The Policies area of Workload Protection is accessed from the left-hand menu. It comprises these pages:

  • Assurance Policies
  • Runtime Policies
  • Image Profiles
  • Firewall Policies
  • Response Policies
  • User Access Control

Aqua secures your application builds, your infrastructure, and your workloads in accordance with the security policies of your organization (including requirements for regulatory compliance). 

Many security-related activities are categorized as either assurance or enforcement. Generally speaking:

  • Assurance scans application artifacts (images, functions) and infrastructure (hosts, Kubernetes clusters) for potential security issues and evaluates the findings against policy.
  • Enforcement prevents workloads and infrastructure, at runtime, from performing potentially insecure operations.

Because security policies are an integral part of both assurance and enforcement, we recommend that you read the topic Assurance and Enforcement if you are not already familiar with these concepts in Aqua.

Assurance Policies

Aqua allows you to define, configure, and manage several types of Assurance Policies. Refer to the documentation indicated below for background information on each type of Assurance, and more specific information on the Assurance Policies themselves.

  Background information on Assurance type         Information on Assurance Policies
  Image Assurance Overview                         Image Assurance Policies
  (includes VMware Tanzu Application Assurance)    (includes VMware Tanzu Application Assurance Policies)
  Kubernetes Assurance Overview                    Kubernetes Assurance Policies
  Host Assurance Overview                          Host Assurance Policies
  Function Assurance Overview                      Function Assurance Policies

Runtime Policies

Aqua offers two distinct modes for runtime protection: Express Runtime Protection Mode and Custom Runtime Protection Mode. Each mode has its own set of security controls. See Runtime Protection Modes: Express and Custom for an overview.

Express Mode provides low-friction, recommended best-practices runtime protection for containers, VM workloads, and Kubernetes clusters. It is configured with these Runtime Policies: Container Workload Protection, VM Workload Protection, and Kubernetes Cluster Protection. While some controls allow you to configure the related system response action, the Express Mode security configuration is mostly unchangeable. See Express Mode Security Configuration for further information.

If you run in Custom Mode, Aqua allows you to define, configure, and manage these types of Runtime Policies. Refer to the documentation indicated below for more specific information on the Runtime Policies. 

  • Container Runtime Policies
  • Function Runtime Policies
  • Host Runtime Policies

Image Profiles

You can configure one or more Image Profiles to audit and restrict the runtime activities of containers, according to the security requirements of your organization.

Audit means that the activity is recorded as an event but not blocked; restriction means preventing a container from performing certain runtime activities. For example, an Image Profile could prevent write access to the root file system, or prevent inbound and/or outbound network activity.

An Aqua Enforcer, a MicroEnforcer, or a Pod Enforcer is required to enforce Image Profiles.

For more information, see Image Profiles Overview.

Firewall Policies

Firewall Policies, like Runtime Policies and Image Profiles, provide runtime security. They contain rules which either allow or block outbound or inbound network traffic to or from a container or a host (VM). Firewall Policies are associated with containers and hosts via Aqua services.

For more information, see Aqua Services Overview and Firewall Policies.
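The restrictions described for Image Profiles above (read-only root file system, blocked network activity) and the block rules of Firewall Policies only protect a workload if they are actually in effect there. The following is an added example, not Aqua's own tooling or documentation: a POSIX shell self-check to run inside a container or on a host that probes whether the root file system accepts writes and whether a TCP connection to a destination your policy should block can be opened. The default destination 203.0.113.10:443 (a TEST-NET-3 address) is a placeholder assumption; pass the host and port your policy is meant to block.

```shell
#!/bin/sh
# Added example, not part of Aqua's documentation or product: probe whether the
# runtime restrictions expected from an Image Profile (read-only root filesystem,
# no network egress) or a Firewall Policy (blocked egress to HOST:PORT) hold on
# the workload this script runs in. 203.0.113.10:443 is a placeholder (TEST-NET-3).

# dir_writable DIR: returns 0 if a file can be created in DIR, 1 otherwise.
# Probe / to learn whether the root filesystem is writable.
dir_writable() {
  dir="${1:-/}"
  probe="$dir/.profile_probe.$$"
  if ( : > "$probe" ) 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# tcp_reachable HOST PORT [TIMEOUT]: returns 0 if a TCP connection to HOST:PORT
# is accepted, 1 if it is refused or times out, 2 if no probe mechanism exists.
tcp_reachable() {
  host="$1"; port="$2"; timeout="${3:-3}"
  if [ -n "$BASH_VERSION" ]; then
    # bash can open TCP sockets through /dev/tcp; bound the attempt if 'timeout' exists.
    if command -v timeout >/dev/null 2>&1; then
      timeout "$timeout" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null && return 0
    else
      bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null && return 0
    fi
    return 1
  fi
  if command -v nc >/dev/null 2>&1; then
    # -z: connect only, send no data; -w: connect timeout in seconds.
    nc -z -w "$timeout" "$host" "$port" >/dev/null 2>&1 && return 0
    return 1
  fi
  return 2
}

# profile_check [HOST] [PORT]: report each control; returns 0 only if every
# expected restriction is observed, 1 if the root filesystem is writable or
# egress to HOST:PORT succeeds.
profile_check() {
  host="${1:-203.0.113.10}"
  port="${2:-443}"
  status=0
  if dir_writable /; then
    echo "rootfs write: ALLOWED (expected blocked by Image Profile)"
    status=1
  else
    echo "rootfs write: blocked"
  fi
  rc=0
  tcp_reachable "$host" "$port" 3 || rc=$?
  case $rc in
    0) echo "egress to $host:$port: ALLOWED (expected blocked)"; status=1 ;;
    1) echo "egress to $host:$port: blocked" ;;
    *) echo "egress to $host:$port: not probed (no bash /dev/tcp or nc available)" ;;
  esac
  return "$status"
}

# Run the check only when invoked with arguments, for example:
#   sh profile_check.sh 203.0.113.10 443
if [ $# -gt 0 ]; then
  profile_check "$@"
fi
```

Run it from inside the workload (for example with kubectl exec or docker exec) after the Enforcer has applied the profile; a non-zero exit status means at least one expected restriction is not in effect and the policy, its enforce/audit mode, or the Enforcer deployment should be checked. The egress probe only tells you whether a connection is accepted, so pair it with the Aqua audit events for the same destination to distinguish a Firewall Policy block from a destination that is simply down.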

Response Policies

Aqua allows you to create and configure one or more Response Policies. Each policy detects a specific kind of event, configured as its Trigger: for example, a critical vulnerability found in an image, or malicious runtime activity in your deployments. The policy also defines what to do in response, such as sending event notifications to external systems (for example Jira, Microsoft Teams, email, or Slack). For more information, refer to Response Policies.