

What is Auto-Discovery?


Auto-Discovery is a feature available to users of the Enterprise plan of Aqua Platform SaaS Edition, who want to connect Aqua to an Amazon AWS and/or Microsoft Azure cloud account. When the connection is made, Aqua will automatically discover cloud account resources in your cluster(s). Resource categories discovered by Aqua are container images (and their registries), VMs, serverless functions, and other cloud resources (e.g., ECR registries).


Once discovered, the resources will be scanned for security risks: malware, sensitive data, vulnerabilities, and misconfigurations. You can use all the security features of Workload Protection and CSPM to protect these resources, remediate risks, and continuously monitor their run-time operation for security threats.


Continual resource discovery


Aqua will continue to discover cloud resources in your cluster(s) and extend security protection to newly discovered assets. Once container image registries are discovered, Aqua will automatically search them for new and changed images, and pull all images found daily (you can modify this behavior later).


Alternatives


Running Auto-Discovery is optional. You can also connect to your cloud account manually, in the same manner that you can connect to Google Cloud Platform accounts.


How can I see the resources discovered?


Cloud resources appear in all Aqua Platform SaaS Edition UI screens (as applicable to the category of resource). To name just a few examples:

  • The Inventory screen, also found within Aqua Hub, provides a convenient way to see your resources. You can filter the list of resources presented by category, risk type, and risk severity. You can also obtain detailed information about the resources and the risks associated with them. Refer to Inventory for more information.
  • In the Workload Protection module:
    • The Images screen shows all discovered container images, with detailed information about each image, its security risks, recommended remediation actions, and more.
    • The Workloads area of the main menu contains pages of information about workloads running in your environment and their associated security issues. In the broader sense, workloads include containers, VMs, Kubernetes resources, and Kubernetes clusters.
  • In the CSPM module, the Scan Reports screen displays detailed information about security risks discovered while scanning your cloud resources.


Running Auto-Discovery


Prerequisites


Running Auto-Discovery requires:

  • Aqua Platform SaaS Edition, Enterprise plan
  • For AWS
    • An AWS cloud account with permission to create CloudFormation and IAM resources, and to scan the image registries
    • Working knowledge of AWS resources and CloudFormation stacks
  • For Azure
    • An Azure cloud account with permission to create Azure resources, and to scan the image registries
    • Working knowledge of Azure resources
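
Since the AWS path needs permission to create CloudFormation and IAM resources, it is worth reviewing which IAM roles a stack template defines before launching it. The following is an added example, not Aqua's code or template: it audits a parsed JSON CloudFormation template for roles with cross-account trust lacking an external ID, AdministratorAccess, or a wildcard inline action. The function names, the choice of checks, and the sample template (including the account ID) are assumptions constructed for illustration.

```python
def _as_list(value):
    # IAM policy fields may hold a single item or a list of items
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_template(template):
    """Return (role_name, finding) tuples for every IAM role in the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        trust = props.get("AssumeRolePolicyDocument", {})
        for stmt in _as_list(trust.get("Statement")):
            principal = stmt.get("Principal", {})
            cross = stmt.get("Effect") == "Allow" and isinstance(principal, dict) and "AWS" in principal
            # Trust in another AWS principal should be bound to an external ID
            if cross and "sts:ExternalId" not in str(stmt.get("Condition", {})):
                findings.append((name, "cross-account trust without sts:ExternalId"))
        for arn in _as_list(props.get("ManagedPolicyArns")):
            if str(arn).endswith("policy/AdministratorAccess"):
                findings.append((name, "AdministratorAccess attached"))
        for policy in _as_list(props.get("Policies")):
            for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement")):
                if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action")):
                    findings.append((name, "inline policy allows Action '*'"))
    return findings

def _role(condition, managed, inline_action=None):
    # Builds a constructed role resource for the sample template below
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}
    if condition:
        stmt["Condition"] = condition
    props = {"AssumeRolePolicyDocument": {"Statement": [stmt]}, "ManagedPolicyArns": managed}
    if inline_action:
        props["Policies"] = [{"PolicyName": "inline", "PolicyDocument": {
            "Statement": {"Effect": "Allow", "Action": inline_action, "Resource": "*"}}}]
    return {"Type": "AWS::IAM::Role", "Properties": props}

# Constructed sample, not the vendor's real template
SAMPLE = {"Resources": {
    "BroadRole": _role(None, ["arn:aws:iam::aws:policy/AdministratorAccess"], "*"),
    "ScopedRole": _role({"StringEquals": {"sts:ExternalId": "constructed-id"}},
                        ["arn:aws:iam::aws:policy/SecurityAudit"]),
}}

if __name__ == "__main__":
    for role, finding in audit_template(SAMPLE):
        print(f"{role}: {finding}")
```

To review a real template, load its JSON with `json.load` and pass the resulting dict to `audit_template`; YAML templates that use short-form intrinsic tags need converting to JSON first.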


Begin the Auto-Discovery process for either AWS or Azure by navigating to the Aqua Platform SaaS Edition URL provided by Aqua Security. Log in with your email address and password. You should see a welcome screen like this:


Note: If you don't see this welcome screen, you may have already connected a cloud account. In this case, Auto-Discovery is no longer available (see above); you may proceed with standard (manual) cloud account connections or integrations.


Specific instructions follow for AWS and Azure, respectively.


AWS

  1. Click the tile with the AWS logo and the Auto-Discovery banner. You will be taken to the screen shown below; follow the instructions:

  2. After you click Launch Stack, follow all standard AWS instructions. You may change the stack name, as long as it is unique. Click Create Stack. Aqua will start to discover your AWS resources, analyze them for security risks, and derive insights based on the risks.
  3. After you see the CloudFormation Stack Details screen, return to the browser tab running Aqua. Click this button (no longer greyed out) to view the Aqua Hub Dashboard:


Azure

  1. Click the tile with the Azure logo and the Auto-Discovery banner. You will be taken to the screen shown below; follow the instructions:

  2. After you click Connect, follow all standard Azure instructions. You may change the stack name, as long as it is unique. Aqua will start to discover your Azure resources, analyze them for security risks, and derive insights based on the risks.
  3. When the process has completed, click this button (no longer greyed out) to view the Aqua Hub Dashboard:


What should I do next?


The time it takes Aqua to discover and analyze your cloud account resources depends on the size and complexity of your environment. You may need to wait 30 minutes or more to begin to see resources and Insights on the Dashboard. To see complete results, we suggest that you wait at least 24 hours after launching the Auto-Discovery process.


Refer to the Dashboard documentation for instructions on using the Dashboard, and reviewing the Top Insights related to potential security risks.