Aqua CSPM scan reports can be customized by suppressing certain plugins that may not be applicable to your environment or audit a security control or resource that you prefer not to audit. Using the Suppressionfunctionality, you can control exactly which plugins, regions, and resources are evaluated as part of CSPM scans.


Introduction to Suppressions

Suppressions are a way of telling CSPM not to produce certain results in its scan reports. While CSPM will still query and audit these resources, any failures detected that match a suppression will not trigger "new risk" alerts or impact the security score of the report.

Suppressions can be added, removed, or modified at any time by an Aqua admin or group admin.

Types of Suppressions

Suppressions can take the following forms:

  1. Suppress a plugin across all cloud accounts
  2. Suppress a plugin for a specific cloud account
  3. Suppress a region across all cloud accounts
  4. Suppress a region for a specific cloud account
  5. Suppress a resource for a specific cloud account

Global Suppressions

A global suppression means that the suppression applies to all connected cloud accounts as well as accounts connected in the future. Global suppressions are ideal for when the specific security control (plugin) is not required across the organization and should not be run for any cloud accounts.

Viewing Suppressions

Suppressions can be viewed by following these steps:

  1. Log into the Aqua console.
  2. In the left navigation pane, navigate to Scans and select Suppressions.
  3. Use the filters to search for the cloud account, region, or plugin associated with the suppression.

Creating New Suppressions

Suppressions can be created by following these steps:

  1. Log into the Aqua console.
  2. In the left navigation pane, navigate to Scans and select Suppressions.
  3. Click Create Suppression at the top right.
  4. Choose whether you want to suppress a plugin or a region.
  5. Enter the details for the suppression (expiration date, comment, etc.).
  6. Apply the suppression either to all cloud accounts (global) or specific cloud accounts.

Creating New Suppressions using Regular Expressions (regex)

Suppressing a resource for a specific cloud account can be done in two ways: 

  • By applying a suppression rule on the exact resource name 
  • Using Regular expressions (regex)

Regular expressions are string patterns that provide greater flexibility in matching resource names. Regular expressions performs string processing and skips resources that match the regex pattern.

To create a suppression through Regex:

  1. Login to the Aqua console.
  2. In the left navigation pane, select Suppressions under Scans.
  3. Select Create Suppression at the top right. 
  4. Select the Suppress a Regex option in the pop-up window. You can specify if you want to enable suppression for all plugins or for a particular plugin in selected cloud accounts.
  5. Select the Cloud account and enter the Regex pattern. You can optionally specify a Comment and Expiration detail.
  6. Select the cloud accounts to be suppressed.
  1. You can suppress all the cloud accounts by enabling Suppress plugin globally (for all accounts).
  2. You can suppress only the desired cloud accounts by enabling the Suppressed toggle next to a particular cloud account.

7. You get a message: "successfully created suppression". 

8. The resources that were suppressed using regex would be tick marked for regex attribute as displayed in the screenshot:

Expiring Suppressions

Suppressions can be created with an expiration date. After the suppression expires, it is treated as a deleted suppression and must be re-created.

Accessing Suppressed Results

Although suppressions prevent results from triggering new risk notifications and alerts, the raw results are still stored by Aqua. This is a good way to debug suppressions and ensure that no security risks are accidentally missed because of an errant suppression.

To see the suppressed results, navigate to any scan report and select the Suppressed tab. You can click any row to see more details about why the result was suppressed, including a link to the original suppression.

Removing Suppressions

To remove or delete a suppression, simply locate it on the Suppressions page and select Delete from the drop-down menu to its right. The suppression will be removed for all future scan reports, but existing scan reports will not be impacted.