## Welcome to Aqua Cloud Native Security Platform (CSP)!
Aqua CSP provides full lifecycle security for your cloud native applications (containers, orchestrators, cloud VMs, and serverless functions) at a very granular level. Aqua includes preventive controls to secure the development pipeline; protects applications in runtime; detects and blocks attacks; and provides visibility and auditing for security risk management and compliance.

Aqua CSP:

* Integrates with your existing workflows for building, shipping, running, and securing your cloud workloads
* Works with the leading orchestrators and cloud provider platforms
* Secures environments consisting of servers running Linux and Windows, as well as CaaS and FaaS cloud services
* Provides you with full audit logs of security-related events that have occurred on your hosts or in your containers and serverless functions

Aqua CSP Version 5.0 includes several new features, other improvements, and changes with respect to CSP Version 4.6. They are described below.

### What's new in this version?
* Multi-Application Role-Based Access Control
* Aqua Dynamic Threat Analysis (DTA)
* Temporal exploitability information for vulnerabilities
* Risk-based Insights and enhanced filtering for vulnerability management
* Automated Kubernetes discovery without Aqua Enforcer (Linux hosts)
* Automatic NanoEnforcer deployment and Runtime Policy scope for AWS Lambda functions
* Improved calculation of vulnerability severity
* Scanning of local images in tar/OCI format
* New policy scope category: Cloud Attributes
* New and enhanced Host Runtime Policy controls
* Serverless runtime: event management via cloud native storage

More information at https://www.aquasec.com

### Aqua images and containers
Aqua components are supplied as product images in the Aqua Registry and deployed as containers. The components are:
* Aqua Server is the central control component of Aqua CSP and hosts the Aqua UI.
* Aqua Gateway(s) handle communication between the Aqua Server and the Aqua Enforcer(s), and use the Aqua Database.
* Aqua Scanner(s) scan images for security issues (vulnerabilities, sensitive data, and malware) and send the results to the Aqua Server. The Scanners are directed by the Image Assurance Policies you have configured in the Aqua UI.
* Aqua Enforcer(s) monitor your running containers and enforce the Container Runtime Policies you have configured in the Aqua UI. The Aqua Enforcer(s) also ensure that only registered and scanned images will run on the hosts where an Aqua Enforcer is deployed.
  
### Deploying Aqua CSP

Follow the example below for a simple `podman`-based deployment of the Database, Server, and Gateway on one or more hosts.

**Other deployment options are available at https://github.com/aquasecurity/deployments/**

Before running the commands:

* Replace `<DB_HOST>` with a resolvable DNS name or the IP address of the database host.
* Replace all occurrences of `<DB_PASSWORD>` with a password of your choice. The same value is used for the PostgreSQL superuser (`postgres`) and for both the `scalock` and `slk_audit` databases, so choose a long, randomly generated password.
* Replace `<CONSOLE_HOST>` with a resolvable DNS name or the IP address of the Aqua Server host.
* Replace the image names with the appropriate Iron Bank image source.

Note that `-p 5432:5432` publishes PostgreSQL on every interface of the database host; restrict access to the Aqua Server and Gateway hosts with host firewall rules. Mounting `/var/run/docker.sock` into the console container gives that container control of the host's container runtime, which is root-equivalent on that host.

```
# PostgreSQL database (holds both the scalock and slk_audit databases)
podman run -d -p 5432:5432 --name aqua-db \
   -e POSTGRES_PASSWORD=<DB_PASSWORD> \
   -v /var/lib/aqua-db/data:/var/lib/postgresql/data \
   registry.aquasec.com/database:5.0

# Aqua Server (console); host port 443 is mapped to the container's HTTPS port 8443
podman run -d -p 8080:8080 -p 443:8443 --name aqua-web \
   -e SCALOCK_DBHOST=<DB_HOST> \
   -e SCALOCK_DBNAME=scalock \
   -e SCALOCK_DBUSER=postgres \
   -e SCALOCK_DBPASSWORD=<DB_PASSWORD> \
   -e SCALOCK_AUDIT_DBHOST=<DB_HOST> \
   -e SCALOCK_AUDIT_DBNAME=slk_audit \
   -e SCALOCK_AUDIT_DBUSER=postgres \
   -e SCALOCK_AUDIT_DBPASSWORD=<DB_PASSWORD> \
   -v /var/run/docker.sock:/var/run/docker.sock \
   registry.aquasec.com/console:5.0

# Aqua Gateway; port 3622 accepts Enforcer connections, 8443 the Aqua Server
podman run -d -p 3622:3622 -p 8443:8443 --name aqua-gateway \
   -e AQUA_CONSOLE_SECURE_ADDRESS=<CONSOLE_HOST>:443 \
   -e SCALOCK_DBHOST=<DB_HOST> \
   -e SCALOCK_DBNAME=scalock \
   -e SCALOCK_DBUSER=postgres \
   -e SCALOCK_DBPASSWORD=<DB_PASSWORD> \
   -e SCALOCK_AUDIT_DBHOST=<DB_HOST> \
   -e SCALOCK_AUDIT_DBNAME=slk_audit \
   -e SCALOCK_AUDIT_DBUSER=postgres \
   -e SCALOCK_AUDIT_DBPASSWORD=<DB_PASSWORD> \
   registry.aquasec.com/gateway:5.0
```

The instructions to deploy the Enforcer are installation-dependent and can be retrieved from the Enforcers page of the Aqua console web UI. Open the 3-dot menu on the right side of the default Enforcer group and select 'Copy Deployment Command'.
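The helper below is an added pre-flight script for the `podman` procedure above; it is not part of Aqua's documentation, the Iron Bank repository, or the `aquasecurity/deployments` project. It assumes the same image names, tag and `SCALOCK_*` variables as the commands above and that `podman run --env-file` is available. It rejects unreplaced `<...>` placeholders and trivially weak database passwords, writes the credentials to mode-0600 env files so the password does not appear in the `podman run` argument list (and therefore not in `ps` output or shell history), and prints the resulting commands for review instead of running them. The hostnames, directory and environment variable names used for input are illustrative.

```shell
#!/bin/sh
# Added pre-flight helper for the podman deployment described above (not Aqua's own
# tooling). Assumes the same images, tags and SCALOCK_* variables as the page.
# Usage (the hostnames and AQUA_ENV_DIR are illustrative):
#   DB_HOST=db.example.internal CONSOLE_HOST=console.example.internal \
#   DB_PASSWORD='...' AQUA_ENV_DIR=/etc/aqua sh aqua-preflight.sh render > deploy.sh
set -eu

AQUA_REGISTRY="${AQUA_REGISTRY:-registry.aquasec.com}"   # point at the Iron Bank source instead
AQUA_TAG="${AQUA_TAG:-5.0}"

# True when a value still looks like an unreplaced template placeholder such as <DB_HOST>.
has_placeholder() {
    case "$1" in
        *'<'*'>'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Reject empty values, leftover placeholders and trivially weak database passwords.
# One password protects the PostgreSQL superuser and both Aqua databases, so it matters.
validate_inputs() {
    _db_host="$1"; _console_host="$2"; _db_password="$3"
    for _v in "$_db_host" "$_console_host" "$_db_password"; do
        if [ -z "$_v" ] || has_placeholder "$_v"; then
            echo "preflight: empty value or unreplaced placeholder: '$_v'" >&2
            return 1
        fi
    done
    if [ "${#_db_password}" -lt 16 ] || [ "$_db_password" = "postgres" ]; then
        echo "preflight: DB password must be at least 16 characters and not a default" >&2
        return 1
    fi
    return 0
}

# Write the credentials to 0600 env files so the password is not part of the
# `podman run` argv (visible in `ps` and shell history). `podman inspect` on a
# running container still shows its environment, so protect the host accordingly.
write_env_files() {
    _dir="$1"; _db_host="$2"; _db_password="$3"
    mkdir -p "$_dir"
    (
        umask 077
        printf 'POSTGRES_PASSWORD=%s\n' "$_db_password" > "$_dir/aqua-db.env"
        cat > "$_dir/aqua-app.env" <<EOF
SCALOCK_DBHOST=$_db_host
SCALOCK_DBNAME=scalock
SCALOCK_DBUSER=postgres
SCALOCK_DBPASSWORD=$_db_password
SCALOCK_AUDIT_DBHOST=$_db_host
SCALOCK_AUDIT_DBNAME=slk_audit
SCALOCK_AUDIT_DBUSER=postgres
SCALOCK_AUDIT_DBPASSWORD=$_db_password
EOF
    )
    chmod 600 "$_dir/aqua-db.env" "$_dir/aqua-app.env"
}

# Print the three `podman run` commands from the page, rewritten to take the
# credentials from the env files. Review the output before executing it.
render_commands() {
    _dir="$1"; _console_host="$2"
    cat <<EOF
podman run -d -p 5432:5432 --name aqua-db \\
   --env-file $_dir/aqua-db.env \\
   -v /var/lib/aqua-db/data:/var/lib/postgresql/data \\
   $AQUA_REGISTRY/database:$AQUA_TAG

podman run -d -p 8080:8080 -p 443:8443 --name aqua-web \\
   --env-file $_dir/aqua-app.env \\
   -v /var/run/docker.sock:/var/run/docker.sock \\
   $AQUA_REGISTRY/console:$AQUA_TAG

podman run -d -p 3622:3622 -p 8443:8443 --name aqua-gateway \\
   -e AQUA_CONSOLE_SECURE_ADDRESS=$_console_host:443 \\
   --env-file $_dir/aqua-app.env \\
   $AQUA_REGISTRY/gateway:$AQUA_TAG
EOF
}

if [ "${1:-}" = "render" ]; then
    validate_inputs "${DB_HOST:-}" "${CONSOLE_HOST:-}" "${DB_PASSWORD:-}"
    write_env_files "${AQUA_ENV_DIR:-/etc/aqua}" "$DB_HOST" "$DB_PASSWORD"
    render_commands "${AQUA_ENV_DIR:-/etc/aqua}" "$CONSOLE_HOST"
fi
```

The rendered commands keep two properties of the page's procedure that deserve a second look before production use: PostgreSQL is published on every interface of its host, and the console container mounts the container-runtime socket, which gives it root-equivalent control of that host. With podman that socket path exists only if the podman API service has been enabled and aliased to `/var/run/docker.sock`; if it is absent, check whether your console deployment needs the mount at all.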

### Sizing Guide
The sizing guidance below is based on a small Kubernetes deployment as described in the following table:

| Hosts | Pods | Gateways | Scanners | Enforcers |
| --- | --- | --- | --- | --- |
| 50 | 4000 | 1 | 10 | 50 |

Per-component requirements for that deployment (Min = minimum, Rec = recommended):

| Component | CPU (millicores) | RAM (GB) | Storage (GB) |
| --- | --- | --- | --- |
| Aqua Server | Min: 2,000 Rec: 3,000 | Min: 3.0 Rec: 5.0 | Min: 5.0 Rec: 6.0 |
| Aqua Gateway (each) | Min: 1,000 Rec: 1,000 | Min: 1.0 Rec: 2.0 | |
| Aqua Scanner (each) | Min: 500 Rec: 800 | Min: 2.0 Rec: 6.0 | Size of the largest image |
| Aqua Enforcer (each) | Min: 350 Rec: 500 | Min: 0.5 Rec: 1.5 | |
| PostgreSQL DB | Min: 2,000 Rec: 5,000 | Min: 10.0 Rec: 20.0 | Min: 50 Rec: 250 |