Aqua CSPM is divided into two main functionalities:

  1. Scanning
  2. Event Monitoring

Scanning occurs via a pull model; CSPM queries your cloud account APIs to obtain information about resources at that point in time.

Real-Time Events occur via a push model; CSPM connects to event streams, such as AWS CloudTrail, to receive a continuous stream of activity occurring in the account, which it evaluates for security risks.


Introduction to Real-Time Events

Real-Time Events is an optional add-on feature for Aqua Enterprise plan users. Events enable CSPM to monitor additional activity feeds in your infrastructure accounts for suspicious or security-sensitive activity. For example, Events can detect when a user logs into your account without using an MFA device, or when changes are made in unused cloud provider regions.

It is important to note that the CSPM Events feature is not a replacement for logging infrastructure: Events receives a copy of all security-relevant events but saves only the ones that it deems potentially suspicious, so it does not retain a complete audit trail.

Event Signatures

Aqua CSPM Events is a proprietary solution that monitors the event activity occurring in your infrastructure accounts for potentially malicious activity. Because the set of services, settings, APIs, and threat feeds changes on an ongoing basis, Aqua does not publish the list of signatures it monitors for. However, the following are examples of signatures across several categories of services:

  • Requesting new TLS certificates through AWS ACM
  • Modifying, deleting, stopping, or otherwise tampering with AWS CloudTrail and CloudWatch logs
  • Modifying, deleting, stopping, or otherwise tampering with AWS ConfigService settings
  • Creating new VPC peering connections with third-party AWS accounts
  • Modifying network ACL settings
  • Modifying EC2 security group settings
  • Changing IAM password configurations and settings
  • Deleting or modifying MFA devices associated with user accounts
  • Creating or modifying S3 buckets and bucket settings
  • Logging into the AWS console
  • Making requests in unused AWS regions or from untrusted IP addresses
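To make the signature idea concrete, the following is an added example (not Aqua's code) that applies three of the categories above to CloudTrail records of the kind a CloudWatch Events rule delivers: console login without MFA, tampering with CloudTrail logging, and activity in a region the account does not use. The allowed-region set and all event records are constructed assumptions.

```python
# Added example, not Aqua's code: a small detector that applies three of the
# signature categories listed above to CloudTrail records as delivered by a
# CloudWatch Events rule (the record sits under the "detail" key).
# Every record below is a constructed sample, not captured from a real account.
import json

# Assumption: the regions this account legitimately uses.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}
# CloudTrail API calls that disable or alter logging.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(record):
    """Return the finding names that apply to one CloudTrail record (empty if benign)."""
    findings = []
    name = record.get("eventName")
    # Console login without an MFA device (CloudTrail reports MFAUsed as "Yes"/"No").
    if name == "ConsoleLogin":
        if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append("console_login_without_mfa")
    # Modifying, stopping or deleting CloudTrail logging.
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TAMPER_EVENTS:
        findings.append("cloudtrail_tampering")
    # Any API call made in a region the account does not use.
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        findings.append("unused_region_activity")
    return findings


def scan(events):
    """Map each CloudWatch event's CloudTrail eventID to its findings."""
    return {e["detail"]["eventID"]: classify(e["detail"]) for e in events}


# Constructed CloudWatch Events payloads wrapping CloudTrail records.
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"detail-type": "AWS Console Sign In via CloudTrail", "detail": {"eventID": "e1",'
    ' "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",'
    ' "additionalEventData": {"MFAUsed": "No"}}}',
    '{"detail-type": "AWS API Call via CloudTrail", "detail": {"eventID": "e2",'
    ' "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1"}}',
    '{"detail-type": "AWS API Call via CloudTrail", "detail": {"eventID": "e3",'
    ' "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-southeast-2"}}',
    '{"detail-type": "AWS API Call via CloudTrail", "detail": {"eventID": "e4",'
    ' "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1"}}',
)]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings or "ok")
```

A production rule set would also need an allow-list of trusted source IPs and per-signature severities; this block only shows the matching logic.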

Cloud Support

Currently, Events supports AWS via AWS CloudWatch Events (which utilizes AWS CloudTrail behind the scenes).

Support is being added for Azure Monitor events in Q3 2020.

Getting Started

If you wish to use the Events feature, please ensure your Aqua account is enrolled as a Premier plan and that you have connected an existing AWS cloud account.

Next, follow our onboarding guide to enroll your account in Events.