The Policies area of Workload Protection is accessed from the left-hand menu. It comprises these pages:

  • Assurance Policies
  • Runtime Policies
  • Image Profiles
  • Firewall Policies
  • User Access Control

Aqua secures your application builds, your infrastructure, and your workloads in accordance with the security policies of your organization (including requirements for regulatory compliance). 

Many security-related activities are categorized as either assurance or enforcement. Generally speaking:

  • Assurance can scan applications and infrastructure for potential security issues.
  • Enforcement can prevent, at runtime, workloads and infrastructure from performing potentially insecure operations. 

Because security policies are an integral part of both assurance and enforcement, we recommend that you read the topic Assurance and Enforcement if you are not already familiar with these concepts in Aqua.

Assurance Policies

Aqua allows you to define, configure, and manage several types of Assurance Policies. Refer to the documentation indicated below for background information on each type of Assurance, and more specific information on the Assurance Policies themselves.

Background information on Assurance typeInformation on Assurance Policies
Image Assurance Overview
(includes VMware Tanzu Application Assurance)
Image Assurance Policies
(includes VMware Tanzu Application Assurance Policies)
Kubernetes Assurance OverviewKubernetes Assurance Policies
Host Assurance OverviewHost Assurance Policies
Function Assurance OverviewFunction Assurance Policies

Runtime Policies

Aqua allows you to define, configure, and manage these types of Runtime Policies. Refer to the documentation indicated below for more specific information on the Runtime Policies. 

Information on the Runtime Policies
Container Runtime Policies
Function Runtime Policies
Host Runtime Policies

Image Profiles

You can configure one or more Image Profiles to audit and restrict the runtime activities of containers, according to the security requirements of your organization.

Restriction means preventing a container from executing certain runtime activities. For example, an Image Profile could prevent write access to the root file system, or prevent inbound and/or outbound network activity.

An Aqua Enforcer, a MicroEnforcer, or a Pod Enforcer is required to enforce Image Profiles.

For more information, see Image Profiles Overview.

Firewall Policies

Firewall Policies, like Runtime Policies and Image Profiles, provide runtime security. They contain rules which either allow or block outbound or inbound network traffic to or from a container or a host (VM). Firewall Policies are associated with containers and hosts via Aqua services.

For more information, see Aqua Services Overview and Firewall Policies.

User Access Control

User Access Control provides another form of runtime security. By defining User Access Control Policies, Aqua can control which users can access specific Docker resources or perform specific Docker commands. For example, you can specify that a member of the "audit" group can only view container log events.

For more information, see User Access Control for Docker.