This topic explains the purpose and operation of Cloud Workload Scanning. 

The Aqua Cloud Workload Scanning service scans volume snapshots of cloud virtual machines (VMs) running in your AWS environment. It discovers running containers and host images on which these containers are based in these VMs. It detects security issues (runtime events, malware, vulnerabilities, sensitive data, and misconfigurations) in the running hosts, containers, and host images.

This service does not require deploying an Enforcer or accessing the running VMs directly.

Scan results are displayed in the Workloads > VMs screen of the UI. The VMs which are scanned by this service are identified with a "Cloud Workload Scanning" icon before the VM name, as shown below. For more information, refer to VM Scan Results for Cloud Workload Scanning.

Once you analyze the scan results of a VM, you can prioritize your remediation efforts based on the detected risks and their severity. This can help ensure your Enforcer deployment strategy aligns with your current risk posture.

Scanning of VMs is supported by the Aqua CyberCenter, which maintains an up-to-date database of vulnerabilities and malware.

Containers which are running on the VMs are displayed in the UI in these locations:

Container-based host images are displayed in the following tabs of the Images screen:


Aqua admins should integrate the target AWS cloud account with Aqua to start using this service.

Scanning process

Cloud Workload Scanning performs the following actions:

  1. The Aqua scanning service discovers the running EC2 instances and their attached root EBS block volumes in the target AWS account. The Include and Exclude tags of the AWS account are considered when scanning the associated VMs.
  2. The service registers the target VM as a "Cloud Workload Scanning" VM with the Aqua Server, and stores its associated host information and cloud metadata.
  3. The service creates a snapshot of the associated volume from the target AWS account. After scanning, the volume snapshot will be deleted automatically.
  4. The cloud workload scanning engine, which is hosted in the Aqua account of the same AWS region as that of the target AWS account, scans the content of the volume snapshot.
  5. Scan results (vulnerabilities, malware, and sensitive data) of the VMs are registered with the Aqua Server and displayed in the Workloads > VMs screen for each VM. 

Scanning schedule

This service scans the VMs automatically. Aqua admins can schedule the scans at a specific time every day. To configure the schedule, refer to Integrate a Cloud Account for Cloud Workload Scanning.

Current limitation

Scan results of the VMs reported by this service in the Workloads > VMs screen do not display the Compliance Results and Images tabs.


VM scan results