Aqua Security’s compliance audit reports are more than just pretty PDFs; they’re a dynamic representation of your security posture against a vast array of industry standards and regulations.

Let’s see this in action. Imagine you’ve just onboarded a new Kubernetes cluster and want to ensure it meets CIS Benchmarks.

# First, ensure your cluster is scanned and vulnerabilities are identified.
# This command might look something like:
aqua scan kubernetes --cluster my-k8s-cluster --output-format json > cluster_scan.json

# Next, we'll generate a compliance report against CIS Kubernetes v1.23
# The 'compliance' command checks the scan results against predefined policies.
aqua compliance \
  --scan-results cluster_scan.json \
  --policy "CIS Kubernetes Benchmarks v1.23" \
  --output-format pdf > cis_k8s_report.pdf

This cis_k8s_report.pdf isn’t just a list of findings. It’s a structured narrative showing which controls are met, which are not, and crucially, the specific resources (like Pod Security Policies, Network Policies, or specific Kubernetes API configurations) that are out of compliance.

The core problem Aqua’s compliance engine solves is the manual, error-prone, and time-consuming process of mapping your cloud-native environment’s actual state to the prescriptive requirements of regulations like PCI DSS, HIPAA, GDPR, or benchmarks like CIS. Instead of sifting through thousands of lines of configuration or manually checking every running container, Aqua continuously scans your environment, ingests the results, and then compares them against pre-built or custom-defined compliance policies.

Internally, Aqua uses a multi-layered approach. When you run a scan, it first identifies all running workloads, images, and infrastructure configurations. Then, for compliance reporting, it takes these findings and overlays them with its extensive library of compliance "checks." These checks are granular, mapping specific security controls (e.g., "ensure container runs as non-root user") to observable states within your environment. The engine then aggregates these check results into a report, categorizing findings by severity and mapping them back to the specific requirements of the selected compliance standard.

The exact levers you control are primarily in the aqua compliance command itself. You choose the scan-results file (which comes from aqua scan commands targeting your Kubernetes clusters, container registries, or even IaC definitions), the policy you want to audit against (Aqua provides many out-of-the-box, and you can create custom ones), and the output-format (PDF, JSON, CSV, etc.). Beyond that, the depth of your compliance posture is determined by how comprehensively you scan your environment – ensuring you’re covering not just running containers but also the underlying infrastructure and build pipelines.

When you define a custom compliance policy in Aqua, you’re essentially creating a new set of logical rules that the engine will evaluate against your scanned environment. These rules are constructed using Aqua’s declarative policy language, which allows you to specify conditions based on image vulnerabilities, misconfigurations, runtime behaviors, and more. For example, a custom policy might state that no container in a specific namespace can run with elevated privileges (privileged: true) and must also have a read-only root filesystem (readOnlyRootFilesystem: true), and that these conditions must be met for any image scanned from a particular registry. This granularity allows you to tailor compliance checks to your unique organizational risk appetite and specific regulatory nuances that might not be perfectly captured by generic benchmarks.
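To make the two ideas above concrete, here is an added toy check engine (written for this page, not Aqua's code and not Aqua's policy language): granular checks carry a control ID and severity, are scoped by namespace and image registry the way the custom policy in the paragraph above is, are evaluated against scanned workloads, and are then aggregated into a report by control and by severity as described earlier. The control IDs, policy names, registry hostname and scan records are all constructed placeholders.

```python
"""Toy compliance-check engine: added illustration, not Aqua's implementation.

Control IDs ("BASE-1", "CUSTOM-1"), policy names, the registry hostname and
the SCAN_RESULTS records are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Check:
    control_id: str                    # constructed ID, not a real benchmark ID
    description: str
    severity: str                      # "high" | "medium" | "low"
    passes: Callable[[dict], bool]     # True when the workload satisfies the control
    namespaces: Optional[frozenset] = None   # None = every namespace is in scope
    registries: Optional[frozenset] = None   # None = every image registry is in scope

    def in_scope(self, workload: dict) -> bool:
        """Scope a check to particular namespaces and/or image registries."""
        if self.namespaces is not None and workload["namespace"] not in self.namespaces:
            return False
        if self.registries is not None:
            registry = workload["image"].split("/", 1)[0]
            if registry not in self.registries:
                return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    checks: tuple


def _sc(workload: dict) -> dict:
    return workload.get("securityContext", {})


# Predicates map a control to an observable state in the workload spec.
def not_privileged(w: dict) -> bool:
    return _sc(w).get("privileged", False) is not True


def read_only_root(w: dict) -> bool:
    return _sc(w).get("readOnlyRootFilesystem") is True


def runs_as_non_root(w: dict) -> bool:
    return _sc(w).get("runAsNonRoot") is True


# A benchmark-style policy with a single global check.
BASELINE = Policy("Benchmark-style baseline (constructed)", (
    Check("BASE-1", "container runs as non-root user", "medium", runs_as_non_root),
))

# The custom policy from the text: scoped to one namespace and one registry.
PAYMENTS_SCOPE = dict(namespaces=frozenset({"payments"}),
                      registries=frozenset({"registry.example.internal"}))
CUSTOM = Policy("Custom: payments hardening (constructed)", (
    Check("CUSTOM-1", "no privileged containers", "high", not_privileged, **PAYMENTS_SCOPE),
    Check("CUSTOM-2", "read-only root filesystem", "medium", read_only_root, **PAYMENTS_SCOPE),
))

# Constructed stand-in for the parsed scan results (e.g. cluster_scan.json).
SCAN_RESULTS = [
    {"name": "api", "namespace": "payments", "image": "registry.example.internal/api:1.2",
     "securityContext": {"privileged": False, "readOnlyRootFilesystem": True, "runAsNonRoot": True}},
    {"name": "worker", "namespace": "payments", "image": "registry.example.internal/worker:3.0",
     "securityContext": {"privileged": True}},
    {"name": "debug", "namespace": "dev", "image": "docker.io/library/busybox:1.36",
     "securityContext": {"privileged": True}},
    {"name": "legacy", "namespace": "payments", "image": "docker.io/vendor/legacy:2",
     "securityContext": {"privileged": True, "runAsNonRoot": True}},
]


def evaluate(policy: Policy, workloads: list) -> dict:
    """Run every check of a policy and aggregate results by control and severity."""
    controls = {}
    failures_by_severity = {"high": 0, "medium": 0, "low": 0}
    for check in policy.checks:
        scoped = [w for w in workloads if check.in_scope(w)]
        failing = [f'{w["namespace"]}/{w["name"]}' for w in scoped if not check.passes(w)]
        status = "not_applicable" if not scoped else ("fail" if failing else "pass")
        controls[check.control_id] = {
            "description": check.description,
            "severity": check.severity,
            "status": status,
            "evaluated": len(scoped),
            "failing_resources": failing,   # the concrete resources to remediate
        }
        failures_by_severity[check.severity] += len(failing)
    return {"policy": policy.name, "controls": controls,
            "failures_by_severity": failures_by_severity}


if __name__ == "__main__":
    import json
    for policy in (BASELINE, CUSTOM):
        print(json.dumps(evaluate(policy, SCAN_RESULTS), indent=2))
```

Note how scoping changes the outcome: `payments/legacy` runs privileged but is pulled from a registry outside the custom policy's scope, so it is not reported under CUSTOM-1, while the global baseline still flags any workload that does not set `runAsNonRoot`. That is the practical reason to keep benchmark checks global and reserve scoped custom policies for organisation-specific rules.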

The next step in your compliance journey will likely involve integrating these reports into your CI/CD pipelines for continuous compliance.
