Aqua Wave CSPM scans can take one of several forms, depending on who (or what) initiated them and what the focus of the report is. For example, background scans cover a full snapshot of the entire infrastructure environment using all available plugins, while live run scans are used for debugging and only test one plugin at a time.
TABLE OF CONTENTS
Background scans are full (i.e. all plugins are run) scans of your entire cloud account infrastructure that are run on a periodic basis, depending on the scan interval setting of the cloud account. Background scan results are saved as a report, which is accessible via the "Scan Reports" page in the Aqua Wave console.
On-demand scans are initiated by a user via the Aqua Wave console or an API call. Unlike background scans, the results of an on-demand scan are returned in the browser and are not saved. On-demand scans can be triggered from the "Cloud Accounts" page by clicking the "Scan" button next to any cloud account that has background scanning disabled.
Live Run Scans
Live Run scans are a useful debugging tool that enable you to run a specific plugin (security check) against a connected cloud account and see the full response data from the cloud provider. These scans are run directly from the browser or API and contain the full CSPM scan results, along with source API data (e.g. the full response body from the "ec2:describeInstances" call).
When using CSPM's automated Remediations feature, Aqua performs a real-time event-based scan of specific resources whenever a supported API call is observed.
For example, if Remediations is configured to automatically remediate unencrypted S3 buckets, then when CSPM detects the "S3:CreateBucket" API call in your AWS account, it triggers an event scan of that specific S3 bucket for the "S3 Bucket Encrypted" plugin. If the result is "FAIL" for the impacted resource, then the remediation is executed.
Scan Type Comparison
|Background Scan||On-Demand Scan||Live Run Scan||Event Scan|
|Runs regularly based on a pre-defined interval||Yes||No||No||No|
|Can be triggered by a user at any time||No||Yes||Yes||No|
|Runs all plugins across the infrastructure||Yes||Yes||No||No|
|Sends scan summary reports to email and third-party integrations||Yes||No||No||No|
|Triggers alerts to third-party integrations||Yes||No||No||No|
|Triggered by an API call event in the cloud account||No||No||No||Yes|
|Returns the full cloud provider API response data||No||No||Yes||No|
|Results are saved for future reference||Yes||No||No||Yes|