The Administration area of Workload Protection is accessed from the left-hand menu (under Configuration). It comprises the pages listed below.


The Integrations section of the Aqua UI allows you to configure integrations with several third-party systems.

For information on configuring image registries, see Image Registries.

For all other kinds of integrations, start here, and read the appropriate topic.


The Scanners page allows you to add, view, and manage Scanners that are connected to Aqua. See Scanners for more information.

Application Scopes

Application scopes are one of the fundamental building blocks of Role-Based Access Control (RBAC), which is designed to support enterprises consisting of multiple teams working on different projects, with different sets of system resources. RBAC allows system administrators to precisely control, for all users, which system resources the user can edit (create, modify, and delete); view; or not access at all.

Refer to RBAC Overview and Application Scopes for more information.


The Enforcers screen lists all Enforcer groups of all types. 

See Enforcers Screen (UI) for more information about the use of this screen.

For comprehensive information on Enforcers, see Enforcers Overview.

Aqua Gateways

Aqua Gateway(s) handle communication between the Aqua Server and the Aqua Enforcer(s), and use the Aqua Database. The Gateway(s) also interface the Aqua Server with any SIEM/Analytics systems you have integrated with Aqua.

There must be at least one Aqua gateway instance in your environment. Multiple gateways can be deployed for redundancy and load balancing.

The Aqua Gateways page of the UI lists the Aqua gateways deployed in your environment. Starting with this list, you can modify certain Gateway parameters, delete gateways from your environment, or obtain more detailed information about any given Gateway.

See Aqua Gateways for more information.


An Aqua service is a group of workloads, which can be either (but not both) of these types:

  • Containers
  • Hosts (VMs)

The workloads that comprise a service at any given time are defined by the scope of the service. Therefore, the workloads (members) of a service can vary over time as workloads are created and terminated.

The main purpose of a service is to apply one or more Firewall Policies to its workloads. These policies contain rules, which either allow or deny (block) outbound or inbound network traffic. The Firewall Policies associated with a service can include predefined (default) policies or custom policies that you have defined.

See Aqua Services Overview.


In many environments there is a need to pass sensitive information like passwords, connection strings, or tokens into a container. A sensitive piece of information is called a secret. Aqua provides central management and secure distribution of secrets into running containers.

After you integrate Aqua with a secret key store, you can define a secret for that key store in the Aqua Server, and assign access control policies that authorize users or groups to run containers that make use of the secret.

When a secret is used, its value will be automatically injected into the container, either as an environment variable or as a file. The value of the secret is encrypted in transit, and will not be visible outside the container.

For more information, see Secrets.

Aqua Labels

You can define one or more Aqua labels to tag images and secrets. See Aqua Labels for more information.