Assurance and Enforcement
Aqua secures your application builds, your infrastructure, and your workloads in accordance with the security policies of your organization (including requirements for regulatory compliance).
Many security-related activities are categorized as either assurance or enforcement. Generally speaking, assurance can scan applications and infrastructure for potential security issues, and enforcement can prevent, at runtime, workloads and infrastructure from performing potentially insecure operations.
This section provides an overview of both assurance and enforcement. You can follow the links to documentation with more comprehensive information on functionality, configuration, and usage. You can also refer to Securing Kubernetes Applications for an overview specifically related to Kubernetes security.
Assurance
Aqua assurance secures your applications and infrastructure before runtime. Assurance includes the following activities (and a few others):
- Scanning your applications and infrastructure for security issues (listed in the tables below)
- Evaluating applications and infrastructure for compliance with your organization's Assurance Policies
- Providing various means to mitigate the risk of the security issues discovered
- Reporting and logging audit events for the aforementioned activities and findings
Aqua assurance alone does not block potentially harmful activities. However, Assurance Policy assessments of non-compliance can be used to provide this protection. For example:
- You can integrate Aqua image and function scanning in the pipelines of your external CI/CD system(s). If Aqua determines that an image or a function is non-compliant with your organization's policies, Aqua can report the related build step to the CI/CD system as failed.
- You can configure Aqua enforcement to block the deployment of non-compliant images, functions, and Kubernetes workloads.
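The CI/CD gate described above, as an added illustration that is not Aqua's own code or report format: a constructed scan result for one image is evaluated against a hypothetical Image Assurance Policy (vulnerability severity threshold, sensitive data, malware), and the build step fails when any control is violated.

```python
from dataclasses import dataclass
import sys

# Constructed sample scan result for one image. The field names are an
# assumption for this illustration, not Aqua's actual report schema.
SAMPLE_SCAN = {
    "image": "registry.example.com/payments/api:1.4.2",
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "critical", "package": "openssl"},
        {"id": "CVE-EXAMPLE-0002", "severity": "medium", "package": "curl"},
    ],
    "sensitive_data": ["/app/.env contains AWS_SECRET_ACCESS_KEY"],
    "malware": [],
}

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class ImageAssurancePolicy:
    """Hypothetical policy mirroring the Image Assurance controls named on this page."""
    fail_at_severity: str = "high"   # any vulnerability at or above this level fails the image
    block_sensitive_data: bool = True
    block_malware: bool = True


def evaluate(report, policy):
    """Return the list of policy failures; an empty list means the image is compliant."""
    failures = []
    threshold = SEVERITY_RANK[policy.fail_at_severity]
    for v in report["vulnerabilities"]:
        if SEVERITY_RANK[v["severity"]] >= threshold:
            failures.append(f"vulnerability {v['id']} ({v['severity']}) in {v['package']}")
    if policy.block_sensitive_data:
        failures.extend(f"sensitive data: {s}" for s in report["sensitive_data"])
    if policy.block_malware:
        failures.extend(f"malware: {m}" for m in report["malware"])
    return failures


def ci_exit_code(report, policy):
    """0 when compliant, 1 otherwise, so the CI step reports the build as failed."""
    return 0 if not evaluate(report, policy) else 1


if __name__ == "__main__":
    policy = ImageAssurancePolicy()
    for problem in evaluate(SAMPLE_SCAN, policy):
        print(f"{SAMPLE_SCAN['image']}: non-compliant: {problem}")
    sys.exit(ci_exit_code(SAMPLE_SCAN, policy))
```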
The tables below list the kinds of applications and infrastructure elements covered by assurance, the types of assurance (and Assurance Policies) you can configure, and the kinds of security issues Aqua can scan for.
Application types
Application type | Assurance and Policy type | Security issues |
---|---|---|
Container images including VMware Tanzu applications | Image Assurance (Policies) | Vulnerabilities; sensitive data; malware |
AWS Lambda and Microsoft Azure serverless functions | Function Assurance (Policies) | Vulnerabilities; sensitive data; excessive permissions |
Infrastructure types
Infrastructure type | Assurance and Policy type | Security issues |
---|---|---|
Hosts (VMs) | Host Assurance (Policies) | Vulnerabilities; malware; open-source licenses; compliance with CIS benchmarks |
Kubernetes | Kubernetes Assurance (Policies) | Security issues in workload configurations |
Enforcement
Aqua enforcement secures your workloads and infrastructure during runtime. It includes the following activities (and a few others):
- Deciding, based on assurance compliance findings, whether to allow or block your workloads (containers and serverless functions) from running
- Monitoring, restricting, and/or blocking specific runtime activities of workloads and hosts (VMs), as determined by your organization's Runtime Policies and Firewall Policies
- Reporting and logging audit events for the aforementioned activities and findings
For further information, see the Enforcers Overview in the Aqua Enforcement section. This section describes:
- The types of runtime security provided for your workloads and infrastructure
- How to configure and deploy Enforcers, the Aqua components that implement enforcement-related functionality
The tables below list the kinds of workloads and infrastructure elements covered by enforcement, the types of security policies you can configure, and the kinds of security issues Aqua can detect and/or block. You can click on the links for further information on security policy types.
Workload types
Workload type | Security Policies | Security issues |
---|---|---|
Containers including VMware Tanzu applications | Container Runtime Policies | See the list of policy controls |
Containers including VMware Tanzu applications | Image Profiles | See the list of policy controls |
Containers including VMware Tanzu applications | Firewall Policies, associated with Aqua services | Inbound and outbound network access to and from undesired endpoints |
AWS Lambda serverless functions | Function Runtime Policies | See the list of policy controls |
Infrastructure types
Infrastructure type | Security Policies | Security issues |
---|---|---|
Hosts (VMs) | Host Runtime Policies | See the list of policy controls |
Hosts (VMs) | Firewall Policies, associated with Aqua services | Inbound and outbound network access to and from undesired endpoints |