aquasecurity/cloudformation-aqua-helm-providers

Aqua resource types for AWS CloudFormation

AWS CloudFormation resource types for managing Aqua in EKS and self-managed Kubernetes clusters.

Prerequisites

IAM role

CloudFormation uses an IAM role to execute the resource type handler code. A CloudFormation template to create the execution role is available here.

Create an EKS cluster and provide CloudFormation access to the Kubernetes API

EKS clusters use IAM to allow access to the Kubernetes API. Because the CloudFormation resource types in this project interact with the Kubernetes API, the IAM execution role must be granted access to it. This can be done in one of two ways:

  • Create the cluster using CloudFormation: Currently there is no native way to manage EKS auth using CloudFormation (+1 this GitHub issue to help prioritize native support). For this reason AWSQS::EKS::Cluster has been published. Instructions on activation and usage can be found here.
  • Manually: to allow this resource type to access the Kubernetes API, follow the instructions in the EKS documentation, adding the IAM execution role created above to the system:masters group. (Note: you can scope this down if you plan to use the resource type to perform only specific operations on the Kubernetes cluster.)
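
The scoping-down mentioned in the note above, sketched as an added example (not part of this repository): the execution role is mapped to a custom group instead of system:masters, and that group is bound to a namespaced Role. The account ID, role name, username, group name `cfn-aqua-deployers`, namespace `aqua` and the rule list are all assumptions to adapt to what the resource type actually deploys.

```yaml
# aws-auth entry: add it to the existing mapRoles list, keeping the node role
# entries already there. Account ID and role name are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/<execution-role-name>
      username: cfn-aqua-handler      # hypothetical username
      groups:
        # - system:masters            # broad form: full cluster admin
        - cfn-aqua-deployers          # scoped form: no rights until bound below
---
# Rights for the custom group, limited to one namespace (assumed: aqua).
# The resources and verbs are illustrative assumptions; a chart that creates
# cluster-scoped objects would need a separate ClusterRole for those.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cfn-aqua-deployer
  namespace: aqua
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["secrets", "configmaps", "services", "serviceaccounts",
                "deployments", "daemonsets", "jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cfn-aqua-deployer
  namespace: aqua
subjects:
  - kind: Group
    name: cfn-aqua-deployers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cfn-aqua-deployer
  apiGroup: rbac.authorization.k8s.io
```

Running `kubectl auth can-i --list --as=cfn-aqua-handler --as-group=cfn-aqua-deployers -n aqua` shows the effective permissions of the mapped identity before the resource type is used.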

Activating the Resource types

To activate the resource types in your account, follow the links below, then choose the AWS Region you would like to use them in and click Activate.

Usage
