Aqua secures your application builds, your infrastructure, and your workloads in accordance with the security policies of your organization (including requirements for regulatory compliance).


Many security-related activities are categorized as either assurance or enforcement. Generally speaking, assurance can scan applications and infrastructure for potential security issues, and enforcement can prevent, at runtime, workloads and infrastructure from performing potentially insecure operations.


This section provides an overview of both assurance and enforcement. You can follow the links to documentation with more comprehensive information on functionality, configuration, and usage. You can also refer to Securing Kubernetes Applications for an overview specifically related to Kubernetes security.


Assurance

Aqua assurance secures your applications and infrastructure before runtime. Assurance includes the following activities (and a few others):

  • Scanning your applications and infrastructure for security issues (defined below)

  • Evaluating applications and infrastructure for compliance with your organization's Assurance Policies

  • Providing various means to mitigate the risk of the security issues discovered

  • Reporting and logging audit events for the aforementioned activities and findings

Aqua assurance alone does not block potentially harmful activities. However, an Assurance Policy's finding of non-compliance can be used to provide this protection. For example:

  • You can integrate Aqua image and function scanning in the pipelines of your external CI/CD system(s). If Aqua determines that an image or a function is non-compliant with your organization's policies, Aqua can report the related build step to the CI/CD system as failed.
  • You can configure Aqua enforcement to block the deployment of non-compliant images, functions, and Kubernetes workloads.
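Both of these uses rest on the same decision: take a scan result, evaluate it against the organization's Assurance Policy, and turn the outcome into a pass/fail signal that a CI/CD build step or a deployment gate can act on. The following is an added illustration of that decision, not Aqua's own code or report format; the scan-result layout, the policy controls (`max_severity`, `only_fixable`, `block_sensitive_data`, `block_malware`) and the image name are assumptions constructed for the example.

```python
"""Example assurance gate: evaluate a scan result against an Assurance Policy.

Added illustration, not Aqua code. The scan-result layout and the policy
controls below are assumptions chosen for this example; a real integration
reads the scanner's own report format.
"""
import json
import sys
from typing import List

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan result for one container image (hypothetical format).
SAMPLE_SCAN = {
    "image": "registry.example.com/shop/checkout:1.4.2",
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "severity": "high", "fix_version": "2.9.1"},
        {"id": "VULN-EXAMPLE-2", "severity": "medium", "fix_version": None},
    ],
    "sensitive_data": ["/app/config/.env"],
    "malware": [],
}
SAMPLE_SCAN_RESULT = json.dumps(SAMPLE_SCAN)  # as a CI step would receive it

# Constructed Assurance Policy (hypothetical controls).
SAMPLE_POLICY = {
    "max_severity": "medium",      # any finding above this is a violation
    "only_fixable": True,          # ignore findings that have no fix available
    "block_sensitive_data": True,
    "block_malware": True,
}


def evaluate(scan_result: dict, policy: dict) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    limit = SEVERITY_RANK[policy["max_severity"]]
    for vuln in scan_result.get("vulnerabilities", []):
        if policy.get("only_fixable") and not vuln.get("fix_version"):
            continue  # unfixable findings are reported elsewhere, not gated on
        if SEVERITY_RANK[vuln["severity"]] > limit:
            violations.append(
                f"{vuln['id']}: severity {vuln['severity']} exceeds {policy['max_severity']}"
            )
    if policy.get("block_sensitive_data") and scan_result.get("sensitive_data"):
        violations.append("sensitive data found: " + ", ".join(scan_result["sensitive_data"]))
    if policy.get("block_malware") and scan_result.get("malware"):
        violations.append("malware found: " + ", ".join(scan_result["malware"]))
    return violations


def gate(scan_json: str, policy: dict) -> int:
    """CI/CD or deployment entry point: 0 when compliant, 1 when any violation exists.

    A non-zero exit code is what makes the build step show as failed, or
    what a deployment gate treats as "block"."""
    result = json.loads(scan_json)
    violations = evaluate(result, policy)
    for violation in violations:
        print(f"[non-compliant] {result['image']}: {violation}", file=sys.stderr)
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_SCAN_RESULT, SAMPLE_POLICY))
```

With the constructed input, the high-severity fixable vulnerability and the sensitive file are violations, the unfixable medium finding is skipped because `only_fixable` is set, and the process exits 1, which is the signal the CI/CD system or deployment gate acts on.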


The tables below list the kinds of applications and infrastructure elements covered by assurance, the types of assurance (and Assurance Policies) you can configure, and the kinds of security issues Aqua can scan for.


Application types


| Application type | Assurance and Policy type | Security issues |
| --- | --- | --- |
| Container images, including VMware Tanzu applications | Image Assurance (Policies) | Vulnerabilities; sensitive data; malware |
| AWS Lambda and Microsoft Azure serverless functions | Function Assurance (Policies) | Vulnerabilities; sensitive data; excessive permissions |


Infrastructure types


| Infrastructure type | Assurance and Policy type | Security issues |
| --- | --- | --- |
| Hosts (VMs) | Host Assurance (Policies) | Vulnerabilities; malware; open-source licenses; compliance with CIS benchmarks |
| Kubernetes | Kubernetes Assurance (Policies) | Security issues in workload configurations |


Enforcement


Aqua enforcement secures your workloads and infrastructure during runtime. It includes the following activities (and a few others):

  • Deciding, based on assurance compliance findings, whether to allow or block your workloads (containers and serverless functions) from running
  • Monitoring, restricting, and/or blocking specific runtime activities of workloads and hosts (VMs), as determined by your organization's Runtime Policies and Firewall Policies
  • Reporting and logging audit events for the aforementioned activities and findings
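The second activity, restricting network access under a Firewall Policy, is the one that translates most directly into code: a list of permitted endpoints per service, applied to each inbound and outbound connection, with an audit record for every decision. The following is an added illustration of that evaluation, not Aqua's own code; the rule layout, the event layout, the service name, the addresses and the "audit" outcome for a monitor-only policy are assumptions constructed for the example.

```python
"""Example Firewall Policy evaluation over constructed connection events.

Added illustration, not Aqua code. The rule and event layouts and the "audit"
outcome are assumptions made for this example; they show how a per-service
list of permitted endpoints is applied to inbound and outbound connections,
and how a monitor-only policy differs from a blocking one.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FirewallRule:
    direction: str                     # "inbound" or "outbound"
    endpoint: str                      # CIDR block or exact hostname
    action: str                        # "allow" or "block"
    ports: Optional[List[int]] = None  # None means any port


@dataclass
class ConnectionEvent:
    service: str
    direction: str
    remote_host: str                   # IP address or hostname
    port: int


# Constructed policy for a hypothetical "checkout" service.
SAMPLE_RULES = [
    FirewallRule("outbound", "10.20.0.0/16", "allow", ports=[5432]),        # database subnet
    FirewallRule("outbound", "api.payments.example", "allow", ports=[443]),  # payment API
    FirewallRule("inbound", "10.0.0.0/8", "allow", ports=[8080]),            # internal clients
]

# Constructed connection events, as a runtime sensor might report them.
SAMPLE_EVENTS = [
    ConnectionEvent("checkout", "outbound", "10.20.3.7", 5432),
    ConnectionEvent("checkout", "outbound", "api.payments.example", 443),
    ConnectionEvent("checkout", "outbound", "203.0.113.9", 443),   # not on the allow list
    ConnectionEvent("checkout", "inbound", "10.1.2.3", 8080),
    ConnectionEvent("checkout", "inbound", "198.51.100.4", 8080),  # external source
    ConnectionEvent("checkout", "outbound", "10.20.3.7", 22),      # permitted host, wrong port
]


def _matches(rule: FirewallRule, event: ConnectionEvent) -> bool:
    """True when the rule's direction, port list and endpoint all cover the event."""
    if rule.direction != event.direction:
        return False
    if rule.ports is not None and event.port not in rule.ports:
        return False
    try:
        # CIDR rule checked against an IP address
        return ipaddress.ip_address(event.remote_host) in ipaddress.ip_network(
            rule.endpoint, strict=False
        )
    except ValueError:
        # Either side is not an address: fall back to an exact hostname match
        return rule.endpoint.lower() == event.remote_host.lower()


def decide(rules: List[FirewallRule], event: ConnectionEvent, enforce: bool = True) -> str:
    """First matching rule wins; an unmatched connection is blocked by default.

    With enforce=False the policy only monitors: a would-be block is returned
    as "audit", meaning the connection proceeds but is logged."""
    action = "block"
    for rule in rules:
        if _matches(rule, event):
            action = rule.action
            break
    if action == "block" and not enforce:
        return "audit"
    return action


def evaluate_events(rules, events, enforce=True) -> List[Tuple[str, str, int, str]]:
    """Produce one audit record (direction, remote_host, port, decision) per event."""
    return [(e.direction, e.remote_host, e.port, decide(rules, e, enforce)) for e in events]


if __name__ == "__main__":
    for record in evaluate_events(SAMPLE_RULES, SAMPLE_EVENTS):
        print("%-8s %-22s %-5d -> %s" % record)
```

Running the policy in monitor-only mode first (`enforce=False`) shows which existing connections the rules would cut off, so the allow list can be corrected before blocking is switched on; in the constructed sample, the connection to 203.0.113.9, the inbound connection from 198.51.100.4 and the port 22 connection are the three that would be blocked.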


For further information, see the Enforcers Overview in the Aqua Enforcement section. This section describes:

  • The types of runtime security provided for your workloads and infrastructure
  • How to configure and deploy Enforcers, the Aqua components that implement enforcement-related functionality

The tables below list the kinds of workloads and infrastructure elements covered by enforcement, the types of security policies you can configure, and the kinds of security issues Aqua can detect and/or block. You can click on the links for further information on security policy types.


Workload types


| Workload type | Security Policies | Security issues |
| --- | --- | --- |
| Containers, including VMware Tanzu applications | Container Runtime Policies | See the list of policy controls |
| Containers, including VMware Tanzu applications | Image Profiles | See the list of policy controls |
| Containers, including VMware Tanzu applications | Firewall Policies, associated with Aqua services | Inbound and outbound network access to and from undesired endpoints |
| AWS Lambda serverless functions | Function Runtime Policies | See the list of policy controls |



Infrastructure types


| Infrastructure type | Security Policies | Security issues |
| --- | --- | --- |
| Hosts (VMs) | Host Runtime Policies | See the list of policy controls |
| Hosts (VMs) | Firewall Policies, associated with Aqua services | Inbound and outbound network access to and from undesired endpoints |