Aqua Wave CSPM scans can take one of several forms, depending on who (or what) initiated them and what the focus of the report is. For example, background scans cover a full snapshot of the entire infrastructure environment using all available plugins, while live run scans are used for debugging and only test one plugin at a time.


Background Scans

Background scans are full (i.e. all plugins are run) scans of your entire cloud account infrastructure that are run on a periodic basis, depending on the scan interval setting of the cloud account. Background scan results are saved as a report, which is accessible via the "Scan Reports" page in the Aqua Wave console.

On-Demand Scans

On-demand scans are initiated by a user via the Aqua Wave console or an API call. Unlike background scans, the results of an on-demand scan are returned in the browser and are not saved. On-demand scans can be triggered from the "Cloud Accounts" page by clicking the "Scan" button next to any cloud account that has background scanning disabled.

Live Run Scans

Live Run scans are a useful debugging tool that enable you to run a specific plugin (security check) against a connected cloud account and see the full response data from the cloud provider. These scans are run directly from the browser or API and contain the full CSPM scan results, along with source API data (e.g. the full response body from the "ec2:describeInstances" call).

Event Scans

When using CSPM's automated Remediations feature, Aqua performs a real-time event-based scan of specific resources whenever a supported API call is observed.

For example, if Remediations is configured to automatically remediate unencrypted S3 buckets, then when CSPM detects the "S3:CreateBucket" API call in your AWS account, it triggers an event scan of that specific S3 bucket for the "S3 Bucket Encrypted" plugin. If the result is "FAIL" for the impacted resource, then the remediation is executed.

Scan Type Comparison

Background Scan
On-Demand ScanLive Run ScanEvent Scan
Runs regularly based on a pre-defined intervalYesNoNo
Can be triggered by a user at any timeNoYesYesNo
Runs all plugins across the infrastructure
Sends scan summary reports to email and third-party integrationsYesNoNoNo
Triggers alerts to third-party integrationsYesNoNoNo
Triggered by an API call event in the cloud accountNoNoNoYes
Returns the full cloud provider API response dataNoNoYesNo
Results are saved for future referenceYesNoNoYes