Aqua uses AWS S3 to store data associated with raw response data from cloud providers during the CSPM scan report collection phase. This data contains the full body of the responses from the cloud provider API calls before it is processed and converted to the scan reports seen within the Aqua console.

This S3 bucket, owned by Aqua, is protected by several security controls, including bucket policies, ACL restrictions, and server-side encryption.

For some users, with certain security or regulatory requirements, Aqua supports the ability to "bring your own" bucket and KMS key, which Aqua will use for this storage, rather than using the shared, multi-tenant bucket owned by Aqua.


The "Bring Your Own Key" feature is an advanced feature that requires additional setup and implementation and is not recommended for most users. Consider the following requirements for using this feature:

  • BYOK is available to Premier plan customers
  • This feature requires interaction with support and is not enabled by default.
  • This feature requires you to deploy a CloudFormation template in the us-east-1 region of an AWS account you own.
  • This template will deploy an S3 bucket, S3 bucket policy, and KMS key in your AWS account.
  • The use of this bucket may incur additional (minimal) charges within your AWS account.
  • The continued availability of this bucket is your responsibility and the loss of access to this bucket (e.g. accidental deletion of the stack, modifications to the policy, etc.) may result in failed, missing, or irrecoverable scan reports.
  • The shared S3 bucket is deployed per the Aqua account (not per cloud account).

Technical Details

The BYOK feature works by doing the following:

  • A CloudFormation template is deployed in the user account
  • This template deploys an S3 bucket named "aquawavebyok-{AWS_ACCOUNT_ID}"
  • An S3 bucket policy is attached to this bucket, allowing the Aqua IAM roles to write objects to and read objects from the bucket (cross-account).
  • A CMK KMS key is deployed in the user account.
  • A KMS key policy is attached to the key, allowing Aqua IAM roles to encrypt and decrypt using the KMS key.
  • S3 bucket server-side encryption is enabled using this CMK customer KMS key.

Deployment Process

The deployment of the BYOK feature is straightforward when using the CloudFormation template provided by Aqua (see below). Once the deployment completes, you will provide the name of the S3 bucket to Aqua, who will complete the setup.

  1. Choose an AWS account to own the S3 and KMS resources for your Aqua account.
  2. Log in to the AWS account as either an administrator or a user with permission to deploy CloudFormation, S3, KMS, and S3 bucket policy resources.
  3. Click this link to deploy the CloudFormation template.
  4. Do not change the stack name or other details.
  5. Click Create Stack.
  6. Wait for the stack to complete and then select the "Outputs" tab.
  7. Copy the AquaWaveBYOKBucket value (the bucket name) and provide it to Aqua support.

Revoking Access

WARNING: If you choose to revoke access, please be aware that this will completely disable the ability of Aqua to scan your cloud accounts and that all previous scan reports may be broken or lost.

  1. If you wish to retain the raw data in your AWS account, update the bucket or KMS policies to revoke access to the Aqua AWS account IDs.
  2. If you do not wish to retain the raw data, delete the CloudFormation stack.