Skip to main content

Aqua Security (SaaS)

Aqua Security (SaaS) is a container security tool that provides workload protection and security for containers, Kubernetes, and serverless applications. You can bring container, host, and security data from Aqua into Brinqa to construct a unified view of your attack surface, thus strengthening your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Aqua SaaS and how to obtain that information from Aqua. See create a data integration for step-by-step instructions on setting up the integration.

info

The Aqua SaaS connector differs from the Aqua Server connector only in its authentication method. Instead of a username and password, the Aqua SaaS connector uses an API key and API secret. The underlying APIs, data retrieved, operation options, and data mappings remain the same as the Aqua Server connector.

Required connection settings

When setting up a data integration, select Aqua SaaS from the Connector drop-down. If you cannot find the connector in the drop-down, make sure you have installed it first. You must provide the following information to authenticate Aqua SaaS with Brinqa:

  • API URL: Your organization’s Aqua SaaS API URL. If the URL is unknown, you can retrieve it by contacting Aqua Support. The default URL format is https://<server_name>.cloud.aquasec.com.

  • Auth URL: The Aqua API Server URL, specific to the region of your Aqua SaaS environment. The default URL format is https://<region>.api.cloudsploit.com. Replace <region> with the specific region of your Aqua API server. If your server is in the US, the URL would be https://api.cloudsploit.com/.

    The following table lists the Aqua SaaS login URL for each region. Please refer to Aqua Platform documentation for accuracy:

    Table 1: Aqua login URLs

    RegionURL
    UShttps://api.cloudsploit.com/
    EUhttps://eu-1.api.cloudsploit.com/
    Singaporehttps://asia-1.api.cloudsploit.com/
    Sydneyhttps://ap-2.api.cloudsploit.com/
  • API key and API secret: The API credentials associated with the Aqua SaaS account, which must have permissions to log in to the API server and return data. For additional information, see Generate Aqua SaaS API credentials.

Generate Aqua SaaS API credentials

For the Aqua SaaS connector to retrieve data from the Aqua API, you must provide API credentials with the necessary permissions. To do so, follow these steps:

  1. Log in to your organization's Aqua portal as an administrator.

  2. Navigate to Account Management > Settings > API Keys.

  3. Click Generate Key.

    Aqua SaaS generate key

  4. Provide a Description for the API key, and then click Create.

    Your API key and API secret display. You cannot view the API secret again after this. Copy and save it to a secure location.

    Aqua SaaS API credentials

  5. After generating the API key, click the kebab (three vertical dots) next to the new API key, and then click Edit.

  6. Disable the Global Permissions toggle and enable the following Granular Permissions, as these are the minimum permissions required to retrieve data from the Aqua API:

    • roles:assign

    • tokens:readwrite

      • Click the drop-down under the tokens-readwrite permission and select Read-Only.

      Aqua SaaS permissions

  7. Click Save.

note

If you do not have permissions to generate API credentials, contact your Aqua administrator. For additional information, see Aqua Platform documentation on API credentials and API key permissions.

Additional settings

The Aqua SaaS connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 4.

  • Request timeout (secs): The maximum time allotted, in seconds, before a request times out. The default setting is 120 seconds. Although it is not recommended, you can also enter zero (0) to disable timeouts.

  • Maximum retries: The maximum number of times that the integration attempts to connect to the Aqua API before giving up and reporting a failure. The default setting is 5.

Types of data to retrieve

The Aqua SaaS connector can retrieve the following types of data from the Aqua API:

Table 2: Data retrieved from Aqua SaaS

Connector ObjectRequiredMaps to Data Model
ContainerYesContainer
Container ImageYesContainer Image
HostYesHost
VulnerabilityYesVulnerability
Vulnerability DefinitionYesVulnerability Definition
info

For detailed steps on how to view the data retrieved from Aqua in the Brinqa Platform, see How to view your data.

Data lifecycle management (DLM) strategy

The following table details the DLM strategy for the Aqua SaaS connector:

Table 3: Aqua SaaS DLM strategy

Connector ObjectInactivity ConditionPurge PolicySummary
ContainerLAST_SEEN NOT IN LAST 7 DAYS30 days after inactivityUses the LAST_SEEN attribute to identify containers that are inactive within the last 7 days, and then purges the records after 30 days of inactivity.
Container ImageLAST_SEEN NOT IN LAST 7 DAYS30 days after inactivityUses the LAST_SEEN attribute to identify container images that are inactive within the last 7 days, and then purges the records after 30 days of inactivity.
HostLAST_SEEN NOT IN LAST 7 DAYS30 days after inactivityUses the LAST_SEEN attribute to identify hosts that are inactive within the last 7 days, and then purges the records after 30 days of inactivity.
VulnerabilityLAST_CAPTURED NOT IN LAST 7 DAYS30 days after inactivityUses the LAST_CAPTURED attribute to identify vulnerabilities that are inactive within the last 7 days, and then purges the records after 30 days of inactivity.

