Cloud Account Connection Security
TABLE OF CONTENTS
- Introduction
- AWS Account Connection
- Azure Account Connection
- GCP Account Connection
- Oracle OCI Account Connection
Introduction
When Aqua connects to your cloud accounts, it does so using a secure access mechanism that is specific to the cloud provider being used. For example, in AWS, a third-party cross-account IAM role is used. Additional measures, such as IP address restrictions and shared secrets, are used where possible.
AWS Account Connection
AWS connections are made using a third-party cross-account IAM role with an external ID and IP address condition allowing access only from Aqua's network. The "SecurityAudit" IAM policy is attached to the role, providing read-only access to specific resource types.
Azure Account Connection
Azure connections are made using an Azure Active Directory application with a client secret and the "Security Reader" policy, providing read-only access to specific resource types. Azure accounts can also be restricted to specific Aqua IP addresses.
GCP Account Connection
GCP connections are made using a service account with "Viewer" permissions, providing read-only access to specific resource types.
Oracle OCI Account Connection
OCI connections are made using a user with a secure key and "READ" permissions to specific resource types.
Did you find it helpful? Yes No
Send feedback