Cloud Security Posture Management (CSPM)

v3.4.0

2 weeks ago

CloudSploit version 3.4.0, released on 2024-04-25, is the latest version. The update includes new plugins for AWS and Azure, along with hotfixes and enhancements to existing plugins. The details are as follows.

New Plugins

AWS

Bedrock

  • Custom Model Has Tags

CloudFormation

  • CloudFormation Deletion Policy In Use

Comprehend

  • Amazon Comprehend Flywheel In VPC

DynamoDB

  • DynamoDB Deletion Protection Enabled

GuardDuty

  • GuardDuty RDS Protection Enabled

Lambda

  • Lambda Dead Letter Queue
  • Lambda Enhanced Monitoring Enabled
  • Lambda Code Signing Enabled

Route 53

  • Route 53 In Use

OpenSearch

  • OpenSearch Audit Logs Enabled

WorkSpaces

  • WorkSpaces Healthy Instances

Azure

Automation Account

  • Automation Account Approved Certificates Only

Container Apps

  • Container Apps Authentication Enabled
  • Container Apps External Network Access
  • Container Apps Managed Identity

Cosmos DB

  • Cosmos DB Diagnostic Logs
  • Cosmos DB Managed Identity

Databricks

  • Databricks Workspace DBFS Infrastructure Encryption
  • Databricks Workspace Managed Services CMK Encrypted
  • Databricks Workspace Diagnostic Logs
  • Databricks Workspace Secure Cluster

Event Grid

  • Event Grid Domain Diagnostic Logs
  • Event Grid Domain Minimum TLS Version
  • Event Grid Domain Local Authentication Disabled
  • Event Grid Domain Managed Identity

Event Hub

  • Event Hubs Namespace CMK Encrypted

PostgreSQL Server

  • PostgreSQL Flexible Server Connection Throttling Enabled
  • PostgreSQL Flexible Server Log Disconnections Enabled

Hot fixes and enhancements

AWS

  1. Bedrock custom model plugins: Previously, the following plugins produced unknown results for regions in which the Bedrock custom model service is not available. The plugin logic has been updated to produce pass results for those regions.
  • Custom Model Encryption Enabled
  • Custom Model In VPC
  • Private Custom Model
  2. RDS Public Subnets: Fixed a bug that caused the plugin to produce false negative results when the RDS instance was not attached to a public subnet.

  3. Instance Limit: Previously, the plugin checked the maximum instance limit reported by AWS. Because the max_limit attribute is no longer supported by AWS, a Max Instance Count setting has been added so users can set the desired maximum number of instances in use per region.

Azure

  1. SQL Databases Data Masking Enabled: Updated the plugin logic to remove unnecessary unknown results.

  2. Updated the plugin info link for the following plugins:

  • Storage Account Queue Service Logging Enable
  • Storage Account Blob Service Logging Enable

Google

  1. Service Account Key Rotation: Updated the plugin to produce pass results when no user-managed service account key is found. Previously, the plugin results were skipped in that case.

v3.3.0

1 month ago

CloudSploit version 3.3.0, released on 2024-03-25, is the latest version. The update adds severities for the plugins of all clouds, support for new AWS and Azure regions, new plugin categories for Azure OpenAI Service and Vertex AI Service for GCP, a category change of several AWS services to 'AI & ML', and title and description changes for AWS and Azure plugins. It also includes new plugins for existing Azure and AWS services, along with hotfixes and enhancements to existing plugins. The details are as follows.

Severities

Added severities for all plugins of the following clouds:

  • Alibaba
  • AWS
  • Azure
  • GCP
  • GitHub
  • Oracle

Severities were assigned based on careful analysis of each service, taking into account compliance rules, a thorough documentation review, and customer complaints and suggestions. This approach ensures an accurate representation of the impact and importance of each plugin and service across AWS, Azure, GCP, Oracle, Alibaba, and GitHub, aligned with compliance standards.

