Provision Aqua on AWS CloudFormation Public Registry with IaC Automation

The availability of AWS CloudFormation Public Registry makes it possible to manage Aqua components using Infrastructure as Code (IaC) workflows just as easily as AWS resource types. You can now seamlessly automate how you deploy and update Aqua as native resource types across multiple accounts and regions.

Today, AWS announced the launch of AWS CloudFormation Public Registry, a new searchable collection of extensions that allows customers to easily discover, provision, and manage third-party resource types (provisioning logic) and Modules published by AWS Partner Network (APN) Partners and the developer community.

Aqua Security, the pure-play cloud native security leader, has collaborated with AWS to launch Aqua Enterprise Server, Aqua Enterprise Scanner, Kube Enforcer and Container Enforcer resource types on the Registry, which enables our customers to radically simplify provisioning and deploying modules, effectively scale and easily upgrade as new versions of the Aqua Platform are released.

The Aqua CloudFormation Registry listing is available now for AWS customers. Aqua is also listed in AWS Marketplace, and is a certified member of the AWS Partner Network (APN).

Aqua Resources on AWS CloudFormation Public Registry

With broad native AWS integration, Aqua facilitates security and DevOps collaboration for the cloud native journey, embeds security into the AWS build and artifact pipelines, validates and remediates AWS infrastructure controls, and protects workloads running on advanced services through behavioral profiling.

Aqua has validated multiple resource types that can now be provisioned through CloudFormation templates:

  • Aqua Server is a central management component that provides capabilities for scanning, lifecycle controls, policies, monitoring, and reporting.
  • Aqua Enterprise Vulnerability Scanner helps to “shift security left,” scanning directly within the CI/CD pipeline, function stores, and image registries to provide complete risk analysis and to facilitate rapid remediation before the build.
  • Aqua Kube Enforcer serves as a cloud security posture admission controller, which ensures that only scanned, non-compromised or compliant images can be run in your Kubernetes environments.
  • Aqua Container Enforcer monitors workload runtime activity and ensures security by enforcing defined controls.

Customers can now deploy the Aqua platform and these modular components through a few clicks and manage the platform components as resource types in AWS infrastructure – rather than having to use command line scripts or other manual provisioning steps. Customers can reduce the complexity of provisioning and manage the lifecycle of Aqua resources natively in their AWS environments.

Why CloudFormation and Infrastructure as Code?

AWS CloudFormation gives Aqua customers an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. Developers can deploy and update Aqua resources in a simple, declarative style that abstracts away the complexity of specific resource APIs.

With this co-launch between Aqua and CloudFormation Public Registry, our customers can now easily discover our published resource types, eliminating the need to build and maintain these resource types themselves.

With our Aqua components packaged and published as resource types on the CloudFormation Registry, customers can also activate this solution across their entire AWS Organization, or for a specific set of accounts within an OU, in a single operation by using CloudFormation’s Service-Managed StackSets. To do so, use the AWS::CloudFormation::TypeActivation resource type in a template submitted to a Service-Managed StackSet that targets the entire AWS Organization or a particular OU, and optionally pass the ARN of our resource type to enable it.
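A template of the kind described above, as an added example that is not Aqua's or AWS's own code: it activates one public extension in each StackSet target account, gives it a dedicated execution role, and turns off automatic minor-version updates so that upgrades are reviewed. The publisher ID, type name and policy ARN are placeholders to be filled in from the registry listing and your own IAM setup.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Activate a third-party public extension per account and region (added example)

Parameters:
  PublisherId:
    Type: String
    Description: Publisher ID from the registry listing (placeholder, not on this page)
  TypeNameInArn:
    Type: String
    Description: Type name as it appears in the public type ARN (placeholder)
  ExtensionPolicyArn:
    Type: String
    Description: Managed policy with only the permissions the extension needs (assumed to exist)

Resources:
  # Role CloudFormation assumes when it runs the extension's provisioning logic.
  ExtensionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: resources.cloudformation.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                # Limit role assumption to requests made on behalf of this account.
                aws:SourceAccount: !Ref AWS::AccountId
      ManagedPolicyArns:
        - !Ref ExtensionPolicyArn

  ExtensionActivation:
    Type: AWS::CloudFormation::TypeActivation
    Properties:
      # Public type ARNs are regional, so build the ARN for the region being deployed.
      PublicTypeArn: !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}::type/resource/${PublisherId}/${TypeNameInArn}"
      ExecutionRoleArn: !GetAtt ExtensionExecutionRole.Arn
      # Do not pick up new minor versions automatically; upgrade by updating the StackSet.
      AutoUpdate: false
```

Because the template creates an IAM role, the StackSet has to be created with the CAPABILITY_IAM capability acknowledged.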

In addition, customers can use CloudFormation features such as Drift Detection on our Aqua resource types. Drift detection allows you to identify where resources in your stack have drifted from their expected template configuration and to see detailed drift status for each third-party resource type.


As an AWS partner, Aqua can now publish and maintain its own listings on the Registry, using CloudFormation templates as a single method for provisioning logic to automate and streamline how the platform is installed across multiple accounts and regions.

The listing in the AWS CloudFormation Public Registry and validated support for AWS CloudFormation provisioning templates build on Aqua’s longstanding collaboration with AWS.

As an AWS Container Competency Partner, Aqua has invested in capabilities to secure AWS services like Amazon Elastic Kubernetes Service (Amazon EKS), AWS Lambda, AWS Fargate, BottleRocket, Amazon Elastic Container Service Anywhere (Amazon ECS Anywhere), and Amazon Elastic Compute Cloud (Amazon EC2) instances running on Graviton2 processors.


Aqua Team
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.