Aqua CSPM scan reports contain a wealth of information related to the security posture of your cloud infrastructure environments. These reports contain security findings and results that indicate the status and severity of these security risks.



Overview

Every scan report result is comprised of the following pieces of information:



  Field       Examples
  Status      PASS, WARN, FAIL, UNKNOWN
  Severity    Low, Medium, High, Critical
  Region      us-east-1, ap-northeast-1
  Resource    arn:aws:s3:::example-bucket
  Message     "The S3 bucket is not encrypted"


Status

Each scan report result contains one of the following status codes:

  • PASS: A passing result, indicating that the security risk is not present
  • WARN: A warning result, indicating that a security risk may be present
  • FAIL: A failing result, indicating that a security risk is present
  • UNKNOWN: An unknown result, indicating that the security risk could not be determined


Severity

Each scan report result also contains one of the following severity levels:

  • Low: The risk of a compromise is not significant
  • Medium: There is a moderate chance of compromise, depending on other mitigating factors
  • High: There is a considerable risk of compromise
  • Critical: There is an immediate risk of compromise, or a compromise may have already occurred


New risks

The first scan report that runs in your account is used as the baseline for the second report, which in turn becomes the baseline for the third, and so on. As scans are run, new risks are detected and highlighted in your scan reports with the New Risk label. A new risk is a risk that was either absent or passing in the previous report and is now warning or failing.
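To make the status, severity and New Risk rules concrete, here is an added Python example; it is not Aqua's code or API. It models a scan result with the fields listed in the Overview and diffs a constructed baseline report against a constructed follow-up report to decide which results earn the New Risk label. The plugin names, ARNs, account number and messages in the sample data are constructed for illustration, and the `plugin` field and the (plugin, region, resource) identity key are assumptions, since the page does not say how Aqua matches results between reports.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Status codes and severity levels exactly as the report documentation lists them.
STATUSES = ("PASS", "WARN", "FAIL", "UNKNOWN")
SEVERITIES = ("Low", "Medium", "High", "Critical")
# Statuses that say a risk is present (FAIL) or may be present (WARN).
RISK_STATUSES = frozenset({"WARN", "FAIL"})


@dataclass(frozen=True)
class ScanResult:
    """One result row of a scan report. `plugin` (the check's name) is an
    assumption; the other five fields are the ones the report documents."""
    plugin: str
    status: str
    severity: str
    region: str
    resource: str
    message: str

    def __post_init__(self) -> None:
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")

    @property
    def key(self) -> tuple[str, str, str]:
        # Assumed identity of a risk across reports: the same check applied to
        # the same resource in the same region.
        return (self.plugin, self.region, self.resource)


def new_risks(previous: Iterable[ScanResult], current: Iterable[ScanResult]) -> list[ScanResult]:
    """Results in `current` that earn the New Risk label: WARN or FAIL now,
    while the same check/resource was absent or PASS in `previous`.
    A result that was already WARN/FAIL (or UNKNOWN) before is not new,
    even if it moved from WARN to FAIL."""
    prior_status = {r.key: r.status for r in previous}
    return [
        r for r in current
        if r.status in RISK_STATUSES and prior_status.get(r.key, "PASS") == "PASS"
    ]


def count_by_severity(results: Iterable[ScanResult]) -> dict[str, int]:
    """Number of WARN/FAIL results per severity level, Critical first."""
    counts = {sev: 0 for sev in reversed(SEVERITIES)}
    for r in results:
        if r.status in RISK_STATUSES:
            counts[r.severity] += 1
    return counts


# Constructed sample reports (account id, ARNs, plugin names and messages are made up).
ACCOUNT = "111122223333"
SG = f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/sg-example"
TRAIL = f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/example-trail"
BUCKET = "arn:aws:s3:::example-bucket"
IAM_ROOT = f"arn:aws:iam::{ACCOUNT}:root"

BASELINE = [
    ScanResult("Open Kibana", "PASS", "Low", "us-east-1", SG, "No ports are open"),
    ScanResult("Audit Logging Enabled", "FAIL", "High", "us-east-1", TRAIL, "Audit logging is disabled"),
    ScanResult("S3 Bucket Encryption", "PASS", "High", "us-east-1", BUCKET, "The S3 bucket is encrypted"),
]

LATEST = [
    # Was PASS in the baseline, FAIL now -> New Risk.
    ScanResult("Open Kibana", "FAIL", "Low", "us-east-1", SG, "The Kibana port is exposed"),
    # Was already FAIL -> still a risk, but not a new one.
    ScanResult("Audit Logging Enabled", "FAIL", "High", "us-east-1", TRAIL, "Audit logging is disabled"),
    # Was PASS, FAIL now -> New Risk.
    ScanResult("S3 Bucket Encryption", "FAIL", "High", "us-east-1", BUCKET, "The S3 bucket is not encrypted"),
    # Not present in the baseline at all, WARN now -> New Risk.
    ScanResult("IAM User Admins", "WARN", "Medium", "us-east-1", IAM_ROOT, "Only 1 admin user found; 2 recommended"),
    # UNKNOWN never carries the label: there was nothing to check.
    ScanResult("Vision Model Data Encrypted", "UNKNOWN", "Medium", "us-east-1", "(no resource)", "No Vision model data found"),
]


def run_example() -> tuple[list[str], dict[str, int]]:
    """Plugins flagged New Risk in LATEST, plus LATEST's open risks per severity."""
    flagged = [r.plugin for r in new_risks(BASELINE, LATEST)]
    return flagged, count_by_severity(LATEST)


if __name__ == "__main__":
    flagged, counts = run_example()
    for name in flagged:
        print("New Risk:", name)
    print("Open risks by severity:", counts)
```

Running the block prints three New Risk lines (Open Kibana, S3 Bucket Encryption, IAM User Admins) and the severity counts for the latest report. Note that `new_risks` follows the page's definition literally: a check that moves from WARN to FAIL, or from UNKNOWN to FAIL, is not labelled new, so a team that wants to be alerted on those transitions needs an extra comparison of its own.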


Examples of CSPM scan results

In general, the Result of a scan is explained in the "More Info" section of the Plugin Details window.

For example, in the following screenshot, you can see that the result for the "Open Kibana" plugin is "Pass", and the Plugin Details explain that this plugin requires TCP port 5801 not to be exposed. This check therefore passes because no ports are open for this instance:



Similarly, in the following screenshot, the "Audit Logging Enabled" check is failed, because Audit logging is in fact disabled:



WARN results are usually non-critical alerts and settings that are outside the guidelines, but do not violate standards. 

The reasons for a WARN result may vary. The following screenshot shows one specific example. The "IAM User Admins" check produces a warning because the recommendation is to have two administrator users, but the checked instance has only one. While this doesn't pose a security risk (as it would if there were multiple administrators), it's still something you might want to change.



Anything that couldn't be successfully scanned will be marked "unknown". For example, this plugin checks that the Vision model data is encrypted; but this instance doesn't have any, so there is no resource to be checked for compliance, and the scan result remains unknown.

Aqua assigns a set severity ranking to each plugin that reflects our interpretation of the plugin's risk to the cloud account and its likelihood of exploitability. A severity ranking can be "low", "medium", "high", or "critical". Every severity ranking can also be overridden on a global or per-IaaS account basis if you determine that Aqua CSPM's assigned severity is not appropriate.

Aqua CSPM severity rankings are provided "out-of-the-box" based on the following:
  • Cloud provider (e.g., AWS, Azure, or GCP) documentation, white papers, and blog posts
  • Common industry best practices
  • Public benchmark programs, such as CIS
  • Compliance programs, such as PCI and HIPAA


In general, you can see how the severity is assigned in the screenshots above. For example:
  • Audit logging is a crucial part of security monitoring, and having it disabled poses a high security risk; therefore, Aqua considers it a risk of "High" severity.
  • The "Open Kibana" policy only applies to a specific port used by a specific service, so it doesn't pose a risk as important as that of disabled audit logging; therefore, Aqua assigns it a "Low" severity ranking.