On June 1, 2020, Aqua CSPM is releasing a number of performance, stability, and formatting enhancements for our Azure scanning platform. These updates include a number of changes that may impact your scan reports and security findings for connected Azure accounts. Below is a summary of the changes being made.


  1. Enhanced Scan Performance

    What We Did: Aqua has completely re-written the "collection" engine that performs API calls against Azure subscriptions. We have removed the error-prone and inconsistent Azure SDK and replaced it with a custom interface built on top of the Azure REST APIs. This has resulted in our average scan time dropping from 130 seconds to just under 45 seconds.

    What You Will See: Faster scans, fewer "unknown" results, fewer API calls made to your Azure control plane APIs, and more consistent results.

  2. Standardized Format for Result Resources

    What We Did: Standardized on the "/subscription/{id}/resourceType/resourceName" format for all scan results.

    What You Will See: Improved resource attribution in your scan reports, helping you to locate the impacted resources more quickly. A more consistent scan report format. This change will also make the "MTTR Report" calculations more accurate for Azure subscriptions.

  3. Updated Error Handling

    What We Did: Wrote our own error handlers for Azure's REST API to convert common authentication and authorization errors into error messages that contain more details and actionable steps.

    What You Will See: Improved error messages for any "unknown" results, explaining exactly why the result could not be determined, along with actionable steps on how to fix it, and links to knowledge base articles.

  4. Improved Location Processing

    What We Did: Updated how we process Azure's "locations" to ensure a more consistent delivery of results. For example, some Azure APIs return "East US" while others return "eastus." We now consolidate these results under a single location.

    What You Will See: More consistent results and more accurate "location" parameters for all findings.

  5. Raw Data Collection

    What We Did: Updated the way we process API response data from Azure's APIs to follow a consistent format.

    What You Will See: When using the "Live Run" tool for Azure, you will see the Azure API response data formatted in a consistent way with the name of the service, API call, location, and API response data or error messages included.

  6. Disabling Accounts with Failed Connections

    What We Did: Updated our scanning service to mark Azure subscriptions as "disabled" if the credentials provided could not be used to access the account.

    What You Will See: If your Azure credentials added to Aqua CSPM are invalid, or the application or subscription no longer exists, we will mark the account as disabled, notify your account admins, and then skip scanning the account going forward. This will prevent us from accumulating scan reports with 1000s of "unknown" results. You can contact support to update the credentials.


We are confident that these changes will enhance the experience for all of our users using the Aqua CSPM platform to scan their Azure subscriptions. After the first scan is run using the new codebase, you may notice the following changes in your report:

  • Increase in the total number of results (e.g. 2000 PASS; 135 FAIL moving to 4300 PASS; 250 FAIL).
  • Fewer unknown results


While these changes are being deployed, we have temporarily disabled "New Risk" alerts for Azure subscriptions connected to Aqua Cloud. This is done to avoid unnecessary notifications as we move from one scan result format to another. We will re-enable new risk alerts immediately following the change for subsequent scans once the new baseline is established.


If you have any questions, please don't hesitate to contact support using the widget at the bottom right of your dashboard.