Aqua CSPM is divided into two main functionalities:
- Scanning: occurs via a pull model; CSPM queries your cloud account APIs to obtain a point-in-time view of the resources in the account.
- Event Monitoring (Real-Time Events): occurs via a push model; CSPM subscribes to event streams, such as AWS CloudTrail, to receive a continuous stream of the activity occurring in the account, and evaluates each event for security risks as it arrives.
Introduction to Real-Time Events
Real-Time Events is an optional add-on feature for Aqua Enterprise plan users. Events enable CSPM to monitor additional activity feeds in your infrastructure accounts for suspicious or security-sensitive activity. For example, Events can detect when a user logs into your account without using an MFA device, or when changes are made in unused cloud provider regions.
It is important to note that the CSPM Events feature is not a replacement for logging infrastructure. Events receives a copy of the security-relevant events and retains only the ones that it deems potentially suspicious; the full event history is not kept. Keep your own CloudTrail (and equivalent) logging enabled and delivered to durable storage so that the complete record remains available for investigation and forensics.
Aqua CSPM Events is a proprietary solution that monitors the event activity occurring in your infrastructure accounts for potentially malicious activity. Because the set of services, settings, APIs, and threat feeds changes on an ongoing basis, Aqua does not publish the list of signatures it monitors for. However, the following are examples of signatures across several categories of services:
- Requesting new TLS certificates through AWS ACM
- Modifying, deleting, stopping, or otherwise tampering with AWS CloudTrail and CloudWatch logs
- Modifying, deleting, stopping, or otherwise tampering with AWS ConfigService settings
- Creating new VPC peering connections with third-party AWS accounts
- Modifying network ACL settings
- Modifying EC2 security group settings
- Changing IAM password configurations and settings
- Deleting or modifying MFA devices associated with user accounts
- Creating or modifying S3 buckets and bucket settings
- Logging into the AWS console
- Making requests in unused AWS regions or from untrusted IP addresses
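The evaluation that Events performs on each incoming CloudTrail record can be illustrated with a small signature evaluator. The following is an added example written for this page, not Aqua's code: the signature names, the set of "used" regions, the trusted IP range and the sample records are all assumptions constructed for the example. Each sample record mimics the CloudTrail record that CloudWatch Events delivers in the `detail` field of an event, and each signature corresponds to one of the categories listed above (console login without MFA, CloudTrail and Config tampering, MFA device changes, security group changes, S3 bucket changes, unused regions, untrusted IPs).

```python
"""Toy CloudTrail signature evaluator (added example; not Aqua CSPM code).

Every constant below is an assumption made for this example: the region
allow-list, the trusted network, the API-name sets and the sample records.
"""
import ipaddress

# Assumed organisational policy: regions actually in use and the egress
# range from which administrators are expected to call the AWS APIs.
USED_REGIONS = {"us-east-1", "eu-west-1"}
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range

# API names grouped by the signature category they feed (assumed subsets).
CLOUDTRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
CONFIG_TAMPER = {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                 "DeleteDeliveryChannel"}
MFA_TAMPER = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}
SG_CHANGE = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
S3_CHANGE = {"CreateBucket", "PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"}


def console_login_without_mfa(ev):
    """Successful console sign-in where CloudTrail did not record MFA use."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def _api_in(ev, source, names):
    return ev.get("eventSource") == source and ev.get("eventName") in names


def cloudtrail_tampering(ev):
    return _api_in(ev, "cloudtrail.amazonaws.com", CLOUDTRAIL_TAMPER)


def config_tampering(ev):
    return _api_in(ev, "config.amazonaws.com", CONFIG_TAMPER)


def mfa_device_tampering(ev):
    return _api_in(ev, "iam.amazonaws.com", MFA_TAMPER)


def security_group_change(ev):
    return _api_in(ev, "ec2.amazonaws.com", SG_CHANGE)


def s3_bucket_change(ev):
    return _api_in(ev, "s3.amazonaws.com", S3_CHANGE)


def unused_region(ev):
    return ev.get("awsRegion") not in USED_REGIONS


def untrusted_ip(ev):
    """Caller IP outside the trusted range. Calls made by AWS services on
    the account's behalf carry a service name (e.g. autoscaling.amazonaws.com)
    instead of an IP address; those are not treated as untrusted here."""
    try:
        addr = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
    except ValueError:
        return False
    return not any(addr in net for net in TRUSTED_NETWORKS)


# Evaluation order is the order of findings returned for an event.
SIGNATURES = {
    "console_login_without_mfa": console_login_without_mfa,
    "cloudtrail_tampering": cloudtrail_tampering,
    "config_tampering": config_tampering,
    "mfa_device_tampering": mfa_device_tampering,
    "security_group_change": security_group_change,
    "s3_bucket_change": s3_bucket_change,
    "unused_region": unused_region,
    "untrusted_ip": untrusted_ip,
}


def evaluate(ev):
    """Return the names of all signatures that match one CloudTrail record."""
    return [name for name, check in SIGNATURES.items() if check(ev)]


def evaluate_stream(events):
    """Return (eventName, findings) for every record that matched at least
    one signature, mirroring 'keep only the suspicious ones'."""
    return [(ev["eventName"], f) for ev in events if (f := evaluate(ev))]


# Constructed sample records in CloudTrail record shape (not real log data).
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "autoscaling.amazonaws.com"},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for name, findings in evaluate_stream(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(findings)}")
```

Running the block prints one line per suspicious record; the `RunInstances` call made by the Auto Scaling service principal produces no finding, which is the edge case a region or IP signature has to handle so that service-initiated activity does not flood the queue with false positives.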
Currently, Events supports AWS via AWS CloudWatch Events (now Amazon EventBridge), which delivers CloudTrail records to subscribers as they are written. Note that this delivery path carries mutating API calls and console sign-ins; read-only calls (Describe, List, Get) are generally not delivered through it, which is another reason to keep your own CloudTrail trail as the complete record.
Support is being added for Azure Monitor events in Q3 2020.
If you wish to use the Events feature, please ensure your Aqua account is enrolled in a Premier plan and that you have already connected an AWS cloud account.
Next, follow our onboarding guide to enroll that account in Events.