Aqua adheres strongly to the principle of least privilege and aims to collect the least amount of information necessary to provide its service. Different information is collected from each cloud provider's APIs, as is detailed below.

You retain complete control over the permissions granted to Aqua, because the cloud account connection is governed by the access controls enforced by the cloud provider itself. If Aqua lacks a permission that a particular test requires, it marks that test with an "unknown" result rather than skipping the scan entirely.

Amazon Web Services (AWS)

  • acm:Describe*
  • acm:List*
  • application-autoscaling:Describe*
  • appmesh:Describe*
  • appmesh:List*
  • appsync:List*
  • athena:List*
  • autoscaling:Describe*
  • batch:DescribeComputeEnvironments
  • batch:DescribeJobDefinitions
  • chime:List*
  • cloud9:Describe*
  • cloud9:ListEnvironments
  • clouddirectory:ListDirectories
  • cloudformation:DescribeStack*
  • cloudformation:GetTemplate
  • cloudformation:ListStack*
  • cloudformation:GetStackPolicy
  • cloudfront:Get*
  • cloudfront:List*
  • cloudhsm:ListHapgs
  • cloudhsm:ListHsms
  • cloudhsm:ListLunaClients
  • cloudsearch:DescribeDomains
  • cloudsearch:DescribeServiceAccessPolicies
  • cloudtrail:DescribeTrails
  • cloudtrail:GetEventSelectors
  • cloudtrail:GetTrailStatus
  • cloudtrail:ListTags
  • cloudtrail:LookupEvents
  • cloudwatch:Describe*
  • codebuild:ListProjects
  • codecommit:BatchGetRepositories
  • codecommit:GetBranch
  • codecommit:GetObjectIdentifier
  • codecommit:GetRepository
  • codecommit:List*
  • codedeploy:Batch*
  • codedeploy:Get*
  • codedeploy:List*
  • codepipeline:ListPipelines
  • codestar:Describe*
  • codestar:List*
  • cognito-identity:ListIdentityPools
  • cognito-idp:ListUserPools
  • cognito-sync:Describe*
  • cognito-sync:List*
  • comprehend:Describe*
  • comprehend:List*
  • config:BatchGetAggregateResourceConfig
  • config:BatchGetResourceConfig
  • config:Deliver*
  • config:Describe*
  • config:Get*
  • config:List*
  • datapipeline:DescribeObjects
  • datapipeline:DescribePipelines
  • datapipeline:EvaluateExpression
  • datapipeline:GetPipelineDefinition
  • datapipeline:ListPipelines
  • datapipeline:QueryObjects
  • datapipeline:ValidatePipelineDefinition
  • datasync:Describe*
  • datasync:List*
  • dax:Describe*
  • dax:ListTags
  • directconnect:Describe*
  • dms:Describe*
  • dms:ListTagsForResource
  • ds:DescribeDirectories
  • dynamodb:DescribeContinuousBackups
  • dynamodb:DescribeGlobalTable
  • dynamodb:DescribeTable
  • dynamodb:DescribeTimeToLive
  • dynamodb:ListBackups
  • dynamodb:ListGlobalTables
  • dynamodb:ListStreams
  • dynamodb:ListTables
  • ec2:Describe*
  • ecr:DescribeRepositories
  • ecr:GetRepositoryPolicy
  • ecs:Describe*
  • ecs:List*
  • eks:DescribeCluster
  • eks:ListClusters
  • elasticache:Describe*
  • elasticbeanstalk:Describe*
  • elasticfilesystem:DescribeFileSystems
  • elasticfilesystem:DescribeMountTargetSecurityGroups
  • elasticfilesystem:DescribeMountTargets
  • elasticloadbalancing:Describe*
  • elasticmapreduce:Describe*
  • elasticmapreduce:ListClusters
  • elasticmapreduce:ListInstances
  • es:Describe*
  • es:ListDomainNames
  • events:Describe*
  • events:List*
  • firehose:Describe*
  • firehose:List*
  • fms:ListComplianceStatus
  • fms:ListPolicies
  • fsx:Describe*
  • fsx:List*
  • gamelift:ListBuilds
  • gamelift:ListFleets
  • glacier:DescribeVault
  • glacier:GetVaultAccessPolicy
  • glacier:ListVaults
  • globalaccelerator:Describe*
  • globalaccelerator:List*
  • greengrass:List*
  • guardduty:Get*
  • guardduty:List*
  • iam:GenerateCredentialReport
  • iam:GenerateServiceLastAccessedDetails
  • iam:Get*
  • iam:List*
