From time to time, additional plugins (tests) are added to Aqua CSPM. Some of them need read permissions that the existing supplemental read-only policy does not grant, so the policy must be updated before those plugins can run.


Instructions


Step 1: Go to AWS Console IAM Roles


Step 2: Search for the Aqua Scanner Role

  • Enter Aqua-Scanner in the search box.
  • Click the role whose name begins with "Aqua-Scanner" and open its Permissions tab.
  • Check whether a policy named "aqua-cspm-supplemental-policy" is attached.


Step 3: Update via CloudFormation (Recommended)

If your Aqua Scanner Role was deployed via CloudFormation, run a stack update as follows:


Step 4: Update via CloudFormation (Legacy)

If your Aqua Scanner Role was deployed via the legacy CloudFormation template, run a stack update as follows:


Step 5: (Optional) Add the Supplemental Policy via CloudFormation

If your Aqua Scanner Role was not deployed via CloudFormation, you can deploy the Supplemental Policy as its own CloudFormation stack and then attach the resulting managed policy to the Aqua Scanner role in IAM.

  • Download the Supplemental Policy Template from this URL (right-click, Save Target As...).
  • Go to CloudFormation.
  • In the Specify template section, select Upload a template file and upload the file you downloaded.
  • Deploy the stack. Because the template creates IAM resources, CloudFormation asks you to acknowledge the IAM capability before it will create the stack.
  • Go to IAM.
  • Find the Aqua Scanner Role.
  • Find the aqua-cspm-supplemental-policy created by the stack and attach it to the role.
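
The same check-then-attach procedure (Steps 2 to 5) from the AWS CLI, as an added example that is not part of Aqua's documentation or tooling. It assumes the AWS CLI is configured with IAM and CloudFormation permissions in the account that holds the scanner role; the stack name and the template path are placeholders chosen for this example, as is the --apply flag that gates the live AWS calls.

```shell
#!/bin/sh
# Added example (not Aqua's own code): find the Aqua Scanner role, deploy or
# update the supplemental-policy stack, and attach the policy if it is missing.
# Assumed: AWS CLI configured; STACK_NAME and TEMPLATE_FILE are placeholders.

POLICY_NAME="aqua-cspm-supplemental-policy"
ROLE_PREFIX="Aqua-Scanner"
STACK_NAME="aqua-cspm-supplemental-policy"                              # assumed
TEMPLATE_FILE="${TEMPLATE_FILE:-./aqua-cspm-supplemental-policy.yaml}"  # assumed

# Step 2 helper: print the first role name starting with Aqua-Scanner from a
# tab- or newline-separated list on stdin (the shape that
# `aws iam list-roles --query 'Roles[].RoleName' --output text` prints).
scanner_role_from_list() {
  tr '\t' '\n' | grep "^${ROLE_PREFIX}" | head -n 1
}

# Step 2 helper: exit 0 if the supplemental policy name is in the list of
# attached policy names on stdin, 1 otherwise. -x forces an exact match so a
# similarly named policy is not mistaken for the right one.
has_supplemental_policy() {
  tr '\t' '\n' | grep -qx "$POLICY_NAME"
}

find_scanner_role() {
  aws iam list-roles --query 'Roles[].RoleName' --output text | scanner_role_from_list
}

role_has_supplemental_policy() {
  aws iam list-attached-role-policies --role-name "$1" \
    --query 'AttachedPolicies[].PolicyName' --output text | has_supplemental_policy
}

# Steps 3 to 5: `deploy` creates the stack on first run and updates it later.
# CAPABILITY_NAMED_IAM is needed because the template creates a named IAM
# policy; --no-fail-on-empty-changeset keeps a no-op update from failing.
deploy_policy_stack() {
  aws cloudformation deploy --stack-name "$STACK_NAME" \
    --template-file "$TEMPLATE_FILE" \
    --capabilities CAPABILITY_NAMED_IAM --no-fail-on-empty-changeset
}

# Look up the customer-managed policy's ARN and attach it to the role.
attach_policy_to_role() {
  arn=$(aws iam list-policies --scope Local \
    --query "Policies[?PolicyName=='${POLICY_NAME}'].Arn" --output text)
  [ -n "$arn" ] || { echo "policy ${POLICY_NAME} not found" >&2; return 1; }
  aws iam attach-role-policy --role-name "$1" --policy-arn "$arn"
}

main() {
  role=$(find_scanner_role)
  [ -n "$role" ] || { echo "no ${ROLE_PREFIX}* role found" >&2; return 1; }
  deploy_policy_stack
  if role_has_supplemental_policy "$role"; then
    echo "${POLICY_NAME} already attached to ${role}"
  else
    attach_policy_to_role "$role"
    echo "attached ${POLICY_NAME} to ${role}"
  fi
}

# Only touch AWS when asked, so the helpers can be sourced and tested offline.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh update-aqua-policy.sh --apply` after downloading the template to the assumed path. Before attaching, it is worth reviewing the policy document the stack produced (`aws iam get-policy` and `aws iam get-policy-version`) to confirm the new version still contains only read, list and describe actions, since this policy is what bounds the scanner's access to the account.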


With the above settings, the supplemental policy is up to date and scans that use the newly added plugins can run.