Amazon Web Services discoveries
You may use AWS discoveries to list all your EC2 instances for a specific AWS region.
Prerequisites
- API access key created by a specific user (and its ID)
- AmazonEC2ReadOnlyAccess permission for this user
AWS EKS prerequisites
If you want to list the Docker images deployed on an Amazon Elastic Kubernetes Service (EKS) cluster, you also need to:
- Provide a set of credentials with ViewOnlyAccess rights
Configure your AWS access key
To browse your AWS infrastructure, Cyberwatch needs an access key. You can create one from the AWS console by clicking your account name at the top right corner, then selecting “My security credentials”. See also AWS’ detailed documentation: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys.
It is recommended that you create a dedicated IAM user for Cyberwatch with only the read-only permissions needed to list the instances, rather than reusing an administrator’s key.
Once your access key has been created, you need to add it to Cyberwatch from “Stored credentials” in the sidebar, then click Add. In the credentials form, select type Amazon Web Services and input your generated access key ID and its secret access key.
Create the discovery
- From Discoveries, click Add. Click Amazon Web Services in the Cloud infrastructure category
- Enter the name of the scan
- Select the optional groups that will be assigned to the scan
- Choose the source of the scan (the Cyberwatch machine that will run the operation)
- Using the Credentials selector, pick the AWS account registered in previous steps
- Input the name of the AWS region to list instances from (e.g. eu-central-1)
- Select the discovery mode, which determines the information used to identify the discovered assets
- Choose a recurrence. The default value 0 days means the scan will be launched only once
- Optional - Select an agentless mode connection credential
- Click Confirm
When created, the discovery is immediately started as a background task. You may check the state of the task at any time from Discoveries.
Register discovered assets through AWS Session Manager
Please consult our example guide that explains how to monitor assets in Cyberwatch using AWS Session Manager.
Use AWS roles
To organize access rights across projects, AWS lets administrators associate roles with service accounts. Cyberwatch is able to use the AssumeRole feature of the AWS Security Token Service (STS) API to assume, one after the other, the roles configured in a discovery and list the assets accessible from each role.
The configuration of AWS roles is defined under the Advanced settings section of the discovery.
When this feature is used, Cyberwatch can use a user-defined role session name. The session name is recorded with every AssumeRole call and with the actions taken under the assumed role, so it makes Cyberwatch’s activity easier to retrace in the AWS logs.
Automatic enumeration
AWS discoveries are able to automatically list the accounts of the organization to which the account owning their access key belongs, and then list the assets visible from each of these accounts.
To enable this feature, you need to specify the Role for discovered accounts to use. This configuration assumes that your Cyberwatch service account can perform an AssumeRole on the ARN arn:aws:iam::<Account ID>:role/<Specified role> in each of the discovered accounts, i.e. that the service account is allowed to call sts:AssumeRole on those ARNs and that the trust policy of each target role names the Cyberwatch principal. In case of a permission error on a specific account, that account is skipped and the discovery continues with the next one.
If a Master ARN is set, Cyberwatch first assumes that role and uses it to perform the enumeration of the organization’s accounts (for example when the stored access key itself is not allowed to list the organization’s accounts).
Manual enumeration
If you do not wish to use the automatic enumeration, or if it is insufficient, you can manually specify a list of role ARNs in the field Extra ARNs.
When automatic enumeration is also configured, the extra ARNs will be used on top of the automatically enumerated ARNs.
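The following Python block is an added example illustrating the enumeration logic described in the “Automatic enumeration” and “Manual enumeration” sections; it is not Cyberwatch’s own code. It builds the per-account role ARNs, optionally assumes a Master ARN before listing the organization, assumes each role with a chosen session name, skips accounts where AssumeRole is denied, and appends the Extra ARNs after the enumerated ones. The role names, account IDs and instance IDs are constructed, and the cloud backend is injected so the example runs offline; a boto3-backed adapter with the same interface is included for real use and is not exercised here.

```python
"""Assume-role enumeration across an AWS organization (added example).

Not Cyberwatch code: a constructed illustration of the discovery flow
described above, with an injectable cloud backend so it runs offline.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Stands in for the AccessDenied error STS returns on a refused AssumeRole."""


def role_arn(account_id, role_name):
    """ARN assumed in each discovered account: arn:aws:iam::<Account ID>:role/<role>."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def plan_role_arns(account_ids, role_name, extra_arns=()):
    """Automatically enumerated ARNs first, then the manually listed Extra ARNs."""
    arns = [role_arn(acct, role_name) for acct in account_ids]
    for extra in extra_arns:
        if extra not in arns:  # never scan the same role twice
            arns.append(extra)
    return arns


def enumerate_assets(cloud, role_name, extra_arns=(), master_arn=None,
                     session_name="cyberwatch-discovery"):
    """Assume each role in turn; a denied account is skipped, not fatal.

    cloud must expose base_credentials(), assume_role(arn, session_name),
    list_accounts(credentials) and list_instances(credentials).
    """
    org_creds = cloud.base_credentials()
    if master_arn:  # Master ARN: list the organization from that role instead
        org_creds = cloud.assume_role(master_arn, session_name)
    account_ids = cloud.list_accounts(org_creds)

    found, skipped = {}, []
    for arn in plan_role_arns(account_ids, role_name, extra_arns):
        try:
            creds = cloud.assume_role(arn, session_name)
        except AccessDenied:
            skipped.append(arn)
            continue
        found[arn] = cloud.list_instances(creds)
    return found, skipped


@dataclass
class FakeCloud:
    """Constructed backend: which roles can be assumed and what each one sees."""
    accounts: list
    assumable: dict = field(default_factory=dict)  # arn -> [instance ids]
    calls: list = field(default_factory=list)      # (arn, session_name) audit trail

    def base_credentials(self):
        return ("creds", None)

    def assume_role(self, arn, session_name):
        self.calls.append((arn, session_name))
        if arn not in self.assumable:
            raise AccessDenied(arn)
        return ("creds", arn)

    def list_accounts(self, credentials):
        return list(self.accounts)

    def list_instances(self, credentials):
        _, arn = credentials
        return list(self.assumable[arn])


class Boto3Cloud:
    """Same interface backed by boto3 (needs real credentials; not run offline)."""

    def __init__(self, region):
        import boto3
        from botocore.exceptions import ClientError
        self._boto3, self._client_error, self.region = boto3, ClientError, region

    def base_credentials(self):
        return {}  # the stored access key of the default boto3 session

    def assume_role(self, arn, session_name):
        try:
            c = self._boto3.client("sts").assume_role(
                RoleArn=arn, RoleSessionName=session_name)["Credentials"]
        except self._client_error as exc:
            if exc.response["Error"]["Code"] == "AccessDenied":
                raise AccessDenied(arn) from exc
            raise
        return dict(aws_access_key_id=c["AccessKeyId"],
                    aws_secret_access_key=c["SecretAccessKey"],
                    aws_session_token=c["SessionToken"])

    def list_accounts(self, credentials):
        org = self._boto3.client("organizations", **credentials)
        return [a["Id"] for page in org.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]

    def list_instances(self, credentials):
        ec2 = self._boto3.client("ec2", region_name=self.region, **credentials)
        return [i["InstanceId"] for page in ec2.get_paginator("describe_instances").paginate()
                for r in page["Reservations"] for i in r["Instances"]]


ROLE = "CyberwatchRead"                             # constructed role name
MASTER = role_arn("999999999999", "CyberwatchOrgList")  # constructed Master ARN
EXTRA = role_arn("333333333333", ROLE)              # constructed Extra ARN, outside the org


def demo():
    """Two org accounts (one denied) plus one Extra ARN, all constructed data."""
    cloud = FakeCloud(
        accounts=["111111111111", "222222222222"],
        assumable={MASTER: [],
                   role_arn("111111111111", ROLE): ["i-0a1b2c3d4e5f60001"],
                   EXTRA: ["i-0a1b2c3d4e5f60003"]},  # 222222222222 is not assumable
    )
    found, skipped = enumerate_assets(cloud, ROLE, [EXTRA], master_arn=MASTER,
                                      session_name="cyberwatch-weekly")
    return found, skipped, cloud.calls
```

In the demo, the denied account 222222222222 ends up in the skipped list while the instances from the other role and from the Extra ARN are returned, and every AssumeRole call carries the same session name, which is what you would search for in CloudTrail to trace the discovery’s activity.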