Releases: aquasecurity/cloudsploit
v3.10.0
CloudSploit version 3.10.0 introduces the most latest version on 2024-11-15. The update includes new plugins for Azure, AWS with the hotfixes and enhancements in the existing plugins. The details are as follows.
New Plugin
Azure
Storage Account Public Network Access
- Description: Ensure that 'Public Network Access’ is disabled for storage accounts.
- More Info: Disabling public network access for Azure storage accounts enhances security by blocking anonymous access to data in containers and blobs. This restriction ensures that only trusted network sources can access the storage, reducing the risk of unauthorized access and data exposure.
Hot fixes and enhancements
Azure
Plugins divided into specific resource type checks
To correctly map the plugins with compliance controls, these plugins have been divided into specific resource type checks:
Disk Volumes BYOK Encryption Enabled
This plugin ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled. The plugin has been divided into two specific versions:
- Attached Disk Volumes BYOK Encryption Enabled : Ensures that attached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.
- Unattached Disk Volumes BYOK Encryption Enabled : Ensures that unattached Azure virtual machine disks have BYOK (Customer-Managed Key) encryption enabled.
Key Vault Key Expiry
This plugin proactively checks for key vault key expiry dates, and rotates them before expiry is reached. The Key Vault Key Expiry plugin has been split to accommodate different key vault access configurations:
- Key Vault Key Expiry Non RBAC : Ensures that an expiration date is set for all keys within key vaults that do not have Role-Based Access Control (RBAC) enabled.
- Key Vault Key Expiry RBAC : Ensures that an expiration date is set for all keys within RBAC-enabled key vaults.
Key Vault Secret Expiry
Proactively checks for key vault secret expiry dates, and rotates them before expiry is reached. The Key Vault Secret Expiry plugin has also been divided for improved specificity based on key vault access configurations:
- Key Vault Secret Expiry Non RBAC : Ensures that an expiration date is set for all secrets within key vaults that do not have RBAC enabled.
- Key Vault Secret Expiry RBAC : Ensures that an expiration date is set for all secrets within RBAC-enabled key vaults.
Other changes
- Enable Defender For SQL Servers
We added a setting to check for defenders at subscription level as well as at the server level. The default value for the setting is set to check Defender for SQL servers at the subscription level. If the setting is set to ‘resource’, it will check Defender for SQL servers individually.
-The following plugins have been refactored to also include the support for Managed Instances:
- TDE Protector Encrypted
- Transparent Data Encryption Enabled
- Permissions required for the above two plugins:
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/encryptionProtector/read",
-
As Microsoft Azure has deprecated the support for TLS 1.0 and TLS 1.1, So we have revisited our plugins to end the support for these versions.
-Event Hubs Minimum TLS Version
-SQL Server Minimum TLS Version
-Storage Accounts Minimum TLS Version
Please refer to the following official documentation for more details.
- We have revisited our compliance for the following controls and updated the plugins for these controls.
To meet compliance control requirements, we have replaced the plugin for this control from Key Vault Logging Enabled to Key Vault Log Analytics Enabled.
To meet compliance control requirements, we have replaced the plugin for this control from TDE Protector Encrypted to Transparent Data Encryption Enabled.
Deprecated plugin
As Azure has deprecated certain policy assignments, Aqua is deprecating this plugin that checks for those outdated assignments:
- Application Whitelisting Enabled
What's Changed
- syncing with saas by @alphadev4 in #2113
- Azure/Storage-Account-Public-Network-Access by @AkhtarAmir in #2112
- Revised TDE Protectors Encrypted Plugin Update by @AkhtarAmir in #2101
- Enable defender for sql servers by @AkhtarAmir in #2102
- Revised diskByokEncryptionEnabled by @AkhtarAmir in #2103
- Revised unAttachedDiskByokEncryptionEnabled by @AkhtarAmir in #2104
- Revised dbTDEEnabled by @AkhtarAmir in #2110
- Revised keyVaultSecretExpiryNonRbac by @AkhtarAmir in #2109
- Revised keyVaultSecretExpiry by @AkhtarAmir in #2108
- Revised keyVaultKeyExpiryNonRbac (2) by @AkhtarAmir in #2106
- Revised keyVaultKeyExpiry by @AkhtarAmir in #2105
- TLS Version Changes by @AkhtarAmir in #2115
Full Changelog: v3.9.0...v3.10.0
v3.9.0
CloudSploit version 3.9.0 introduces the most latest version on 2024-09-18. The update includes new plugins for Azure, AWS with the hotfixes and enhancements in the existing plugins. The details are as follows.
