Aqua Blog

Out-of the-Box Policies Simplify Container Compliance

One of the challenges organizations have in using cloud native technologies is in figuring out how compliance requirements translate into actionable control points. Most regulations predate containers and serverless technologies and don’t have specific articles governing the use of such technologies.

We recently released Aqua 3.2, where we rolled out key compliance controls pre-configured as out-of-the-box templates in our runtime policy. These templates provide starting points that address specific regulatory requirements, which admins can further tweak as they see fit – but we save them the hassle of starting from scratch.

To achieve this, we mapped specific PCI-DSS, HIPAA, NIST and CIS requirements, translating them into actionable controls in the Aqua Runtime Policy. These compliance control sets are applied globally, across the board, to all containers, clusters, and nodes.

Container runtime policies

The compliance controls and the Aqua Runtime Policy as a whole, are part of Aqua’s defense in depth, which includes additional layers that can also be instrumental in achieving compliance. These include:

  • Image Assurance – Persistent controls to ensure image integrity throughout its lifecycle, and preventing unapproved or unvetted images from running
  • Image Profiles – Provides controls to define authorized image activities. These profiles apply to containers instantiated from a specific image
  • Container Firewall – Limits container communications to defined nano-segments based on application context
  • User Access Control – Fine-grained access control model to enforce access privileges at the container level, from development to production, including custom and predefined roles, such as cluster admin, auditor, developer, etc.
  • Thin OS Host Controls – Scans hosts for vulnerabilities and malware, monitors logins, and failed logins
  • Extensive Audit Logs – Granular container-level event logs that provide visibility across all environments into container processes and policy violations

Container compliance policies

From requirements to prevention using regulatory controls

Following are some PCI-DSS standardrelated controls (partial list) as they are translated into Aqua’s global runtime policy. Note that each template can be used as a starting point for further tweaking of the policy:  

PCI-DSS Requirement Aqua Runtime Policy (Partial list)
Network Controls
Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
IP Reputation:
Enable detection/prevention of outbound communication from containers to IP addresses with bad reputations

Network Link:
Enable blocking of network connection between containers that are not linked or not running on the same network

Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet
Container Monitoring & Control
Deploy a change-detection mechanism (e.g. file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files, and configure the software to perform at least weekly critical file comparisons 2.2
Develop configuration standards for all system components. Ensure that these standards address all known security vulnerabilities, and are consistent with industry-accepted system hardening standards
Drift Prevention:
Aqua uses a cryptographic digest of the image content across all layers to create a unique digital fingerprint. Images that do not match known fingerprints will be blocked from running, enforcing image integrity and preventing drift

Prevent Override Default Configurations:
This control prevents running containers that override default configuration, e.g. containers that are running without default seccomp profiles

CIS Controls:
Aqua supports CIS benchmarks (Docker and Kubernetes) for host hardening, providing compliance reports per host, and a comprehensive image vulnerability report. In addition, Aqua admin can review CIS compliance status using the Aqua Host CIS reports

Port Scanning Detection:
When this control is enabled, Aqua detects port scanning inside containers

Volumes Blacklist:
Admin can list volumes that cannot be mounted to containers

Container privileges limitation:
Admin can limit containers from running with excess privileges, e.g. access to host network, configured with ‘root’ user

Any violation of the policy automatically generates an alert and is blocked if the policy is in Enforce mode. These controls are out-of-the-box compliance runtime controls specifically developed to help you translate sometimes amorphic, general requirements into specific container controls. And because you define these policies at Aqua, if you plan on switching cloud providers, move from AWS to Azure or Google, or use a different platform, you can do this without the need to redefine your policies.

Download our container compliance guides for
NIST SP-800-190, 
HIPPA and 

NIST container compliance


HIPPA container compliance PCI DSS container compliance



Rani Osnat
Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.