From time to time, additional plugins (tests) are added to Aqua CSPM. At times this requires the supplemental read-only policy to be updated.
Step 1: Go to AWS Console IAM Roles
- While logged in to the AWS Console, visit: https://console.aws.amazon.com/iam/home?region=us-east-1#/roles
Step 2: Search for the Aqua Scanner Role
- Enter Aqua-Scanner in the search box
- Click on the Role that begins with "Aqua-Scanner" and open the Permissions tab
- Verify an "aqua-cspm-supplemental-policy" exists
Step 3: Update via CloudFormation
If your Aqua Scanner Role was deployed via CloudFormation, then run an update to the Stack as follows:
- Go to CloudFormation in the region where you deployed the stack
For example, for us-east-1, go to https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/
- Look for the Aqua-Scanner Stack
- Open it and click "Update"
- Select "Replace current template"
- Copy and paste the following URL into the Amazon S3 URL field: https://aqua-cspm-resources.s3.amazonaws.com/cloudformation/cfn-audit.json
- Click on Next
- Then click Next to continue to use the existing External Id
- Then click Next one more time
- Wait for the "Change set preview" to load at the bottom of the screen. Once it loads, if the policy requires updates, an "Action" will show the status "Modify"
- Acknowledge the change and click on "Update stack"
Step 4: (Optional) Add the Supplemental Policy via CloudFormation
If your Aqua Scanner Role was not deployed via CloudFormation, then you can add the Supplemental Policy directly to IAM and then attach it to the Aqua Scanner role.
- Download the Supplemental Policy Template found here (Save Target As...)
- Go to CloudFormation https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/
- In the Specify template section, select "Upload a template file" and upload the downloaded file
- Deploy the stack
- Go to IAM https://console.aws.amazon.com/iam/home?region=us-east-1#/roles
- Find the Aqua Scanner Role
- Look for the "aqua-cspm-supplemental-policy" and attach it to the role
With the above settings, the supplemental policy will be updated and up-to-date scans will be able to run.
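
Before choosing "Update stack" in Step 3 or deploying the downloaded template in Step 4, the template can be checked offline for IAM statements that go beyond read-only access. The following is an added example, not Aqua's code: the list of verbs treated as read-only, the function names and the sample template (including its `SupplementalPolicy` logical ID) are assumptions made for illustration.

```python
import json

# Assumption of this example: verbs treated as read-only during review.
READ_ONLY_PREFIXES = ("get", "list", "describe", "view", "lookup", "search", "batchget")
POLICY_TYPES = ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy")

def as_list(value):
    """IAM allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_documents(template):
    """Yield (logical_id, policy_document) for IAM policies in a template."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") in POLICY_TYPES:
            yield logical_id, props.get("PolicyDocument", {})
        elif res.get("Type") == "AWS::IAM::Role":  # inline role policies
            for inline in props.get("Policies", []):
                yield logical_id, inline.get("PolicyDocument", {})

def non_read_only_actions(template):
    """Return (logical_id, action) pairs a reviewer should look at by hand."""
    findings = []
    for logical_id, doc in policy_documents(template):
        for stmt in as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if "NotAction" in stmt:  # allows everything except the listed actions
                findings.append((logical_id, "NotAction"))
            for action in as_list(stmt.get("Action")):
                # Intrinsic functions (dicts) cannot be judged statically.
                if not isinstance(action, str):
                    findings.append((logical_id, json.dumps(action)))
                    continue
                verb = action.split(":", 1)[-1].lower()  # IAM actions are case-insensitive
                if not verb.startswith(READ_ONLY_PREFIXES):
                    findings.append((logical_id, action))
    return findings

# Constructed sample, not Aqua's actual template.
SAMPLE_TEMPLATE = {"Resources": {"SupplementalPolicy": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ses:DescribeActiveReceiptRuleSet", "s3:getBucketPolicy", "s3:PutObject", "kms:*"]},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}}}}}

if __name__ == "__main__":
    for logical_id, action in non_read_only_actions(SAMPLE_TEMPLATE):
        print(f"{logical_id}: review {action}")
```

To check a real template, load the saved JSON file with `json.load` and pass the result to `non_read_only_actions`; an empty list means every allowed action matched the read-only verb list.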