Data Collected From Cloud Providers
Aqua adheres strictly to the principle of least privilege and collects only the information needed to provide its service. The information collected differs by cloud provider, since each provider exposes different APIs; the permissions used for each provider are listed below.
You retain complete control over the permissions granted to Aqua, through the cloud account connection mechanism enforced by the cloud provider itself. If Aqua does not hold a permission that a particular test requires, it marks that test with an "unknown" result rather than skipping the scan entirely.
TABLE OF CONTENTS
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Infrastructure (GCI)
- Oracle Cloud Infrastructure (OCI)
Amazon Web Services (AWS)
- acm:Describe*
- acm:List*
- application-autoscaling:Describe*
- appmesh:Describe*
- appmesh:List*
- appsync:List*
- athena:List*
- autoscaling:Describe*
- batch:DescribeComputeEnvironments
- batch:DescribeJobDefinitions
- chime:List*
- cloud9:Describe*
- cloud9:ListEnvironments
- clouddirectory:ListDirectories
- cloudformation:DescribeStack*
- cloudformation:GetTemplate
- cloudformation:ListStack*
- cloudformation:GetStackPolicy
- cloudfront:Get*
- cloudfront:List*
- cloudhsm:ListHapgs
- cloudhsm:ListHsms
- cloudhsm:ListLunaClients
- cloudsearch:DescribeDomains
- cloudsearch:DescribeServiceAccessPolicies
- cloudtrail:DescribeTrails
- cloudtrail:GetEventSelectors
- cloudtrail:GetTrailStatus
- cloudtrail:ListTags
- cloudtrail:LookupEvents
- cloudwatch:Describe*
- codebuild:ListProjects
- codecommit:BatchGetRepositories
- codecommit:GetBranch
- codecommit:GetObjectIdentifier
- codecommit:GetRepository
- codecommit:List*
- codedeploy:Batch*
- codedeploy:Get*
- codedeploy:List*
- codepipeline:ListPipelines
- codestar:Describe*
- codestar:List*
- cognito-identity:ListIdentityPools
- cognito-idp:ListUserPools
- cognito-sync:Describe*
- cognito-sync:List*
- comprehend:Describe*
- comprehend:List*
- config:BatchGetAggregateResourceConfig
- config:BatchGetResourceConfig
- config:Deliver*
- config:Describe*
- config:Get*
- config:List*
- datapipeline:DescribeObjects
- datapipeline:DescribePipelines
- datapipeline:EvaluateExpression
- datapipeline:GetPipelineDefinition
- datapipeline:ListPipelines
- datapipeline:QueryObjects
- datapipeline:ValidatePipelineDefinition
- datasync:Describe*
- datasync:List*
- dax:Describe*
- dax:ListTags
- directconnect:Describe*
- dms:Describe*
- dms:ListTagsForResource
- ds:DescribeDirectories
- dynamodb:DescribeContinuousBackups
- dynamodb:DescribeGlobalTable
- dynamodb:DescribeTable
- dynamodb:DescribeTimeToLive
- dynamodb:ListBackups
- dynamodb:ListGlobalTables
- dynamodb:ListStreams
- dynamodb:ListTables
- ec2:Describe*
- ecr:DescribeRepositories
- ecr:GetRepositoryPolicy
- ecs:Describe*
- ecs:List*
- eks:DescribeCluster
- eks:ListClusters
- elasticache:Describe*
- elasticbeanstalk:Describe*
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DescribeMountTargetSecurityGroups
- elasticfilesystem:DescribeMountTargets
- elasticloadbalancing:Describe*
- elasticmapreduce:Describe*
- elasticmapreduce:ListClusters
- elasticmapreduce:ListInstances
- es:Describe*
- es:ListDomainNames
- events:Describe*
- events:List*
- firehose:Describe*
- firehose:List*
- fms:ListComplianceStatus
- fms:ListPolicies
- fsx:Describe*
- fsx:List*
- gamelift:ListBuilds
