Overview

Infrastructure as code has become a powerful tool for deploying cloud resources. Unlike "point and click" deployments using the UI, infrastructure as code templates can be checked into source control, versioned, and audited for security vulnerabilities, all before the infrastructure itself is ever deployed.


Aqua can help secure your infrastructure as code templates with its built-in IaC scanning engine.


Introduction to IaC scanning

Aqua supports scanning the following template types:

  • AWS CloudFormation (JSON)
  • AWS CloudFormation (YAML)
  • AWS Terraform
  • Azure Terraform
  • GCP Terraform


IaC scanning works by uploading the source template or folder to Aqua CSPM, either via the UI dashboard or via the API. The template is processed server-side, and the response to the API call includes a breakdown of the potential security risks the template would introduce if deployed.


Scanning templates in the Aqua dashboard

Aqua provides a simple interface for uploading and processing IaC templates. To get started:

  1. Log into Aqua and navigate to Tools > CloudFormation Scan (or "Terraform Scan").
  2. Upload your template using the drag-and-drop interface, or copy and paste it into the textbox.
  3. Click Run CloudFormation Scan to begin processing the template (note: when dragging a file, this occurs automatically).
  4. The results appear at the bottom of the page.


Scanning templates via API in CI/CD

The Aqua IaC scanning service is designed to be consumed via API and can easily be integrated into CLI or API-based CI/CD systems for processing. To get started:

  1. Ensure you have an Aqua API key (generated from the "API Keys" page).
  2. Follow the API access instructions for generating a scan.
  3. View the code samples for more examples.
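To make concrete what a scan "breakdown of potential security risks" looks like and how a CI/CD job turns it into a pass/fail gate, here is an added example. It is not Aqua's scanner or Aqua's API: it is a small, self-contained pre-check that parses a CloudFormation JSON template, flags three well-known misconfigurations using the real CloudFormation property names (`AccessControl` on `AWS::S3::Bucket`, `SecurityGroupIngress` on `AWS::EC2::SecurityGroup`, `PubliclyAccessible` on `AWS::RDS::DBInstance`), and returns a non-zero exit code when a finding meets the severity threshold. The sample template, the finding format, and the severity labels are constructed for this example; a real pipeline would submit the template to the Aqua API as described above and gate on its response instead.

```python
"""Minimal local pre-check for CloudFormation JSON templates (added example).

This is NOT the Aqua scanner or its API. It illustrates the kind of
per-resource risk breakdown an IaC scan returns and how a CI/CD job turns
that breakdown into a pass/fail gate. The three checks use real
CloudFormation property names; the sample template below is constructed.
"""
import json
import sys
from typing import Any, Dict, List

# Constructed sample: each resource kind appears once misconfigured, once hardened.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PublicBucket": {"Type": "AWS::S3::Bucket",
                         "Properties": {"AccessControl": "PublicRead"}},
        "PrivateBucket": {"Type": "AWS::S3::Bucket",
                          "Properties": {"AccessControl": "Private"}},
        "OpenSsh": {"Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"GroupDescription": "ssh from anywhere",
                                   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                                             "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "InternalSsh": {"Type": "AWS::EC2::SecurityGroup",
                        "Properties": {"GroupDescription": "ssh from corporate range",
                                       "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                                                 "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
        "PublicDb": {"Type": "AWS::RDS::DBInstance",
                     "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                                    "AllocatedStorage": "20", "PubliclyAccessible": True}},
    },
})

ADMIN_PORTS = (22, 3389)                 # SSH and RDP
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"     # "anywhere" CIDRs


def _rule_exposes_admin_port(rule: Dict[str, Any]) -> bool:
    """True when an ingress rule lets the whole internet reach SSH or RDP."""
    if rule.get("CidrIp") != ANY_V4 and rule.get("CidrIpv6") != ANY_V6:
        return False
    if str(rule.get("IpProtocol")) == "-1":      # all protocols, all ports
        return True
    try:                                          # CloudFormation allows ports as int or string
        lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    except (TypeError, ValueError):
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def scan_template(text: str) -> List[Dict[str, str]]:
    """Return one finding per risky resource: {resource, type, severity, issue}."""
    doc = json.loads(text)
    findings: List[Dict[str, str]] = []
    for name, res in doc.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
            findings.append({"resource": name, "type": rtype, "severity": "HIGH",
                             "issue": f"bucket ACL {props['AccessControl']} grants anonymous access"})
        elif rtype == "AWS::EC2::SecurityGroup":
            if any(_rule_exposes_admin_port(r) for r in props.get("SecurityGroupIngress", [])):
                findings.append({"resource": name, "type": rtype, "severity": "HIGH",
                                 "issue": "SSH/RDP ingress open to 0.0.0.0/0 or ::/0"})
        elif rtype == "AWS::RDS::DBInstance" and str(props.get("PubliclyAccessible")).lower() == "true":
            findings.append({"resource": name, "type": rtype, "severity": "MEDIUM",
                             "issue": "database instance is publicly accessible"})
    return findings


def ci_exit_code(text: str, fail_on: str = "HIGH") -> int:
    """Pipeline gate: 1 if any finding is at or above the fail_on severity, else 0."""
    order = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    threshold = order[fail_on]
    return int(any(order[f["severity"]] >= threshold for f in scan_template(text)))


if __name__ == "__main__":
    # Usage: python iac_precheck.py template.json   (defaults to the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for f in scan_template(source):
        print(f"[{f['severity']}] {f['resource']} ({f['type']}): {f['issue']}")
    sys.exit(ci_exit_code(source))
```

Run against the constructed sample, the script reports `PublicBucket`, `OpenSsh` and `PublicDb` and exits 1, which is what makes a CI step fail; the hardened siblings (`PrivateBucket`, `InternalSsh`) produce nothing. The `fail_on` threshold is the design point to keep when wiring a real scanner in: block the merge on the severities you cannot tolerate, and report the rest without failing the build so the gate stays credible.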