New Plugins
AWS
EKS
- EKS GuardDuty Enabled
QLDB
- Ledger Deletion Protection
- Ledger Has Tags
Managed Blockchain
- Managed Blockchain Network Member CloudWatch Logs
Azure
Batch Account
- Batch Account Managed Identity
Container Apps
- Container Apps IP Restriction Configured
Machine Learning
- Machine Learning Registry Has Tags
- Machine Learning Registry Public Access Disabled
- Machine Learning Workspace Data CMK Encrypted
- Machine Learning Workspace High Business Impact Enabled
MySQL
- MySQL Flexible Server CMK Encrypted
- MySQL Flexible Server Logging Enabled
Synapse
- Synapse Workspace Diagnostic Logging Enabled
- Synapse Workspace Double Encryption Enabled
- Synapse Workspace Has Tags
Hot fixes and enhancements
AWS
Encryption Level Setting
Updated the default value of the encryption level setting to awskms for all AWS encryption plugins that have a desired encryption
level setting. This ensures that resources are checked to verify that they meet the required encryption level of awskms by default.
Domain Transfer Lock
The plugin logic has been updated to verify supported domains.
EBS Snapshot Collection Limitation
Starting next month, EBS snapshot collection will be limited to 30,000 snapshots from the most recent month. No snapshots older
than one month will be collected.
ELBv2 WAF Enabled
Updated the plugin logic to check WAF status explicitly for Application Load Balancers only, rather than for all load balancers.
ELBv2 Unhealthy Instances
Previously, the plugin did not show the resource ARN in the result. The plugin logic has been updated to correctly populate the
resource and provide accurate results.
Azure
App Service Plugins
Updated to include new whitelist settings, ensuring that specific resources are exempt from checks. This update applies to the f
following plugins:
- Authentication Enabled
- HTTPS Only Enabled
- Guest Level Diagnostics Enabled
- Permissions Update
Azure has renamed Security Center to Defender for Cloud. As a result, the following Azure plugins have been refactored to support Defender for Cloud:
- Application Whitelisting Enabled
- Auto Provisioning Enabled
- High Severity Alerts Enabled
- Monitor Endpoint Protection
- Monitor External Accounts with Write Permissions
- Monitor IP Forwarding
- Monitor JIT Network Access
- Monitor Next Generation Firewall
- Monitor System Updates
- Monitor Total Number of Subscription Owners
- Security Configuration Monitoring
- Security Contact Additional Email
- Security Contact Enabled for Subscription Owner
- Security Contacts Enabled
- Standard Pricing Enabled
v3.5.0
CloudSploit version 3.5.0 introduces the most latest version on 2024-05-28. The update includes new plugins for Azure, AWS with the hotfixes and enhancements in the existing plugins. The details are as follows.
New Plugins
AWS
Bedrock
- AWS Bedrock In Use
Neptune
- Neptune Database IAM Authentication Enabled
- Neptune Database Deletion Protection Enabled
- Neptune Database Multiple AZ
- Neptune Database Instance Backup Retention
DocumentDB
- DocumentDB Has Tags
- DocumentDB Cluster Deletion Protection
SQS
- SQS Has Tags
WAFV2
- Web ACL Logging Enabled
Azure
Batch Account
- Batch Account CMK Encrypted
App Configuration
- App Configuration Access Key Authentication Disabled
Container App
- Container Apps Volume Mount Configured
- Container Apps Has Tags
Cosmos DB
- Cosmos DB Local Authentication Disabled
DataBricks
- Databricks Workspace Managed Disk CMK Encrypted
- Databricks Workspace Has Tags
Event Hub
- Event Hubs Namespace Has Tags
- Event Hubs Namespace Diagnostic Logs
- Event Hub Namespace Local Auth Disabled
- Event Hubs Namespace Managed Identity
Front Door
- Front Door Managed Identity Enabled
Machine Learning
- Machine Learning Workspace Has Tags
- Machine Learning Workspace Public Access Disabled
- Machine Learning Workspace Diagnostic Logs
Log Alerts
- PostgreSQL Flexible Server Logging Enabled
PostgreSQL Server
- PostgreSQL FLexible Server Log Duration Enabled
Hot fixes and enhancements
Aws
KMS Key Rotation
Key rotation feature is only available on key type SYMMETRIC_DEFAULT , updated the plugin to produce passing results for the key
type that does not have key rotation feature available.
