From time to time additional plugins (tests) are added to Aqua CSPM, at times this requires the supplemental read-only policy to be updated.


Step 1: Go to AWS Console IAM Roles

Step 2: Search for the Aqua Scanner Role

  • Enter Aqua-Scanner in the search box
  • Click on the Role that begins with "Aqua-Scanner" and enter into the Permissions tab
  • Verify an "aqua-cspm-supplemental-policy" exists

Step 3: Update via CloudFormation

If your Aqua Scanner Role was deployed via CloudFormation, then run an update to the Stack as follows:

  • Go to CloudFormation in the region you deployed the stack

                        For example for us-east-1 go to

  • Look for the Aqua-Scanner Stack
  • Open it and click "Update"
  • Select "Replace current template"
  • Copy and Paste the following URL in the Amazon S3 URL field:
  • Click on Next
  • Then click Next to continue to use the existing External Id
  • Then click Next one more time
  • Wait for the "Change set preview" to load, at the bottom of the screen, once it loads, if the policy requires updates, an "Action" will show the status "Modify"
  • Acknowledge the change and click on "Update stack"

Step 4: (Optional) Add the Supplemental Policy via CloudFormation

If your Aqua Scanner Role was not deployed via CloudFormation, then you can add the Supplemental Policy directly to IAM and then attach it to the Aqua Scanner role.

With the above settings the supplemental policy will be updated and up to date scans will be able to run.