CloudSploit version 3.3.0 introduces the most latest version on 2024-03-25. The update includes severities added for all clouds plugins, new regions of AWS and Azure clouds and new category plugins for Azure Open AI Service and Vertex AI Service for GCP , category change of AWS Services to 'AI &ML' and title and description change of AWS and Azure plugins. Along with this there are new plugins for existing services of Azure, AWS with the hotfixes and enhancements in the existing plugins. The details are as follows.

---

Severities

Added severities for all plugins of following clouds:

• Alibaba
• AWS
• Azure
• GCP
• GitHub
• Oracle

Severities were assigned based on careful analysis of services, taking into account compliance rules, thorough documentation review, addressing customer complaints, and incorporating their suggestions.This approach ensures accurate representation of the impact and importance of each plugin and service across AWS, Azure, GCP, Oracle, Alibaba, and GitHub platforms, aligning with compliance standards.

New regions

AWS Added support for the following regions:

• il-central-1
• ca-west-1

Azure Added support for the following regions:

• italynorth
• israelcentral

Category changes

AWS Changed category of the following AWS services to AI and ML:

• Amazon Bedrock
• Amazon Comprehend
• Amazon DevOps Guru
• Amazon Forecast
• Amazon Fraud Detector
• Amazon Kendra
• Amazon Lex
• Amazon Lookout for Equipment
• Amazon Lookout for Metrics
• Amazon Lookout for Vision
• Amazon SageMaker
• Amazon Translate
• Amazon HealthLake

Plugin title changes

Changed the title, description, and output messages for the following plugins:

AWS

1. Firehose Delivery Streams CMK Encrypted is renamed to Firehose Delivery Stream Destination CMK Encrypted
2. DynamoDB Unused Table is renamed to DynamoDB Empty Table

Azure

1. PostgreSQL Server Services Access Disabled is renamed to PostgreSQL Server Services Network Access Disabled
2. PostgreSQL Flexible Server Services Access Disabled is renamed to PostgreSQL Flexible Server Services Public Network Access Disabled

New Plugins

AWS

CodeStar

• Code Star Has Tags

Azure

App Service

• App Service Diagnostic Logging Enabled
• Web Apps VNet Integrated
• Web Apps Private Endpoints Configured
• Web Apps Security Logging Enabled
• Secure Azure Http Triggered Function
• Node.js Version
• Access Control Allow Credential Enabled

Application Gateway

• Application Gateway HTTPS Listener
• Application Gateway Request Body Size

App Configurations

• App Configurations Has Tags
• App Configuration Encryption At Rest with CMK

Automation Account

• Automation Account Has Tags
• Automation Account Valid Source Controls
• Automation Account Expired Webhooks
• Automation Account Public Access Disabled
• Automation Account Encrypted Variables
• Automation Account Private Endpoints Configured

Bastion

• Bastion Host Diagnostic Logs Enabled
• Bastion Host Has Tags

Blob Service

• Blob Container CMK Encrypted

Container Registry

• ACR Trusted Services Enabled

Defender

• Enable Defender For Resource Manager
• Enable Defender For CSPM
• Enable Defender For APIs
• Enable Defender For SQL Servers On Machines
• Enable Defender For Cosmos DBs

Event Hub

• Event Hub Public Access

Front Door

• Front Door WAF Latest Default Rule Set

Key Vaults

• Key Vaults Private Endpoint

Kubernetes Services

• AKS API Server Authorized IP Ranges
• AKS Cluster Host Based Encryption
• AKS Cluster Managed Identity Enabled

Load Balancer

• Load Balancer Public IP

Monitor

• Log Analytics Public Workspace

Network Security Groups

• NSG Flow Logs Enabled

Open AI

• OpenAI Account CMK Encrypted
• OpenAI Account Managed Identity Enabled
• OpenAI Account Public Access Disabled
• OpenAI Account Has Tags
• OpenAI Account Diagnostic Logging Enabled

PostgreSQL Server

• PostgreSQL Flexible Server Advanced Threat Protection

Redis Cache

• Redis Cache VNet Integrated

Service Bus

• Namespace Managed Identity
• Service Bus Namespace Has Tags

SQL Databases

• SQL Database Diagnostic Logging Enabled
• SQL Database Data Discovery and Classification

SQL Server

• SQL Server Managed Identity Enabled
• SQL Server VNet Rules Integrated
• SQL Server Services Access Disabled
• SQL Server Connection Policy
• Auditing Storage Authentication Type

Virtual Machines

• Compute Gallery RBAC Sharing
• VM Disk Public Access
• VM Disk CMK Rotation
• VM Disk Double Encryption

Virtual Machines Scale Sets

• VMSS Windows AntiMalware Extension
• Health Monitoring Extension HTTPS Enabled
• Scale Sets Boot Diagnostics Enabled

Virtual Networks

• Public IP Address DDos Protection
• VNET Flow Logs Enabled

GCP

Vertex AI

• Vertex AI Model Encryption
• Vertex AI Model Labels Added
• Vertex AI Dataset Encryption
• Vertex AI Dataset Labels Added

Hot fixes and enhancements

Aws

1. As per AWS document, AWS now provides the SSE to all bucket objects by default. Previously, the following plugins were failing in case SSE was not enabled on s3. However, the logic of the following plugins are modified to produce pass result by default when checking for server side encryption:

   • S3 Bucket Enforce Object Encryption
   • Firehose Delivery Stream Destination CMK Encrypted

2. Open RFC 1918 Updated the output message of plugin so it provides a more accurate description when RFC IP ranges are utilized.

3. EKS Kubernetes Version Modified the depreciation date for following eks versions. 1.23, 1.24, and 1.27.

4. Lambda Old Runtimes Modified the deprecation date for following runtime environments, Node.js 16, Go 1, Java 8.

5. SES Email Messages Encrypted Added logic to exclude regions that don't have SES enabled.

Azure

1. VM Security Type Previously, the plugin was checking for only trusted launch type configured, added the setting to the check desired security type for Azure virtual machines.

2. No Network Gateways In Use Previously, the plugin was checking for only network gateway in use. Added the Virtual Network Gateway Type setting with empty default value. The setting can be used to the check for desired type for network gateways in use.

3. Added setting Ignore Internal Load Balancers in plugins with default value set to false. When set to true the plugin ignores internal load balancers.

   • LB HTTPS Only
   • Load Balancer Has Tags
   • Load Balancer Log Analytics Enabled
   • LB No Instances