TABLE OF CONTENTS

Overview

This topic explains the procedure to integrate an AWS cloud account and set up the scan configuration to support Cloud Workload Scanning. You can integrate multiple AWS accounts for scanning VMs automatically, on a daily schedule.

Prerequisite

Ensure that your Aqua admin granted you the edit permission on the Integrations page. For more information, refer to Overview of Permissions Sets


Create a new cloud connection 

You can create a new cloud connection by applying the following configurations:

  • Connection Details
  • Scan Configuration


Connection Details

To create a new cloud connection:

  1. Navigate to Administration > Integrations > Workload Scanning.
  2. Click Add Cloud Connection.
  3. In the Connection Details tab, enter the following details: 
  • * Account Name
  • Description
  • * Cloud Provider: From the dropdown, select AWS
  • External ID: This field is populated with a value automatically
  • * Role ARN: Enter ARN value from the IAM role, as explained in the step 6.

        4. In a separate browser tab, sign in to the target AWS account as an Administrator.

        5. Click Launch Stack to deploy the AWS CloudFormation Template in the target AWS account.

        6. Copy the ARN of the IAM role created during the Launch Stack step in the CloudFormation stack "Outputs" and paste it into the Role ARN field. 

        7. Click Test Connection. This will Perform a live check to validate that the IAM role in the target account is configured correctly.


 

Scan Configuration

In the Scan Configuration tab, apply the following configurations:

  1. General Settings: Select AWS regions as required to scan hosts: us-east-1 and/or us-west-2
  2. Scan Filters: Select the ‘Include’ and ‘Exclude’ tags which were configured in your AWS account. If you select a specific ‘Include’ tag, VMs having this tag will be considered scanning by this service. If you select a specific ‘Exclude’ tag, VMs having this tag will not be considered scanning by this service. Combination of multiple ‘Include’ and ‘Exclude’ tags will ensure the selected VMs will be considered for scanning. This will reduce the number of VMs required for scanning and ensure cost optimization.

    Note: Exclude tag: aqua-excluded:true is selected by default, do not remove it.

  3. Enable Automatically register new cloud host as required.
  4. Daily Scan Time: Select specific time of a day to scan hosts automatically.

    Note: Server time zone UTC is considered for the scan time.

  5. Click Save in the upper right corner of the page.