Using AWS SSM to create agentless connections
This guide provides an example for creating agentless connections in Cyberwatch using Amazon Web Services Session Manager (AWS SSM).
Prerequisites
This documentation assumes:
- An account with access to AWS and sufficient IAM permissions to create groups, roles, policies…
- Basic knowledge of AWS services (IAM, EC2, SSM…)
AWS Configuration
Configuring AWS involves creating the following elements:
- A policy containing minimum permissions for using the SSM console
- An IAM role associated with the above policy
Create an AWS Policy
AWS provides several default policy templates, such as the AmazonSSMManagedInstanceCore
policy.
However, this policy does not enable Session Manager functionality from the AWS interface on its own.
An alternative is to create a custom policy, very similar to the default AWS policy, with JSON as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
To create such a policy in AWS:
- Go to the
Access management > Policies
menu - Click the
Create policy
button - In the policy editor, select the
JSON
mode - In the editor, paste the above JSON code
- Name the policy, for example,
SSM_Cyberwatch_policy
, then finalize its creation
Throughout this documentation, the policy will be referred to by its name.
Create an IAM Role
Follow the steps below to create an IAM role in AWS:
- Go to the
Access management > Roles
menu - Click the
Create role
button - Select
AWS service
as the trusted entity type andEC2
as the use case - Add the
SSM_Cyberwatch_policy
policy created earlier as a permission - Name the role, for example,
SSM_Cyberwatch_role
, then finalize its creation
Throughout this documentation, the role will be referred to by its name.
Assign the policy to an IAM user
The user, whose API keys will be used to create agentless connections with SSM, must be assigned the SSM_Cyberwatch_policy
policy created earlier.
To do this, follow the steps below in the AWS console:
- Go to the
Access management > Policies
menu - Select the
SSM_Cyberwatch_policy
policy and clickActions > Attach
- Select the desired user as the IAM entity
Assign the IAM Role to an EC2 instance
From the EC2 instance management interface, select an instance that will be supervised by Cyberwatch via SSM.
From the instance’s Security
tab, modify the IAM role to associate it with the SSM_Cyberwatch_role
role created earlier.
The above section uses an existing EC2 instance as an example, but these elements are also applicable when creating a new instance.
Actions in Cyberwatch
In Cyberwatch, it’s ideal to use an AWS discovery, which will list the instances to be scanned.
Use an Amazon Web Services discovery
Refer to the Amazon Web Services discoveries page to launch a discovery scan.
Launch the discovery scan using the API keys of the user who will be used for SSM scans from Cyberwatch.
Register discovered assets with AWS Session Manager
Discovered assets can be registered as agentless connections as follows:
- From the Discoveries menu, click the link
Show discovered assets
of the corresponding discovery - Select the assets to add
- Click on
Bulk actions > Scan with agentless connections
- Select
AWS Session Manager
as the connection type and select the Amazon Web Services stored credentials used for the discovery. This will create an agentless connection of typeAWS Session Manager
for each selected discovered asset
This type of agentless connection must be authorized in the Administration > Connectors management
menu by checking the AWS Session Manager
box.
Details:
- Assets to scan must be compatible with SSM usage and configured so that SSM is allowed, as specified in the official documentation
- The AWS account must have sufficient privileges for SSM usage on the desired resources (see official documentation)
- The
address
andregion
fields of the agentless connection will be filled with the ID and region of the asset - It is also possible to add the asset directly without using a discovery through the
Agentless connections > Add
button and selecting the typeAWS Session Manager
- Only Windows and Linux assets are supported