Generating SOC 2 reports with Aqua Security is a straightforward process that leverages Aqua’s comprehensive security posture management capabilities to provide auditable evidence of your cloud-native security controls.

Here’s a look at Aqua in action, demonstrating how it helps you achieve SOC 2 compliance:

Imagine you’re running a Kubernetes cluster and want to prove to auditors that you’re scanning container images for vulnerabilities, enforcing security policies, and logging access. Aqua can do this for you.

First, Aqua’s agent (or admission controller) is deployed within your Kubernetes cluster. This allows it to intercept image deployments and enforce policies.

# Example Aqua SecurityPolicy for image vulnerability scanning
apiVersion: aquasecurity.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: require-vulnerability-scans
spec:
  image:
    vulnerability:
      severity: HIGH
      action: BLOCK
  namespaceSelector:
    matchLabels:
      environment: production

When a developer tries to deploy a new container image to the production namespace:

  1. Image Scanning: Aqua automatically scans the image against its vulnerability database.
  2. Policy Enforcement: If the image contains HIGH severity vulnerabilities, the SecurityPolicy above will block the deployment.
  3. Audit Trail: Aqua logs this event (both the scan result and the blocked deployment) in its audit trail.

This audit trail is the foundation for your SOC 2 reports. Aqua collects evidence from various sources:

  • Vulnerability Scans: Records of all images scanned, their vulnerabilities, and whether they passed or failed policy checks.
  • Runtime Security: Logs of any suspicious activity detected by Aqua’s runtime security features, such as unauthorized process execution or network connections.
  • Configuration Audits: Evidence of compliance with security benchmarks (like CIS Kubernetes) and custom policies.
  • Access Control: Logs of user activity within Aqua, including who performed what actions and when.

To generate a report, you’d navigate to the Aqua console. Under the "Compliance" section, you’ll find pre-built reports for various standards, including SOC 2. You can then select the relevant time period and scope for your audit.

The report itself will contain detailed evidence, often presented in a table format, linking specific security controls to Aqua’s findings. For example, a SOC 2 control related to "Vulnerability Management" might be evidenced by a list of all images scanned in the last quarter, the number of critical vulnerabilities found, and the percentage of images that passed Aqua’s policy checks.
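The scan, enforce and log sequence above, together with the quarterly "Vulnerability Management" roll-up just described, as an added example in Python (not Aqua's own code; the audit event layout, image names and findings are constructed assumptions):

```python
# Added example, not Aqua's own code: apply the page's SecurityPolicy (block images
# with HIGH-or-worse findings in environment=production namespaces), log each decision
# as an audit event, and roll the events up into Vulnerability Management evidence.
# The event/scan dict layout is an assumption, not Aqua's real schema.

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Mirrors the YAML policy earlier on the page: threshold, action, namespace selector.
POLICY = {"severity": "HIGH", "action": "BLOCK",
          "match_labels": {"environment": "production"}}

def policy_applies(policy, namespace_labels):
    # namespaceSelector.matchLabels semantics: every listed label must match.
    return all(namespace_labels.get(k) == v for k, v in policy["match_labels"].items())

def evaluate(policy, image, scanned_on, findings, namespace_labels):
    """Admission decision for one image; returns the audit event that gets logged.
    findings maps severity -> number of vulnerabilities at that severity."""
    threshold = SEVERITY_RANK[policy["severity"]]
    violating = sum(n for sev, n in findings.items() if SEVERITY_RANK[sev] >= threshold)
    blocked = violating > 0 and policy_applies(policy, namespace_labels)
    return {"image": image, "date": scanned_on,       # ISO date string
            "critical": findings.get("CRITICAL", 0),
            "passed": violating == 0,                 # result of the policy check
            "action": policy["action"] if blocked else "ALLOW"}

def vulnerability_management_evidence(events, start, end):
    """Summarise audit events dated within [start, end] (ISO date strings)."""
    in_scope = [e for e in events if start <= e["date"] <= end]
    scanned, passed = len(in_scope), sum(e["passed"] for e in in_scope)
    return {"images_scanned": scanned,
            "critical_vulnerabilities": sum(e["critical"] for e in in_scope),
            "blocked_deployments": sum(e["action"] == "BLOCK" for e in in_scope),
            "percent_passed": round(100 * passed / scanned, 1) if scanned else 0.0}

# Constructed sample events for Q1 2024 (made-up image names and findings).
PROD, STAGING = {"environment": "production"}, {"environment": "staging"}
SAMPLE_EVENTS = [
    evaluate(POLICY, "registry.example/api:1.4", "2024-01-15", {"HIGH": 2, "LOW": 5}, PROD),
    evaluate(POLICY, "registry.example/web:2.0", "2024-02-03", {"CRITICAL": 1}, PROD),
    evaluate(POLICY, "registry.example/worker:0.9", "2024-03-20", {"MEDIUM": 3}, PROD),
    # Same vulnerable image outside the selector: logged as failed, but not blocked.
    evaluate(POLICY, "registry.example/web:2.0", "2024-02-03", {"CRITICAL": 1}, STAGING),
    # Previous quarter: excluded from the Q1 report by the date range.
    evaluate(POLICY, "registry.example/web:1.9", "2023-12-30", {"HIGH": 1}, PROD),
]

if __name__ == "__main__":
    print(vulnerability_management_evidence(SAMPLE_EVENTS, "2024-01-01", "2024-03-31"))
```

The staging event shows why the evidence separates "passed the policy check" from "was blocked": a failed scan in an unselected namespace is still recorded, so the report does not overstate coverage.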

The exact levers you control within Aqua for SOC 2 reporting are primarily around defining and enforcing your security policies. This includes:

  • Vulnerability Management Policies: Setting thresholds for acceptable vulnerability severity and defining actions (block, log, alert) for non-compliant images.
  • Configuration Security Policies: Enforcing best practices for Kubernetes configurations, ensuring resources are not misconfigured in ways that could lead to security gaps.
  • Runtime Policies: Defining what constitutes suspicious behavior in your running containers and what actions Aqua should take.
  • Access Control and Audit Logging: Configuring who has access to Aqua and ensuring that all actions are logged for accountability.

One of the most powerful aspects of Aqua’s SOC 2 reporting is its ability to provide continuous compliance monitoring rather than just point-in-time audits. By integrating Aqua into your CI/CD pipeline and runtime environment, you’re not just generating a report for auditors; you’re actively maintaining a secure posture throughout the audit period and beyond. The system is designed to catch and remediate issues before they become audit findings, which fundamentally changes the compliance process from a reactive documentation exercise to a proactive security discipline.

The next step after generating your SOC 2 reports is often integrating these findings into your broader incident response workflows.
