Introduction

When Aqua connects to your cloud accounts, it does so using a secure access mechanism that is specific to the cloud provider being used. For example, in AWS, a third-party cross-account IAM role is used. Additional measures, such as IP address restrictions and shared secrets, are used where possible.


AWS Account Connection

AWS connections are made using a third-party cross-account IAM role with an external ID and IP address condition allowing access only from Aqua's network. The "SecurityAudit" IAM policy is attached to the role, providing read-only access to specific resource types.
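As an added example (not Aqua's own code or documentation), the following check reads an IAM role trust policy and reports whether it carries the three restrictions described above: a single expected third-party principal, an `sts:ExternalId` condition, and an `aws:SourceIp` condition limited to known CIDRs. The account ID, external ID and CIDR used in the constructed sample policies are placeholders, not Aqua's real values.

```python
import json

# Constructed trust policy in the shape described above: a cross-account role
# restricted by an external ID and a source-IP condition. The account ID,
# external ID and CIDR are placeholders, not Aqua's real values.
RESTRICTED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"sts:ExternalId": "example-external-id"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
})

# Constructed weak variant with the restrictions stripped: any principal may assume it.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
})


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_principal, expected_external_id, allowed_cidrs):
    """Return findings for every AssumeRole grant looser than the expected shape.

    An empty list means each grant names only the expected principal, requires
    the expected sts:ExternalId and limits aws:SourceIp to the allowed CIDRs.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        if principals != [expected_principal]:
            findings.append(f"unexpected principal(s): {principals}")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get("sts:ExternalId") != expected_external_id:
            findings.append("missing or wrong sts:ExternalId condition")
        cidrs = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        if not cidrs or set(cidrs) - set(allowed_cidrs):
            findings.append(f"aws:SourceIp not limited to allowed CIDRs: {cidrs}")
    return findings
```

In practice the policy document would come from `iam:GetRole` (the `AssumeRolePolicyDocument` field) and the expected values from the vendor's onboarding instructions; the check itself needs no AWS credentials.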


Azure Account Connection

Azure connections are made using an Azure Active Directory application with a client secret and the "Security Reader" policy, providing read-only access to specific resource types. Azure accounts can also be restricted to specific Aqua IP addresses.


GCP Account Connection

GCP connections are made using a service account with "Viewer" permissions, providing read-only access to specific resource types.


Oracle OCI Account Connection

OCI connections are made using a user with a secure key and "READ" permissions to specific resource types.