This topic explains Aqua’s Cloud Workload Scanning and the scanning process. 

Aqua Cloud Workload Scanning (called as “service” in this document) scans running hosts in the cloud Virtual Machine (VM) disks integrated with your AWS account(s). It does not require deploying an Enforcer or accessing the running VMs directly. It detects security issues such as vulnerabilities, malware, and sensitive data in the running hosts. 

Scan results are displayed in the Workloads > VMs page. The VMs which are scanned by this service are identified with an 'Cloud Workload Scanning’ icon before the VM name, as shown below. Once you analyze scan results of a VM, you can prioritize your remediation efforts based on the detected risks and their severity.  This can help ensure your Enforcer deployment strategy aligns with your current risk posture.

Scanning of VMs is supported by the Aqua CyberCenter, which maintains up-to-date database on vulnerabilities and malware.


Aqua admin should integrate the target AWS cloud account with Aqua to start using this service.

Scanning process

Cloud Workload Scanning performs the following actions in a sequence, while scanning the VMs:

  1. The Aqua scanning service discovers the running EC2 instances and their attached root EBS block volume in the target AWS account. The ‘Include’ and ‘Exclude’ tags of the AWS account are considered for scanning the associated VMs.
  2. It registers the target VM as ‘Cloud Workload Scanning’ VM with the Aqua Server and stores its associated host information and cloud metadata.
  3. It creates a snapshot of the associated volume from the target AWS account. After scanning, this volume snapshot will be deleted automatically.
  4. Cloud workload scan engine which is hosted in the Aqua account of the same AWS region as that of the target AWS account, scans the content of the volume snapshot.
  5. Scan results (vulnerabilities, malware, and sensitive data) of the VMs are registered with the Aqua Server and displayed in the Workloads > VMs page for each VM. 

Scanning schedule

This service scans the VMs automatically on a daily schedule. Aqua admins can schedule scanning the VMs at a specific time every day. To configure the schedule, refer to Integrate a Cloud Account.


  • This service currently supports scanning AWS EBS (Elastic Block Store) Root Block Volumes attached to the running EC2 instances visible in the target AWS cloud account.
  • The service currently supports scanning cloud VM disks in the following AWS regions:
    • us-east-1: N Virginia, VA, USA
    • us-east-1: N Virginia, VA, USA

           Aqua plans to add more AWS regions in future.

  • Scan results of the VMs reported by this service in the Workloads > VMs page do not currently display the tabs ‘Compliance Results’ and ‘Images’.

Configurations and VM scan results


VM scan results