Aqua Workload Protection
  • 25 Mar 2025

Aqua Workload Protection provides services which secure containers, Kubernetes, serverless functions, and VMs against evolving cloud native threats with runtime security, powered by real-world threat intelligence. More information can be found at the Aqua Security website.

Integration Method: API

Tables: Detection Finding (2004), Vulnerability Finding (2002), Scan Activity (6007), Web Resources Activity (6001)

This integration supports the following events.

Event             Description
Incidents         Retrieve incidents based on filter criteria
Hosts             Retrieves scan history of all hosts
Vulnerabilities   Lists all vulnerabilities found in images
Workloads         Lists data of unique workloads
Containers        Get list of containers with associated security information

This integration supports the following versions.

Aqua Workload Protection API Version

v2

Note:

Aqua Security doesn’t follow a traditional versioning system. Instead, it is a continuously updated SaaS platform. As of this document's preparation, the latest release was in January 2025.

Prerequisites

  • The user should have access to the DataBee console.

  • To use the REST APIs, the user should have the following in place:

    • An Aqua user having Administrator privileges.

    • Aqua requirements for role(s), permission set(s), and application scope(s).

    • A CSPM API key and secret.

Configuration Overview

  1. Generate an API Key from the Aqua Security dashboard.

  2. Add the Aqua Workload Protection data feed in the DataBee console with the below parameters.

    DataBee Parameter          Aqua Workload Protection Parameter
    API Base URL <instance>    Instance ID
    Token URL                  Token URL endpoint
    Integration Key            API Key
    Secret Key                 Secret

Aqua Workload Protection Configuration

Log in to the Aqua Security dashboard to configure a role.


Configure Role

This role must be configured as follows:

  1. Application Scopes: Ensure that the Global Application Scope is present.

    1. Navigate to Account Management from the menu.


    2. Navigate to User Management > Application Scopes. Verify that Global Application Scope is listed there.
       

      Note:

      The Global Application Scope should be present by default. Refer to Application Scopes for more information on creating and configuring application scopes.

  2. Permission Sets: Ensure that a permission set is created with only view permissions applied to the Workload Protection module.

    1. Navigate to Permission Sets and click on Add Permission Set.
       

    2. In the “Add Permission Set” window, follow these steps:

      1. Enter a ‘Name’ and a relevant ‘Description’ for the Permission Set.

      2. From the Permissions section, click the WORKLOAD PROTECTION module.

        • Make sure that the Workload Protection module is Enabled.

        • For the permissions, select View from the ‘Set all as’ dropdown.

        • Click Save.
           

      Note:

      Refer to Permission Sets for more information on creating and configuring permission sets.

  3. Roles: Ensure that a role is created with the default Global Application scope and the Permission Set created in the earlier step.

    1. Navigate to Roles and click on Add Role.
       

    2. In the “New Role” window, fill in the required information:

      • Name: enter a name for the new role.

      • Description: enter a description for the new role.

      • Permission Set: select the Permission Set created above.

      • Application Scope(s): select Global Application Scope.

    3. Click Save.
       

      Note:

      Refer to Roles for more information on adding, modifying or deleting a role.

Generate API key and secret

  1. Log in to your Aqua Security dashboard, as mentioned earlier.

  2. In the Aqua Security UI, navigate to Account Management.
     

  3. In the “Account Management” page, navigate to Settings > API Keys and click on Generate Key.
     

  4. In the “New API Key” window, create an API Key by entering the necessary ‘Description’.
     

  5. Copy and save the API Key and Secret values before closing the pop-up window.
     

    Note:

    Copy and Save the API Key details. The Client Secret will not be shown again.

  6. In the “API Keys” window, edit the newly generated API key.

    1. Click on Edit API Key.
       

    2. In the ‘Global Permissions’ section, disable the Enable global admin permission option.

    3. In the ‘Granular Permissions’ section, enable the tokens:readwrite and roles:assign permissions. While enabling tokens:readwrite, select the role that was created earlier.

    4. Click Save.
       

  7. Navigate to WORKLOAD PROTECTION > Settings > Console URL from the menu and copy the Instance ID by extracting it from the URL.
     

  8. To confirm the Instance ID, raise a support request with Aqua Support for your tenant.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for Aqua Workload Protection and click it.
     

  3. Click the API Ingest option for the collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, confirm the following:

    • Authorization Method: HMAC Auth

    • API Base URL: this is the base URL that DataBee will interact with. Replace <instance> in the API URL(s) with the Instance ID copied earlier.

    • Integration Key: paste the previously generated API key.

    • Secret Key: paste the previously generated Secret.

    • Token URL: enter the Token URL endpoint for your geographical region and append the v2/tokens path to it.
       

    • Event Types: preselected for all the event types that the integration pulls.

  6. Click Submit.

Troubleshooting Tips

  • Ensure that secrets are pasted correctly. Because the API secrets cannot be viewed after the first time, re-create the API Key, paste it into a text editor to confirm that no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • Ensure the Aqua Workload Protection scopes/permissions are correct.
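
The following pre-flight check is an added example, not part of the original article and not DataBee or Aqua tooling. It applies the paste-related tip above, plus the <instance> and v2/tokens requirements from the DataBee configuration step, to the four feed values before they are submitted. The function names, the example.invalid hosts, and the assumptions that keys are printable ASCII without spaces and that both URLs use https are illustrative.

```python
from urllib.parse import urlparse

def credential_problems(name, value):
    """Flag characters that copy/paste commonly adds to a key or secret.

    Assumption: keys and secrets are printable ASCII with no spaces.
    Only position and code point are reported, never the value itself.
    """
    if not value:
        return [f"{name}: empty"]
    return [
        f"{name}: unexpected character U+{ord(ch):04X} at position {pos}"
        for pos, ch in enumerate(value)
        if not 0x21 <= ord(ch) <= 0x7E  # space, NBSP, zero-width, BOM, newline
    ]

def url_problems(name, url, required_suffix=None):
    """Check a feed URL; requiring https is an assumption of this example."""
    problems = []
    if "<instance>" in url:
        problems.append(f"{name}: <instance> placeholder not replaced")
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"{name}: expected an https:// URL")
    if required_suffix and not parts.path.rstrip("/").endswith(required_suffix):
        problems.append(f"{name}: path does not end with {required_suffix}")
    return problems

def check_feed(api_base_url, token_url, integration_key, secret_key):
    """Return every problem found in the four DataBee feed fields."""
    return (
        url_problems("API Base URL", api_base_url)
        + url_problems("Token URL", token_url, "/v2/tokens")
        + credential_problems("Integration Key", integration_key)
        + credential_problems("Secret Key", secret_key)
    )

if __name__ == "__main__":
    # Constructed sample values, not real endpoints or credentials.
    for problem in check_feed(
        "https://<instance>.example.invalid",
        "https://token.example.invalid",
        "EXAMPLEKEY123",
        "examplesecret\u200b ",  # zero-width space plus trailing space
    ):
        print(problem)
```

An empty result from check_feed means none of these formatting problems were found; it does not confirm that the key, role, or permissions are valid on the Aqua side.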