New regions

AWS: Added support for the following regions:

  • il-central-1
  • ca-west-1

Azure: Added support for the following regions:

  • italynorth
  • israelcentral

Category changes

AWS: Changed the category of the following AWS services to AI and ML:

  • Amazon Bedrock
  • Amazon Comprehend
  • Amazon DevOps Guru
  • Amazon Forecast
  • Amazon Fraud Detector
  • Amazon Kendra
  • Amazon Lex
  • Amazon Lookout for Equipment
  • Amazon Lookout for Metrics
  • Amazon Lookout for Vision
  • Amazon SageMaker
  • Amazon Translate
  • Amazon HealthLake

Plugin title changes

Changed the title, description, and output messages for the following plugins:

AWS

  1. Firehose Delivery Streams CMK Encrypted is renamed to Firehose Delivery Stream Destination CMK Encrypted
  2. DynamoDB Unused Table is renamed to DynamoDB Empty Table

Azure

  1. PostgreSQL Server Services Access Disabled is renamed to PostgreSQL Server Services Network Access Disabled
  2. PostgreSQL Flexible Server Services Access Disabled is renamed to PostgreSQL Flexible Server Services Public Network Access Disabled

New Plugins

AWS

CodeStar

  • Code Star Has Tags

Azure

App Service

  • App Service Diagnostic Logging Enabled
  • Web Apps VNet Integrated
  • Web Apps Private Endpoints Configured
  • Web Apps Security Logging Enabled
  • Secure Azure Http Triggered Function
  • Node.js Version
  • Access Control Allow Credential Enabled

Application Gateway

  • Application Gateway HTTPS Listener
  • Application Gateway Request Body Size

App Configurations

  • App Configurations Has Tags
  • App Configuration Encryption At Rest with CMK

Automation Account

  • Automation Account Has Tags
  • Automation Account Valid Source Controls
  • Automation Account Expired Webhooks
  • Automation Account Public Access Disabled
  • Automation Account Encrypted Variables
  • Automation Account Private Endpoints Configured

Bastion

  • Bastion Host Diagnostic Logs Enabled
  • Bastion Host Has Tags

Blob Service

  • Blob Container CMK Encrypted

Container Registry

  • ACR Trusted Services Enabled

Defender

  • Enable Defender For Resource Manager
  • Enable Defender For CSPM
  • Enable Defender For APIs
  • Enable Defender For SQL Servers On Machines
  • Enable Defender For Cosmos DBs

Event Hub

  • Event Hub Public Access

Front Door

  • Front Door WAF Latest Default Rule Set

Key Vaults

  • Key Vaults Private Endpoint

Kubernetes Services

  • AKS API Server Authorized IP Ranges
  • AKS Cluster Host Based Encryption
  • AKS Cluster Managed Identity Enabled

Load Balancer

  • Load Balancer Public IP

Monitor

  • Log Analytics Public Workspace

Network Security Groups

  • NSG Flow Logs Enabled

Open AI

  • OpenAI Account CMK Encrypted
  • OpenAI Account Managed Identity Enabled
  • OpenAI Account Public Access Disabled
  • OpenAI Account Has Tags
  • OpenAI Account Diagnostic Logging Enabled

PostgreSQL Server

  • PostgreSQL Flexible Server Advanced Threat Protection

Redis Cache

  • Redis Cache VNet Integrated

Service Bus

  • Namespace Managed Identity
  • Service Bus Namespace Has Tags

SQL Databases

  • SQL Database Diagnostic Logging Enabled
  • SQL Database Data Discovery and Classification

SQL Server

  • SQL Server Managed Identity Enabled
  • SQL Server VNet Rules Integrated
  • SQL Server Services Access Disabled
  • SQL Server Connection Policy
  • Auditing Storage Authentication Type

Virtual Machines

  • Compute Gallery RBAC Sharing
  • VM Disk Public Access
  • VM Disk CMK Rotation
  • VM Disk Double Encryption

Virtual Machines Scale Sets

  • VMSS Windows AntiMalware Extension
  • Health Monitoring Extension HTTPS Enabled
  • Scale Sets Boot Diagnostics Enabled

Virtual Networks

  • Public IP Address DDos Protection
  • VNET Flow Logs Enabled

GCP

Vertex AI

  • Vertex AI Model Encryption
  • Vertex AI Model Labels Added
  • Vertex AI Dataset Encryption
  • Vertex AI Dataset Labels Added

Hot fixes and enhancements

AWS

  1. As per the AWS documentation, AWS now applies SSE to all bucket objects by default. Previously, the following plugins produced fail results when SSE was not enabled on the S3 bucket. The logic of the following plugins has been modified to produce a pass result by default when checking for server-side encryption:

    • S3 Bucket Enforce Object Encryption
    • Firehose Delivery Stream Destination CMK Encrypted
  2. Open RFC 1918: Updated the plugin's output message so it gives a more accurate description when RFC 1918 IP ranges are used.

