Welcome to Support Portal

TABLE OF CONTENTS

• What is Auto-Discovery?
  • Continual resource discovery
  • Alternatives
• How can I see the resources discovered?
• Running Auto-Discovery
  • SaaS onboarding (first-time connection)
  • After onboarding (subsequent connections)
  • Cloud-specific instructions
  • AWS Auto-Discovery
    • Prerequisites
    • Procedure
    • Troubleshooting
  • Azure Auto-Discovery
    • Prerequisites
    • Procedure
    • Troubleshooting
  • GCP Auto-Discovery
    • Prerequisites
    • Procedure
    • Troubleshooting
• What should I do next?

What is Auto-Discovery?

Auto-Discovery is a feature of Aqua Platform SaaS Edition that provides simple, automated connection of Aqua to cloud accounts. Once the connection has been established, Aqua will discover cloud account resources in your cluster(s). Resource categories discovered by Aqua are container images (and their registries), VMs, serverless functions, and other cloud resources (e.g., ECR registries).

Once discovered, the resources will be scanned for security risks: malware, sensitive data, vulnerabilities, and misconfigurations. You can use all the security features of Workload Protection and CSPM to protect these resources, remediate risks, and continuously monitor their run-time operation for security threats.

Auto-Discovery currently supports AWS (Amazon Web Services), Microsoft Azure, and GCP (Google Cloud Platform) cloud accounts.

Continual resource discovery

Aqua will continue to discover cloud resources in your cluster(s) and extend security protection to newly discovered assets. Once container image registries are discovered, Aqua will automatically search them for new and changed images, and pull all images found daily (you can modify this behavior later).

Alternatives

Running Auto-Discovery is optional. You can also connect to your cloud account manually, in the same manner that you can connect to Google Cloud Platform accounts.

How can I see the resources discovered?

Cloud resources appear in all Aqua Platform SaaS Edition UI screens (as applicable to the category of resource). To name just a few examples:

• The Aqua Hub Inventory screen provides a convenient way to see your resources. You can filter the list of resources presented by category, risk type, and risk severity. You can also obtain detailed information about the resources and the risks associated with them. Refer to Inventory for more information.
• In the Workload Protection module:
  • The Images screen shows all container images discovered, and detailed information about the images, security risks, recommended remediation actions, and much more information.
  • The Workloads area of the main menu contains pages of information about workloads running in your environment and their associated security issues. In the broader sense, workloads include containers, VMs, Kubernetes resources, and Kubernetes clusters.
• In the CSPM module, the Scan Reports screen displays detailed information about security risks discovered while scanning your cloud resources.

Running Auto-Discovery

SaaS onboarding (first-time connection)

Begin the Auto-Discovery process for AWS, Azure, or GCP by navigating to the Aqua Platform SaaS Edition URL provided by Aqua Security. Login with your email address and password. You should see a welcome screen like this:

After onboarding (subsequent connections)

If you don't see this welcome screen, you may have already connected a cloud account. In this case, you may perform the Auto-Discovery process by navigating to Aqua Hub > Integrations, and selecting any of the tiles with the Auto-Discovery banner:

Cloud-specific instructions

See one of the sections below for cloud-specific instructions and related information:

• AWS Auto-Discovery
• Azure Auto-Discovery
• GCP Auto-Discovery

AWS Auto-Discovery

Prerequisites

Running Auto-Discovery for AWS requires:

• An AWS cloud account with permission to create CloudFormation and IAM resources, and to scan the image registries;
• Working knowledge of AWS resources and CloudFormation stacks

Procedure

1. Select the tile with the AWS logo in the Auto-Discovery banner. You will be taken to the screen shown below; follow the instructions:
   
   
2. After you click Launch Stack, follow all standard AWS instructions. You may change the stack name, as long as it is unique. 
3. Click Create Stack. Aqua will start to discover your AWS resources, analyze them for security risks, and derive insights based on the risks.
4. After you see the CloudFormation Stack Details screen, return to the browser tab running Aqua. Click this button (no longer greyed out) to view the Aqua Hub Dashboard:
   

Troubleshooting

• If launching your stack failed, verify that all prerequisites listed above have been met.
• If you believe that Auto-Discovery has not located all your cloud resources, you can attempt the following.

In your AWS account, navigate to the regions in which you launched the stack > CloudFormation > Stacks > Events/Stack Info, and look for relevant errors in each of the stacks and stack sets.

Azure Auto-Discovery

Prerequisites

Running Auto-Discovery for Azure requires:

• An Azure cloud account with permission to create Azure resources, and to scan the image registries
• Working knowledge of Azure resources

Procedure

1. Select the tile with the Azure logo in the Auto-Discovery banner. You will be taken to the screen shown below; follow the instructions:
   
   
2. Aqua will start to discover your Azure resources, analyze them for security risks, and derive insights based on the risks.
3. When the process has completed, click this button (no longer greyed out) to view the Aqua Hub Dashboard:
   

Troubleshooting

• If launching your stack failed, or you believe that Auto-Discovery has not located all your cloud resources:
  • Verify that all prerequisites listed above have been met.
  • Check the error logs inside Azure CloudShell
• If the connection with Azure failed:
  • Verify that you copied the values as-is from the output of the script to the correct fields.
  • Verify that nobody else from your organization has already connected to the same subscription.

GCP Auto-Discovery

Prerequisites

Running Auto-Discovery for GCP (Google Cloud Platform) requires:

• A GCP cloud account with permission to create GCP resources, and to scan the image registries
• A service account that you create
• Permissions for running VM scripts:
  • Project creator
  • Organization role administrator
  • Organization policy administrator
  • Project IAM Admin / Owner for onboarding the project 
• Working knowledge of GCP resources

Procedure

1. Select the tile with the GCP logo in the Auto-Discovery banner. You will be taken to the screen shown below; follow the instructions:
   
   
2. Aqua will start to discover your GCP resources, analyze them for security risks, and derive insights based on the risks identified.
3. When the process has completed, click this button (no longer greyed out) to view the Aqua Hub Dashboard:
   

Troubleshooting

• If the connection with GCP failed, validate that all resources listed below were created successfully and that a JSON file gets generated after the scripts complete.
• If GCP scripts failed:
  • Verify that all prerequisites listed above have been met.
  • Check the error logs inside Google Cloud Shell.

What should I do next?

The time it takes Aqua to discover and analyze your cloud account resources depends on the size and complexity of your environment. You may need to wait 30 minutes or more to begin to see resources and Insights on the Dashboard and in the Inventory. To see complete results, we suggest that you wait at least 24 hours after launching the Auto-Discovery process.

Refer to these Aqua Hub documentation topics for further information:

• Dashboard: using the Dashboard, and reviewing the Top Insights related to potential security risks
• Inventory: viewing, searching, and filtering your cloud account resources