Introduction: Understanding Aqua Security
Aqua Security is a comprehensive cloud-native security platform that protects applications throughout their lifecycle. It secures containerized, serverless, and virtual machine (VM) workloads across public clouds, private data centers, and hybrid environments. The platform offers protection from development to production with vulnerability scanning, runtime protection, and compliance management.
This cheatsheet provides essential commands, configurations, and best practices for effectively using Aqua Security to secure your cloud-native applications.
Core Components of Aqua Security Platform
| Component | Description | Primary Function |
|---|---|---|
| Aqua Console | Central management dashboard | Configuration and monitoring hub |
| Aqua Enforcer | Runtime security agent | Enforces policies and monitors containers |
| Aqua Scanner | Vulnerability scanner | Identifies vulnerabilities in images and artifacts |
| Aqua MicroEnforcer | Lightweight security agent | Secures serverless and CaaS environments |
| Aqua KubeEnforcer | Kubernetes admission controller | Enforces policies at admission control |
| Aqua CSPM | Cloud Security Posture Management | Assesses cloud infrastructure compliance |
| Aqua KSPM | Kubernetes Security Posture Management | Manages K8s security posture |
| Aqua SaaS | Cloud-based management | Hosted version of Aqua Platform |
Installation & Deployment
Platform Deployment Options
```bash
# Helm installation for Kubernetes
helm repo add aqua-helm https://helm.aquasec.com
helm repo update
helm install aqua aqua-helm/server --namespace aqua \
  --set imageCredentials.username=<username> \
  --set imageCredentials.password=<password>

# Operator-based installation
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/aqua-operator/master/deploy/crds/operator.aquasec.com_aquacsp_crd.yaml
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/aqua-operator/master/deploy/service_account.yaml
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/aqua-operator/master/deploy/role.yaml
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/aqua-operator/master/deploy/role_binding.yaml
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/aqua-operator/master/deploy/operator.yaml
```
Enforcer Deployment
```bash
# Deploy Aqua Enforcer in Kubernetes
helm install aqua-enforcer aqua-helm/enforcer \
  --namespace aqua \
  --set enforcerToken=<token> \
  --set enforcerLogicalName=<cluster_name>

# Deploy Aqua Enforcer in Docker
# The Enforcer needs host-level visibility (Docker socket, /proc, cgroups) and
# runs privileged; the host paths below are mounted read-only where possible.
docker run -d --name aqua-agent \
  --restart unless-stopped \
  --privileged \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /opt/aquasec:/var/lib/aquasec \
  -v /proc:/host/proc:ro \
  -v /sys/fs/cgroup:/host/cgroup:ro \
  -v /var/lib/aquasec/audit:/var/lib/aquasec/audit \
  -e AQUA_SERVER=<aqua_server_address> \
  -e AQUA_TOKEN=<token> \
  registry.aquasec.com/enforcer:latest
```
Image Scanning & Security
Command Line Scanner (CLI)
```bash
# Install Aqua Scanner CLI
curl -s https://get.aquasec.com/aquascanctl | bash

# Scan a local image
aquascanctl scan --host <aqua_server> --user <username> --password <password> <image_name>

# Scan with HTML report
aquascanctl scan --host <aqua_server> --user <username> --password <password> \
  --html --output-path ./reports <image_name>

# Jenkins pipeline integration (credentials come from pipeline environment variables;
# --block-failed makes the step fail when the image violates assurance policy)
aquascanctl scan --host $AQUA_SERVER --user $AQUA_USER --password $AQUA_PASSWORD \
  --registry "Docker Hub" --image-name myapp:latest \
  --register-image --block-failed

# Scan Kubernetes manifests
aquascanctl scan --host $AQUA_SERVER --user $AQUA_USER --password $AQUA_PASSWORD \
  --local-dir ./k8s-manifests --as-k8s
```
Vulnerability Management
```yaml
# Sample vulnerability policy (YAML format)
name: Block Critical Vulnerabilities
author: security-admin
scope:
  expression: image.vulnerabilities.critical > 0
actions:
  - block
  - notify:
      - securityTeam@example.com
```
Image Assurance Policies
| Policy Type | Use Case | Example Setting |
|---|---|---|
| Vulnerability | Block critical CVEs | Block if CVSS score > 7.0 |
| Malware | Prevent malware | Block if malware detected |
| Sensitive Data | Prevent secrets in images | Block if AWS keys found |
| Resource | Control resource usage | Require memory limits |
| Configuration | Enforce secure configs | Require non-root user |
| CIS Benchmarks | Ensure compliance | Block if Docker CIS fails |
| Custom Scripts | Custom security checks | Run custom validation scripts |
Runtime Protection & Monitoring
Enforcer Configuration
```yaml
# Sample enforcer configuration in Kubernetes
apiVersion: operator.aquasec.com/v1alpha1
kind: AquaEnforcer
metadata:
  name: aqua-enforcer
  namespace: aqua
spec:
  infra:
    serviceAccount: aqua-sa
  common:
    activeActive: false
  envs:
    - name: AQUA_LOGICAL_NAME
      value: "my-cluster"
  deploy:
    image:
      repository: registry.aquasec.com/enforcer
      tag: "6.5"
      imagePullPolicy: IfNotPresent
  gateway:
    host: aqua-gateway
    port: 3622
  token: "your-enforcer-token"
```
Runtime Policies
```yaml
# Sample runtime security policy
name: Block Unauthorized Process Execution
author: security-admin
scope:
  expression: process.name == "bash" && container.privileged == true
actions:
  - block
  - alert:
      severity: critical
```
Common Runtime Protection Controls
| Protection | Purpose | Example Rule |
|---|---|---|
| Process Control | Whitelist allowed processes | Block execution of unauthorized binaries |
| Network Control | Limit network connections | Block outbound connections to mining pools |
| File System Control | Protect sensitive files | Block writes to /etc/passwd |
| Drift Prevention | Prevent unauthorized changes | Block execution of binaries not in original image |
| Syscall Monitoring | Block dangerous syscalls | Block container escapes via syscalls |
| User Monitoring | Control user privileges | Block running as root |
| Kubernetes Controls | Protect K8s resources | Block privilege escalation in pods |
Kubernetes Security
KubeEnforcer Deployment
```bash
# Deploy KubeEnforcer with Helm
helm install --namespace aqua kube-enforcer aqua-helm/kube-enforcer \
  --set enforcerToken=<token> \
  --set serverHost=aqua-server \
  --set serverPort=443
```
Kubernetes Admission Control
```yaml
# Sample Kubernetes admission control policy
name: Block Privileged Containers
author: security-admin
scope:
  expression: kubernetes.resource.kind == "Pod" && kubernetes.container.privileged == true
actions:
  - block
  - alert:
      severity: critical
```
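The three policy samples above (image assurance, runtime, admission control) share one scope-expression dialect: dotted attribute paths compared with literals and combined with `&&`. The evaluator below is an added example, not Aqua's policy engine; it parses that dialect (plus `||`, `!=`, ordering operators and parentheses, which are an extension beyond the page's samples) and returns a policy's actions only when the scope matches. The policy dictionaries, the record layout they are matched against, and the way actions are returned are assumptions constructed for the example.

```python
"""Evaluate policy scope expressions of the kind shown on this page.

Added example; this is not Aqua's policy engine. Sample policies and
records at the bottom are constructed.
"""
from __future__ import annotations
import re
from typing import Any

TOKEN_RE = re.compile(
    r"\s*(?:(?P<num>\d+(?:\.\d+)?)"
    r'|(?P<str>"[^"]*")'
    r"|(?P<bool>\b(?:true|false)\b)"
    r"|(?P<ident>[A-Za-z_][\w.]*)"
    r"|(?P<op>==|!=|>=|<=|>|<|&&|\|\||\(|\)))"
)


def _ordered(fn):
    # Ordering comparisons against a missing attribute (None) never match.
    return lambda a, b: False if a is None or b is None else fn(a, b)


OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": _ordered(lambda a, b: a > b),
    ">=": _ordered(lambda a, b: a >= b),
    "<": _ordered(lambda a, b: a < b),
    "<=": _ordered(lambda a, b: a <= b),
}


def tokenize(expr: str) -> list[tuple[str, str]]:
    """Split an expression into (kind, text) tokens; anything else is rejected."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


def lookup(record: dict, path: str) -> Any:
    """Resolve a dotted path such as image.vulnerabilities.critical; None if absent."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


class _Parser:
    # Recursive descent with precedence: or -> and -> comparison -> atom.
    def __init__(self, tokens, record):
        self.toks, self.i, self.record = tokens, 0, record

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def _take(self):
        tok = self._peek()
        if tok[0] is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self._peek() == ("op", "||"):
            self._take()
            rhs = self.parse_and()
            result = bool(result) or bool(rhs)
        return result

    def parse_and(self):
        result = self.parse_cmp()
        while self._peek() == ("op", "&&"):
            self._take()
            rhs = self.parse_cmp()
            result = bool(result) and bool(rhs)
        return result

    def parse_cmp(self):
        left = self.parse_atom()
        kind, text = self._peek()
        if kind == "op" and text in OPS:
            self._take()
            return OPS[text](left, self.parse_atom())
        return left

    def parse_atom(self):
        kind, text = self._take()
        if (kind, text) == ("op", "("):
            inner = self.parse_or()
            if self._take() != ("op", ")"):
                raise ValueError("missing closing parenthesis")
            return inner
        if kind == "num":
            return float(text)
        if kind == "str":
            return text[1:-1]
        if kind == "bool":
            return text == "true"
        if kind == "ident":
            return lookup(self.record, text)
        raise ValueError(f"unexpected token {text!r}")


def evaluate_policy(policy: dict, record: dict) -> dict:
    """Apply one policy to a record; its actions are returned only when the scope matches."""
    parser = _Parser(tokenize(policy["scope"]["expression"]), record)
    matched = bool(parser.parse_or())
    if parser._peek() != (None, None):
        raise ValueError("trailing tokens in expression")
    return {"policy": policy["name"], "matched": matched,
            "actions": policy["actions"] if matched else []}


# Constructed samples mirroring the page's policies and the records they inspect.
RUNTIME_POLICY = {
    "name": "Block Unauthorized Process Execution",
    "scope": {"expression": 'process.name == "bash" && container.privileged == true'},
    "actions": ["block", {"alert": {"severity": "critical"}}],
}
IMAGE_POLICY = {
    "name": "Block Critical Vulnerabilities",
    "scope": {"expression": "image.vulnerabilities.critical > 0"},
    "actions": ["block", {"notify": ["securityTeam@example.com"]}],
}
SHELL_IN_PRIVILEGED = {"process": {"name": "bash"}, "container": {"privileged": True}}
CLEAN_IMAGE = {"image": {"vulnerabilities": {"critical": 0, "high": 2}}}

if __name__ == "__main__":
    print(evaluate_policy(RUNTIME_POLICY, SHELL_IN_PRIVILEGED))
    print(evaluate_policy(IMAGE_POLICY, CLEAN_IMAGE))
```

A missing attribute resolves to `None`, which fails every ordering comparison rather than raising, so a policy written against a field that an event does not carry simply does not match; when writing policies, prefer positive conditions (`== true`) over negative ones (`!= true`) so that absent data does not silently trigger a block.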
Kubernetes Posture Management
```yaml
# Example KSPM configuration
apiVersion: operator.aquasec.com/v1alpha1
kind: AquaKubeEnforcer
metadata:
  name: aqua-kube-enforcer
  namespace: aqua
spec:
  config:
    gateway:
      host: aqua-gateway
      port: 3622
    tokenSecretName: aqua-kube-enforcer-token
  cspcScanner:
    enabled: true
    schedule: "0 * * * *"
```
Cloud Security Posture Management (CSPM)
Cloud Account Integration
```yaml
# AWS integration example
name: AWS Production Account
type: aws
credentials:
  type: role
  roleArn: arn:aws:iam::123456789012:role/AquaCSPMRole
  externalId: aqua-cspm-12345
scanRegions:
  - us-east-1
  - us-west-2
scanFrequency: daily
```
Common CSPM Policies
| Cloud | Control Category | Example Check |
|---|---|---|
| AWS | IAM | Ensure MFA is enabled for root account |
| AWS | S3 | Ensure S3 buckets have encryption enabled |
| AWS | Networking | Ensure security groups don’t allow unrestricted access |
| Azure | Storage | Ensure storage accounts restrict network access |
| Azure | Identity | Ensure MFA is enabled for privileged accounts |
| GCP | Networking | Ensure default firewall rules restrict traffic |
| GCP | IAM | Ensure service accounts have minimal privileges |
Cloud Native Application Protection Platform (CNAPP)
CNAPP Key Components
| Component | Function | Key Features |
|---|---|---|
| Supply Chain Security | Secure build pipeline | SCA, SBOM, CI/CD scanning |
| Cloud Security | Secure cloud infrastructure | CSPM, KSPM, drift prevention |
| Runtime Security | Protect running workloads | Behavioral monitoring, zero-day detection |
| Risk Prioritization | Focus on critical issues | Risk-based vulnerability management |
| Compliance | Meet regulatory requirements | PCI DSS, HIPAA, SOC 2, etc. |
Supply Chain Security
```yaml
# Supply Chain Policy Example
name: Block Images with No SBOM
author: security-admin
scope:
  expression: image.sbom.exists == false
actions:
  - block
  - notify:
      - securityTeam@example.com
```
Vulnerability Management Best Practices
Risk-Based Prioritization
- Focus on exploitable vulnerabilities first
- Consider exposure and asset criticality
- Prioritize based on EPSS scores and threat intelligence
Automated Remediation Workflows
- Create tickets automatically for critical findings
- Set up approval workflows for exceptions
- Track time-to-remediation metrics
Exception Management
- Implement formal exception process
- Require business justification
- Set expiration dates for all exceptions
Image Assurance
- Implement policy-as-code for image security
- Block non-compliant images at build time
- Enforce image signing and verification
Shift-Left Security
- Scan during development
- Integrate with IDEs and CI/CD
- Provide developer-friendly security feedback
Compliance Management
Supported Compliance Frameworks
| Framework | Description | Key Controls |
|---|---|---|
| PCI DSS | Payment Card Industry Data Security Standard | Vulnerability management, access control |
| HIPAA | Health Insurance Portability and Accountability Act | PHI protection, access controls |
| GDPR | General Data Protection Regulation | Data protection, privacy controls |
| SOC 2 | Service Organization Control 2 | Security, availability, processing integrity |
| NIST 800-53 | Security Controls for Federal Systems | Comprehensive security controls |
| CIS Benchmarks | Center for Internet Security | Configuration best practices |
Compliance Automation
```yaml
# Example compliance automation for PCI DSS
name: PCI DSS Compliance
scans:
  - name: "PCI DSS 6.2 - Vulnerability Management"
    schedule: "0 0 * * *"
    scope:
      - production-environment
    controls:
      - id: pci-dss-6.2
        enabled: true
        severity: critical
  - name: "PCI DSS 2.2 - Configuration Standards"
    schedule: "0 12 * * *"
    scope:
      - payment-processing
    controls:
      - id: pci-dss-2.2
        enabled: true
        severity: high
```
Risk Management & Reporting
Risk Assessment Matrix
| Severity | Exposure | CVSS Score | Business Impact | Priority |
|---|---|---|---|---|
| Critical | Internet-facing | 9.0-10.0 | High | P0 – Immediate |
| High | Internal network | 7.0-8.9 | Medium | P1 – 7 days |
| Medium | Limited access | 4.0-6.9 | Low | P2 – 30 days |
| Low | Isolated | 0.1-3.9 | Minimal | P3 – 90 days |
Key Metrics & Reports
| Metric | Purpose | Target |
|---|---|---|
| Mean Time to Remediate (MTTR) | Measure remediation efficiency | < 15 days |
| Vulnerability Density | Measure security quality | < 5 critical per image |
| Policy Violation Rate | Measure compliance | < 5% of deployments |
| Security Debt | Track unresolved issues | Decreasing month-over-month |
| Failed Builds | Measure shift-left effectiveness | < 10% of builds |
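The Risk Assessment Matrix and the Key Metrics table above are easy to encode as code so that prioritisation and reporting are reproducible instead of hand-assigned. The script below is an added example, not Aqua's own code or report format: it maps a finding's CVSS band to the matrix row (severity, priority, SLA days, business impact), computes MTTR against the `< 15 days` target, counts open Critical findings per image against the `< 5` density target, and lists open findings that have outrun their SLA. The exposure rule (an asset less exposed than its CVSS row drops one priority level), the finding field names and the findings themselves are assumptions constructed for the example; the CVE ids are placeholders.

```python
"""Risk-based prioritisation and remediation metrics over scan findings.

Added example, not Aqua's own code; encodes the page's Risk Assessment
Matrix and Key Metrics targets. Findings below are constructed.
"""
from __future__ import annotations
from datetime import date

# Rows of the page's matrix: (CVSS floor, severity, priority, SLA days, business impact).
MATRIX = [
    (9.0, "Critical", "P0", 0, "High"),
    (7.0, "High", "P1", 7, "Medium"),
    (4.0, "Medium", "P2", 30, "Low"),
    (0.1, "Low", "P3", 90, "Minimal"),
]
# Exposure ranks follow the matrix rows; a less exposed asset sits further down.
EXPOSURE_RANK = {"internet-facing": 0, "internal": 1, "limited": 2, "isolated": 3}
MTTR_TARGET_DAYS = 15   # "< 15 days" from the Key Metrics table
DENSITY_TARGET = 5      # "< 5 critical per image"


def classify(cvss: float, exposure: str) -> dict:
    """Map CVSS and exposure to severity, priority and SLA.

    Assumption: the CVSS band picks the row; an asset less exposed than that
    row's exposure drops the priority (not the severity) by one row.
    """
    band = len(MATRIX) - 1
    for i, row in enumerate(MATRIX):
        if cvss >= row[0]:
            band = i
            break
    severity = MATRIX[band][1]
    if EXPOSURE_RANK.get(exposure, 0) > band:
        band = min(band + 1, len(MATRIX) - 1)
    _, _, priority, sla_days, impact = MATRIX[band]
    return {"severity": severity, "priority": priority,
            "sla_days": sla_days, "business_impact": impact}


def mean_time_to_remediate(findings: list[dict]) -> float | None:
    """Average days from discovery to fix over fixed findings (None if none fixed)."""
    durations = [(f["fixed"] - f["found"]).days for f in findings if f["fixed"]]
    return sum(durations) / len(durations) if durations else None


def critical_per_image(findings: list[dict]) -> dict[str, int]:
    """Open Critical findings per image (vulnerability density)."""
    density = {f["image"]: 0 for f in findings}
    for f in findings:
        if f["fixed"] is None and classify(f["cvss"], f["exposure"])["severity"] == "Critical":
            density[f["image"]] += 1
    return density


def sla_breaches(findings: list[dict], today: date) -> list[str]:
    """Open findings whose SLA (days from the matrix) has already elapsed."""
    late = []
    for f in findings:
        if f["fixed"] is None:
            sla = classify(f["cvss"], f["exposure"])["sla_days"]
            if (today - f["found"]).days > sla:
                late.append(f["cve"])
    return late


def report(findings: list[dict], today: date) -> dict:
    mttr = mean_time_to_remediate(findings)
    density = critical_per_image(findings)
    return {
        "mttr_days": mttr,
        "mttr_within_target": mttr is not None and mttr < MTTR_TARGET_DAYS,
        "critical_per_image": density,
        "density_within_target": all(n < DENSITY_TARGET for n in density.values()),
        "sla_breaches": sla_breaches(findings, today),
    }


# Constructed sample findings; the CVE ids are placeholders, not real identifiers.
TODAY = date(2024, 6, 30)
FINDINGS = [
    {"image": "api:1.4", "cve": "CVE-EXAMPLE-1", "cvss": 9.8, "exposure": "internet-facing",
     "found": date(2024, 6, 1), "fixed": date(2024, 6, 3)},
    {"image": "api:1.4", "cve": "CVE-EXAMPLE-2", "cvss": 9.1, "exposure": "internal",
     "found": date(2024, 6, 10), "fixed": None},
    {"image": "web:2.0", "cve": "CVE-EXAMPLE-3", "cvss": 7.5, "exposure": "limited",
     "found": date(2024, 6, 20), "fixed": date(2024, 6, 28)},
    {"image": "web:2.0", "cve": "CVE-EXAMPLE-4", "cvss": 5.0, "exposure": "isolated",
     "found": date(2024, 6, 25), "fixed": None},
    {"image": "batch:0.9", "cve": "CVE-EXAMPLE-5", "cvss": 3.1, "exposure": "internet-facing",
     "found": date(2024, 6, 5), "fixed": date(2024, 6, 29)},
]

if __name__ == "__main__":
    print(report(FINDINGS, TODAY))
```

Severity stays tied to CVSS while priority and SLA reflect exposure, so a report still shows the Critical count honestly even when an isolated asset's fix is scheduled later; the SLA-breach list is the one to wire into ticket escalation.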
Integration Ecosystem
DevOps Integrations
| Tool Type | Examples | Integration Method |
|---|---|---|
| CI/CD Tools | Jenkins, GitLab CI, GitHub Actions | Plugin or CLI integration |
| Container Registries | Docker Hub, ECR, GCR, ACR | Registry scanner |
| Kubernetes | EKS, AKS, GKE, OpenShift | Helm charts, Operators |
| Infrastructure as Code | Terraform, CloudFormation | Policy validation |
| Issue Tracking | Jira, ServiceNow | Webhook integration |
| SIEM | Splunk, ELK, Sumo Logic | Log forwarding |
API Integration Examples
```bash
# Get vulnerability scan results via API
curl -X GET "https://<aqua-server>/api/v2/images/<image_id>/vulnerabilities" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json"

# Create policy via API
curl -X POST "https://<aqua-server>/api/v2/policies" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block Critical Vulnerabilities",
    "description": "Block images with critical vulnerabilities",
    "author": "admin",
    "type": "registry",
    "scope": {
      "expression": "vulnerability.severity == '"'"'critical'"'"'"
    },
    "actions": [
      {
        "name": "block"
      }
    ]
  }'
```
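The same GET request as the first curl example, wrapped in a small CI gate, is shown below as an added example; it is not an Aqua-supplied client. The endpoint path and Bearer header are the ones on this page, but the response layout (a `"result"` list of objects with `"name"`, `"severity"` and `"score"` fields), the gating thresholds (block on Critical, or on CVSS above 7.0 as in the Image Assurance table) and `SAMPLE_RESPONSE` are assumptions constructed for the example. The HTTP opener is injectable so the decision logic can be exercised offline.

```python
"""Query an image's vulnerabilities from the Aqua API and gate a CI build on them.

Added example, not Aqua's own client. Response layout, thresholds and
SAMPLE_RESPONSE are assumptions constructed for this example.
"""
from __future__ import annotations
import json
import os
import sys
import urllib.request

SEVERITY_ORDER = ["negligible", "low", "medium", "high", "critical"]


def build_request(server: str, image_id: str, token: str) -> urllib.request.Request:
    """Same GET as the page's curl example, token in the Authorization header."""
    url = f"https://{server}/api/v2/images/{image_id}/vulnerabilities"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })


def extract_results(payload) -> list[dict]:
    # Assumption: the API wraps the list as {"count": N, "result": [...]}; a bare list is accepted too.
    return payload.get("result", []) if isinstance(payload, dict) else list(payload)


def fetch_vulnerabilities(server: str, image_id: str, token: str,
                          opener=urllib.request.urlopen) -> list[dict]:
    """Fetch and decode the vulnerability list; `opener` is injectable for offline tests."""
    with opener(build_request(server, image_id, token), timeout=30) as resp:
        return extract_results(json.load(resp))


def summarize(vulns: list[dict]) -> dict[str, int]:
    """Count findings per severity, highest severity first."""
    counts: dict[str, int] = {}
    for v in vulns:
        sev = str(v.get("severity", "negligible")).lower()
        counts[sev] = counts.get(sev, 0) + 1

    def rank(sev: str) -> int:
        return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else -1

    return dict(sorted(counts.items(), key=lambda kv: rank(kv[0]), reverse=True))


def gate(vulns: list[dict], fail_severity: str = "critical", max_cvss: float = 7.0) -> dict:
    """Mirror two Image Assurance rules: block on `fail_severity` or above, and on CVSS > max_cvss."""
    threshold = SEVERITY_ORDER.index(fail_severity)
    reasons = []
    for v in vulns:
        sev = str(v.get("severity", "")).lower()
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= threshold:
            reasons.append(f'{v["name"]}: severity {sev}')
        if float(v.get("score", 0)) > max_cvss:
            reasons.append(f'{v["name"]}: CVSS {v["score"]} > {max_cvss}')
    return {"blocked": bool(reasons), "reasons": reasons}


# Constructed sample payload; CVE ids and package names are placeholders.
SAMPLE_RESPONSE = {"count": 3, "result": [
    {"name": "CVE-EXAMPLE-1", "severity": "critical", "score": 9.8, "resource": "libexample"},
    {"name": "CVE-EXAMPLE-2", "severity": "medium", "score": 5.3, "resource": "libexample"},
    {"name": "CVE-EXAMPLE-3", "severity": "high", "score": 7.5, "resource": "toolexample"},
]}

if __name__ == "__main__":
    # Usage: AQUA_SERVER=<aqua-server> TOKEN=<api token> python gate.py <image_id>
    vulns = fetch_vulnerabilities(os.environ["AQUA_SERVER"], sys.argv[1], os.environ["TOKEN"])
    verdict = gate(vulns)
    print(summarize(vulns), verdict)
    sys.exit(1 if verdict["blocked"] else 0)
```

Because the token is read from the environment and never placed on the command line, it does not show up in process listings or shell history on the CI runner; a non-zero exit code is what makes the pipeline step fail.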
Troubleshooting & Common Issues
| Issue | Symptoms | Resolution |
|---|---|---|
| Enforcer Connectivity | Enforcer not appearing in console | Check network connectivity, token validity |
| Scan Failures | Images fail to scan | Verify registry credentials, check image format |
| High CPU Usage | Enforcer consuming resources | Adjust profiling settings, update version |
| False Positives | Too many alerts | Tune policies, implement exceptions for known issues |
| Access Denied | API calls failing | Check RBAC settings, verify token permissions |
| Image Blocking | CI/CD pipeline failures | Review policy settings, implement exceptions |
Diagnostic Commands
```bash
# Check Aqua server status
kubectl get pods -n aqua
kubectl logs -f deployment/aqua-server -n aqua

# Check Enforcer status
kubectl logs -f daemonset/aqua-enforcer -n aqua

# Check KubeEnforcer status
kubectl logs -f deployment/aqua-kube-enforcer -n aqua

# Test connectivity to Aqua server
# (-k skips TLS certificate verification; use it only to isolate a connectivity
# problem from a certificate problem, not in scripts)
curl -k https://<aqua-server>:8443/api/v1/ping

# View Aqua component versions
kubectl describe pod -n aqua -l app=aqua-server
```
Best Practices for Aqua Security
Security Posture Optimization
Implement Defense-in-Depth
- Scan during build, registry, and runtime
- Enable drift prevention
- Implement network segmentation
Follow Least Privilege Principle
- Block containers running as root
- Use read-only filesystems where possible
- Implement pod security standards
Enable Behavioral Protection
- Use machine learning profiles
- Enable drift prevention
- Block suspicious activities
Implement Zero Trust
- Enable micro-segmentation
- Enforce mutual TLS
- Implement pod-to-pod authentication
Automate Security
- Integrate with CI/CD
- Implement policy-as-code
- Automate remediation workflows
Security Program Maturity
| Maturity Level | Characteristics | Next Steps |
|---|---|---|
| Level 1: Basic | Vulnerability scanning, basic policies | Implement CI/CD integration |
| Level 2: Intermediate | CI/CD integration, runtime protection | Enable CSPM, implement compliance |
| Level 3: Advanced | Complete visibility, automated remediation | Implement zero trust, risk-based approach |
| Level 4: Optimized | Risk-based approach, full automation | Continuous improvement, threat hunting |
Resources for Further Learning
- Aqua Security Documentation – Official documentation
- Aqua Security Blog – Latest security research and best practices
- Aqua GitHub – Open source tools and examples
- Aqua Security Academy – Training and certifications
- Cloud Native Security Hub – Remediation guides
- Trivy Documentation – Open source vulnerability scanner
- Aqua Technical Community – Forums and community resources
Glossary of Key Terms
- CSPM: Cloud Security Posture Management
- KSPM: Kubernetes Security Posture Management
- CNAPP: Cloud Native Application Protection Platform
- SBOM: Software Bill of Materials
- CVE: Common Vulnerabilities and Exposures
- CVSS: Common Vulnerability Scoring System
- CIS: Center for Internet Security
- Drift Prevention: Blocking runtime changes to containers
- Admission Control: Security enforcement at K8s admission
- SCA: Software Composition Analysis
- RBAC: Role-Based Access Control
- PCI DSS: Payment Card Industry Data Security Standard
- SAST: Static Application Security Testing
- DAST: Dynamic Application Security Testing
- IAST: Interactive Application Security Testing
This comprehensive cheatsheet provides the key information you need to effectively implement and manage Aqua Security across your cloud-native environment, helping you secure your applications from development to production.
