- 20 Mar 2025
Aqua CSPM
- Updated on 20 Mar 2025
Aqua CSPM detects misconfigurations, compliance violations, and vulnerabilities across multi-cloud environments. More information can be found in the Introduction to CSPM.
Integration Method: API
Tables: Compliance Finding (2003), Scan Activity (6007), Detection Finding (2004)
This integration supports the following events.
Event | Description |
---|---|
Scans | List all scan results. |
Compliances | List all compliances. |
This integration supports the following versions.
Aqua CSPM API version | v2 |
Note:
Aqua Security is a continuously updated SaaS platform. At the time this document was prepared, the latest release was in January 2025.
Prerequisites
The user should have access to the DataBee console.
To use the REST APIs, the user should make sure the following configurations are in place:
- An Aqua user having Administrator privileges.
- Aqua requirements for role(s), permission set(s), and application scope(s).
- A CSPM API key and secret.
Configuration Overview
Generate an API Key from the Aqua Security dashboard.
Add the Aqua CSPM data feed in the DataBee console with the below parameters.
Aqua CSPM Configuration
Configure Role
This role must be configured as follows:
- Application Scopes: make sure that the Global Application Scope is created. Refer to Application Scopes for more information on creating and configuring application scopes.
- Permission Sets: ensure that a permission set is created with only view permissions applied to the CSPM module. Refer to Permission Sets for more information on creating and configuring permission sets.
  - Click on Add Permission Set.
  - In the “Add Permission Set” window, follow these steps:
    - Enter a ‘Name’ and a relevant ‘Description’ for the Permission Set.
    - From the Permissions section, click on the CSPM module.
    - Make sure that the CSPM Module is Enabled.
    - For the permissions, set ‘Set all as’ to View only from the dropdown.
    - Click Save.
- Role: ensure that a role is created with the default Global Application scope and the Permission Set created in the 1st step. Refer to Roles for more information on adding a role.
  - Click on Add Role.
  - In the ‘New Role’ window, fill in the required information:
    - Name: enter a Name for the new role.
    - Description: enter a Description for the new role.
    - Permission Set: select the Permission Set created above.
    - Application Scope(s): select Global Application Scope.
    - Click Save.
Generate a CSPM API key and secret
- Log in to your Aqua Security dashboard.
- In the Aqua Security UI, navigate to Account Management.
- In the Account Management page, navigate to Settings > API Keys and click on Generate Key.
- In the New API Key window, create an API Key by entering the necessary Description.
- Copy and save the API Key and Secret values before closing the pop-up window.
Note:
Copy and save the API Key details. The Client Secret will not be shown again.
- In the “API Keys” screen, edit the newly generated API key.
  - Click on Edit API Key.
  - In the Global Permissions section, disable the Enable global admin permission option.
  - In the Granular Permissions section, enable the tokens:readwrite and roles:assign permissions. While enabling tokens:readwrite, select the role that was created as part of the user creation process.
  - Additionally, enable the permissions below to fetch the required events:
    - compliances:read
    - scansv2:read
  - Click Save.
DataBee Configuration
- Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
- Search for Aqua CSPM and click it.
- Click on the API Ingest option for the collection method.
- Enter the feed contact information and click Next.
- In the configuration page, confirm the following:
- Click Submit.
Troubleshooting Tips
- Ensure that secrets are pasted correctly. Since the API secret cannot be viewed after the first time, re-create the API Key, paste it into a text editor to ensure no spaces or unexpected characters are included, and reconfigure the DataBee feed.
- Ensure the Aqua CSPM scopes/permissions are correct.
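A preflight check for the two tips above, as an added example that is not part of the original page or of Aqua or DataBee tooling: it flags whitespace and invisible characters in a pasted key or secret, and compares a key's settings with the permissions this page lists. It assumes keys and secrets are printable ASCII without spaces and that the settings are typed in by hand from the Edit API Key screen; the function names and sample values are constructed.

```python
import unicodedata

# Granular permissions the page says to enable on the API key.
REQUIRED = {"tokens:readwrite", "roles:assign", "compliances:read", "scansv2:read"}


def credential_problems(name, value):
    """List paste problems in a key or secret without echoing the value itself.

    Assumption: valid keys and secrets are printable ASCII with no spaces.
    """
    if not value:
        return [f"{name}: empty"]
    problems = []
    for pos, ch in enumerate(value):
        if ch.isspace():
            problems.append(f"{name}: whitespace at position {pos}")
        elif unicodedata.category(ch) in ("Cc", "Cf"):
            # Control and format characters: NUL, zero-width space, BOM, ...
            problems.append(f"{name}: invisible character U+{ord(ch):04X} at position {pos}")
        elif ord(ch) > 126:
            # Smart quotes and other characters an editor may substitute.
            problems.append(f"{name}: non-ASCII character U+{ord(ch):04X} at position {pos}")
    return problems


def permission_problems(global_admin, granted):
    """Compare a key's settings, read off the Edit API Key screen, with the page."""
    problems = []
    if global_admin:
        problems.append("global admin permission is enabled; the page says to disable it")
    granted = set(granted)
    problems += [f"missing granular permission: {p}" for p in sorted(REQUIRED - granted)]
    problems += [f"granular permission beyond the documented set: {p}"
                 for p in sorted(granted - REQUIRED)]
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real key's settings.
    secret = "examplesecret456\u200b\n"  # zero-width space and newline from a bad paste
    granted = ["compliances:read", "tokens:readwrite", "example:write"]
    for line in credential_problems("api_secret", secret) + permission_problems(True, granted):
        print(line)
```

Run it locally and pass the secret from an environment variable or a prompt rather than on the command line, so it does not end up in shell history.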