Aqua CSPM
  • 20 Mar 2025

Aqua CSPM detects misconfigurations, compliance violations, and vulnerabilities across multi-cloud environments. More information can be found in the Introduction to CSPM.

Integration Method: API

Tables: Compliance Finding (2003), Scan Activity (6007), Detection Finding (2004)

This integration supports the following events.

Event          Description
Scans          List all scan results.
Compliances    List all compliances.

This integration supports the following versions.

Aqua CSPM API version: v2

Note:

Aqua Security is a continuously updated SaaS platform. As of the preparation of this document, the latest release was in January 2025.

Prerequisites

  • The user should have access to the DataBee console.

  • The user should have the following in place to use the REST APIs:

    • An Aqua user having Administrator privileges.

    • Aqua requirements for role(s), permission set(s), and application scope(s).

    • A CSPM API key and secret.

Configuration Overview

  1. Generate an API Key from the Aqua Security dashboard.

  2. Add the Aqua CSPM data feed in the DataBee console with the following parameters.

    DataBee Parameter    Aqua CSPM Parameter
    Integration Key      API Key
    Secret Key           Secret

Aqua CSPM Configuration

Configure Role

This role must be configured as follows:

  1. Application Scopes: make sure that Global Application Scope is created.
    Refer to Application Scopes for more information on creating and configuring application scopes.
     

  2. Permission Sets: ensure that a permission set is created with only view permissions applied to the CSPM module. Refer to Permission Sets for more information on creating and configuring permission sets.

  3. Click on Add Permission Set.
     

  4. In the “Add Permission Set” window, follow these steps:

    1. Enter a ‘Name’ and a relevant ‘Description’ for the Permission Set.

    2. From the Permissions section, click on CSPM module.

      • Make sure that CSPM Module is Enabled.

      • For the permissions, ‘Set all as’ View only from the dropdown.

      • Click Save.

  5. Role: ensure that a role is created with the default Global Application scope and the Permission Set created in the 1st step. Refer to Roles for more information on adding a role.

    1. Click on Add Role.
       

    2. In the ‘New Role’ window, fill in required information:

      • Name: enter a Name for the new role.

      • Description: enter a Description for the new role.

      • Permission Set: select the Permission Set created above.

      • Application Scope(s): select Global Application Scope.

      • Click Save.

Generate a CSPM API key and secret

  1. Login to your Aqua Security dashboard.

  2. In Aqua Security UI, navigate to Account Management.
     

  3. On the Account Management page, navigate to Settings > API Keys and click Generate Key.

  4. In the New API Key window, create an API Key by entering the necessary Description.
     

  5. Copy and save the API Key and Secret values before closing the pop-up window.
     

    Note:

    Copy and save the API Key details. The Client Secret will not be shown again.

  6. In the “API Keys” screen, edit the newly generated API key.

    1. Click on Edit API Key.
       

    2. In the Global Permissions section, disable the Enable global admin permission option.

    3. In the Granular Permissions section, enable the tokens:readwrite and roles:assign permissions. While enabling tokens:readwrite, select the role that was created as part of the user creation process.

    4. Additionally, enable the following permissions to fetch the required events:

      1. compliances:read

      2. scansv2:read

  7. Click Save.
     

DataBee Configuration

  1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button. 

  2. Search for Aqua CSPM and select it.
     

  3. Click the API Ingest option for the collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, confirm the following:

    • Authorization Method: HMAC Auth

    • API Base URL: this is the base URL that DataBee will interact with.

    • Integration Key: paste the previously generated API key.

    • Secret Key: paste the previously generated Secret.

    • Event Types: preselected for all the event types that the integration pulls.
       

  6. Click Submit.

Troubleshooting Tips

  • Ensure that secrets are pasted correctly. Because the API secret cannot be viewed after it is first shown, re-create the API Key, paste it into a text editor to confirm that no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • Ensure the Aqua CSPM scopes/permissions are correct.
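
The check from the first tip, as an added example (not DataBee or Aqua code): it flags whitespace, invisible and non-ASCII characters in a pasted credential without printing the value, and shows that a stray newline changes an HMAC-SHA256 signature. The sample secret is constructed; the string-to-sign layout and the assumption that credentials are printable ASCII are illustrative, not Aqua's documented format.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample value, not a real credential.
SAMPLE_SECRET = "EXAMPLEsecret0123456789abcdef"


def credential_problems(value: str) -> list[str]:
    """Describe paste damage in a key or secret; never echoes the value itself."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    for pos, ch in enumerate(value.strip()):
        where = f"U+{ord(ch):04X} at index {pos}"
        if unicodedata.category(ch).startswith("C"):
            # Control and format characters: tab, BOM, zero-width space, ...
            problems.append(f"control or invisible character {where}")
        elif ch.isspace():
            problems.append(f"embedded whitespace {where}")
        elif not ch.isascii():
            # Assumption: credentials are printable ASCII (catches smart quotes).
            problems.append(f"non-ASCII character {where}")
    return problems


def sign(secret: str, timestamp: str, method: str, path: str, body: str = "") -> str:
    """HMAC-SHA256 over an assumed string-to-sign (timestamp+method+path+body)."""
    message = f"{timestamp}{method}{path}{body}".encode()
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def signatures_match(stored: str, pasted: str) -> bool:
    """Sign the same hypothetical request with both secrets and compare."""
    request = ("1700000000", "GET", "/v2/scans")  # constructed request
    return hmac.compare_digest(sign(stored, *request), sign(pasted, *request))


if __name__ == "__main__":
    for label, pasted in [
        ("clean", SAMPLE_SECRET),
        ("trailing newline", SAMPLE_SECRET + "\n"),
        ("zero-width space", SAMPLE_SECRET[:7] + "\u200b" + SAMPLE_SECRET[7:]),
    ]:
        issues = credential_problems(pasted) or ["none"]
        ok = signatures_match(SAMPLE_SECRET, pasted)
        print(f"{label}: signature matches={ok}; problems: {'; '.join(issues)}")
```

Run it against the value held in the text editor before pasting it into the feed; a mismatch caused by one invisible character is otherwise indistinguishable from a wrong secret.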

