Like other aspects of Aqua CSPM, all Remediation actions are driven by REST APIs, including the onboarding. Because the process of deploying the remediator is slightly more complex than the standard audit role, this guide will walk you through the steps.


Prerequisites


Fetch The Required Secrets

For each AWS account you wish to onboard, you will need:

  1. A pre-generated external ID (note: each generated ID is only valid for 1 cloud connection. If you wish to connect multiple accounts, you must request multiple generated IDs).
  2. A pre-generated OTP secret (note: you can generate these yourself, but we strongly recommend using our helper API, which allows you to generate up to 50 secrets at once).

To get these, use the following endpoints:

  1. Generated IDs
  2. OTP Secrets

Deploy the CloudFormation Stack

Use the link above to deploy the CloudFormation stack in your environment, with the following settings:

  • "Type" - Choose "Automated" or "Manual" accordingly
  • "ExternalID" - Enter the external ID fetched above
  • "TokenCode" - (Manual only) Enter any random 6-digit number
  • "MFASecret" - (Automated only) Enter the OTP secret fetched above

PUT the Remediator to Aqua

Once the stack finishes creating, collect the role ARN (available in the stack outputs), the external ID, and the version (available in the stack parameters) for the stack you just deployed. Then use the following API: "Aqua CSPM Keys PUT".


(Note: on the right side of the API docs, scroll down to the second request, titled "Connecting a Remediator".)
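The following Python is an added example, not code from this guide or from Aqua, that ties the three steps above together for a batch of accounts: it validates each account's inputs against the stack settings listed above (Type, ExternalID, TokenCode, MFASecret), refuses a batch that reuses a generated external ID or OTP secret across two cloud connections, and pulls the role ARN, external ID and version out of a describe-stacks style record so they are ready for the "Aqua CSPM Keys PUT". The stack output key `RoleArn` and parameter key `Version` are assumptions (the guide only says where the values live, not their exact names), and every ID, secret and ARN in the sample data is a constructed placeholder.

```python
import re
from typing import Dict, List

# Assumed key names for the remediator stack: the guide says the role ARN is a stack
# output and the version a stack parameter, but the exact names are assumptions here.
ROLE_ARN_OUTPUT_KEY = "RoleArn"
VERSION_PARAMETER_KEY = "Version"

TOKEN_CODE_RE = re.compile(r"\d{6}")


def build_stack_parameters(conn: Dict[str, str]) -> List[Dict[str, str]]:
    """Validate one account's inputs and return them as CloudFormation parameters
    (ParameterKey/ParameterValue records, the shape the AWS CLI and boto3 accept)."""
    stack_type = conn.get("type", "")
    if stack_type not in ("Automated", "Manual"):
        raise ValueError('Type must be "Automated" or "Manual"')
    if not conn.get("external_id"):
        raise ValueError("ExternalID is required (fetch one per cloud connection)")
    params = [
        {"ParameterKey": "Type", "ParameterValue": stack_type},
        {"ParameterKey": "ExternalID", "ParameterValue": conn["external_id"]},
    ]
    if stack_type == "Manual":
        # Manual stacks take any random 6-digit number; the OTP secret is not used.
        token = conn.get("token_code", "")
        if not TOKEN_CODE_RE.fullmatch(token):
            raise ValueError("TokenCode must be a 6-digit number for Manual stacks")
        if conn.get("mfa_secret"):
            raise ValueError("MFASecret is only used by Automated stacks")
        params.append({"ParameterKey": "TokenCode", "ParameterValue": token})
    else:
        # Automated stacks take the pre-generated OTP secret; TokenCode is not used.
        secret = conn.get("mfa_secret", "")
        if not secret:
            raise ValueError("MFASecret (the OTP secret) is required for Automated stacks")
        if conn.get("token_code"):
            raise ValueError("TokenCode is only used by Manual stacks")
        params.append({"ParameterKey": "MFASecret", "ParameterValue": secret})
    return params


def find_reused_secrets(connections: List[Dict[str, str]]) -> List[str]:
    """Each generated external ID is valid for one cloud connection only, and an OTP
    secret should likewise be used once; report any value shared by two accounts."""
    problems: List[str] = []
    for field in ("external_id", "mfa_secret"):
        first_owner: Dict[str, str] = {}
        for conn in connections:
            value = conn.get(field)
            if not value:
                continue
            if value in first_owner:
                problems.append(
                    f"{field} reused by accounts {first_owner[value]} and {conn['account_id']}"
                )
            else:
                first_owner[value] = conn["account_id"]
    return problems


def remediator_fields(stack: Dict) -> Dict[str, str]:
    """Collect the three values the Aqua CSPM Keys PUT needs (role ARN, external ID,
    version) from a describe-stacks style record of the finished stack."""
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    params = {p["ParameterKey"]: p["ParameterValue"] for p in stack.get("Parameters", [])}
    wanted = ((ROLE_ARN_OUTPUT_KEY, outputs), ("ExternalID", params), (VERSION_PARAMETER_KEY, params))
    missing = [key for key, source in wanted if key not in source]
    if missing:
        raise KeyError(f"stack record lacks {missing}")
    return {
        "role_arn": outputs[ROLE_ARN_OUTPUT_KEY],
        "external_id": params["ExternalID"],
        "version": params[VERSION_PARAMETER_KEY],
    }


# Constructed sample inputs: placeholder account IDs, external IDs and secrets.
SAMPLE_CONNECTIONS = [
    {"account_id": "111111111111", "type": "Automated",
     "external_id": "EXTERNAL-ID-PLACEHOLDER-1", "mfa_secret": "OTP-SECRET-PLACEHOLDER-1"},
    {"account_id": "222222222222", "type": "Manual",
     "external_id": "EXTERNAL-ID-PLACEHOLDER-2", "token_code": "123456"},
]

# Constructed describe-stacks style record for the first account's finished stack.
SAMPLE_STACK = {
    "StackStatus": "CREATE_COMPLETE",
    "Parameters": [
        {"ParameterKey": "Type", "ParameterValue": "Automated"},
        {"ParameterKey": "ExternalID", "ParameterValue": "EXTERNAL-ID-PLACEHOLDER-1"},
        {"ParameterKey": VERSION_PARAMETER_KEY, "ParameterValue": "1.0.0"},
    ],
    "Outputs": [
        {"OutputKey": ROLE_ARN_OUTPUT_KEY,
         "OutputValue": "arn:aws:iam::111111111111:role/aqua-remediator-placeholder"},
    ],
}

if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        print(conn["account_id"], build_stack_parameters(conn))
    print("reuse problems:", find_reused_secrets(SAMPLE_CONNECTIONS))
    print("PUT payload fields:", remediator_fields(SAMPLE_STACK))
```

Run `find_reused_secrets` over the whole batch before deploying anything, since a reused external ID is the one mistake the guide warns about and it only surfaces later as a failed connection; the parameter records from `build_stack_parameters` can be handed straight to `aws cloudformation create-stack --parameters` or to boto3's `create_stack(Parameters=...)`.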