  3. EKS Kubernetes Version: Modified the deprecation date for the following EKS versions: 1.23, 1.24, and 1.27.

  4. Lambda Old Runtimes: Modified the deprecation date for the following runtime environments: Node.js 16, Go 1, Java 8.

  5. SES Email Messages Encrypted: Added logic to exclude regions that do not have SES enabled.

Azure

  1. VM Security Type: Previously, the plugin only checked whether the trusted launch security type was configured. Added a setting for the desired security type for Azure virtual machines.

  2. No Network Gateways In Use: Previously, the plugin only checked whether a network gateway was in use. Added the Virtual Network Gateway Type setting with an empty default value; it can be used to check for the desired type of network gateway in use.

  3. Added the Ignore Internal Load Balancers setting, with a default value of false, to the following plugins. When set to true, the plugin ignores internal load balancers.

    • LB HTTPS Only
    • Load Balancer Has Tags
    • Load Balancer Log Analytics Enabled
    • LB No Instances

v3.2.0

5 months ago

CloudSploit version 3.2.0, released on 2023-12-08, is the latest version. The update adds new plugin categories for Azure Media Services and Service Bus, and a new plugin category for AWS Bedrock. It also includes new plugins for existing Azure and AWS services, along with hotfixes and enhancements to existing plugins. The details are as follows.

New Plugins

AWS

Bedrock

  • Custom Model Encryption Enabled
  • Private Custom Model
  • Custom Model In VPC
  • Bedrock Model Invocation Logging Enabled

Azure

Application Gateway

  • Application Gateway SSL Policy
  • Application Gateway Security Logging
  • Application Gateway Request Body Inspection

Front Door

  • Front Door HTTPS only
  • Front Door Security Logging
  • Front Door Waf Enabled
  • Front Door WAF Bot Protection
  • Front Door Request Body Inspection
  • Front Door WAF Detection Mode
  • Front Door WAF Rate limit
  • Front Door Domain Managed DNS

Media Services

  • Media Services Public Access Disabled
  • Media Services Diagnostic Logs Enabled
  • Media Services Managed Identity Enabled
  • Media Services Storage Account Managed Identity
  • Media Services Classic API Disabled

PostgreSQL Server

  • PostgreSQL Flexible Server SCRAM Enabled
  • PostgreSQL Diagnostic Logging Enabled
  • PostgreSQL Minimum TLS Version
  • PostgreSQL Server Private Endpoints Configured
  • PostgreSQL Encryption At Rest with BYOK
  • PostgreSQL Flexible Server Services Access Disabled
  • PostgreSQL Flexible Server Diagnostic Logging

Redis Cache

  • Redis Cache Private Endpoint

Service Bus

  • Namespace Encryption At Rest with CMK
  • Namespace Minimum TLS Version
  • Namespace Local Authentication Disabled
  • Namespace Logging Enabled

SQL Databases

  • Transparent Data Encryption Enabled
  • Database Private Link Enabled
  • Ledger Automatic Digest Storage
  • Database Secure Enclaves Encryption Enabled
  • Database Ledger Enabled
  • SQL Databases Data Masking Enabled

SQL Server

  • Microsoft Support Operations Auditing Enabled
  • Server Outbound Networking Restricted

Virtual Machines

  • VM vTPM Enabled
  • VM Security Type
  • VM Secure Boot Enabled
  • VM Disks Deletion Config

Hot fixes and enhancements

AWS

  • All Open Ports plugins: Added a setting to check for ENIs associated with security groups that have open ports. When this setting is enabled, the plugin produces a fail result if the ENI is exposed to the public.
  • S3 Bucket Has Tags: Updated the plugin to produce results on a regional basis instead of globally.
  • SSM Managed Instances: Updated the plugin to produce pass results if the instance is not in the running state.