  • iam:SimulateCustomPolicy
  • iam:SimulatePrincipalPolicy
  • inspector:Describe*
  • inspector:Get*
  • inspector:List*
  • inspector:Preview*
  • iot:Describe*
  • iot:GetPolicy
  • iot:GetPolicyVersion
  • iot:List*
  • kinesis:DescribeStream
  • kinesis:ListStreams
  • kinesis:ListTagsForStream
  • kinesisanalytics:ListApplications
  • kms:Describe*
  • kms:Get*
  • kms:List*
  • lambda:GetAccountSettings
  • lambda:GetFunctionConfiguration
  • lambda:GetLayerVersionPolicy
  • lambda:GetPolicy
  • lambda:List*
  • license-manager:List*
  • lightsail:GetInstances
  • lightsail:GetLoadBalancers
  • logs:Describe*
  • logs:ListTagsLogGroup
  • machinelearning:DescribeMLModels
  • mediaconnect:Describe*
  • mediaconnect:List*
  • mediastore:GetContainerPolicy
  • mediastore:ListContainers
  • opsworks:DescribeStacks
  • opsworks-cm:DescribeServers
  • organizations:List*
  • organizations:Describe*
  • quicksight:Describe*
  • quicksight:List*
  • ram:List*
  • rds:Describe*
  • rds:DownloadDBLogFilePortion
  • rds:ListTagsForResource
  • redshift:Describe*
  • rekognition:Describe*
  • rekognition:List*
  • robomaker:Describe*
  • robomaker:List*
  • route53:Get*
  • route53:List*
  • route53domains:GetDomainDetail
  • route53domains:GetOperationDetail
  • route53domains:ListDomains
  • route53domains:ListOperations
  • route53domains:ListTagsForDomain
  • route53resolver:List*
  • route53resolver:Get*
  • s3:GetAccelerateConfiguration
  • s3:GetAccountPublicAccessBlock
  • s3:GetAnalyticsConfiguration
  • s3:GetBucket*
  • s3:GetEncryptionConfiguration
  • s3:GetInventoryConfiguration
  • s3:GetLifecycleConfiguration
  • s3:GetMetricsConfiguration
  • s3:GetObjectAcl
  • s3:GetObjectVersionAcl
  • s3:GetReplicationConfiguration
  • s3:ListAllMyBuckets
  • sagemaker:Describe*
  • sagemaker:List*
  • sdb:DomainMetadata
  • sdb:ListDomains
  • secretsmanager:GetResourcePolicy
  • secretsmanager:ListSecrets
  • secretsmanager:ListSecretVersionIds
  • securityhub:Describe*
  • securityhub:Get*
  • securityhub:List*
  • serverlessrepo:GetApplicationPolicy
  • serverlessrepo:List*
  • ses:GetIdentityDkimAttributes
  • ses:GetIdentityPolicies
  • ses:GetIdentityVerificationAttributes
  • ses:ListIdentities
  • ses:ListIdentityPolicies
  • ses:ListVerifiedEmailAddresses
  • shield:Describe*
  • shield:List*
  • snowball:ListClusters
  • snowball:ListJobs
  • sns:GetTopicAttributes
  • sns:ListSubscriptionsByTopic
  • sns:ListTopics
  • sqs:GetQueueAttributes
  • sqs:ListDeadLetterSourceQueues
  • sqs:ListQueues
  • sqs:ListQueueTags
  • ssm:Describe*
  • ssm:GetAutomationExecution
  • ssm:ListDocuments
  • sso:DescribePermissionsPolicies
  • sso:List*
  • states:ListStateMachines
  • storagegateway:DescribeBandwidthRateLimit
  • storagegateway:DescribeCache
  • storagegateway:DescribeCachediSCSIVolumes
  • storagegateway:DescribeGatewayInformation
  • storagegateway:DescribeMaintenanceStartTime
  • storagegateway:DescribeNFSFileShares
  • storagegateway:DescribeSnapshotSchedule
  • storagegateway:DescribeStorediSCSIVolumes
  • storagegateway:DescribeTapeArchives
  • storagegateway:DescribeTapeRecoveryPoints
  • storagegateway:DescribeTapes
  • storagegateway:DescribeUploadBuffer
  • storagegateway:DescribeVTLDevices
  • storagegateway:DescribeWorkingStorage
  • storagegateway:List*
  • tag:GetResources
  • tag:GetTagKeys
  • transfer:Describe*
  • transfer:List*
  • translate:List*
  • trustedadvisor:Describe*
  • waf:ListWebACLs
  • waf-regional:ListWebACLs
  • workspaces:Describe*
  • athena:GetWorkGroup
  • cloudwatchlogs:DescribeLogGroups
  • cloudwatchlogs:DescribeMetricFilters
  • efs:DescribeFileSystems
  • elastictranscoder:ListPipelines
  • ses:DescribeActiveReceiptRuleSet

