Background

Aqua CSPM is designed to help you surface and fix security risks in your cloud environments as quickly as possible. It does this in several ways:

  • Easy to read, filterable scan reports with detailed descriptions of all security controls and their results.
  • Integrations with third-party tools, such as Slack and PagerDuty, to alert you of security risks as soon as they are detected.
  • Direct connections to real-time event feeds, such as AWS CloudTrail and CloudWatch Events, to detect risks within seconds.
  • Links to cloud provider documentation.
  • Direct links to cloud provider consoles to help you quickly open the correct settings pages.
  • Links to Aqua's open source "Remediation Guides" with clear, step-by-step instructions on how to fix detected security risks.


Although these features are helpful, our users have asked for the ability to automatically remediate issues that are detected in their cloud environments.


Introducing "Remediations"

With the introduction of our "Remediations" feature, Aqua has added two additional ways to help you quickly remediate your security findings:

  1. Manual (User-Triggered) Remediations - any user (with the correct access) who is viewing an Aqua CSPM security report will now see a new "Remediate" button next to all supported findings. Clicking this button allows the user to trigger a remediation that is executed by Aqua, according to a pre-defined policy that you configure.

  2. Automated (Event-Triggered) Remediations - when Aqua CSPM receives an event from AWS CloudTrail or CloudWatch Events, we will evaluate it, trigger a real-time scan of the newly-detected resource, and remediate any findings according to a pre-defined policy that you configure.


Security

Like all components of Aqua Cloud, the security of our Remediations feature is paramount. We have developed a security model that allows you to have complete control over how, when, and with what permissions, Aqua connects to your account, while still being an easy-to-use feature that requires minimal configuration.


You can read more about the security model for each remediation type here.


Overview

At a high level, Remediations helps you fix security risks in your cloud accounts without having to develop complex scripts, deploy error-prone templates, or make risky changes manually. Instead, Aqua will implement the fix on your behalf, using its own well-tested, open source remediation processes.

By way of example, if an S3 bucket is found to be deployed without encryption, Remediations can be used to enable encryption instantly, either with the default AES-256, or via a custom CMK that you provide.


Remediation Policies

At the heart of the Remediations feature is the concept of policies. By default, Aqua will not make any changes to your account. Instead, we follow an explicit opt-in process for enabling the feature in your account. Once enabled, you must also define a policy that gives Aqua explicit permission to make the changes when requested.


You can read more about remediation policies here.
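
The S3 encryption case and the opt-in policy described above, sketched as an added example (not Aqua's code). The policy field names, the `plan_remediation` helper and the sample bucket are hypothetical; only the `ServerSideEncryptionConfiguration` shape follows the S3 PutBucketEncryption API, and nothing here calls AWS.

```python
import copy

# Constructed opt-in policy; field names are hypothetical, not Aqua's schema.
POLICY = {"enabled": True, "allowed": {"s3-bucket-encryption"},
          "kms_key_id": None}  # None -> default AES-256; otherwise your CMK id/ARN

SSE_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")

def is_encrypted(state):
    """True if the bucket state carries a default-encryption rule."""
    rules = (state.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in SSE_ALGORITHMS for r in rules)

def desired_config(kms_key_id=None):
    """PutBucketEncryption body: SSE-S3 (AES-256), or SSE-KMS with a custom CMK."""
    default = {"SSEAlgorithm": "AES256"}
    if kms_key_id:
        default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}

def plan_remediation(bucket, state, policy, trigger):
    """Build an audit record; a change is planned only if the policy opts in."""
    record = {"bucket": bucket, "trigger": trigger, "action": None,
              "before": copy.deepcopy(state), "after": copy.deepcopy(state)}
    permitted = (policy.get("enabled")
                 and "s3-bucket-encryption" in policy.get("allowed", ()))
    if is_encrypted(state):
        record["outcome"] = "skipped: already encrypted"
    elif not permitted:
        record["outcome"] = "denied: no policy permits this change"
    else:
        config = desired_config(policy.get("kms_key_id"))
        record["action"] = {"api": "PutBucketEncryption", "Bucket": bucket,
                            "ServerSideEncryptionConfiguration": config}
        record["after"]["ServerSideEncryptionConfiguration"] = config
        record["outcome"] = "planned"
    return record

if __name__ == "__main__":
    # Constructed input: a bucket with no default-encryption configuration.
    print(plan_remediation("example-bucket", {}, POLICY, "user:alice"))
```
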


Reporting and Logging

Every remediation that Aqua CSPM performs is heavily audited from the moment the user clicks the "Remediate" button, to the moment the remediation is implemented. Fail-safes are included at every step of the process to ensure that any errors are caught and reported back to you.

You can view an overview of all of the remediations performed for your account, and click into any remediation to see a detailed history of who (or what) triggered the remediation, the before and after state of the resources, audit logs for the API calls performed during the remediation process, and the outcome of the remediation - whether it was successfully remediated or if the remediation failed and the risk is still present.


Getting Started

If you would like to try out Remediations, please view our setup guide.