From time to time additional plugins (tests) are added to Aqua CSPM, at times this requires the supplemental read-only policy to be updated.


Step 1: Go to AWS Console IAM Roles

Step 2: Search for the Aqua Scanner Role

  • Enter Aqua-Scanner in the search box.
  • Click on the Role that begins with "Aqua-Scanner" and enter into the Permissions tab.
  • Verify if  an "aqua-cspm-supplemental-policy" exists.

Step 3: Update via CloudFormation

If your Aqua Scanner Role was deployed via CloudFormation, then run an update to the Stack as follows:

Step 4: (Optional) Add the Supplemental Policy via CloudFormation

If your Aqua Scanner Role was not deployed via CloudFormation, then you can add the Supplemental Policy directly to IAM and then attach it to the Aqua Scanner role.

  • Download the Supplemental Policy Template found in this URL (Save Target As...).
  • Go to CloudFormation.
  • In the Specify template section, select Upload a template file, and upload the file downloaded.
  • Deploy the stack.
  • Go to IAM.
  • Find the Aqua Scanner Role.
  • Look for the aqua-cspm-supplemental-policy and attach it to the role.

With the above settings the supplemental policy will be updated and up to date scans will be able to run.