Aqua CSPM scans can take one of several forms, depending on who (or what) initiated them and what the focus of the report is. For example, background scans cover a full snapshot of the entire infrastructure environment using all available plugins, while live-run scans are used for debugging and only test one plugin at a time.



Background Scans

Background scans are full scans (i.e. all plugins are run) of your entire cloud account infrastructure that run on a periodic basis, depending on the scan interval setting of the cloud account. Background scan results are saved as a report, which is accessible via the Scan Reports page in the Aqua console. To view detailed reports, navigate to Scans > Scan Reports, locate the desired cloud account and click View Report.


On-Demand Scans

On-demand scans are initiated by a user via the Aqua console or an API call. Unlike background scans, the results of an on-demand scan are returned in the browser and are not saved. On-demand scans can be triggered from the Cloud Accounts page by clicking the Scan button next to any cloud account that has background scanning disabled.


Live Run Scans

Live Run scans are a useful debugging tool that enables you to run a specific plugin (security check) against a connected cloud account and see the full response data from the cloud provider. These scans are run directly from the browser or API and contain the full CSPM scan results, along with source API data (e.g. the full response body from the "ec2:describeInstances" call).


Event Scans

When using CSPM's automated Remediations feature, Aqua performs a real-time event-based scan of specific resources whenever a supported API call is observed.


For example, if Remediations is configured to automatically remediate unencrypted S3 buckets, then when CSPM detects the "S3:CreateBucket" API call in your AWS account, it triggers an event scan of that specific S3 bucket for the S3 Bucket Encrypted plugin. If the result is FAIL for the impacted resource, then the remediation is executed.
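The event-scan flow described above, modelled as an added Python example (not Aqua's code or API): an observed API call is mapped to one plugin, only the resource named in the event is checked, and the remediation runs only on FAIL. The function and table names, the bucket state and the CloudTrail-style records are constructed assumptions.

```python
# Added illustration: a toy model of the event-scan flow, not Aqua's code.
# All names below (EVENT_PLUGINS, handle_event, ...) are hypothetical.

# Plugins with an automated remediation configured, keyed by the
# (eventSource, eventName) pair of the CloudTrail record that triggers them.
EVENT_PLUGINS = {
    ("s3.amazonaws.com", "CreateBucket"): "S3 Bucket Encrypted",
}

def s3_bucket_encrypted(bucket_config):
    """Return PASS if the bucket has a default encryption rule, else FAIL."""
    return "PASS" if bucket_config.get("encryption_rules") else "FAIL"

CHECKS = {"S3 Bucket Encrypted": s3_bucket_encrypted}

def handle_event(record, describe_bucket, remediate):
    """Scan only the resource named in the event, with only the mapped plugin."""
    key = (record.get("eventSource"), record.get("eventName"))
    plugin = EVENT_PLUGINS.get(key)
    if plugin is None:
        return None  # no remediation configured for this API call
    if "errorCode" in record:
        return None  # the call failed, so no resource was created
    bucket = record["requestParameters"]["bucketName"]
    result = CHECKS[plugin](describe_bucket(bucket))
    if result == "FAIL":
        remediate(plugin, bucket)
    return {"plugin": plugin, "resource": bucket, "result": result}

# Constructed sample data: bucket state and CloudTrail-style records.
BUCKETS = {
    "logs-plain": {"encryption_rules": []},
    "logs-kms": {"encryption_rules": [{"SSEAlgorithm": "aws:kms"}]},
}
RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "logs-plain"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "logs-kms"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {}},
]

def run_demo():
    remediated = []
    results = [handle_event(r, BUCKETS.__getitem__,
                            lambda p, b: remediated.append((p, b)))
               for r in RECORDS]
    return results, remediated

if __name__ == "__main__":
    print(run_demo())
```
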


Scan Type Comparison


| | Background Scan | On-Demand Scan | Live Run Scan | Event Scan |
|---|---|---|---|---|
| Runs regularly based on a pre-defined interval | Yes | No | No | No |
| Can be triggered by a user at any time | No | Yes | Yes | No |
| Runs all plugins across the infrastructure | Yes | Yes | No | No |
| Sends scan summary reports to email and third-party integrations | Yes | No | No | No |
| Triggers alerts to third-party integrations | Yes | No | No | No |
| Triggered by an API call event in the cloud account | No | No | No | Yes |
| Returns the full cloud provider API response data | No | No | Yes | No |
| Results are saved for future reference | Yes | No | No | Yes |