Aqua Blog

Aqua’s Container Runtime Security Solution on GCP Marketplace

We’re pleased to announce that the Aqua Container Security Platform is now available on the Google Cloud Marketplace. This is the industry’s first consumption-based security solution for containers, enabled for Kubernetes, providing full lifecycle container security from development to production.

The Aqua Container Security Platform is deployed directly on your Google Kubernetes Engine (GKE) cluster. Designed to deliver immediate value, it doesn’t require manual setup, which means you can instantly start scanning images, and ensure only trusted images are deployed into production. What’s more, you can also apply protection to your runtime environments that automatically prevents many types of malicious activity and container-related attacks in real-time.

Beyond simplified deployment on Google Cloud, we offer straightforward, usage-based billing, where everything is billed through your Google Cloud account. Usage is metered on two dimensions, time and node size. You choose from three node sizes (small, medium, and large, depending on your app requirements) and pay for security by the hour. On a large node (8+ vCPU), your security spend is $0.33/hour; on a small node, it is reduced to $0.05/hour.

Once You Click to Deploy…

Both the Aqua Command Center and Aqua Enforcers are deployed on GKE. The Aqua Command Center is the central server and management console, providing image scanning embedded into your CI/CD tools and/or scanning of your GCR container registry. This is also where you manage policy settings, integrations, and alerts. The Aqua Enforcer is a lightweight per-node agent container (deployed on Kubernetes as a DaemonSet, so one instance runs on every protected worker node), where it monitors container behavior, enforces image assurance, provides runtime protection, and enforces container firewall policies.

Kubernetes Security on GCP

Aqua also integrates with Google Cloud Security Command Center (SCC). This integration provides a centralized, single-pane-of-glass view of all security data for GCP applications, as well as actionable insights. Your SOC analysts can view container/cluster/nodes inventory, vulnerability assessment data, user-level and container-level anomaly detections, and more.

Container Security: The Cloud-Native Way

The Aqua container security solution on Google Marketplace can be found here. You need to be logged in with “Kubernetes Engine Admin” credentials, add your Kubernetes cluster information, and then choose the plan that matches your app’s node size. You will be charged once you click ‘Deploy’.

Kubernetes Security

Once you’ve completed setup, you can jump right in. The Aqua Command Center will map the nodes in your Kubernetes cluster. You’ll be able to perform image risk assessments by connecting Aqua to your Google Container Registry (under System -> Integrations) and scanning images for vulnerabilities, malware, secrets, and misconfigurations. You’ll immediately see a visual summary of the issues found.

Image Vulnerability scanning

You can now set up and apply image assurance policies to ensure that only allowed images adhering to your security and compliance guidelines are deployed. For example, you can block images that contain blacklisted packages from being deployed into a runtime environment. Alternatively, you can choose not to block images whose vulnerabilities have no available fix, so that a finding nobody can act on does not stall a deployment. Aqua provides a broad set of predefined controls for popular images.
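To make the policy logic above concrete, here is an added, illustrative image-assurance evaluator. It is not Aqua’s policy format or engine and does not use any Aqua API; the data classes, the severity threshold, the sample image names and the finding identifiers (labelled SAMPLE-…) are all assumptions constructed for this example. It shows the two decisions described in the paragraph: a blacklisted package always blocks, while a vulnerability with no fix available can be tolerated when the policy says so.

```python
"""Illustrative image-assurance decision (not Aqua's policy format or engine)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed severity ordering so a policy can set a "block at or above" threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Vulnerability:
    finding_id: str            # constructed label, not a real CVE identifier
    severity: str
    fixed_version: Optional[str]  # None means no vendor fix is available


@dataclass
class ScanResult:
    image: str
    packages: List[str]
    vulnerabilities: List[Vulnerability]
    secrets_found: int = 0     # embedded credentials detected by the scanner


@dataclass
class AssurancePolicy:
    blacklisted_packages: Set[str]
    max_severity: str = "high"     # block findings at this severity or above ...
    ignore_unfixable: bool = True  # ... unless the finding has no available fix
    block_on_secrets: bool = True


def evaluate(scan: ScanResult, policy: AssurancePolicy) -> Tuple[bool, List[str]]:
    """Return (compliant, reasons). An empty reason list means the image may deploy."""
    reasons: List[str] = []

    # Blacklisted packages are blocked unconditionally.
    for pkg in scan.packages:
        if pkg in policy.blacklisted_packages:
            reasons.append(f"blacklisted package: {pkg}")

    threshold = SEVERITY_RANK[policy.max_severity]
    for v in scan.vulnerabilities:
        if SEVERITY_RANK[v.severity] < threshold:
            continue  # below the policy threshold
        if v.fixed_version is None and policy.ignore_unfixable:
            continue  # nothing the image owner can do yet; tolerated by policy
        fix = v.fixed_version if v.fixed_version else "no fix available"
        reasons.append(f"{v.finding_id} ({v.severity}), fix: {fix}")

    if policy.block_on_secrets and scan.secrets_found:
        reasons.append(f"{scan.secrets_found} embedded secret(s) found")

    return (not reasons, reasons)


# Constructed sample data: image names and finding ids are placeholders.
POLICY = AssurancePolicy(blacklisted_packages={"netcat", "telnet"})

SAMPLE_SCANS = [
    ScanResult(
        image="gcr.io/example/api:1.4.2",
        packages=["openssl", "curl"],
        vulnerabilities=[
            Vulnerability("SAMPLE-0001", "critical", None),    # unfixable: tolerated
            Vulnerability("SAMPLE-0002", "medium", "1.2.3"),   # below threshold
        ],
    ),
    ScanResult(
        image="gcr.io/example/debug:latest",
        packages=["openssl", "netcat"],                        # netcat is blacklisted
        vulnerabilities=[Vulnerability("SAMPLE-0003", "high", "2.0.1")],
        secrets_found=1,
    ),
]


def assurance_report(scans: List[ScanResult] = SAMPLE_SCANS,
                     policy: AssurancePolicy = POLICY) -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate every scan against the policy, keyed by image reference."""
    return {s.image: evaluate(s, policy) for s in scans}


if __name__ == "__main__":
    for image, (ok, reasons) in assurance_report().items():
        print(f"{image}: {'ALLOW' if ok else 'BLOCK'}")
        for r in reasons:
            print(f"  - {r}")
```

With the sample data, the api image is allowed (its only high-or-above finding has no fix, and the policy tolerates that), while the debug image is blocked for three independent reasons. Flipping ignore_unfixable to False would block the api image as well, which is the trade-off the paragraph describes.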

Moving on to your runtime workloads, you can now see which containers are running and their security posture.

(Screenshot: running containers, all shown with an OK status)

The next step is to establish runtime protection by setting up runtime policies that ensure all containers comply with security and regulatory mandates, as well as with the principle of least privilege for the images they run.

Kubernetes Runtime security

And finally, you can view the recommended firewall rules Aqua automatically generates and enforces to prevent unauthorized network connections.

Container Firewall

Last but not least, you can set up a secrets store integration to ensure secrets are delivered securely to runtime containers. Aqua offers ready-to-use integrations with multiple secrets stores, such as CyberArk, HashiCorp, and others. With Aqua, secrets can be rotated, updated, and revoked with no container downtime or restart.

Kubernetes Secrets

Rani Osnat
Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies for more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously, Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.