- gamelift:ListFleets
- glacier:DescribeVault
- glacier:GetVaultAccessPolicy
- glacier:ListVaults
- globalaccelerator:Describe*
- globalaccelerator:List*
- greengrass:List*
- guardduty:Get*
- guardduty:List*
- iam:GenerateCredentialReport
- iam:GenerateServiceLastAccessedDetails
- iam:Get*
- iam:List*
- iam:SimulateCustomPolicy
- iam:SimulatePrincipalPolicy
- inspector:Describe*
- inspector:Get*
- inspector:List*
- inspector:Preview*
- iot:Describe*
- iot:GetPolicy
- iot:GetPolicyVersion
- iot:List*
- kinesis:DescribeStream
- kinesis:ListStreams
- kinesis:ListTagsForStream
- kinesisanalytics:ListApplications
- kms:Describe*
- kms:Get*
- kms:List*
- lambda:GetAccountSettings
- lambda:GetFunctionConfiguration
- lambda:GetLayerVersionPolicy
- lambda:GetPolicy
- lambda:List*
- license-manager:List*
- lightsail:GetInstances
- lightsail:GetLoadBalancers
- logs:Describe*
- logs:ListTagsLogGroup
- machinelearning:DescribeMLModels
- mediaconnect:Describe*
- mediaconnect:List*
- mediastore:GetContainerPolicy
- mediastore:ListContainers
- opsworks:DescribeStacks
- opsworks-cm:DescribeServers
- organizations:List*
- organizations:Describe*
- quicksight:Describe*
- quicksight:List*
- ram:List*
- rds:Describe*
- rds:DownloadDBLogFilePortion
- rds:ListTagsForResource
- redshift:Describe*
- rekognition:Describe*
- rekognition:List*
- robomaker:Describe*
- robomaker:List*
- route53:Get*
- route53:List*
- route53domains:GetDomainDetail
- route53domains:GetOperationDetail
- route53domains:ListDomains
- route53domains:ListOperations
- route53domains:ListTagsForDomain
- route53resolver:List*
- route53resolver:Get*
- s3:GetAccelerateConfiguration
- s3:GetAccountPublicAccessBlock
- s3:GetAnalyticsConfiguration
- s3:GetBucket*
- s3:GetEncryptionConfiguration
- s3:GetInventoryConfiguration
- s3:GetLifecycleConfiguration
- s3:GetMetricsConfiguration
- s3:GetObjectAcl
- s3:GetObjectVersionAcl
- s3:GetReplicationConfiguration
- s3:ListAllMyBuckets
- sagemaker:Describe*
- sagemaker:List*
- sdb:DomainMetadata
- sdb:ListDomains
- secretsmanager:GetResourcePolicy
- secretsmanager:ListSecrets
- secretsmanager:ListSecretVersionIds
- securityhub:Describe*
- securityhub:Get*
- securityhub:List*
- serverlessrepo:GetApplicationPolicy
- serverlessrepo:List*
- ses:GetIdentityDkimAttributes
- ses:GetIdentityPolicies
- ses:GetIdentityVerificationAttributes
- ses:ListIdentities
- ses:ListIdentityPolicies
- ses:ListVerifiedEmailAddresses
- shield:Describe*
- shield:List*
- snowball:ListClusters
- snowball:ListJobs
- sns:GetTopicAttributes
- sns:ListSubscriptionsByTopic
- sns:ListTopics
- sqs:GetQueueAttributes
- sqs:ListDeadLetterSourceQueues
- sqs:ListQueues
- sqs:ListQueueTags
- ssm:Describe*
- ssm:GetAutomationExecution
- ssm:ListDocuments
- sso:DescribePermissionsPolicies
- sso:List*
- states:ListStateMachines
- storagegateway:DescribeBandwidthRateLimit
- storagegateway:DescribeCache
- storagegateway:DescribeCachediSCSIVolumes
- storagegateway:DescribeGatewayInformation
- storagegateway:DescribeMaintenanceStartTime
- storagegateway:DescribeNFSFileShares
- storagegateway:DescribeSnapshotSchedule
- storagegateway:DescribeStorediSCSIVolumes
- storagegateway:DescribeTapeArchives
- storagegateway:DescribeTapeRecoveryPoints
- storagegateway:DescribeTapes
- storagegateway:DescribeUploadBuffer
- storagegateway:DescribeVTLDevices
- storagegateway:DescribeWorkingStorage
