The Aqua CSPM integration enables automated onboarding of AWS accounts created via AWS Control Tower by leveraging the inherent account provisioning workflow. This ensures that any newly created cloud account will automatically be audited and monitored according to best practices and compliance standards for AWS.


What is AWS Control Tower?

AWS Control Tower is a service that is intended for organizations with multiple accounts and teams who are looking for the easiest way to set up their new multi-account AWS environment and govern at scale. With AWS Control Tower, cloud administrators get peace of mind knowing accounts in their organization are compliant with established policies while builders provision new AWS accounts quickly in a few clicks. For more information, see AWS Control Tower.

Need for Automatic Onboarding of Aqua CSPM for Your Cloud Accounts

Currently, it is common practice for a single organization to own multiple AWS accounts to accommodate growing business needs. As this number increases, so does the complexity of managing the compliance and security posture of this multi-account framework. Safely onboarding these AWS accounts requires the right authorization permissions, while still upholding the principle of least privilege. The Aqua CSPM solution provides a greatly simplified integration that accelerates the onboarding process by employing automation to minimize human error. Aligning with your multi-account strategy enables your organization to start from a secure foundation right out of the gate.

Aqua CSPM helps ensure that enterprises use the cloud securely by continuously monitoring for, and alerting on, identified risks, whether accounts that are out of compliance or accounts exposed to vulnerabilities. It examines a vast array of misconfigurations across user roles and privileges, certificates and MFA, specific service configurations, data encryption, networking, auditing features, and usage trends, and also conducts anomaly detection. It also provides extensive reporting for PCI-DSS, HIPAA, the Well-Architected Framework, and GDPR, and supports custom compliance requirements.

Through a cross-account security auditor IAM role, Aqua CSPM has read-only visibility into infrastructure configurations and provides useful insights into the security posture of your cloud services. The Aqua CSPM integration automates the creation of this IAM role when a new account is enrolled, ensuring that your AWS accounts are always audited for conformance right out of the gate.


Overview of the Solution

The Aqua CSPM integration for Control Tower continually audits your cloud accounts for security risks and misconfigurations across hundreds of configuration settings and compliance best practices, enabling consistent, unified multi-account security. It also provides self-securing capabilities that use a policy-driven approach to ensure your cloud accounts don’t drift out of compliance.

The integration comes in the form of a CloudFormation template that is easy to deploy in your AWS Control Tower management account in the home region. The home region is the region in which the landing zone is set up. The solution involves a one-time deployment of the CloudFormation StackSet, which is then automatically triggered for each new account as part of the account provisioning workflow.
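As an added illustration of the cross-account security auditor role the integration creates and the StackSet deploys into each newly enrolled account, here is a minimal CloudFormation template. This is example code, not Aqua's own template: the auditor account ID and external ID are placeholder parameters, the role name is assumed, and the explicit Deny on data-plane reads is an added defence-in-depth guard that keeps the role limited to configuration visibility.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative cross-account security auditor role (example, not Aqua's template).
  Intended to be deployed to every enrolled account via a StackSet from the
  Control Tower management account.
Parameters:
  AuditorAccountId:
    Type: String
    Description: AWS account ID of the CSPM scanner (placeholder, supplied by the vendor)
    AllowedPattern: '^[0-9]{12}$'
  ExternalId:
    Type: String
    NoEcho: true
    MinLength: 8
    Description: Shared secret the scanner must present on AssumeRole (confused-deputy mitigation)
Resources:
  SecurityAuditorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CSPMSecurityAuditor          # assumed name; match your vendor's documented value
      Description: Read-only posture assessment role; no mutating permissions
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AuditorAccountId}:root'
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId   # role cannot be assumed without the external ID
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecurityAudit    # AWS-managed read-only configuration access
      Policies:
        - PolicyName: DenyDataPlaneReads
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Deny                      # configuration only: never object or secret contents
                Action:
                  - s3:GetObject
                  - dynamodb:GetItem
                  - ssm:GetParameter
                  - secretsmanager:GetSecretValue
                Resource: '*'
Outputs:
  RoleArn:
    Description: ARN the scanner assumes; record it in the CSPM console when onboarding
    Value: !GetAtt SecurityAuditorRole.Arn
```

When the role is created by a StackSet, CloudTrail in the member account records the AssumeRole calls from the auditor account, which gives a simple detection baseline: any AssumeRole on this role from a principal other than the expected auditor account is worth alerting on.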

Through this integration, you will gain a multi-account security framework that will ensure that all your AWS accounts are always in conformance with cloud infrastructure best practices. For more information, see the Aqua Security section in AWS Control Tower Security.


Enterprises today face the challenge of using the cloud securely and continuously monitoring for any identified risks, whether accounts that are out of compliance or accounts exposed to vulnerabilities. Compounding this are the challenges of researching and implementing new cloud-aware security solutions that provide pre-emptive protection for complex and ever-changing cloud infrastructure, followed by remediation, all of which must be translated into a security strategy against emerging threats.

For more information on deploying AWS Control Tower and integrating with Aqua CSPM, see Deployment of AWS Control Tower Solution.