The Aqua CSPM integration is completely automated from end to end and can be deployed in a few simple steps as described in this article.


The CloudFormation template, retrieved from Aqua's GitHub repository, is deployed as a StackSet whose automatic deployment is driven by AWS Organizations. It therefore works for any multi-account setup built on AWS Organizations, not only AWS Control Tower.





Prerequisites

1. AWS management account

To deploy this integration, you need access to the AWS Organizations management account. If you are using Control Tower, you need admin access to the Control Tower management account. The solution relies on AWS Organizations to trigger the automation; the only thing that must be enabled is trusted access between CloudFormation StackSets and AWS Organizations (required for service-managed StackSets), which Control Tower already enables during setup.


2. Aqua CSPM account

You will need an active subscription with Aqua CSPM for Developer or any higher pricing tier plan. Don’t have an account yet? See Signing Up for Aqua.


3. Aqua API key and secret key

Once registered, sign in to the Aqua Platform portal and generate an API key. Make a note of both the API key and the secret key, and treat the secret key as a credential: it is passed into the StackSet as a parameter, so store it in a secrets manager rather than in tickets, chat, or shell history. For more information, see Generating a CSPM API Key and Secret.


4. Aqua group

Aqua CSPM comes with a Default group to which newly provisioned accounts can be added. Alternatively, create a new group and pass its name as a parameter to the CloudFormation StackSet; newly created cloud accounts in the targeted OU will then be onboarded to that group automatically. For more information, see Aqua platform Groups Overview.


Ideally, maintain parity between your AWS Organizational Units and your Aqua CSPM groups: name each Aqua group after the business unit or OU it maps to (e.g., R&D or Sales), so an account's group in Aqua tells you which OU it belongs to.



Step 1: Create the StackSet for this integration

  1. Retrieve the CloudFormation template for the solution from our GitHub repository, choosing the version that matches your Aqua CSPM account region.
  2. Log in to your management account and switch to the AWS Control Tower home region.
  3. Navigate to the AWS CloudFormation console.
  4. On the left navigation bar, select StackSets and click Create StackSet.
  5. In the Choose a template step, either upload the YAML template or paste in the S3 URL for the template.
  6. In the Specify StackSet details section, enter the StackSet name and the AquaCSPMAPIKey and AquaCSPMSecretKey values you generated under Prerequisites (Aqua API key and secret key), along with the AquaGroupName from the Aqua group prerequisite. In this example AquaGroupName is R&D, matching the Aqua CSPM group created in the previous section. Click Next.
  7. On the Configure StackSet options page, under Permissions, select Service-managed permissions. Click Next.
  8. On the Set deployment options page:
    • Under Deployment targets, select Deploy to organizational units (OUs) and enter the appropriate Organizational Unit (OU) ID.
Selecting an OU lets you map it to a corresponding group in Aqua CSPM for easier management. You can also deploy to the entire Organization, but then every account is onboarded to the same Aqua CSPM group. In this example we use the OU ID of the AWS OU named R&D, to keep the Aqua CSPM group and the AWS OU in parity.
    • For Automatic deployment, select Enabled.
    • For Account removal behavior, select Delete stacks.
    • For Specify regions, select the Control Tower home region.
    • Leave the remaining deployment options at their defaults.
    • Click Next.

  9. Review the StackSet details and acknowledge the creation of IAM resources by selecting the checkbox.

  10. Click Submit.

  11. You are taken to the StackSet details page. Under the Operations tab you can monitor the StackSet operation you just started; wait until its Status is SUCCEEDED.

  12. Under the Stack instances tab, verify that a stack instance was created for each account in the R&D Organizational Unit (OU); these instances are what onboard those accounts.
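The same StackSet can be created from the AWS CLI in the management account, which is useful when rolling the integration out to several OUs or repeating it from a pipeline. The script below is an added example and is not Aqua's own tooling. The StackSet name AquaCSPM-RnD, the local template file name aqua-cspm-control-tower.yaml, the OU ID ou-abcd-12345678 and the region us-east-1 are placeholders to substitute with your own values. The API key and secret key are read from environment variables instead of being typed on the command line, so they do not land in shell history, and the dry-run mode redacts them before printing the commands.

```shell
#!/bin/sh
# Added example, not Aqua's own tooling: the CLI equivalent of Step 1.
# Placeholders (assumptions): StackSet name AquaCSPM-RnD, template saved
# locally as aqua-cspm-control-tower.yaml, OU ID ou-abcd-12345678, home
# region us-east-1. Run from the Organizations management account.
set -eu

STACKSET_NAME="${STACKSET_NAME:-AquaCSPM-RnD}"
TEMPLATE_FILE="${TEMPLATE_FILE:-aqua-cspm-control-tower.yaml}"
AQUA_GROUP="${AQUA_GROUP:-R&D}"
OU_ID="${OU_ID:-ou-abcd-12345678}"          # placeholder OU ID
HOME_REGION="${HOME_REGION:-us-east-1}"     # placeholder Control Tower home region
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1 prints commands instead of running them

# run: execute an aws CLI command, or in dry-run mode print it with the
# Aqua key and secret parameter values redacted so they never reach logs.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*" |
            sed -E 's/(AquaCSPM(APIKey|SecretKey),ParameterValue=)[^ ]*/\1<redacted>/g'
    else
        "$@"
    fi
}

# create_aqua_stackset NAME TEMPLATE GROUP
# Mirrors console steps 5-9: template, parameters, service-managed
# permissions, automatic deployment with stack deletion on account removal,
# and the IAM capability acknowledgement. The API key and secret come from
# the environment so they do not appear in shell history.
create_aqua_stackset() {
    name="$1"; template="$2"; group="$3"
    : "${AQUA_CSPM_API_KEY:?export AQUA_CSPM_API_KEY first}"
    : "${AQUA_CSPM_SECRET_KEY:?export AQUA_CSPM_SECRET_KEY first}"
    run aws cloudformation create-stack-set \
        --stack-set-name "$name" \
        --template-body "file://$template" \
        --parameters \
            "ParameterKey=AquaCSPMAPIKey,ParameterValue=$AQUA_CSPM_API_KEY" \
            "ParameterKey=AquaCSPMSecretKey,ParameterValue=$AQUA_CSPM_SECRET_KEY" \
            "ParameterKey=AquaGroupName,ParameterValue=$group" \
        --capabilities CAPABILITY_NAMED_IAM \
        --permission-model SERVICE_MANAGED \
        --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false
}

# deploy_to_ou NAME OU_ID REGION
# Mirrors step 8: target a single OU (not the whole Organization) in the
# home region; accounts added to that OU later are picked up by auto-deployment.
deploy_to_ou() {
    name="$1"; ou_id="$2"; region="$3"
    run aws cloudformation create-stack-instances \
        --stack-set-name "$name" \
        --deployment-targets "OrganizationalUnitIds=$ou_id" \
        --regions "$region"
}

# show_instances NAME
# Mirrors step 12: one row per account and region with the instance status.
show_instances() {
    name="$1"
    run aws cloudformation list-stack-instances \
        --stack-set-name "$name" \
        --query 'Summaries[].[Account,Region,Status,StackInstanceStatus.DetailedStatus]' \
        --output table
}

# Only act when explicitly asked, e.g.:
#   AQUA_CSPM_API_KEY=... AQUA_CSPM_SECRET_KEY=... sh onboard-aqua.sh --apply
if [ "${1:-}" = "--apply" ]; then
    create_aqua_stackset "$STACKSET_NAME" "$TEMPLATE_FILE" "$AQUA_GROUP"
    deploy_to_ou "$STACKSET_NAME" "$OU_ID" "$HOME_REGION"
    show_instances "$STACKSET_NAME"
fi
```

Run it once with DRY_RUN=1 to review the exact commands (with the key values redacted), then with --apply and the two environment variables set. One caveat on the secret: CloudFormation parameter values are returned by DescribeStackSet and DescribeStacks to anyone permitted to call them unless the template declares the parameter NoEcho, so restrict who can describe this StackSet in the management account regardless of how the template is written.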

Step 2: Verify the automated onboarding of newly enrolled accounts into CSPM

  1. Once a new account is enrolled through AWS Control Tower, it is automatically set up so that Aqua CSPM can scan, monitor, and audit it against compliance standards.
  2. Log in to your Aqua Platform account and verify that the new account has been registered. Filter the cloud accounts by the R&D group: all accounts created through AWS Control Tower in the R&D OU are listed under it.
  3. Click Scan to scan the desired cloud account.
  4. To view the scan report for a particular cloud account, select Scan Reports under the Scans drop-down menu and then View Report. The scan report summary is displayed.
  5. You can then enable Real-time events and Remediations for the accounts as needed.