-
ELBv2 TLS Version and Cipher Header Enabled
Updated the plugin logic to check that TLS version and Cipher should be disabled in headers. Enabling these headers may leak
sensitive information, so updating the plugin to check the TLS version and Cipher header should not be enabled. Updated the title,
description and output message . The plugin title is renamed to ELBv2 TLS Version and Cipher Header Disabled. -
EKS Kubernetes Version
Modified the depreciation date for EKS versions. For list of updated EKS versions, refer
https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html -
EKS Latest Platform Version
Modified the depreciation date and latest platform version for EKS versions. For list of updated latest platform, refer to
https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html -
Lambda Old Runtimes
Modified the end of life dates for lambda runtimes versions. For list of updated end of life dates for lambda runtimes versions,
refer , https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy
Azure
-
Load Balancer Public IP
Revised title, description, more info, recommended actions, and output message of the plugin to ensure that Azure Load Balancers
are public to meet your organization's security compliance and availability needs. The plugin title is renamed to Public Load
Balancer. -
PostgreSQL Flexible Server Version
Earlier, the plugin was checking for the latest version, which was 13. Modified the latest version of the flexible server from 13 to 16. -
Microsoft Support Operations Auditing Enabled
Updated the plugin to produce unknown results if it’s unable to get audit policies, previously it was producing failed results if there
were no audit policies in data. -
Previously, the following plugins were responsible for checking the diagnostic logs of blob, queue, and table for both V1 and V2
storage account types. But as in V1 (premium) type the diagnostic logs can only be enabled for that specific storage account kind
service, so updated the plugins to produce pass results if the storage account type is premium.
Storage Account Blob Service Logging Enabled
Storage Account Queue Service Logging Enabled
Storage Account Table Service Logging Enabled
- PostgreSQL Latest Version
Earlier, the plugin checking for the latest version, which was 14. Modified the latest version of PostgreSQL server from 14 to 15.
v3.4.0
CloudSploit version 3.4.0 introduces the most latest version on 2024-04-25. The update includes new plugins for Azure, AWS with the hotfixes and enhancements in the existing plugins. The details are as follows.
New Plugins
AWS
Bedrock
- Custom Model Has Tags
CloudFormation
- CloudFormation Deletion Policy In Use
Comprehend
- Amazon Comprehend Flywheel In VPC
DynamoDB
- DynamoDB Deletion Protection Enabled
Guard duty
- GuardDuty RDS Protection Enabled
Lambda
- Lambda Dead Letter Queue
- Lambda Enhanced Monitoring Enabled
- Lambda Code Signing Enabled
Route 53
- Route 53 In Use
OpenSearch
- OpenSearch Audit Logs Enabled
WorkSpaces
- WorkSpaces Healthy Instances
Azure
Automation Account
- Automation Account Approved Certificates Only
Container Apps
- Container Apps Authentication Enabled
- Container Apps External Network Access
- Container Apps Managed Identity
- Container Apps Authentication Enabled
Cosmos DB
- Cosmos DB Diagnostic Logs
- Cosmos DB Managed Identity
DataBricks
- Databricks Workspace DBFS Infrastructure Encryption
- Databricks Workspace Managed Services CMK Encrypted
- Databricks Workspace Diagnostic Logs
- Databricks Workspace Secure Cluster
Event Grid
- Event Grid Domain Diagnostic Logs
- Event Grid Domain Minimum TLS Version
- Event Grid Domain Local Authentication Disabled
- Event Grid Domain Managed Identity
Event Hub
- Event Hubs Namespace CMK Encrypted
PostgreSQL Server
- PostgreSQL Flexible Server Connection Throttling Enabled
- PostgreSQL Flexible Server Log Disconnections Enabled
Hot fixes and enhancements
Aws
- Earlier the following plugins were generating unknowns for the regions in which Bedrock Custom model service was not available. Updated the plugin logic to produce pass results for those regions.
- Custom Model Encryption Enabled
- Custom Model In VPC
- Private Custom Model
-
RDS Public Subnets
Fixed the bug for which the plugin was generating false negative results in case where the RDS instance was not connected to the
public subnet. -
Instance Limit
Earlier the plugin was checking the max instance limit provided by AWS. As of now max_limit attribute is no longer supported by AWS so added the setting for Max Instance Count from which users can set the desired value for max number of utilised instances in a region.
