These plugins can be pre-suppressed from the "Suppressions" page ahead of this release if you prefer not to take advantage of these checks.

AWS Cloud:

1. Shield Advanced Enabled - Ensures AWS Shield Advanced is set up and properly configured
2. Shield Emergency Contacts - Ensures AWS Shield emergency contacts are configured
3. Shield Protections - Ensures AWS Shield Advanced is configured to protect account resources
4. EKS Kubernetes Version - Ensures the latest version of Kubernetes is installed on EKS clusters
5. EKS Logging Enabled - Ensures all EKS cluster logs are being sent to CloudWatch
6. EKS Private Endpoint - Ensures the private endpoint setting is enabled for EKS clusters
7. EKS Security Groups - Ensures the EKS control plane only allows inbound traffic on port 443
8. ECR Repository Policy - Ensures ECR repository policies do not enable global or public access to images

Azure Cloud:

1. Log Storage Encryption - Ensures BYOK encryption is properly configured in the Activity Log Storage Account
2. Log Container Public Access - Ensures that the Activity Log Container does not have public read access
3. Autoscale Enabled - Ensures Autoscaling is enabled on Resource Groups
4. NSG Log Analytics Enabled - Ensures Network Security Groups logs are sent to the Log Analytics workspace
5. Log Profile Archive Data - Ensures the Log Profile is configured to export all activities from the control/management plane in all active locations
6. Security Configuration Monitoring - Ensures that Security Configuration Monitoring is set to audit on the Default Policy
7. Resources Allowed Locations - Ensures deployed resources and resource groups belong to the list set in the Allowed locations for resource groups policy
8. Resource Location Matches Resource Group - Ensures deployed resources match the resource groups they are in, as well as ensuring the Audit resource location matches resource group location policy is assigned
9. Enforce SSL Connection Enabled - Ensures SSL connection is set on MySQL Servers
10. TDE Protector Encrypted - Ensures SQL server's TDE protector is encrypted with BYOK (Use your own key)
11. Key Expiration Enabled - Ensures that all Keys in Azure Key Vault have an expiry time set
12. Monitor Blob Encryption - Ensures that Blob Storage Encryption monitoring is enabled
13. RBAC Enabled - Ensures that RBAC is enabled on all Azure Kubernetes Service instances

Oracle Cloud:

1. Open Hadoop HDFS NameNode Metadata Service - Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public.
2. Open Hadoop HDFS NameNode WebUI - Determine if TCP ports 50070 and 50470 for Hadoop/HDFS NameNode WebUI service are open to the public
3. Open Kibana - Determine if TCP port 5601 for Kibana is open to the public
4. Open SMTP - Determine if TCP port 25 for SMTP is open to the public
5. Bucket Public Access Type - Ensures Object Store buckets do not allow global write, delete, or read permissions