Operation options

The Aqua SaaS connector supports the following operation options. See connector operation options for information about how to apply them.

Table 4: Aqua SaaS connector operation options

Connector ObjectOptionAll Possible valuesDescriptionExample
ContainernameAny container nameRetrieves only containers with the specified name.Key: name Value: kubernetes. This key and value combination only retrieves containers named kubernetes.
registryAny container registryRetrieves only containers from the specified registry.Key: registry Value: docker. This key and value combination only retrieves containers from the docker registry.
repositoryAny container repositoryRetrieves only containers from the specified repository.Key: repository Value: angular-spring. This key and value combination only retrieves containers form the angular-spring repository.
Container ImagenameAny container image nameRetrieves only container images with the specified name.Key: name Value: alpine/openssl:latest. This key and value combination only retrieves container images named alpine/openssl:latest.
registryAny container image registryRetrieves only container images from the specified registry.Key: registry Value: docker hub. This key and value combination only retrieves container images from the docker hub registry.
repositoryAny container image repositoryRetrieves only container images from the specified repository.Key: repository Value: angular-spring. The key and value combination only retrieves container images from the angular-spring repository.
HostnameAny host nameRetrieves only hosts with the specified name.Key: name Value: webserver01. This key and value combination only retrieves hosts names webserver01.
registryAny host registryRetrieves only hosts from the specified registry.Key registry Value: docker. This key and value combination only retrieves hosts from the docker registry.
repositoryAny host repositoryRetrieves only hosts from the specified repository.Key: repository Value: alpine/openssl. This key and value combination only retrieves hosts from the alpine/openssl repository.
Vulnerabilityexploit_availabilityavailable, not availableFilter vulnerabilities by whether or not that have an exploit available, as determined by Aqua.Key: exploit_availability Value: available This key and value combination only retrieves vulnerabilities that have an exploit available.
exploit_typedos, local, remote, web appsA comma-separated list of types of exploits. Filter vulnerabilities by their exploit type.Key: exploit_type Value: dos,remote. This key and value combination only retrieves vulnerabilities with the dos or remote exploit type.
include_vpatch_info1Retrieves suppressed findings from Aqua.Key: include_vpatch_info Value: 1. This key and value combination retrieves suppressed findings from Aqua.
nameAny container image nameRetrieves only vulnerabilities from the specified container image name.Key: name Value: docker.io. This key and value combination only retrieves vulnerabilities associated with docker.io container image.
namespace_namesAny Aqua resource namespace nameA comma-separated list of namespace names. Retrieves only vulnerabilities from the specified namespace names. For additional information on namespaces, see Aqua documentation.Key: namespace_names Value: default,kube-system,kube-public. This key and value combination only retrieves vulnerabilities from the specified namespaces.
registryAny container image registryA comma-separated list of container image registries. Retrieves only vulnerabilities from the specified container image registry.Key: registry Value: docker-hub,harbor. This key and value combination only retrieves vulnerabilities from the docker-hub or harbor container image registries.
repositoryAny container image repository.Retrieves only vulnerabilities from the specified container image repository.Key: repository Value: alpine. This key and value combination only retrieves vulnerabilities from the alpine container image repository.
note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The Aqua SaaS connector uses the Aqua Enterprise API v2. Specifically, it uses the following endpoints:

Table 5: Aqua SaaS API Endpoints

Connector ObjectAPI Endpoints
ContainerGET /api/v2/containers
Container ImageGET /api/v2/images/names
GET /api/v2/images/
HostGET /api/v2/infrastructure
VulnerabilityGET /api/v2/risks/vulnerabilities/exporters/jobs
GET /api/v2/risks/vulnerabilities/exports/export
GET /api/v2/risks/vulnerabilities/exporters/stream
Vulnerability DefinitionGET /api/v2/risks/vulnerabilities/exporters/jobs
GET /api/v2/risks/vulnerabilities/exports/export
GET /api/v2/risks/vulnerabilities/exporters/stream

Changelog

The Aqua SaaS connector has undergone the following changes:

Table 6: Aqua SaaS connector changelog

VersionDescription
4.0.3- Added the NAMESPACE attribute to the Vulnerability object.
- Added a new operation option to filter vulnerabilities by their namespace: namespace_names
4.0.2Enhanced the connector to retrieve suppressed findings from Aqua. As a result, the following operation option has been added to the Vulnerability object: include_vpatch_info
4.0.1Added the HAS_RUNNING_WORKLOADS and RUNNING_WORKLOADS_COUNT attributes to the Vulnerability object.
4.0.0- Transitioned the Aqua SaaS connector to fully use the Aqua Enterprise API v2 to enhance performance and reliability.
- Added two new operation options to filter vulnerabilities: exploit_availability and exploit_type.
3.1.3Added support for Data lifecycle management to the Container, Container Image, Host, and Vulnerability objects.
3.1.2Fixed an issue where the Vulnerability Definition object sync was failing.
3.1.1Code clean up and general maintenance.
3.1.0Initial Integration+ release.