Azure
-
SQL Databases Data Masking Enabled
Updated the plugin logic to remove the unnecessary unknown form the results -
Updated the plugin info link for following plugins
- Storage Account Queue Service Logging Enable
- Storage Account Blob Service Logging Enable
- Service Account Key Rotation
Update the plugin to generate pass results if there is no user managed service account key found, earlier the plugin results were getting skipped if there was no user managed key found.
v3.3.0
CloudSploit version 3.3.0 introduces the most latest version on 2024-03-25. The update includes severities added for all clouds plugins, new regions of AWS and Azure clouds and new category plugins for Azure Open AI Service and Vertex AI Service for GCP , category change of AWS Services to 'AI &ML' and title and description change of AWS and Azure plugins. Along with this there are new plugins for existing services of Azure, AWS with the hotfixes and enhancements in the existing plugins. The details are as follows.
Severities
Added severities for all plugins of following clouds:
- Alibaba
- AWS
- Azure
- GCP
- GitHub
- Oracle
Severities were assigned based on careful analysis of services, taking into account compliance rules, thorough documentation review, addressing customer complaints, and incorporating their suggestions.This approach ensures accurate representation of the impact and importance of each plugin and service across AWS, Azure, GCP, Oracle, Alibaba, and GitHub platforms, aligning with compliance standards.
New regions
AWS
Added support for the following regions:
- il-central-1
- ca-west-1
Azure
Added support for the following regions:
- italynorth
- israelcentral
Category changes
AWS
Changed category of the following AWS services to AI and ML:
- Amazon Bedrock
- Amazon Comprehend
- Amazon DevOps Guru
- Amazon Forecast
- Amazon Fraud Detector
- Amazon Kendra
- Amazon Lex
- Amazon Lookout for Equipment
- Amazon Lookout for Metrics
- Amazon Lookout for Vision
- Amazon SageMaker
- Amazon Translate
- Amazon HealthLake
Plugin title changes
Changed the title, description, and output messages for the following plugins:
AWS
- Firehose Delivery Streams CMK Encrypted is renamed to Firehose Delivery Stream Destination CMK Encrypted
- DynamoDB Unused Table is renamed to DynamoDB Empty Table
Azure
- PostgreSQL Server Services Access Disabled is renamed to PostgreSQL Server Services Network Access Disabled
- PostgreSQL Flexible Server Services Access Disabled is renamed to PostgreSQL Flexible Server Services Public Network Access Disabled
New Plugins
AWS
CodeStar
- Code Star Has Tags
Azure
App Service
- App Service Diagnostic Logging Enabled
- Web Apps VNet Integrated
- Web Apps Private Endpoints Configured
- Web Apps Security Logging Enabled
- Secure Azure Http Triggered Function
- Node.js Version
- Access Control Allow Credential Enabled
Application Gateway
- Application Gateway HTTPS Listener
- Application Gateway Request Body Size
App Configurations
- App Configurations Has Tags
- App Configuration Encryption At Rest with CMK
Automation Account
- Automation Account Has Tags
- Automation Account Valid Source Controls
- Automation Account Expired Webhooks
- Automation Account Public Access Disabled
- Automation Account Encrypted Variables
- Automation Account Private Endpoints Configured
Bastion
- Bastion Host Diagnostic Logs Enabled
- Bastion Host Has Tags
Blob Service
- Blob Container CMK Encrypted
Container Registry
- ACR Trusted Services Enabled
Defender
- Enable Defender For Resource Manager
- Enable Defender For CSPM
- Enable Defender For APIs
- Enable Defender For SQL Servers On Machines
- Enable Defender For Cosmos DBs
Event Hub
- Event Hub Public Access
Front Door
- Front Door WAF Latest Default Rule Set
Key Vaults
- Key Vaults Private Endpoint
Kubernetes Services
- AKS API Server Authorized IP Ranges
- AKS Cluster Host Based Encryption
- AKS Cluster Managed Identity Enabled
Load Balancer
- Load Balancer Public IP
Monitor
- Log Analytics Public Workspace
Network Security Groups
- NSG Flow Logs Enabled
Open AI
- OpenAI Account CMK Encrypted
- OpenAI Account Managed Identity Enabled
- OpenAI Account Public Access Disabled
- OpenAI Account Has Tags
- OpenAI Account Diagnostic Logging Enabled
PostgreSQL Server
- PostgreSQL Flexible Server Advanced Threat Protection
Redis Cache
- Redis Cache VNet Integrated
Service Bus
- Namespace Managed Identity
- Service Bus Namespace Has Tags
SQL Databases
- SQL Database Diagnostic Logging Enabled
- SQL Database Data Discovery and Classification
SQL Server
- SQL Server Managed Identity Enabled
- SQL Server VNet Rules Integrated
