The Policies area of Workload Protection is accessed from the left-hand menu. It comprises these pages:
- Assurance Policies
- Runtime Policies
- Image Profiles
- Firewall Policies
- Response Policies
- User Access Control
Aqua secures your application builds, your infrastructure, and your workloads in accordance with the security policies of your organization (including requirements for regulatory compliance).
Many security-related activities are categorized as either assurance or enforcement. Generally speaking:
- Assurance can scan applications and infrastructure for potential security issues.
- Enforcement can prevent, at runtime, workloads and infrastructure from performing potentially insecure operations.
Because security policies are an integral part of both assurance and enforcement, we recommend that you read the topic Assurance and Enforcement if you are not already familiar with these concepts in Aqua.
Assurance Policies
Aqua allows you to define, configure, and manage several types of Assurance Policies. Refer to the documentation indicated below for background information on each type of Assurance, and more specific information on the Assurance Policies themselves.

| Background information on Assurance type | Information on Assurance Policies |
| --- | --- |
| Image Assurance Overview (includes VMware Tanzu Application Assurance) | Image Assurance Policies (includes VMware Tanzu Application Assurance Policies) |
| Kubernetes Assurance Overview | Kubernetes Assurance Policies |
| Host Assurance Overview | Host Assurance Policies |
| Function Assurance Overview | Function Assurance Policies |
Runtime Policies
Information on the Runtime Policies:
- Container Runtime Policies
- Function Runtime Policies
- Host Runtime Policies
Image Profiles
You can configure one or more Image Profiles to audit and restrict the runtime activities of containers, according to the security requirements of your organization.
Restriction means preventing a container from executing certain runtime activities. For example, an Image Profile could prevent write access to the root file system, or prevent inbound and/or outbound network activity.
An Aqua Enforcer, a MicroEnforcer, or a Pod Enforcer is required to enforce Image Profiles.
For more information, see Image Profiles Overview.
Firewall Policies
Firewall Policies, like Runtime Policies and Image Profiles, provide runtime security. They contain rules that allow or block inbound or outbound network traffic to or from a container or a host (VM). Firewall Policies are associated with containers and hosts via Aqua services.
Response Policies
Aqua allows you to create and configure one or more Response Policies to detect specific events, configured as the Trigger in the policy. Such an event can be a critical vulnerability found in an image, malicious runtime activity in your deployments, and so on. The policy configuration also specifies the external notification systems to which event notifications are sent, such as JIRA, Microsoft Teams, email, and Slack. For more information, refer to Response Policies.
User Access Control
User Access Control provides another form of runtime security. By defining User Access Control Policies, Aqua can control which users can access specific Docker resources or perform specific Docker commands. For example, you can specify that a member of the "audit" group can only view container log events.
For more information, see User Access Control for Docker.