From time to time, additional plugins (tests) are added to Aqua CSPM; at times, this requires the supplemental read-only policy to be updated.

Instructions

Step 1: Go to AWS Console IAM Roles

• With your AWS Console Logged in, visit: https://console.aws.amazon.com/iam/home?region=us-east-1#/roles.

Step 2: Search for the Aqua Scanner Role

• Enter Aqua-Scanner in the search box.
• Click on the Role that begins with "Aqua-Scanner" and enter it into the Permissions tab.
• Verify if an "aqua-cspm-supplemental-policy" exists.

Step 3: Update via CloudFormation (Recommended)

If your Aqua Scanner Role was deployed via CloudFormation, run an update to the Stack as follows:

• Go to CloudFormation in the region you deployed the stack. For example: for us-east-1 go to https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/
• Look for the Aqua-Scanner Stack.
• Open it and click Update.
• Select Replace current template.
• Copy and paste the following URL in the Amazon S3 URL field: https://aqua-cspm-resources.s3.us-east-1.amazonaws.com/cloudformation/cfn-audit-autodeploy.json. 
• Click Next.
• Then click Next to continue to use the existing External ID.
• Then click Next one more time.
• Wait for the Change set preview to load, at the bottom of the screen, once it loads, if the policy requires updates, an Action will show the status Modify.
• Acknowledge the change and click on Update stack.

Step 4: Update via CloudFormation (Legacy)

If your Aqua Scanner Role was deployed via CloudFormation, then run an update to the Stack as follows:

• Go to CloudFormation in the region you deployed the stack. For example: For us-east-1, go to https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/
• Look for the Aqua-Scanner Stack.
• Open it and click Update.
• Select Replace current template.
• Copy and paste the following URL in the Amazon S3 URL field: https://aqua-cspm-resources.s3.amazonaws.com/cloudformation/cfn-audit.json.
• Click Next.
• Then click Next to continue to use the existing External ID.
• Then click Next one more time.
• Wait for the Change set preview to load, at the bottom of the screen, once it loads, if the policy requires updates, an Action will show the status Modify.
• Acknowledge the change and click on Update stack.

Step 5: (Optional) Add the Supplemental Policy via CloudFormation

If your Aqua Scanner Role was not deployed via CloudFormation, then you can add the Supplemental Policy directly to IAM and then attach it to the Aqua Scanner role.

• Download the Supplemental Policy Template found in this URL (Save Target As...).
• Go to CloudFormation.
• In the Specify template section, select Upload a template file, and upload the file downloaded.
• Deploy the stack.
• Go to IAM.
• Find the Aqua Scanner Role.
• Look for the aqua-cspm-supplemental-policy and attach it to the role.

With the above settings, the supplemental policy will be updated and up-to-date scans will be able to run.