- SQL Server Services Access Disabled
- SQL Server Connection Policy
- Auditing Storage Authentication Type
Virtual Machines
- Compute Gallery RBAC Sharing
- VM Disk Public Access
- VM Disk CMK Rotation
- VM Disk Double Encryption
Virtual Machines Scale Sets
- VMSS Windows AntiMalware Extension
- Health Monitoring Extension HTTPS Enabled
- Scale Sets Boot Diagnostics Enabled
Virtual Networks
- Public IP Address DDos Protection
- VNET Flow Logs Enabled
GCP
Vertex AI
- Vertex AI Model Encryption
- Vertex AI Model Labels Added
- Vertex AI Dataset Encryption
- Vertex AI Dataset Labels Added
Hot fixes and enhancements
Aws
-
As per AWS document, AWS now provides the SSE to all bucket objects by default. Previously, the following plugins were failing in case SSE was not enabled on s3. However, the logic of the following plugins are modified to produce pass result by default when checking for server side encryption:
- S3 Bucket Enforce Object Encryption
- Firehose Delivery Stream Destination CMK Encrypted
-
Open RFC 1918
Updated the output message of plugin so it provides a more accurate description when RFC IP ranges are utilized. -
EKS Kubernetes Version
Modified the depreciation date for following eks versions. 1.23, 1.24, and 1.27. -
Lambda Old Runtimes
Modified the deprecation date for following runtime environments, Node.js 16, Go 1, Java 8. -
SES Email Messages Encrypted
Added logic to exclude regions that don't have SES enabled.
Azure
-
VM Security Type
Previously, the plugin was checking for only trusted launch type configured, added the setting to the check desired security type for Azure virtual machines. -
No Network Gateways In Use
Previously, the plugin was checking for only network gateway in use. Added the Virtual Network Gateway Type setting with empty default value. The setting can be used to the check for desired type for network gateways in use. -
Added setting Ignore Internal Load Balancers in plugins with default value set to false. When set to true the plugin ignores internal load balancers.
- LB HTTPS Only
- Load Balancer Has Tags
- Load Balancer Log Analytics Enabled
- LB No Instances
v3.2.0
CloudSploit version 3.2.0 introduces the most latest version on 2023-12-08. The update includes new category plugins for Azure Media Services and Service Bus for Azure. And new category plugins for Bedrock for AWS. Along with this there are new plugins for existing services of Azure, AWS with the hotfixes and enhancements in the existing plugins. The details are as follows.
New Plugins
AWS
Bedrock
- Custom Model Encryption Enabled
- Private Custom Model
- Custom Model In VPC
- Bedrock Model Invocation Logging Enabled
Azure
Application Gateway
- Application Gateway SSL Policy
- Application Gateway Security Logging
- Application Gateway Request Body Inspection
Front Door
- Front Door HTTPS only
- Front Door Security Logging
- Front Door Waf Enabled
- Front Door WAF Bot Protection
- Front Door Request Body Inspection
- Front Door WAF Detection Mode
- Front Door WAF Rate limit
- Front Door Domain Managed DNS
Media Services
- Media Services Public Access Disabled
- Media Services Diagnostic Logs Enabled
- Media Services Managed Identity Enabled
- Media Services Storage Account Managed Identity
- Media Services Classic API Disabled
PostgreSQL Server
- PostgreSQL Flexible Server SCRAM Enabled
- PostgreSQL Diagnostic Logging Enabled
- PostgreSQL Minimum TLS Version
- PostgreSQL Server Private Endpoints Configured
- PostgreSQL Encryption At Rest with BYOK
- PostgreSQL Flexible Server Services Access Disabled
- PostgreSQL Flexible Server Diagnostic Logging
Redis Cache
- Redis Cache Private Endpoint
Service Bus
- Namespace Encryption At Rest with CMK
- Namespace Minimum TLS Version
- Namespace Local Authentication Disabled
- Namespace Logging Enabled
SQL Databases
- Transparent Data Encryption Enabled
- Database Private Link Enabled
- Ledger Automatic Digest Storage
- Database Secure Enclaves Encryption Enabled
- Database Ledger Enabled
- SQL Databases Data Masking Enabled
SQL Server
- Microsoft Support Operations Auditing Enabled
- Server Outbound Networking Restricted
Virtual Machines
- VM vTPM Enabled
- VM Security Type
- VM Secure Boot Enabled
- VM Disks Deletion Config
Hot fixes and enhancements
Aws
- All Open Ports Plugins
Added settings to check for associated ENIs with open ports security groups. Enabling this setting produces fail result. if ENI is exposed to public. - S3 Bucket Has Tags
Updated the plugin to produce the result on regional basis instead of global. - SSM Managed Instances
Updated the plugin to produce pass results if the instance is not in running state.
