The Aqua CSPM integration enables automated onboarding of AWS accounts created via AWS Control Tower by leveraging the inherent account provisioning workflow. This ensures that any newly created cloud account will automatically be audited and monitored according to best practices and compliance standards for AWS.



What is AWS Control Tower?

AWS Control Tower is a service intended for organizations with multiple accounts and teams who are looking for the easiest way to set up their new multi-account AWS environment and govern it at scale. With AWS Control Tower, cloud administrators get peace of mind knowing that the accounts in their organization are compliant with established policies, while builders provision new AWS accounts quickly in a few clicks. For more information, see AWS Control Tower.


Automatic onboarding of Aqua CSPM for your cloud accounts

Currently, it is common practice for a single organization to own multiple AWS accounts to accommodate growing business needs. As the number of accounts increases, so does the complexity of managing the compliance and security posture of this multi-account framework. Safely onboarding these AWS accounts requires granting the right authorization permissions while still upholding the principle of least privilege. The Aqua CSPM solution provides a greatly simplified integration that accelerates the onboarding process by employing automation to minimize human error. Aligning with your multi-account strategy enables your organization to start from a secure foundation right out of the gate.


Aqua CSPM makes sure that enterprises use the cloud securely by continuously monitoring and providing alerts for any identified risks: accounts that are either out of compliance or exposed to vulnerabilities. It examines a vast array of misconfigurations across user roles and privileges, certificates & MFA, specific service configurations, data encryption, networking, auditing features, and usage trends. CSPM also conducts anomaly detection, and provides extensive reporting for PCI-DSS, HIPAA, Well-Architected Framework, and GDPR. CSPM also supports custom compliance requirements.


With a cross-account security auditor IAM role, CSPM has read-only visibility into infrastructure configuration (it cannot modify resources) and provides useful insights into the security posture of your cloud services. The CSPM integration automates the creation of this IAM role when a new account is enrolled, ensuring that your AWS accounts are always audited for conformance right out of the gate.
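The following CloudFormation template is an added example of what a least-privilege cross-account auditor role of the kind described above looks like; it is not Aqua's own template. It assumes the auditing party's AWS account ID and a shared external ID are supplied as parameters (both are placeholders here; the real values come from the CSPM console), and it attaches only the AWS-managed SecurityAudit policy, which grants read access to configuration metadata but no access to data or write operations.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not Aqua's template): cross-account, read-only security
  auditor role with an external-ID condition on the trust policy.

Parameters:
  AuditorAccountId:
    Type: String
    Description: AWS account allowed to assume the role (placeholder; take the real value from the CSPM console)
    AllowedPattern: '^[0-9]{12}$'
  ExternalId:
    Type: String
    Description: Shared secret the auditor must present when assuming the role (placeholder)
    NoEcho: true
    MinLength: 8

Resources:
  CspmAuditorRole:
    Type: AWS::IAM::Role
    Properties:
      # Assumed name; a fixed name lets the auditor compute the ARN per account.
      RoleName: CspmSecurityAuditor
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AuditorAccountId}:root'
            Action: sts:AssumeRole
            # The external ID mitigates the confused-deputy problem: a third
            # party that merely knows the role ARN cannot assume it.
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # SecurityAudit is read-only over configuration; no data-plane or write access.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit
      MaxSessionDuration: 3600

Outputs:
  CspmAuditorRoleArn:
    Description: ARN to register with the CSPM service
    Value: !GetAtt CspmAuditorRole.Arn
```

After deployment, `aws iam get-role --role-name CspmSecurityAuditor` should show exactly one trusted principal and the `sts:ExternalId` condition; any broader trust policy or an additional inline policy is a sign the role has drifted from least privilege.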


Solution overview

CSPM integration for Control Tower continually audits your cloud accounts for security risks and misconfigurations across hundreds of configuration settings and compliance best practices, enabling consistent, unified multi-account security. It also provides self-securing capabilities to ensure your cloud accounts don’t drift out of compliance by leveraging a policy-driven approach.


The integration is delivered as a CloudFormation template that you deploy once in your Control Tower management account in the home region (the region in which the landing zone was set up). This one-time deployment creates a CloudFormation StackSet, and the StackSet is automatically applied to each new account as part of the account provisioning workflow.
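As an added example of the deployment mechanism described above (not Aqua's own template), the following CloudFormation resource defines a service-managed StackSet with auto-deployment enabled, so that every account that Control Tower provisions into the listed organizational units receives the auditor-role stack without manual intervention. It assumes that Organizations trusted access for StackSets is enabled, that it is deployed from the management account, and that the nested template at `RoleTemplateUrl` (a placeholder) creates the auditor IAM role and accepts `AuditorAccountId` and `ExternalId` parameters.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not Aqua's template): service-managed StackSet that
  auto-deploys the auditor-role stack to current and future accounts
  in the target organizational units.

Parameters:
  TargetOuIds:
    Type: CommaDelimitedList
    Description: Organizational unit IDs to cover (placeholder; use your own OU IDs)
    Default: ou-placeholder-0000
  RoleTemplateUrl:
    Type: String
    Description: S3 URL of the auditor-role template (placeholder)
  AuditorAccountId:
    Type: String
    Description: Account that assumes the auditor role (placeholder)
    AllowedPattern: '^[0-9]{12}$'
  ExternalId:
    Type: String
    NoEcho: true

Resources:
  CspmAuditorStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: cspm-auditor-role
      # SERVICE_MANAGED lets CloudFormation target OUs and follow account moves;
      # it requires Organizations trusted access for StackSets.
      PermissionModel: SERVICE_MANAGED
      AutoDeployment:
        Enabled: true                      # new accounts in the OU get the stack automatically
        RetainStacksOnAccountRemoval: false
      Capabilities:
        - CAPABILITY_NAMED_IAM             # the nested template creates a named IAM role
      TemplateURL: !Ref RoleTemplateUrl
      Parameters:
        - ParameterKey: AuditorAccountId
          ParameterValue: !Ref AuditorAccountId
        - ParameterKey: ExternalId
          ParameterValue: !Ref ExternalId
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: !Ref TargetOuIds
          Regions:
            - !Ref AWS::Region             # IAM is global, so one region suffices
```

Deploying to a single region is deliberate: an IAM role is a global resource, and targeting several regions would only create failed or duplicate stack instances. Check coverage with `aws cloudformation list-stack-instances --stack-set-name cspm-auditor-role`, which lists each account and its instance status.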


Through this integration, you will gain a multi-account security framework that will ensure that all your AWS accounts are always in conformance with cloud infrastructure best practices. For more information, see the Aqua Security section in AWS Control Tower Security.


Architecture

Enterprises today face the challenge of using the cloud securely and continuously monitoring for identified risks, whether non-compliance or exposure to vulnerabilities. Compounding this are the challenges of implementing new cloud-aware security solutions that provide pre-emptive protection for complex and constantly changing cloud infrastructure, followed by remediation; all of this must be translated into a security strategy against emerging threats.

For more information on deploying AWS Control Tower and integrating with Aqua CSPM, see Deployment of the AWS Control Tower Solution.