This topic explains the procedure for integrating an AWS cloud account and set up the scan configuration to support Cloud Workload Scanning. You can integrate multiple AWS accounts for scanning VMs automatically, on a daily schedule.


Ensure that your Aqua admin has granted you the edit permission on the Integrations page. For more information, refer to Overview of Permission Sets

Create a new cloud connection 

You can create a new cloud connection by applying the following configurations:

  • Connection Details
  • Scan Configuration

Connection Details

  1. Navigate to Administration > Integrations > Workload Scanning.
  2. Click Add Cloud Connection.
  3. In the Connection Details tab, enter the following details: 
  • * Account Name
  • Description
  • * Cloud Provider: Select AWS from the drop-down menu.
  • External ID: This field is filled in automatically.
  • * Role ARN: Enter the ARN value from the IAM role, as explained in Step 6.

        4. In a separate browser tab, sign in to the target AWS account as an Administrator.

        5. Click Launch Stack to deploy the AWS CloudFormation Template in the target AWS account.

        6. Copy the ARN of the IAM role created during the Launch Stack step in the CloudFormation stack "Outputs" and paste it into the Role ARN field. 

        7. Click Test Connection. This will perform a live check to validate that the IAM role in the target account is configured correctly.


Scan Configuration

In the Scan Configuration tab, apply the following configurations:

  1. General Settings: Select one or more AWS regions as required to scan hosts (e.g., us-east-1 and/or us-west-2).
  2. Scan Filters: Select the Include and Exclude tags which were configured in your AWS account. If you select a specific Include tag, VMs having this tag will be scanned by this service. If you select a specific Exclude tag, VMs having this tag will not be scanned by this service. Combination of multiple Include and Exclude tags will ensure that the selected VMs will be scanned. This will reduce the number of VMs scanned and assist with cost optimization.

    Note: The Exclude tag aqua-excluded:true is selected by default; do not remove it.

  3. Enable Automatically register new cloud host as required.
  4. Daily Scan Time: Select a specific time of day for automatic host scanning.

    Note: Server time zone UTC is considered for the scan time.

  5. Click Save in the upper right corner of the page.