- storagegateway:List*
- tag:GetResources
- tag:GetTagKeys
- transfer:Describe*
- transfer:List*
- translate:List*
- trustedadvisor:Describe*
- waf:ListWebACLs
- waf-regional:ListWebACLs
- workspaces:Describe*
- athena:GetWorkGroup
- cloudwatchlogs:DescribeLogGroups
- cloudwatchlogs:DescribeMetricFilters
- efs:DescribeFileSystems
- elastictranscoder:ListPipelines
- ses:DescribeActiveReceiptRuleSet
Microsoft Azure
- activitylogalerts:ListByResourceGroup
- activitylogalerts:ListBySubscriptionId
- autoprovisioningsettings:List
- autoscalesettings:ListByResourceGroup
- availabilitysets:List
- blobcontainers:List
- blobservice:ListContainersSegmented
- configurations:ListByServer
- databaseblobauditingpolicies:Get
- databases:ListByServer
- diagnosticsettingsoperations:Kv
- diagnosticsettingsoperations:Lb
- diagnosticsettingsoperations:List
- diagnosticsettingsoperations:Nsg
- disks:List
- encryptionprotectors:Get
- endpoints:ListByProfile
- fileservice:GetShareAcl
- fileservice:ListSharesSegmented
- firewallrules:ListByServer
- keyvaultclient:GetKeys
- keyvaultclient:GetSecrets
- loadbalancers:List
- loadbalancers:ListAll
- logprofiles:List
- managedclusters:GetUpgradeProfile
- managedclusters:List
- managementlocks:ListAtSubscriptionLevel
- networksecuritygroups:ListAll
- networkwatchers:ListAll
- origins:ListByEndpoint
- policyassignments:List
- pricings:List
- profiles:List
- queueservice:GetQueueAcl
- queueservice:ListQueuesSegmented
- registries:List
- resourcegroups:List
- resources:List
- roledefinitions:List
- securitycontacts:List
- serverazureadadministrators:ListByServer
- serverblobauditingpolicies:Get
- servers:ListByResourceGroup
- servers:Mysql
- servers:Postgres
- servers:Sql
- serversecurityalertpolicies:ListByServer
- storageaccounts:List
- storageaccounts:ListKeys
- subscriptions:ListLocations
- tableservice:GetTableAcl
- tableservice:ListTablesSegmented
- usages:List
- users:List
- vaults:Get
- vaults:List
- virtualmachineextensions:List
- virtualmachines:ListAll
- virtualmachinescalesets:List
- virtualnetworks:ListAll
- webapps:GetAuthSettings
- webapps:List
- webapps:ListConfigurations
Google Cloud Infrastructure (GCI)
- alertpolicies:List
- autoscalers:AggregatedList
- backendservices:List
- buckets:GetIamPolicy
- buckets:List
- clusters:List
- cryptokeys:List
- disks:List
- firewalls:List
- instancegroups:AggregatedList
- instances:Compute
- instances:Sql
- keyrings:List
- keys:List
- managedzones:List
- metrics:List
- networks:List
- projects:Get
- projects:GetIamPolicy
- serviceaccounts:List
- sinks:List
- subnetworks:List
- targethttpproxies:List
- users:List
Oracle Cloud Infrastructure (OCI)
- authenticationpolicy:Get
- autoscaleconfiguration:List
- bootvolume:List
- bootvolumeattachment:List
- bootvolumebackup:List
- bucket:Get
- bucket:List
- configuration:Get
- database:List
- dbhome:List
- dbsystem:List
- exportsummary:List
- exprt:Get
- group:List
- instance:List
- instancepool:List
- loadbalancer:List
- networksecuritygroup:List
- policy:List
- preauthenticatedrequest:List
- publicip:List
- securitylist:List
- securityrule:List
- subnet:List
- user:List
- usergroupmembership:List
- vcn:Get
- vcn:List
- volume:List
- volumebackup:List
- volumebackuppolicyassignment:BootVolume
- volumebackuppolicyassignment:Volume
- volumegroup:List
- volumegroupbackup:List
- waaspolicy:Get
- waaspolicy:List