
Releases: aquasecurity/cloudsploit

v3.9.0

24 Sep 09:03
90cff06

CloudSploit version 3.9.0 is the latest version as of 2024-09-18. The update includes new plugins for AWS and Azure, along with hotfixes and enhancements to existing plugins. The details are as follows.


New Plugins

AWS

EKS

  • EKS GuardDuty Enabled

QLDB

  • Ledger Deletion Protection
  • Ledger Has Tags

Managed Blockchain

  • Managed Blockchain Network Member CloudWatch Logs

Azure

Batch Account

  • Batch Account Managed Identity

Container Apps

  • Container Apps IP Restriction Configured

Machine Learning

  • Machine Learning Registry Has Tags
  • Machine Learning Registry Public Access Disabled
  • Machine Learning Workspace Data CMK Encrypted
  • Machine Learning Workspace High Business Impact Enabled

MySQL

  • MySQL Flexible Server CMK Encrypted
  • MySQL Flexible Server Logging Enabled

Synapse

  • Synapse Workspace Diagnostic Logging Enabled
  • Synapse Workspace Double Encryption Enabled
  • Synapse Workspace Has Tags

Hot fixes and enhancements

AWS

Encryption Level Setting
Updated the default value of the encryption level setting to awskms for all AWS encryption plugins that have a desired encryption
level setting. This ensures that resources are checked to verify that they meet the required encryption level of awskms by default.
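To make the "desired encryption level" comparison concrete, here is an added example (not CloudSploit's own helper code) of how such a check behaves with awskms as the default. The level ordering none < sse < awskms < awscmk < externalcmk < cloudhsm is stated here as an assumption about the convention the AWS encryption plugins follow; the level of a key-backed resource is derived from the KMS DescribeKey fields KeyManager and Origin. All sample keys and resources are constructed.

```javascript
// Added example: desired-encryption-level check with 'awskms' as the default.
// Ordering below is an assumption about the ranking the encryption plugins use.
const ENCRYPTION_LEVELS = ['none', 'sse', 'awskms', 'awscmk', 'externalcmk', 'cloudhsm'];
const DEFAULT_DESIRED_LEVEL = 'awskms';

// Derive the encryption level of a resource from its encryption config and, when
// it references a KMS key, from that key's metadata (KeyManager / Origin as returned
// by KMS DescribeKey). Returns null when the referenced key cannot be found.
function encryptionLevel(resource, kmsKeys) {
  if (!resource.encrypted) return 'none';
  if (!resource.kmsKeyId) return 'sse';            // provider-managed SSE, no KMS key involved
  const key = kmsKeys[resource.kmsKeyId];
  if (!key) return null;                            // key not visible to the scan
  if (key.KeyManager === 'AWS') return 'awskms';    // AWS-managed key (aws/<service>)
  if (key.Origin === 'AWS_CLOUDHSM') return 'cloudhsm';
  if (key.Origin === 'EXTERNAL') return 'externalcmk';
  return 'awscmk';                                  // customer-managed key created in KMS
}

function levelRank(level) {
  return ENCRYPTION_LEVELS.indexOf(level);
}

// Status codes follow the CloudSploit convention: 0 = PASS, 2 = FAIL, 3 = UNKNOWN.
// settings.desiredEncryptionLevel is a hypothetical setting name for this example.
function evaluateEncryption(resource, kmsKeys, settings = {}) {
  const desired = settings.desiredEncryptionLevel || DEFAULT_DESIRED_LEVEL;
  if (levelRank(desired) < 0) {
    return { id: resource.id, status: 3, message: `Unrecognised desired encryption level ${desired}` };
  }
  const current = encryptionLevel(resource, kmsKeys);
  if (current === null) {
    return { id: resource.id, status: 3, message: `KMS key ${resource.kmsKeyId} could not be described` };
  }
  const ok = levelRank(current) >= levelRank(desired);
  return {
    id: resource.id, status: ok ? 0 : 2, current, desired,
    message: `${resource.id} is encrypted at level ${current}; desired level is ${desired}`,
  };
}

// Constructed sample data: three KMS keys and four EBS-style volumes.
const SAMPLE_KEYS = {
  'key-aws':    { KeyManager: 'AWS',      Origin: 'AWS_KMS' },
  'key-cmk':    { KeyManager: 'CUSTOMER', Origin: 'AWS_KMS' },
  'key-import': { KeyManager: 'CUSTOMER', Origin: 'EXTERNAL' },
};
const SAMPLE_RESOURCES = [
  { id: 'vol-plain', encrypted: false },
  { id: 'vol-sse',   encrypted: true },
  { id: 'vol-aws',   encrypted: true, kmsKeyId: 'key-aws' },
  { id: 'vol-cmk',   encrypted: true, kmsKeyId: 'key-cmk' },
  { id: 'vol-gone',  encrypted: true, kmsKeyId: 'key-missing' },
];

function evaluateAll(resources, kmsKeys, settings) {
  return resources.map(r => evaluateEncryption(r, kmsKeys, settings));
}

for (const r of evaluateAll(SAMPLE_RESOURCES, SAMPLE_KEYS)) {
  console.log(['PASS', 'WARN', 'FAIL', 'UNKNOWN'][r.status], r.message);
}
```

With the default of awskms, only the plain and SSE-only volumes fail; raising the desired level to awscmk additionally fails the volume protected by the AWS-managed key, which is the knob the setting exposes.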

Domain Transfer Lock
The plugin logic has been updated to verify supported domains.

EBS Snapshot Collection Limitation
Starting next month, EBS snapshot collection will be limited to 30,000 snapshots from the most recent month. No snapshots older
than one month will be collected.

ELBv2 WAF Enabled
Updated the plugin logic to check WAF status explicitly for Application Load Balancers only, rather than for all load balancers.

ELBv2 Unhealthy Instances
Previously, the plugin did not show the resource ARN in the result. The plugin logic has been updated to correctly populate the
resource and provide accurate results.

Azure

App Service Plugins
Updated to include new whitelist settings, ensuring that specific resources are exempt from checks. This update applies to the
following plugins:

  • Authentication Enabled
  • HTTPS Only Enabled
  • Guest Level Diagnostics Enabled
  • Permissions Update

Azure has renamed Security Center to Defender for Cloud. As a result, the following Azure plugins have been refactored to support Defender for Cloud:

  • Application Whitelisting Enabled
  • Auto Provisioning Enabled
  • High Severity Alerts Enabled
  • Monitor Endpoint Protection
  • Monitor External Accounts with Write Permissions
  • Monitor IP Forwarding
  • Monitor JIT Network Access
  • Monitor Next Generation Firewall
  • Monitor System Updates
  • Monitor Total Number of Subscription Owners
  • Security Configuration Monitoring
  • Security Contact Additional Email
  • Security Contact Enabled for Subscription Owner
  • Security Contacts Enabled
  • Standard Pricing Enabled

v3.5.0

05 Jun 17:26
0679196

CloudSploit version 3.5.0 is the latest version as of 2024-05-28. The update includes new plugins for AWS and Azure, along with hotfixes and enhancements to existing plugins. The details are as follows.


New Plugins

AWS

Bedrock

  • AWS Bedrock In Use

Neptune

  • Neptune Database IAM Authentication Enabled
  • Neptune Database Deletion Protection Enabled
  • Neptune Database Multiple AZ
  • Neptune Database Instance Backup Retention

DocumentDB

  • DocumentDB Has Tags
  • DocumentDB Cluster Deletion Protection

SQS

  • SQS Has Tags

WAFV2

  • Web ACL Logging Enabled

Azure

Batch Account

  • Batch Account CMK Encrypted

App Configuration

  • App Configuration Access Key Authentication Disabled

Container App

  • Container Apps Volume Mount Configured
  • Container Apps Has Tags

Cosmos DB

  • Cosmos DB Local Authentication Disabled

DataBricks

  • Databricks Workspace Managed Disk CMK Encrypted
  • Databricks Workspace Has Tags

Event Hub

  • Event Hubs Namespace Has Tags
  • Event Hubs Namespace Diagnostic Logs
  • Event Hub Namespace Local Auth Disabled
  • Event Hubs Namespace Managed Identity

Front Door

  • Front Door Managed Identity Enabled

Machine Learning

  • Machine Learning Workspace Has Tags
  • Machine Learning Workspace Public Access Disabled
  • Machine Learning Workspace Diagnostic Logs

Log Alerts

  • PostgreSQL Flexible Server Logging Enabled

PostgreSQL Server

  • PostgreSQL Flexible Server Log Duration Enabled

Hot fixes and enhancements

AWS

  1. KMS Key Rotation
    The key rotation feature is only available for the SYMMETRIC_DEFAULT key type. Updated the plugin to produce passing results for
    key types that do not have the key rotation feature available.

  2. ELBv2 TLS Version and Cipher Header Enabled
    Updated the plugin logic to check that the TLS version and cipher headers are disabled. Enabling these headers may leak
    sensitive information, so the plugin now checks that the TLS version and cipher header is not enabled. Updated the title,
    description and output message. The plugin title is renamed to ELBv2 TLS Version and Cipher Header Disabled.

  3. EKS Kubernetes Version
    Modified the deprecation dates for EKS versions. For the list of updated EKS versions, refer to
    https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html

  4. EKS Latest Platform Version
    Modified the deprecation dates and latest platform versions for EKS versions. For the list of updated platform versions, refer to
    https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html

  5. Lambda Old Runtimes
    Modified the end-of-life dates for Lambda runtime versions. For the list of updated end-of-life dates for Lambda runtimes,
    refer to https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy
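The KMS Key Rotation refinement above is worth seeing in code, because the naive check ("rotation not enabled, therefore fail") produces false positives on every asymmetric and HMAC key. The following is an added example, not the plugin's own code: automatic rotation exists only for SYMMETRIC_DEFAULT keys, so other key specs pass rather than fail. Input fields mirror KMS DescribeKey (KeyId, KeySpec) and GetKeyRotationStatus (KeyRotationEnabled); the sample keys are constructed.

```javascript
// Added example: KMS key rotation check that exempts key specs without a rotation feature.
const ROTATABLE_KEY_SPEC = 'SYMMETRIC_DEFAULT';

// Status codes follow the CloudSploit convention: 0 = PASS, 2 = FAIL.
function evaluateKeyRotation(key) {
  if (key.KeySpec !== ROTATABLE_KEY_SPEC) {
    // RSA_*, ECC_*, SM2 and HMAC_* keys have no automatic rotation; failing them
    // would report a control the operator cannot enable.
    return { keyId: key.KeyId, status: 0, message: `Key spec ${key.KeySpec} does not support automatic rotation` };
  }
  if (key.KeyRotationEnabled === true) {
    return { keyId: key.KeyId, status: 0, message: 'Automatic key rotation is enabled' };
  }
  return { keyId: key.KeyId, status: 2, message: 'Automatic key rotation is not enabled' };
}

// DescribeKey metadata and GetKeyRotationStatus results arrive from separate API calls;
// join them by KeyId before evaluating. Keys with no rotation entry are treated as not rotated.
function evaluateKeyRotationAll(keyMetadata, rotationStatus) {
  return keyMetadata.map(meta => evaluateKeyRotation({
    ...meta,
    KeyRotationEnabled: rotationStatus[meta.KeyId] === true,
  }));
}

function summarize(results) {
  return results.reduce((acc, r) => {
    acc[r.status === 0 ? 'pass' : 'fail'] += 1;
    return acc;
  }, { pass: 0, fail: 0 });
}

// Constructed sample data: two symmetric keys, one RSA signing key, one HMAC key.
const SAMPLE_KEY_METADATA = [
  { KeyId: 'sym-rotated', KeySpec: 'SYMMETRIC_DEFAULT' },
  { KeyId: 'sym-static',  KeySpec: 'SYMMETRIC_DEFAULT' },
  { KeyId: 'rsa-signing', KeySpec: 'RSA_2048' },
  { KeyId: 'hmac-key',    KeySpec: 'HMAC_256' },
];
// GetKeyRotationStatus is only meaningful for symmetric keys, so only they have entries.
const SAMPLE_ROTATION_STATUS = { 'sym-rotated': true, 'sym-static': false };

const results = evaluateKeyRotationAll(SAMPLE_KEY_METADATA, SAMPLE_ROTATION_STATUS);
for (const r of results) {
  console.log(r.status === 0 ? 'PASS' : 'FAIL', r.keyId, '-', r.message);
}
console.log(summarize(results));
```

Only the symmetric key with rotation switched off is reported as a failure; the RSA and HMAC keys pass with a message explaining why the control does not apply, which keeps the finding actionable.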

Azure

  1. Load Balancer Public IP
    Revised the title, description, more info, recommended actions, and output message of the plugin to ensure that Azure Load Balancers
    are public to meet your organization's security compliance and availability needs. The plugin title is renamed to Public Load
    Balancer.

  2. PostgreSQL Flexible Server Version
    Earlier, the plugin was checking for the latest version, which was 13. Modified the latest version of the flexible server from 13 to 16.

  3. Microsoft Support Operations Auditing Enabled
    Updated the plugin to produce unknown results if it is unable to get audit policies; previously it produced failed results if there
    were no audit policies in the data.

  4. Previously, the following plugins were responsible for checking the diagnostic logs of blob, queue, and table for both V1 and V2
    storage account types. But in the V1 (premium) type the diagnostic logs can only be enabled for that specific storage account kind's
    service, so the plugins were updated to produce pass results if the storage account type is premium.

    • Storage Account Blob Service Logging Enabled
    • Storage Account Queue Service Logging Enabled
    • Storage Account Table Service Logging Enabled

Google

  1. PostgreSQL Latest Version
    Earlier, the plugin was checking for the latest version, which was 14. Modified the latest version of PostgreSQL server from 14 to 15.

v3.4.0

01 May 18:06
d6d52c1

CloudSploit version 3.4.0 is the latest version as of 2024-04-25. The update includes new plugins for AWS and Azure, along with hotfixes and enhancements to existing plugins. The details are as follows.


New Plugins

AWS

Bedrock

  • Custom Model Has Tags

CloudFormation

  • CloudFormation Deletion Policy In Use

Comprehend

  • Amazon Comprehend Flywheel In VPC

DynamoDB

  • DynamoDB Deletion Protection Enabled

Guard duty

  • GuardDuty RDS Protection Enabled

Lambda

  • Lambda Dead Letter Queue
  • Lambda Enhanced Monitoring Enabled
  • Lambda Code Signing Enabled

Route 53

  • Route 53 In Use

OpenSearch

  • OpenSearch Audit Logs Enabled

WorkSpaces

  • WorkSpaces Healthy Instances

Azure

Automation Account

  • Automation Account Approved Certificates Only

Container Apps

  • Container Apps Authentication Enabled
  • Container Apps External Network Access
  • Container Apps Managed Identity

Cosmos DB

  • Cosmos DB Diagnostic Logs
  • Cosmos DB Managed Identity

DataBricks

  • Databricks Workspace DBFS Infrastructure Encryption
  • Databricks Workspace Managed Services CMK Encrypted
  • Databricks Workspace Diagnostic Logs
  • Databricks Workspace Secure Cluster

Event Grid

  • Event Grid Domain Diagnostic Logs
  • Event Grid Domain Minimum TLS Version
  • Event Grid Domain Local Authentication Disabled
  • Event Grid Domain Managed Identity

Event Hub

  • Event Hubs Namespace CMK Encrypted

PostgreSQL Server

  • PostgreSQL Flexible Server Connection Throttling Enabled
  • PostgreSQL Flexible Server Log Disconnections Enabled

Hot fixes and enhancements

AWS

  1. Earlier, the following plugins were generating unknown results for the regions in which the Bedrock Custom Model service was not available. Updated the plugin logic to produce pass results for those regions.

    • Custom Model Encryption Enabled
    • Custom Model In VPC
    • Private Custom Model

  2. RDS Public Subnets
    Fixed the bug for which the plugin was generating false negative results in the case where the RDS instance was not connected to a
    public subnet.

  3. Instance Limit
    Earlier, the plugin was checking the max instance limit provided by AWS. The max_limit attribute is no longer supported by AWS, so a Max Instance Count setting was added from which users can set the desired maximum number of utilised instances in a region.

Azure

  1. SQL Databases Data Masking Enabled
    Updated the plugin logic to remove the unnecessary unknown results.

  2. Updated the plugin info link for the following plugins:

    • Storage Account Queue Service Logging Enabled
    • Storage Account Blob Service Logging Enabled

Google

  1. Service Account Key Rotation
    Updated the plugin to generate pass results if no user-managed service account key is found; earlier, the plugin results were skipped if there was no user-managed key.

v3.3.0

26 Mar 08:37
8c18f9f

CloudSploit version 3.3.0 is the latest version as of 2024-03-25. The update adds severities for all cloud plugins, new AWS and Azure regions, new plugin categories for Azure OpenAI Service and for Vertex AI Service on GCP, a category change of AWS services to 'AI & ML', and title and description changes for AWS and Azure plugins. It also brings new plugins for existing Azure and AWS services, along with hotfixes and enhancements to existing plugins. The details are as follows.


Severities

Added severities for all plugins of following clouds:

  • Alibaba
  • AWS
  • Azure
  • GCP
  • GitHub
  • Oracle

Severities were assigned based on careful analysis of services, taking into account compliance rules, thorough documentation review, customer complaints, and customer suggestions. This approach ensures an accurate representation of the impact and importance of each plugin and service across the AWS, Azure, GCP, Oracle, Alibaba, and GitHub platforms, aligning with compliance standards.

New regions

AWS
Added support for the following regions:

  • il-central-1
  • ca-west-1

Azure
Added support for the following regions:

  • italynorth
  • israelcentral

Category changes

AWS
Changed category of the following AWS services to AI and ML:

  • Amazon Bedrock
  • Amazon Comprehend
  • Amazon DevOps Guru
  • Amazon Forecast
  • Amazon Fraud Detector
  • Amazon Kendra
  • Amazon Lex
  • Amazon Lookout for Equipment
  • Amazon Lookout for Metrics
  • Amazon Lookout for Vision
  • Amazon SageMaker
  • Amazon Translate
  • Amazon HealthLake

Plugin title changes

Changed the title, description, and output messages for the following plugins:

AWS

  1. Firehose Delivery Streams CMK Encrypted is renamed to Firehose Delivery Stream Destination CMK Encrypted
  2. DynamoDB Unused Table is renamed to DynamoDB Empty Table

Azure

  1. PostgreSQL Server Services Access Disabled is renamed to PostgreSQL Server Services Network Access Disabled
  2. PostgreSQL Flexible Server Services Access Disabled is renamed to PostgreSQL Flexible Server Services Public Network Access Disabled

New Plugins

AWS

CodeStar

  • Code Star Has Tags

Azure

App Service

  • App Service Diagnostic Logging Enabled
  • Web Apps VNet Integrated
  • Web Apps Private Endpoints Configured
  • Web Apps Security Logging Enabled
  • Secure Azure Http Triggered Function
  • Node.js Version
  • Access Control Allow Credential Enabled

Application Gateway

  • Application Gateway HTTPS Listener
  • Application Gateway Request Body Size

App Configurations

  • App Configurations Has Tags
  • App Configuration Encryption At Rest with CMK

Automation Account

  • Automation Account Has Tags
  • Automation Account Valid Source Controls
  • Automation Account Expired Webhooks
  • Automation Account Public Access Disabled
  • Automation Account Encrypted Variables
  • Automation Account Private Endpoints Configured

Bastion

  • Bastion Host Diagnostic Logs Enabled
  • Bastion Host Has Tags

Blob Service

  • Blob Container CMK Encrypted

Container Registry

  • ACR Trusted Services Enabled

Defender

  • Enable Defender For Resource Manager
  • Enable Defender For CSPM
  • Enable Defender For APIs
  • Enable Defender For SQL Servers On Machines
  • Enable Defender For Cosmos DBs

Event Hub

  • Event Hub Public Access

Front Door

  • Front Door WAF Latest Default Rule Set

Key Vaults

  • Key Vaults Private Endpoint

Kubernetes Services

  • AKS API Server Authorized IP Ranges
  • AKS Cluster Host Based Encryption
  • AKS Cluster Managed Identity Enabled

Load Balancer

  • Load Balancer Public IP

Monitor

  • Log Analytics Public Workspace

Network Security Groups

  • NSG Flow Logs Enabled

Open AI

  • OpenAI Account CMK Encrypted
  • OpenAI Account Managed Identity Enabled
  • OpenAI Account Public Access Disabled
  • OpenAI Account Has Tags
  • OpenAI Account Diagnostic Logging Enabled

PostgreSQL Server

  • PostgreSQL Flexible Server Advanced Threat Protection

Redis Cache

  • Redis Cache VNet Integrated

Service Bus

  • Namespace Managed Identity
  • Service Bus Namespace Has Tags

SQL Databases

  • SQL Database Diagnostic Logging Enabled
  • SQL Database Data Discovery and Classification

SQL Server

  • SQL Server Managed Identity Enabled
  • SQL Server VNet Rules Integrated
  • SQL Server Services Access Disabled
  • SQL Server Connection Policy
  • Auditing Storage Authentication Type

Virtual Machines

  • Compute Gallery RBAC Sharing
  • VM Disk Public Access
  • VM Disk CMK Rotation
  • VM Disk Double Encryption

Virtual Machines Scale Sets

  • VMSS Windows AntiMalware Extension
  • Health Monitoring Extension HTTPS Enabled
  • Scale Sets Boot Diagnostics Enabled

Virtual Networks

  • Public IP Address DDos Protection
  • VNET Flow Logs Enabled

GCP

Vertex AI

  • Vertex AI Model Encryption
  • Vertex AI Model Labels Added
  • Vertex AI Dataset Encryption
  • Vertex AI Dataset Labels Added

Hot fixes and enhancements

AWS

  1. As per AWS documentation, AWS now applies SSE to all bucket objects by default. Previously, the following plugins failed when SSE was not enabled on S3. The logic of these plugins has been modified to produce a pass result by default when checking for server-side encryption:

    • S3 Bucket Enforce Object Encryption
    • Firehose Delivery Stream Destination CMK Encrypted

  2. Open RFC 1918
    Updated the output message of the plugin so it provides a more accurate description when RFC 1918 IP ranges are utilized.

  3. EKS Kubernetes Version
    Modified the deprecation dates for the following EKS versions: 1.23, 1.24, and 1.27.

  4. Lambda Old Runtimes
    Modified the deprecation dates for the following runtime environments: Node.js 16, Go 1, and Java 8.

  5. SES Email Messages Encrypted
    Added logic to exclude regions that don't have SES enabled.

Azure

  1. VM Security Type
    Previously, the plugin only checked whether the trusted launch security type was configured. Added a setting to check for the desired security type for Azure virtual machines.

  2. No Network Gateways In Use
    Previously, the plugin only checked whether a network gateway was in use. Added the Virtual Network Gateway Type setting with an empty default value; the setting can be used to check for the desired type of network gateways in use.

  3. Added setting Ignore Internal Load Balancers in plugins with default value set to false. When set to true the plugin ignores internal load balancers.

    • LB HTTPS Only
    • Load Balancer Has Tags
    • Load Balancer Log Analytics Enabled
    • LB No Instances

v3.2.0

08 Dec 10:05
8c29d18

CloudSploit version 3.2.0 is the latest version as of 2023-12-08. The update adds new plugin categories for Azure Media Services and Service Bus, and a new plugin category for Bedrock on AWS. It also brings new plugins for existing Azure and AWS services, along with hotfixes and enhancements to existing plugins. The details are as follows.


New Plugins

AWS

Bedrock

  • Custom Model Encryption Enabled
  • Private Custom Model
  • Custom Model In VPC
  • Bedrock Model Invocation Logging Enabled

Azure

Application Gateway

  • Application Gateway SSL Policy
  • Application Gateway Security Logging
  • Application Gateway Request Body Inspection

Front Door

  • Front Door HTTPS only
  • Front Door Security Logging
  • Front Door Waf Enabled
  • Front Door WAF Bot Protection
  • Front Door Request Body Inspection
  • Front Door WAF Detection Mode
  • Front Door WAF Rate limit
  • Front Door Domain Managed DNS

Media Services

  • Media Services Public Access Disabled
  • Media Services Diagnostic Logs Enabled
  • Media Services Managed Identity Enabled
  • Media Services Storage Account Managed Identity
  • Media Services Classic API Disabled

PostgreSQL Server

  • PostgreSQL Flexible Server SCRAM Enabled
  • PostgreSQL Diagnostic Logging Enabled
  • PostgreSQL Minimum TLS Version
  • PostgreSQL Server Private Endpoints Configured
  • PostgreSQL Encryption At Rest with BYOK
  • PostgreSQL Flexible Server Services Access Disabled
  • PostgreSQL Flexible Server Diagnostic Logging

Redis Cache

  • Redis Cache Private Endpoint

Service Bus

  • Namespace Encryption At Rest with CMK
  • Namespace Minimum TLS Version
  • Namespace Local Authentication Disabled
  • Namespace Logging Enabled

SQL Databases

  • Transparent Data Encryption Enabled
  • Database Private Link Enabled
  • Ledger Automatic Digest Storage
  • Database Secure Enclaves Encryption Enabled
  • Database Ledger Enabled
  • SQL Databases Data Masking Enabled

SQL Server

  • Microsoft Support Operations Auditing Enabled
  • Server Outbound Networking Restricted

Virtual Machines

  • VM vTPM Enabled
  • VM Security Type
  • VM Secure Boot Enabled
  • VM Disks Deletion Config

Hot fixes and enhancements

AWS

  • All Open Ports Plugins
    Added a setting to check for ENIs associated with security groups that have open ports. Enabling this setting produces a fail result if an associated ENI is exposed to the public.
  • S3 Bucket Has Tags
    Updated the plugin to produce the result on regional basis instead of global.
  • SSM Managed Instances
    Updated the plugin to produce pass results if the instance is not in running state.
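The "All Open Ports Plugins" change above is the difference between reporting a security group rule and reporting actual exposure: a rule that opens a port to 0.0.0.0/0 is only reachable from the internet if some attached ENI carries a public IP. The following is an added example of that refinement, not the plugins' own code. Object shapes follow EC2 DescribeSecurityGroups (IpPermissions, IpRanges, Ipv6Ranges) and DescribeNetworkInterfaces (Groups, Association.PublicIp); the checkEnis option is a hypothetical name for the setting, and all sample data is constructed.

```javascript
// Added example: open-port check that can be restricted to publicly reachable ENIs.
const WORLD = new Set(['0.0.0.0/0', '::/0']);

// Ports a security group opens to any source address, as 'proto/port' or 'proto/from-to' strings.
function openPorts(group) {
  const ports = [];
  for (const perm of group.IpPermissions || []) {
    const cidrs = [
      ...(perm.IpRanges || []).map(r => r.CidrIp),
      ...(perm.Ipv6Ranges || []).map(r => r.CidrIpv6),
    ];
    if (!cidrs.some(c => WORLD.has(c))) continue;       // only world-open rules matter here
    if (perm.IpProtocol === '-1') { ports.push('all'); continue; }
    if (perm.FromPort == null) { ports.push(`${perm.IpProtocol}/all`); continue; }
    ports.push(perm.FromPort === perm.ToPort
      ? `${perm.IpProtocol}/${perm.FromPort}`
      : `${perm.IpProtocol}/${perm.FromPort}-${perm.ToPort}`);
  }
  return ports;
}

// Map of security-group id -> ENIs that reference it AND have a public IP association.
function publicEnisByGroup(enis) {
  const byGroup = new Map();
  for (const eni of enis) {
    const publicIp = eni.Association && eni.Association.PublicIp;
    if (!publicIp) continue;                              // private-only ENI: not reachable from the internet
    for (const g of eni.Groups || []) {
      if (!byGroup.has(g.GroupId)) byGroup.set(g.GroupId, []);
      byGroup.get(g.GroupId).push({ id: eni.NetworkInterfaceId, publicIp });
    }
  }
  return byGroup;
}

// Status codes follow the CloudSploit convention: 0 = PASS, 2 = FAIL.
// checkEnis=false keeps the older behaviour (any world-open port fails);
// checkEnis=true fails only when the group is attached to a publicly reachable ENI.
function evaluateOpenPorts(groups, enis, { checkEnis = false } = {}) {
  const exposed = publicEnisByGroup(enis);
  return groups.map(g => {
    const ports = openPorts(g);
    if (ports.length === 0) {
      return { groupId: g.GroupId, status: 0, message: 'No ports open to the world' };
    }
    const attached = exposed.get(g.GroupId) || [];
    if (checkEnis && attached.length === 0) {
      return { groupId: g.GroupId, status: 0, message: `Ports ${ports.join(', ')} open to the world but no public ENI is attached` };
    }
    const via = attached.length ? ` via ENI ${attached.map(e => `${e.id} (${e.publicIp})`).join(', ')}` : '';
    return { groupId: g.GroupId, status: 2, message: `Ports ${ports.join(', ')} open to the world${via}` };
  });
}

// Constructed sample data (203.0.113.0/24 is a documentation range).
const SAMPLE_GROUPS = [
  { GroupId: 'sg-web',      IpPermissions: [{ IpProtocol: 'tcp', FromPort: 22,   ToPort: 22,   IpRanges: [{ CidrIp: '0.0.0.0/0' }] }] },
  { GroupId: 'sg-internal', IpPermissions: [{ IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306, IpRanges: [{ CidrIp: '0.0.0.0/0' }] }] },
  { GroupId: 'sg-locked',   IpPermissions: [{ IpProtocol: 'tcp', FromPort: 443,  ToPort: 443,  IpRanges: [{ CidrIp: '10.0.0.0/8' }] }] },
];
const SAMPLE_ENIS = [
  { NetworkInterfaceId: 'eni-1', Groups: [{ GroupId: 'sg-web' }],      Association: { PublicIp: '203.0.113.10' } },
  { NetworkInterfaceId: 'eni-2', Groups: [{ GroupId: 'sg-internal' }] },
];

for (const r of evaluateOpenPorts(SAMPLE_GROUPS, SAMPLE_ENIS, { checkEnis: true })) {
  console.log(r.status === 0 ? 'PASS' : 'FAIL', r.groupId, '-', r.message);
}
```

With the ENI check enabled, sg-internal (world-open MySQL port, but only attached to a private ENI) passes, while sg-web still fails and names the public ENI; with the check disabled both groups fail, exactly as before the change.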

Azure

  • Client Certificates Enabled
    When HTTP version 2.0 is enabled, client certificates are ignored by default by Azure. Updated the plugin to only check for client certificates when HTTP 2.0 is not enabled; when HTTP 2.0 is enabled, the plugin produces a pass result.

v3.1.0

19 Sep 10:59
69ef0d7

CloudSploit version 3.1.0 is the latest version as of 2023-09-06. The update brings new plugins for Azure, AWS, and GCP along with hotfixes and enhancements to existing plugins. The details are as follows.


New Plugins

AWS

  • App Mesh VG Health Check Policies
  • MQ Latest Engine Version
  • RDS Idle Instance Status
  • RDS CPU Alarm Threshold Exceeded
  • RDS Default Port
  • RDS Public Subnet
  • MQ Broker Public Accessibility
  • Password Policy Exists

Azure

  • VM Windows AntiMalware Extension
  • Virtual Networks Logging Enabled

Google

  • Open All Ports Egress
  • PostgreSQL Log Planner Stats Disabled
  • PostgreSQL Log Executor Stats Disabled
  • PostgreSQL Log Parser Stats Disabled

Hot fixes and enhancements

AWS

  • Email DKIM Enabled
    Added pagination for the related AWS API to avoid unknown results.

Azure

The following plugins were updated to check for default values from the ASC default policy:

  • Application Whitelisting Enabled
  • Monitor Blob Encryption
  • Monitor Disk Encryption
  • Monitor Endpoint Protection
  • Monitor External Accounts with Write Permissions
  • Monitor IP Forwarding
  • Monitor JIT Network Access
  • Monitor Next Generation Firewall
  • Monitor NSG Enabled
  • Monitor SQL Auditing
  • Monitor SQL Encryption
  • Monitor Total Number of Subscription Owners
  • Monitor System Updates
  • Monitor VM Vulnerability
  • Security Configuration Monitoring

Deprecated plugins

Azure
Log Profile Retention Policy

v3.0.0

07 Aug 10:47
4c5a7a3

CloudSploit version 3.0.0 is the latest version as of 2023-08-10. Version 3.0.0 introduced a number of changes from v2.0.0, including a change in the number of plugins for each cloud, and introduces Alibaba Cloud.


Alibaba

Version 3.0.0 introduces the scanning of Alibaba Cloud. To run it locally you need to replace the config for Alibaba.

  • Copy the example config to config.js (cp config_example.js config.js) and enter the Alibaba credentials in config.js.

  • To run the Alibaba plugins, run ./index.js --config=./config.js


New Plugins

The following summarizes the changes in plugin configurations for the various cloud providers:

- AWS
Plugins added: 379
Total plugins now: 550

- Azure
Plugins added: 155
Total plugins now: 286

- GitHub
No new plugins added.
Total plugins remain: 10

- Oracle
Plugins added: 34
Total plugins now: 99

- Google
Plugins added: 162
Total plugins now: 250

v2.0.0

25 Aug 20:15
c762304

CloudSploit version 2.0.0 introduced a number of changes from the original CloudSploit release, designed to make running CloudSploit easier in multiple environment types, including command line and CI/CD systems.

Changes

  • The addition of the argparse library to enhance CLI option support
  • Formalizing several previously-hidden settings and options (e.g. saving the JSON collection, multiple output formats, suppressions, etc.)
  • The addition of the tty-table library for pretty-print CLI output of results. This is now the default output, but it can be changed to text-only via the --console=text flag.
  • Improved documentation across the AWS, Azure, GCP, and OCI providers.
  • The use of a config.js file for storing cloud provider configuration options, making it easier to run CloudSploit against multiple accounts by passing the --config flag.
  • Fallback to the AWS credential chain, allowing users to get started running CloudSploit more quickly.
  • Addition of an .eslint file for developers of CloudSploit and CloudSploit plugins.
  • Formalizing CIS Benchmark options in the plugins using the compliance property.
  • Added the ability to run a single plugin directly from the CLI, without editing the exports.js file by passing the flag --plugin pluginName.

Upgrade Guide

Please see the Upgrade Guide if you are moving from < 2.0.0 to 2.0.0.