Amazon Web Services discoveries

AWS discoveries list all the EC2 instances of an AWS account in a given AWS region, so that they can be added to Cyberwatch as assets.

Configure your AWS access key

To browse your AWS infrastructure, Cyberwatch needs an AWS access key. You can create one from the AWS console by clicking your account name in the top right corner, then selecting “My security credentials”. See also AWS’ detailed documentation: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys.

It is recommended to create a dedicated IAM user for Cyberwatch with minimal read-only permissions rather than using the access keys of the root account: listing instances only requires the ec2:DescribeInstances action, and the key should be rotated like any other long-lived credential.

Once your access key has been created, add it to Cyberwatch from “Stored credentials” in the sidebar, then click Add. In the credential form, select the type Amazon Web Services and enter the generated access key ID and its secret access key.
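As an added illustration of the permissions described above (example code, not Cyberwatch’s own), the following Python builds a least-privilege identity policy for the dedicated user, the matching trust policy for a discovery role in a member account (the role that the role-based enumeration described further down assumes), and a small audit that flags the over-broad variants a reviewer would reject. The role name CyberwatchDiscovery and the principal ARNs are assumptions.

```python
# Added example (not Cyberwatch's code): least-privilege IAM policies for the
# dedicated discovery user, plus a small audit of what such a policy may contain.
# Role, user and account identifiers below are hypothetical placeholders.
import json

ROLE_NAME = "CyberwatchDiscovery"          # hypothetical role name in each account
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def discovery_policy(role_name=ROLE_NAME, extra_arns=()):
    """Identity policy attached to the Cyberwatch IAM user.

    ec2:Describe* and organizations:List* do not support resource-level
    permissions, so their Resource must be "*"; sts:AssumeRole, however, is
    scoped to the discovery role name (in any account) plus explicit extra
    ARNs, never to every role reachable from the organization.
    """
    assume_targets = [f"arn:aws:iam::*:role/{role_name}", *extra_arns]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListInstances", "Effect": "Allow",
             "Action": ["ec2:DescribeInstances"], "Resource": "*"},
            {"Sid": "EnumerateOrganization", "Effect": "Allow",
             "Action": ["organizations:ListAccounts"], "Resource": "*"},
            {"Sid": "AssumeDiscoveryRoles", "Effect": "Allow",
             "Action": ["sts:AssumeRole"], "Resource": assume_targets},
        ],
    }


def member_role_trust_policy(principal_arn):
    """Trust policy of the discovery role created in each member account:
    only the Cyberwatch principal may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": principal_arn},
                       "Action": "sts:AssumeRole"}],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return the findings a reviewer would raise against a discovery policy:
    wildcard actions, non-read-only actions, or sts:AssumeRole on any role."""
    findings = []
    for statement in policy["Statement"]:
        sid = statement.get("Sid", "<no Sid>")
        actions = _as_list(statement["Action"])
        resources = _as_list(statement.get("Resource", "*"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action != "sts:AssumeRole" and not action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES):
                findings.append(f"{sid}: non read-only action {action}")
        if "sts:AssumeRole" in actions and "*" in resources:
            findings.append(f"{sid}: sts:AssumeRole on every role")
    return findings


if __name__ == "__main__":
    policy = discovery_policy(extra_arns=["arn:aws:iam::444444444444:role/LegacyDiscovery"])
    print(json.dumps(policy, indent=2))
    print("findings:", audit(policy))
    print(json.dumps(member_role_trust_policy("arn:aws:iam::111111111111:user/cyberwatch"), indent=2))
```

The audit deliberately treats sts:AssumeRole as acceptable only when its Resource names specific roles; a policy that allows AssumeRole on "*" lets a leaked Cyberwatch key pivot into any role in any account whose trust policy is permissive.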

Create the discovery

  1. From Discoveries, click Add, then click Amazon Web Services in the Cloud infrastructure category.
  2. Enter the name of the scan.
  3. Optionally, select the groups to assign to the scan.
  4. Choose the source of the scan (the Cyberwatch machine that will run the operation).
  5. Using the Credentials selector, pick the AWS account registered in previous steps.
  6. Input the name of the AWS region to list instances from (e.g. eu-central-1).
  7. Select the discovery mode, which determines which instance information is used to identify the discovered assets.
  8. Choose a recurrence. The default value, 0 days, means the scan runs only once.
  9. Optional: select an agentless connection credential.
  10. Click Confirm.

Once created, the discovery starts immediately as a background task. You can check the state of the task at any time from Discoveries.

Register discovered assets through AWS Session Manager

Discovered assets may be registered as agentless connections as follows:

  1. From the Discoveries menu, open the list of discovered assets by clicking the List button at the right of the corresponding row.
  2. Select the assets to register.
  3. Click Bulk actions > Scan with agentless connections.
  4. Select the Amazon Web Services credentials to use; a connection of type AWS Session Manager is created for each selected asset. This connection type must first be enabled in Administration > Connectors by ticking the AWS Session Manager checkbox.

Notes:

  • The scanned assets must be managed by AWS Systems Manager (SSM): the SSM Agent must be installed and running, and the instance must have an IAM instance profile that allows it to register with SSM, as described in the official documentation. A managed instance appears in the output of aws ssm describe-instance-information; an instance missing from that list cannot be reached through Session Manager.
  • The AWS credentials used must have sufficient privileges to open Session Manager sessions on the target instances (ssm:StartSession at a minimum; see the official documentation).
  • The address and region fields of the agentless connection are pre-filled with the instance ID and the region of the asset taken from the AWS inventory used.
  • It is also possible to add the asset directly without using a discovery by going to Agentless connections > Add and selecting the type AWS Session Manager.
  • Only Windows and Linux assets are supported.

Use AWS roles

To organize access rights across different projects, AWS lets administrators grant IAM roles to service accounts. Cyberwatch can use the AssumeRole operation of the AWS Security Token Service (STS) API to assume in turn each role configured in a discovery and list the assets visible from each role.

The configuration of AWS roles is defined under the section Advanced settings of the discovery.

When this feature is used, Cyberwatch can use a user-defined role session name. The session name is part of the assumed-role ARN (arn:aws:sts::<Account ID>:assumed-role/<Role>/<Session name>) recorded in CloudTrail events, which makes Cyberwatch’s activity in the AWS logs easier to trace.

Automatic enumeration

AWS discoveries can automatically list the accounts of the AWS Organization that the account owning the access key belongs to, and then list the assets visible from each of these accounts. The organizations:ListAccounts operation used for this can only be called from the organization’s management account or from a member account that is a delegated administrator.

To enable this feature, specify the Role for discovered accounts to use. This configuration assumes that your Cyberwatch service account can perform an AssumeRole on the ARN arn:aws:iam::<Account ID>:role/<Specified role> for each of the discovered accounts, i.e. that each account contains a role of that name whose trust policy allows the Cyberwatch principal to assume it. In case of a permission error on a specific account, that account is skipped and the discovery continues with the next one.

If a Master ARN is set, Cyberwatch first assumes that role and uses it, rather than the access key itself, to enumerate the organization’s accounts.

Manual enumeration

If you do not wish to use automatic enumeration, or if it is insufficient (for example for accounts outside the organization), you can manually specify a list of role ARNs in the Extra ARNs field.

When automatic enumeration is also configured, the extra ARNs are used in addition to the automatically enumerated ARNs.
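The following Python, added here as an illustration and not Cyberwatch’s own code, walks through the role-chaining logic of the two sections above: enumerate the organization’s accounts (optionally through a Master ARN), derive one role ARN per account from the configured role name, append the manually specified Extra ARNs, then assume each role with the user-defined session name and list its instances in one region, skipping roles that return a permission error. It runs against an offline stand-in for the STS, Organizations and EC2 APIs so that it executes without credentials; the real calls with boto3 would be organizations.list_accounts(), sts.assume_role(RoleArn=..., RoleSessionName=...) and ec2.describe_instances(). Role name, session name, account IDs and instance IDs are constructed for the example.

```python
# Added example (not Cyberwatch's code): role-chaining discovery across an
# organization, run against a constructed stand-in for the AWS APIs.
# Real boto3 calls: organizations.list_accounts(), sts.assume_role(RoleArn=...,
# RoleSessionName=...), ec2.describe_instances(). All identifiers are made up.
from dataclasses import dataclass, field

ROLE_NAME = "CyberwatchDiscovery"      # hypothetical "Role for discovered accounts"
SESSION_NAME = "cyberwatch-discovery"  # user-defined session name, visible in CloudTrail


class AccessDenied(Exception):
    """Stand-in for botocore's ClientError with error code AccessDenied."""


@dataclass
class FakeAws:
    """Constructed stand-in for STS, Organizations and EC2 (offline)."""
    org_accounts: list                 # what organizations:ListAccounts would return
    assumable: set                     # role ARNs whose trust policy admits our principal
    instances: dict                    # role ARN -> {region: [instance ids]}
    calls: list = field(default_factory=list)   # (role ARN, session name) log

    def list_accounts(self):
        return list(self.org_accounts)

    def assume_role(self, role_arn, session_name):
        self.calls.append((role_arn, session_name))
        if role_arn not in self.assumable:
            raise AccessDenied(role_arn)
        return {"role_arn": role_arn}  # real STS returns temporary credentials

    def describe_instances(self, creds, region):
        return self.instances.get(creds["role_arn"], {}).get(region, [])


def role_arn(account_id, role_name):
    """ARN pattern assumed in every enumerated account."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"invalid AWS account id: {account_id}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def enumerate_role_arns(aws, role_for_accounts=None, extra_arns=(), master_arn=None,
                        session_name=SESSION_NAME):
    """Automatic enumeration (one ARN per organization account) plus the manual
    Extra ARNs, in order and without duplicates."""
    arns = []
    if role_for_accounts:
        if master_arn:
            # Enumeration runs under the Master ARN role when one is configured;
            # failing to assume it is fatal, not skipped.
            aws.assume_role(master_arn, session_name)
        for account_id in aws.list_accounts():
            arns.append(role_arn(account_id, role_for_accounts))
    for arn in extra_arns:
        if arn not in arns:
            arns.append(arn)
    return arns


def discover(aws, arns, region, session_name=SESSION_NAME):
    """Assume each role in turn and list its instances in `region`; a role that
    cannot be assumed (permission error) is recorded and skipped."""
    found, skipped = {}, []
    for arn in arns:
        try:
            creds = aws.assume_role(arn, session_name)
        except AccessDenied:
            skipped.append(arn)
            continue
        found[arn] = aws.describe_instances(creds, region)
    return found, skipped


def sample_aws():
    """Constructed organization: three member accounts, one lacking the role,
    plus one account outside the organization reachable only via Extra ARNs."""
    a1, a2, a3 = "111111111111", "222222222222", "333333333333"
    extra = "arn:aws:iam::444444444444:role/LegacyDiscovery"
    arns = {a: role_arn(a, ROLE_NAME) for a in (a1, a2, a3)}
    aws = FakeAws(
        org_accounts=[a1, a2, a3],
        assumable={arns[a1], arns[a3], extra},
        instances={
            arns[a1]: {"eu-central-1": ["i-0a1b2c3d4e5f60001"]},
            arns[a3]: {"eu-central-1": ["i-0a1b2c3d4e5f60003", "i-0a1b2c3d4e5f60004"],
                       "us-east-1": ["i-0a1b2c3d4e5f60005"]},
        },
    )
    return aws, extra


if __name__ == "__main__":
    aws, extra = sample_aws()
    arns = enumerate_role_arns(aws, ROLE_NAME, extra_arns=[extra])
    found, skipped = discover(aws, arns, "eu-central-1")
    for arn, instance_ids in found.items():
        print(arn, instance_ids)
    print("skipped (permission error):", skipped)
```

Two behaviours are worth noting when reading the result: the account without the role ends up in the skipped list rather than aborting the discovery, exactly as the section on automatic enumeration describes, and every AssumeRole call carries the same session name, which is what makes the resulting CloudTrail entries attributable to the discovery.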