The Policies area of Workload Protection comprises these pages:

  • Assurance Policies
  • Runtime Policies
  • Image Profiles
  • Firewall Policies


Aqua secures your application builds, your infrastructure, and your workloads in accordance with the security policies of your organization (including requirements for regulatory compliance). 


Many security-related activities are categorized as either assurance or enforcement. Generally speaking:

  • Assurance can scan applications and infrastructure for potential security issues.
  • Enforcement can prevent, at runtime, workloads and infrastructure from performing potentially insecure operations. 


Because security policies are an integral part of both assurance and enforcement, we recommend that you read the topic Assurance and Enforcement if you are not already familiar with these concepts in Aqua.


Assurance Policies


Aqua allows you to define, configure, and manage several types of Assurance Policies. Refer to the documentation indicated below for background information on each type of Assurance, and more specific information on the Assurance Policies themselves.


Background information on Assurance typeInformation on Assurance Policies
Image Assurance Overview
(includes VMware Tanzu Application Assurance)
Image Assurance Policies
(includes VMware Tanzu Application Assurance Policies)
Kubernetes Assurance OverviewKubernetes Assurance Policies
Host Assurance OverviewHost Assurance Policies
Function Assurance OverviewFunction Assurance Policies


Runtime Policies


Aqua offers two distinct modes for runtime protection: Lightning Runtime Protection Mode and Classic Runtime Protection Mode (previously named Custom Mode). Each section has its own set of specific security controls. See Runtime Protection: Lightning and Classic Modes for an overview.


Lightning Mode is the default for new deployments of Aqua SaaS Edition, and is the recommended runtime protection configuration for most users and use cases. This said, you can change your Aqua Platform deployment from Lightning to Classic Mode should you require more extensive and granular runtime security protection; see Switch to Classic Runtime Protection Mode.


Image Profiles


You can configure one or more Image Profiles to audit and restrict the runtime activities of containers, according to the security requirements of your organization.


Restriction means preventing a container from executing certain runtime activities. For example, an Image Profile could prevent write access to the root file system, or prevent inbound and/or outbound network activity.


An Aqua Enforcer, a MicroEnforcer, or a Pod Enforcer is required to enforce Image Profiles.


For more information, see Image Profiles Overview.


Firewall Policies


Firewall Policies, like Runtime Policies and Image Profiles, provide runtime security. They contain rules which either allow or block outbound or inbound network traffic to or from a container or a host (VM). Firewall Policies are associated with containers and hosts via Aqua services.


For more information, see Aqua Services Overview and Firewall Policies.


Response Policies


Aqua allows you to create and configure one or more Response Policies to detect specific events, configured as Trigger in the policy. This event can be a critical vulnerability found on an image, malicious runtime activity on their deployments, and so on. Policy configuration also includes sending event notifications to the external notification systems, such as email, Jira, Microsoft Teams, and Slack.  For more information, refer to Response Policies.