Azure
- Client Certificates Enabled
When HTTP version 2.0 is enabled, client certificates are ignored by default from azure. Updated the plugin to only check for Client Certificates when HTTP2.0 is not enabled. In case of HTTP2.0 plugin produces pass result.
v3.1.0
CloudSploit version 3.1.0 introduces the most latest version on 2023-09-06. The update brings new plugins for Azure, AWS, and GCP along with the hotfixes and enhancements in the existing plugins. The details are as follows.
New Plugins
AWS
- App Mesh VG Health Check Policies
- MQ Latest Engine Version
- RDS Idle Instance Status
- RDS CPU Alarm Threshold Exceeded
- RDS Default Port
- RDS Public Subnet
- MQ Broker Public Accessibility
- Password Policy Exists
Azure
- VM Windows AntiMalware Extension
- Virtual Networks Logging Enabled
- Open All Ports Egress
- PostgreSQL Log Planner Stats Disabled
- PostgreSQL Log Executor Stats Disabled
- PostgreSQL Log Parser Stats Disabled
Hot fixes and enhancements
Aws
- Email DKIM Enabled
Adding pagination for the related AWS API to avoid unknown results.
Azure
- These plugins were updated to check for default values from the ASC default policy:
- Application Whitelisting Enabled
- Monitor Blob Encryption
- Monitor Disk Encryption
- Monitor Endpoint Protection
- Monitor External Accounts with Write Permissions
- Monitor IP Forwarding
- Monitor JIT Network Access
- Monitor Next Generation Firewall
- Monitor NSG Enabled
- Monitor SQL Auditing
- Monitor SQL Encryption
- Monitor Total Number of Subscription Owners
- Monitor System Updates
- Monitor VM Vulnerability
- Security Configuration Monitoring
Deprecated plugins
Azure
Log Profile Retention Policy
v3.0.0
CloudSploit version 3.0.0 introduces the most latest version on 2023-08-10. Version 3.0.0 introduced a number of changes from the v.2.0.0, including the change in the number of plugins for each cloud, and introducing Alibaba Cloud
Alibaba
Version 3.0.0 introduces the scanning of Alibaba Cloud. To run it locally you would need to replace the config for Alibaba .
-
After replacing the credentials for alibaba, copy the credentials in config.js file
cp config_example.js config.js
-
To run the alibaba plugins run the following
./index.js --config=./config.js
New Plugins
The following summarizes the changes in plugins
The updates in plugin configurations for various cloud providers are as follows:
- AWS
Plugins added: 379
Total plugins now: 550
- Azure
Plugins added: 155
Total plugins now: 286
- GitHub
No new plugins added.
Total plugins remain: 10
- Oracle
Plugins added: 34
Total plugins now: 99
- Google
Plugins added: 162
Total plugins now: 250
v2.0.0
CloudSploit version 2.0.0 introduced a number of changes from the original CloudSploit release, designed to make running CloudSploit easier in multiple environment types, including command line and CI/CD systems.
Changes
- The addition of the
argparse
library to enhance CLI option support - Formalizing several previously-hidden settings and options (e.g. saving the JSON collection, multiple output formats, suppressions, etc.)
- The addition of the
tty-table
library for pretty-print CLI output of results. This is now the default output, but it can be changed to text-only via the--console=text
flag. - Improved documentation across the AWS, Azure, GCP, and OCI providers.
- The use of a
config.js
file for storing cloud provider configuration options, making it easier to run CloudSploit against multiple accounts by passing the--config
flag. - Fallback to the AWS credential chain, allowing users to get started running CloudSploit more quickly.
- Addition of an .eslint file for developers of CloudSploit and CloudSploit plugins.
- Formalizing CIS Benchmark options in the plugins using the
compliance
property. - Added the ability to run a single plugin directly from the CLI, without editing the
exports.js
file by passing the flag--plugin pluginName
.
Upgrade Guide
Please see the Upgrade Guide if you are moving from < 2.0.0 to 2.0.0.