Aqua CSPM scan reports can be customized by suppressing certain plugins that may not be applicable to your environment or audit a security control or resource that you prefer not to audit. Using the "Suppressions" functionality, you can control exactly which plugins, regions, and resources are evaluated as part of CSPM scans.


Introduction to Suppressions

Suppressions are a way of telling CSPM not to produce certain results in its scan reports. While CSPM will still query and audit these resources, any failures detected that match a suppression will not trigger "new risk" alerts or impact the security score of the report.

Suppressions can be added, removed, or modified at any time by an Aqua admin or group admin.

Types of Suppressions

Suppressions can take the following forms:

  1. Suppress a plugin across all cloud accounts
  2. Suppress a plugin for a specific cloud account
  3. Suppress a region across all cloud accounts
  4. Suppress a region for a specific cloud account
  5. Suppress a resource for a specific cloud account

Global Suppressions

A "global" suppression means that the suppression applies to all connected cloud accounts as well as accounts connected in the future. Global suppressions are ideal for when the specific security control (plugin) is not required across the organization and should not be run for any cloud accounts.

Viewing Suppressions

Suppressions can be viewed by following these steps:

  1. Log into the Aqua console
  2. Navigate to the "Suppressions" page
  3. Use the filters to search for the cloud account, region, or plugin associated with the suppression

Creating New Suppressions

Suppressions can be created by following these steps:

  1. Log into the Aqua console
  2. Navigate to the "Suppressions" page
  3. Click "Create Suppression" at the top right
  4. Choose whether you want to suppress a plugin or a region
  5. Enter the details for the suppression (expiration date, comment, etc.)
  6. Apply the suppression either to all cloud accounts (global) or specific cloud accounts

Expiring Suppressions

Suppressions can be created with an expiration date. After the suppression expires, it is treated as a deleted suppression and must be re-created.

Accessing Suppressed Results

Although suppressions prevent results from triggering new risk notifications and alerts, the raw results are still stored by Aqua. This is a good way to debug suppressions and ensure that no security risks are accidentally missed because of an errant suppression.

To see the suppressed results, navigate to any scan report and select the "Suppressed" tab. You can click any row to see more details about why the result was suppressed, including a link to the original suppression.

Removing Suppressions

To remove or delete a suppression, simply locate it on the "Suppressions" page and select "Delete" from the drop-down menu to its right. The suppression will be removed for all future scan reports, but existing scan reports will not be impacted.