Overview

Aqua CSPM is divided into two main functions:

  1. Scanning
  2. Event Monitoring


Scanning uses a pull model: CSPM queries your cloud account's APIs and evaluates the configuration of your resources as it exists at that point in time. A change that is made and reverted between two scans is therefore not seen by scanning.


Real-Time Events use a push model: CSPM subscribes to the account's event streams and receives a continuous feed of activity as it happens, which it evaluates for security risks.


Introduction to Real-Time Events

Real-Time Events is an optional add-on feature for Aqua Premier/Enterprise plan users. Events enable CSPM to monitor additional activity feeds in your infrastructure accounts for suspicious or security-sensitive activity. For example, Events can detect when a user logs into your account without using an MFA device, or when changes are made in unused cloud provider regions.


It is important to note that the CSPM Events feature is not a replacement for your own logging infrastructure (for example, AWS CloudTrail or the Azure activity log). Events receives a copy of the security-relevant event stream and retains only the events it classifies as potentially suspicious; the complete audit trail lives in, and must continue to be kept by, your own logging.


Cloud Support

Aqua CSPM supports Real-Time Events for AWS, Azure, and GCP. On AWS, events are delivered through AWS CloudWatch Events (now Amazon EventBridge); on Azure, through Azure Monitor, using the activity log and activity log alert rules; on GCP, through a Cloud Logging log router sink that publishes to a Pub/Sub topic.


Event Signatures

Aqua CSPM Events is a proprietary solution that monitors the event activity in your infrastructure accounts for potentially malicious activity. Because the set of services, settings, APIs and threat feeds changes on an ongoing basis, Aqua does not publish the list of signatures it monitors for.


AWS

Listed below are some examples of event signatures across several categories of AWS services:

  • Requesting new TLS certificates through AWS ACM
  • Modifying, deleting, stopping, or otherwise tampering with AWS CloudTrail trails and CloudWatch Logs
  • Modifying, deleting, stopping, or otherwise tampering with AWS Config (ConfigService) settings
  • Creating new VPC peering connections with third-party AWS accounts
  • Modifying network ACL settings
  • Modifying EC2 security group settings
  • Changing IAM password configurations and settings
  • Deleting or modifying MFA devices associated with user accounts
  • Creating or modifying S3 buckets and bucket settings
  • Logging into the AWS console
  • Making requests in unused AWS regions or from untrusted IP addresses
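
As an added illustration (this is not Aqua's code and not its actual signature set), the toy Python below takes CloudTrail records in the envelope that CloudWatch Events/EventBridge delivers them in, with the CloudTrail record under the envelope's "detail" key, and evaluates each record against four of the categories above: console login without MFA, logging tampering, security group changes, and mutating activity in unused regions. The allowed-region set, the API-call lists and the sample events are constructed assumptions for this example.

```python
"""Toy evaluation of CloudTrail records, as delivered by CloudWatch Events /
EventBridge, against a few of the AWS signature categories listed above.

Added illustration only: these are NOT Aqua CSPM's signatures, and every
payload below is constructed rather than captured from a real account.
"""
from typing import Callable, Dict, List, Tuple

# Assumption: the regions this (hypothetical) account legitimately uses.
# Any other region is treated as "unused" by the last signature.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# API calls that stop, delete or weaken logging and configuration recording.
LOGGING_TAMPER_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "config.amazonaws.com": {"StopConfigurationRecorder",
                             "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream",
                           "PutRetentionPolicy"},
}
SECURITY_GROUP_CALLS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
}


def console_login_without_mfa(record: Dict) -> bool:
    """Successful console sign-in where CloudTrail did not report MFAUsed=Yes."""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def logging_tampering(record: Dict) -> bool:
    """CloudTrail / AWS Config / CloudWatch Logs calls that reduce visibility."""
    tamper_calls = LOGGING_TAMPER_CALLS.get(record.get("eventSource"), set())
    return record.get("eventName") in tamper_calls


def security_group_change(record: Dict) -> bool:
    """Any EC2 security group rule change."""
    return (record.get("eventSource") == "ec2.amazonaws.com"
            and record.get("eventName") in SECURITY_GROUP_CALLS)


def activity_in_unused_region(record: Dict) -> bool:
    """Mutating (non read-only) call outside the allow-listed regions. Read-only
    Describe*/List* calls are skipped: they are noisy and change nothing."""
    return (not record.get("readOnly", False)
            and record.get("awsRegion") not in ALLOWED_REGIONS)


# Order only affects the order of names in the result.
SIGNATURES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("console_login_without_mfa", console_login_without_mfa),
    ("logging_tampering", logging_tampering),
    ("security_group_change", security_group_change),
    ("activity_in_unused_region", activity_in_unused_region),
]


def evaluate(event: Dict) -> List[str]:
    """Unwrap one CloudWatch Events/EventBridge envelope (the CloudTrail record
    sits under the "detail" key) and return the names of matching signatures."""
    record = event.get("detail", {})
    return [name for name, check in SIGNATURES if check(record)]


# Constructed sample events in the envelope shape EventBridge uses for
# CloudTrail-sourced events; all field values are made up for this example.
SAMPLE_EVENTS = [
    {"source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
     "detail": {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
                "awsRegion": "us-east-1",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "No"}}},
    {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "awsRegion": "us-east-1", "readOnly": False,
                "requestParameters": {"name": "org-trail"}}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "ec2.amazonaws.com",
                "eventName": "AuthorizeSecurityGroupIngress",
                "awsRegion": "ap-southeast-2", "readOnly": False}},
    {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "awsRegion": "ap-southeast-2", "readOnly": True}},
]


def run_samples() -> Dict[str, List[str]]:
    """Evaluate every sample; keys are eventName@region for readability."""
    return {f'{e["detail"]["eventName"]}@{e["detail"]["awsRegion"]}': evaluate(e)
            for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for key, hits in run_samples().items():
        print(f"{key:45} -> {hits or 'no match'}")
```

Two design points worth noting: the unused-region signature needs a per-account allow list, so it is a tunable rather than a fixed rule, and it deliberately ignores read-only calls, because a scanner or inventory tool running Describe* calls in an unused region is noise whereas a RunInstances or AuthorizeSecurityGroupIngress there is not. A single record can match more than one signature; the third sample trips both the security group and the unused-region checks.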


Azure

Listed below are some examples of event signatures across several categories of Azure services:

  • Creating, modifying, or deleting activity log alert rules
  • Creating new security rules in network security groups
  • Creating storage accounts without the HTTPS-only (secure transfer required) setting
  • Creating or updating web apps (Microsoft.Web sites)


GCP

Listed below are some examples of event signatures across several categories of GCP services:

  • Inserting, patching, or deleting firewall rules
  • Peering a VPC network with another network
  • Creating or deleting service accounts
  • Changing IAM password configurations and settings
  • Changing any property of a Cloud Storage bucket


Getting Started

If you wish to use the Events feature, ensure that your Aqua account is enrolled in a Premier/Enterprise plan and that you have already connected a cloud account (AWS, Azure, or GCP).


Next, follow our onboarding guides to enroll your cloud account in Events: