Using AWS SSM to create agentless connections

This guide provides an example for creating agentless connections in Cyberwatch using Amazon Web Services Session Manager (AWS SSM).

Prerequisites

This documentation assumes:

  • An account with access to AWS and sufficient IAM permissions to create groups, roles, policies…
  • Basic knowledge of AWS services (IAM, EC2, SSM…)

AWS Configuration

Configuring AWS involves creating the following elements:

  • A policy containing minimum permissions for using the SSM console
  • An IAM role associated with the above policy

Create an AWS Policy

AWS provides several default policy templates, such as the AmazonSSMManagedInstanceCore policy.

However, this policy does not enable Session Manager functionality from the AWS interface on its own.

An alternative is to create a custom policy, very similar to the default AWS policy, with JSON as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        }
    ]
}

To create such a policy in AWS:

  1. Go to the Access management > Policies menu
  2. Click the Create policy button
  3. In the policy editor, select the JSON mode
  4. In the editor, paste the above JSON code
  5. Name the policy, for example, SSM_Cyberwatch_policy, then finalize its creation

Throughout this documentation, the policy will be referred to by its name.

Create an IAM Role

Follow the steps below to create an IAM role in AWS:

  1. Go to the Access management > Roles menu
  2. Click the Create role button
  3. Select AWS service as the trusted entity type and EC2 as the use case
  4. Add the SSM_Cyberwatch_policy policy created earlier as a permission
  5. Name the role, for example, SSM_Cyberwatch_role, then finalize its creation

Throughout this documentation, the role will be referred to by its name.

Assign the policy to an IAM user

The user, whose API keys will be used to create agentless connections with SSM, must be assigned the SSM_Cyberwatch_policy policy created earlier.

To do this, follow the steps below in the AWS console:

  1. Go to the Access management > Policies menu
  2. Select the SSM_Cyberwatch_policy policy and click Actions > Attach
  3. Select the desired user as the IAM entity

Assign the IAM Role to an EC2 instance

From the EC2 instance management interface, select an instance that will be supervised by Cyberwatch via SSM.

From the instance’s Security tab, modify the IAM role to associate it with the SSM_Cyberwatch_role role created earlier.

The above section uses an existing EC2 instance as an example, but these elements are also applicable when creating a new instance.

Actions in Cyberwatch

In Cyberwatch, it’s ideal to use an AWS discovery, which will list the instances to be scanned.

Use an Amazon Web Services discovery

Refer to the Amazon Web Services discoveries page to launch a discovery scan.

Launch the discovery scan using the API keys of the user who will be used for SSM scans from Cyberwatch.

Register discovered assets with AWS Session Manager

Discovered assets can be registered as agentless connections as follows:

  1. From the Discoveries menu, click the link Show discovered assets of the corresponding discovery
  2. Select the assets to add
  3. Click on Bulk actions > Scan with agentless connections
  4. Select AWS Session Manager as the connection type and select the Amazon Web Services stored credentials used for the discovery. This will create an agentless connection of type AWS Session Manager for each selected discovered asset

This type of agentless connection must be authorized in the Administration > Connectors management menu by checking the AWS Session Manager box.

Details:

  • Assets to scan must be compatible with SSM usage and configured so that SSM is allowed, as specified in the official documentation
  • The AWS account must have sufficient privileges for SSM usage on the desired resources (see official documentation)
  • The address and region fields of the agentless connection will be filled with the ID and region of the asset
  • It is also possible to add the asset directly without using a discovery through the Agentless connections > Add button and selecting the type AWS Session Manager
  • Only Windows and Linux assets are supported

Back to top