Microsoft Azure

  • activitylogalerts:ListByResourceGroup
  • activitylogalerts:ListBySubscriptionId
  • autoprovisioningsettings:List
  • autoscalesettings:ListByResourceGroup
  • availabilitysets:List
  • blobcontainers:List
  • blobservice:ListContainersSegmented
  • configurations:ListByServer
  • databaseblobauditingpolicies:Get
  • databases:ListByServer
  • diagnosticsettingsoperations:Kv
  • diagnosticsettingsoperations:Lb
  • diagnosticsettingsoperations:List
  • diagnosticsettingsoperations:Nsg
  • disks:List
  • encryptionprotectors:Get
  • endpoints:ListByProfile
  • fileservice:GetShareAcl
  • fileservice:ListSharesSegmented
  • firewallrules:ListByServer
  • keyvaultclient:GetKeys
  • keyvaultclient:GetSecrets
  • loadbalancers:List
  • loadbalancers:ListAll
  • logprofiles:List
  • managedclusters:GetUpgradeProfile
  • managedclusters:List
  • managementlocks:ListAtSubscriptionLevel
  • networksecuritygroups:ListAll
  • networkwatchers:ListAll
  • origins:ListByEndpoint
  • policyassignments:List
  • pricings:List
  • profiles:List
  • queueservice:GetQueueAcl
  • queueservice:ListQueuesSegmented
  • registries:List
  • resourcegroups:List
  • resources:List
  • roledefinitions:List
  • securitycontacts:List
  • serverazureadadministrators:ListByServer
  • serverblobauditingpolicies:Get
  • servers:ListByResourceGroup
  • servers:Mysql
  • servers:Postgres
  • servers:Sql
  • serversecurityalertpolicies:ListByServer
  • storageaccounts:List
  • storageaccounts:ListKeys
  • subscriptions:ListLocations
  • tableservice:GetTableAcl
  • tableservice:ListTablesSegmented
  • usages:List
  • users:List
  • vaults:Get
  • vaults:List
  • virtualmachineextensions:List
  • virtualmachines:ListAll
  • virtualmachinescalesets:List
  • virtualnetworks:ListAll
  • webapps:GetAuthSettings
  • webapps:List
  • webapps:ListConfigurations

Google Cloud Infrastructure (GCI)

  • alertpolicies:List
  • autoscalers:AggregatedList
  • backendservices:List
  • buckets:GetIamPolicy
  • buckets:List
  • clusters:List
  • cryptokeys:List
  • disks:List
  • firewalls:List
  • instancegroups:AggregatedList
  • instances:Compute
  • instances:Sql
  • keyrings:List
  • keys:List
  • managedzones:List
  • metrics:List
  • networks:List
  • projects:Get
  • projects:GetIamPolicy
  • serviceaccounts:List
  • sinks:List
  • subnetworks:List
  • targethttpproxies:List
  • users:List

Oracle Cloud Infrastructure (OCI)

  • authenticationpolicy:Get
  • autoscaleconfiguration:List
  • bootvolume:List
  • bootvolumeattachment:List
  • bootvolumebackup:List
  • bucket:Get
  • bucket:List
  • configuration:Get
  • database:List
  • dbhome:List
  • dbsystem:List
  • exportsummary:List
  • exprt:Get
  • group:List
  • instance:List
  • instancepool:List
  • loadbalancer:List
  • networksecuritygroup:List
  • policy:List
  • preauthenticatedrequest:List
  • publicip:List
  • securitylist:List
  • securityrule:List
  • subnet:List
  • user:List
  • usergroupmembership:List
  • vcn:Get
  • vcn:List
  • volume:List
  • volumebackup:List
  • volumebackuppolicyassignment:BootVolume
  • volumebackuppolicyassignment:Volume
  • volumegroup:List
  • volumegroupbackup:List
  • waaspolicy:Get
  • waaspolicy:List