Azure

  • Client Certificates Enabled: When HTTP version 2.0 is enabled, Azure ignores client certificates by default. Updated the plugin to check for client certificates only when HTTP 2.0 is not enabled; when HTTP 2.0 is enabled, the plugin produces a pass result.

v3.1.0

8 months ago

CloudSploit version 3.1.0, released on 2023-09-06, is the latest version. The update brings new plugins for Azure, AWS, and GCP, along with hotfixes and enhancements to existing plugins. The details are as follows.

New Plugins

AWS

  • App Mesh VG Health Check Policies
  • MQ Latest Engine Version
  • RDS Idle Instance Status
  • RDS CPU Alarm Threshold Exceeded
  • RDS Default Port
  • RDS Public Subnet
  • MQ Broker Public Accessibility
  • Password Policy Exists

Azure

  • VM Windows AntiMalware Extension
  • Virtual Networks Logging Enabled

Google

  • Open All Ports Egress
  • PostgreSQL Log Planner Stats Disabled
  • PostgreSQL Log Executor Stats Disabled
  • PostgreSQL Log Parser Stats Disabled

Hot fixes and enhancements

AWS

  • Email DKIM Enabled: Added pagination for the related AWS API call to avoid unknown results.

Azure

  The following plugins were updated to check for the default values from the ASC default policy:

  • Application Whitelisting Enabled
  • Monitor Blob Encryption
  • Monitor Disk Encryption
  • Monitor Endpoint Protection
  • Monitor External Accounts with Write Permissions
  • Monitor IP Forwarding
  • Monitor JIT Network Access
  • Monitor Next Generation Firewall
  • Monitor NSG Enabled
  • Monitor SQL Auditing
  • Monitor SQL Encryption
  • Monitor Total Number of Subscription Owners
  • Monitor System Updates
  • Monitor VM Vulnerability
  • Security Configuration Monitoring

Deprecated plugins

Azure Log Profile Retention Policy

v3.0.0

9 months ago

CloudSploit version 3.0.0, released on 2023-08-10, is the latest version. Version 3.0.0 introduces a number of changes from v2.0.0, including a change in the number of plugins for each cloud and the introduction of Alibaba Cloud.

Alibaba

Version 3.0.0 introduces scanning of Alibaba Cloud. To run it locally you need to replace the config for Alibaba.

  • After replacing the credentials for Alibaba, copy the credentials into the config.js file: cp config_example.js config.js

  • To run the Alibaba plugins, run the following: ./index.js --config=./config.js


New Plugins

The following summarizes the changes in plugin counts for the various cloud providers:

  • AWS: 379 plugins added. Total plugins now: 550

  • Azure: 155 plugins added. Total plugins now: 286

  • GitHub: No new plugins added. Total plugins remain: 10

  • Oracle: 34 plugins added. Total plugins now: 99

  • Google: 162 plugins added. Total plugins now: 250

v2.0.0

3 years ago

CloudSploit version 2.0.0 introduced a number of changes from the original CloudSploit release, designed to make running CloudSploit easier in multiple environment types, including command line and CI/CD systems.

Changes

  • The addition of the argparse library to enhance CLI option support
  • Formalizing several previously-hidden settings and options (e.g. saving the JSON collection, multiple output formats, suppressions, etc.)
  • The addition of the tty-table library for pretty-printed CLI output of results. This is now the default output, but it can be changed to text-only via the --console=text flag.
  • Improved documentation across the AWS, Azure, GCP, and OCI providers.
  • The use of a config.js file for storing cloud provider configuration options, making it easier to run CloudSploit against multiple accounts by passing the --config flag.
  • Fallback to the AWS credential chain, allowing users to get started running CloudSploit more quickly.
  • Addition of an .eslint file for developers of CloudSploit and CloudSploit plugins.
  • Formalizing CIS Benchmark options in the plugins using the compliance property.
  • Added the ability to run a single plugin directly from the CLI, without editing the exports.js file, by passing the --plugin pluginName flag.

Upgrade Guide

Please see the Upgrade Guide if you are moving from a version earlier than 2.0.0 to 2.0.0.