Automate Cloud VM Compliance with Cloud Provider Tags and Labels

Automate Cloud VM Compliance with Cloud Provider Tags and Labels

Ensuring and monitoring compliance and security best practices policies at runtime can often be a barrier to both broader adoption of cloud native technologies and moving more cloud native applications into production at scale. Cloud provider attributes — tags, labels, and resource groups — are useful tools for determining what resources are in scope for compliance. Under the shared responsibility model, however, the onus is on customers to determine and apply policies to those in-scope resources to ensure consistent compliance in dynamic environments.

Using the Aqua console, customers can now easily define which cloud VM resources are in scope for each compliance mandate based on user-defined tags, labels, or other cloud provider attributes. Based on those attributes, administrators can automate at scale which network segmentation, vulnerability and malware scanning, runtime protection, and extended role-based access control (RBAC) policies to apply to resources – as well as maintain consolidated auditing.

Aqua’s automated collection of cloud provider attributes extends the ability for Aqua customers to unify compliance across cloud VMs in addition to existing support for containers, and serverless functions, including:

  • Preventing cloud VMs with a specific label or tag from having outbound or inbound connections through identity-based firewalling to consistently automate separation between in-scope networks such as PCI data processing and other networks in more dynamic environments
  • Defining which workloads require malware scanning based on whether they are in scope for compliance mandates and then prioritizing findings based on compliance violation risk, and automating remediation actions such as auditing, blocking, or quarantining
  • Maintaining real-time monitoring and auditing of changes to containers and cloud VMs for PCI and HIPAA compliance, with a complete audit trail of any changes made
  • Integrating cloud provider attributes into application scopes to limit by role which networks and resources administrators can access to conform with PCI, SOX, and HIPAA mandates
  • Automatically grouping and managing cloud native assets deployed on separate nodes and network segments based on common compliance tags and labels, with consolidated auditing and forensics across cloud providers by the specific compliance mandate

What are cloud provider attributes?

AWS, Microsoft Azure and Google Cloud Platform follow different models for generating or assigning cloud provider attributes. They also differ on whether each resource should automatically inherit a resource hierarchy before provisioning, which users can assign tags or labels, and whether assigning attributes should be mandatory.

Tags are pairs of user-defined metadata made up of a name and a value that are added to resources when they are created. The purpose of tags and labels is to simplify administration and management of the resource and to enable consistent enforcement of centrally defined policies. From an administrative perspective, they can also serve as a tool to inventory and filter which resources are in scope for each compliance mandate.

At the most basic level, compliance attributes are used to assign labels to in-scope resources for mandates such as PCI-DSS, GLBA, and data privacy regulations. Similarly, tags can also be used to determine which resources should be evaluated against frameworks like NIST cybersecurity or the CIS benchmarks.

How does Aqua integrate cloud provider attributes?

Aqua Security now supports the ability to automatically collect all classes of cloud provider attributes for cloud VMs – both cloud provider resource groups and user-defined tags or labels, as well as image IDs, image locations, and logical names – to replicate how they would be used in the cloud service provider environment, automate policy enforcement at runtime, consolidate auditing by compliance mandate across their resources, and govern management operations and processes like provisioning and account creation based on the resource attributes.

In our model, we have delineated two classes of cloud provider attributes:

  • Hierarchy-based metadata such as subscription, region, resource group, and virtual network name. While the concepts and models differ across providers, the attributes will all be displayed in the Aqua console. 
  • User-defined metadata like labels and tags that are associated with the VMs.

With Aqua, the cloud provider attributes will be exposed for management at several points:


Administrators can use tags and resource groups to determine which resources are in scope, and then associate cloud provider attributes with a specific set of runtime policies, notably file integrity monitoring for cloud VMs as required under PCI and HIPAA.


Application scopes

Aqua has extended the infrastructure scope to include cloud provider attributes to allow administrators to define which VMs will be part of the application based on cloud provider attributes, whether tags or hierarchy attributes. This mapping allows administrators to extend RBAC for compliance mandates like PCI, SOX, and GLBA by incorporating application scope into policies that determine the specific resources the user is allowed to edit or view.


Cloud VMs view

Aqua has mirrored how administrators typically use tags and resource groups in cloud service providers to manage, segment, filter, and group VM workloads in the Aqua console.


How does Aqua help with compliance automation?

Aqua customers can now seamlessly extend their investment in cloud provider attributes management to enable a unified approach to compliance in cloud native environments at scale. For example, customers can now define from the outset which cloud VMs should be evaluated at runtime for malware and then prioritize remediation based on which cloud VMs are in scope based on associated labels and tags.

Aqua also can help minimize the overhead of deploying separate tools for securing and governing cloud VMs, containers, and serverless functions, with support for consolidated monitoring, logging, and auditing. By allowing easier integration of cloud provider attributes into runtime and networking policies, as well as access controls, Aqua can further reinforce the benefits of a consolidated approach:

Network segmentation

  • Automatically enforce cloud VM micro-segmentation and identity-based firewalling based on PCI-DSS, HIPAA, GLBA, SOX, or data privacy tags or labels

Vulnerability and malware scanning

  • Centrally define which cloud VMs are in scope to automatically apply malware scanning based on mandate, and prioritize findings and remediation actions based on compliance mandate tags

Runtime protection

  • Identify and prioritize potential PCI-DSS, SOX, FISMA, and HIPAA compliance issues with file integrity monitoring policies for cloud VMs
  • Block, audit, and quarantine cloud VMs based on real-time vulnerability and malware scan output to reduce the risk of running non-compliant workloads for PCI and SOX

Extended RBAC policies

  • Minimize the risk of non-compliant access by extending RBAC policies through granular application scopes to reinforce cloud provider infrastructure access controls based on IAM policies

Auditing and logging

  • Standardize multi-cloud VM security and governance with the ability to segment, filter, and group VM workloads with a single view
  • Consolidate logging for audit and forensics

Aqua Security


Steve Coplan

Steve is the Director of Product Marketing for Strategic Partners at Aqua. His experience spans industry research and analysis, corporate strategy and product marketing in data security and privacy. Steve especially enjoys being at the forefront of innovation and collaborating with partners to help customers adopt pioneering technology through new approaches to managing risk and security.