Amazon Web Services (AWS)
  • 28 Jun 2022

The Amazon Web Services (AWS) adapter fetches assets from a broad set of AWS services, including EC2, ECS, EKS, IAM, EBS, ELB, RDS, S3, VPC, Workspaces, Lambda and Route 53.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users


Connecting Axonius to AWS Resources

Connect Axonius to your AWS resources either with an IAM user's Access Key ID and Secret Access Key, or with the IAM role (instance profile) attached to the EC2 instance on which Axonius is installed; both are described under Parameters below. In either case you can additionally supply roles to assume for cross-account access.

If you use the AWS Organizations service to manage your AWS accounts, you can set up a single AWS adapter connection and use it to discover and connect to all member accounts of the organization. Refer to Configuring the AWS Adapter Using Organizations below.

Parameters

  1. Region Names or Get All Regions (optional) - Specify one or more comma-separated region names for specific regions. Alternatively, select the Get All Regions option to connect to all available regions.
  2. AWS Access Key ID (optional) - Provide AWS Access Key ID or choose to use EC2 instance attached IAM role.
  3. AWS Access Key Secret (optional) - Provide AWS Access Key Secret or choose to use EC2 instance attached IAM role.
  4. Account Tag (optional) - Tag for the EC2 instance ("nickname").
  5. Proxy (optional) - HTTPS proxy to use when connecting to the AWS APIs.
    • If supplied, Axonius will utilize the proxy when connecting to the AWS APIs.
    • If not supplied, Axonius will connect directly to the AWS APIs.
  6. Roles to assume (optional) – A file with role ARNs that the AWS adapter will try to assume for cross-account access from the single IAM user. Two formats are available:
    • List of comma-delimited role-ARNs
    arn:aws:iam::111111111111:role/axonius-role, arn:aws:iam::222222222222:role/axonius-role
    
    • JSON format - list of dictionaries that define each role.
      • external_id is only supported in the JSON format
      • The external_id can be different for every role in the list.
    [
        {"arn": "arn:aws:iam::111111111111:role/axonius-role"},
        {"arn": "arn:aws:iam::222222222222:role/axonius-role", "external_id": "MY-SECRET"}
    ]
    
  7. Use instance profile (attached role) (optional) - Select to use the EC2 instance (Axonius installed on) attached IAM role / instance profile instead of using the AWS Access Key ID and AWS Access Key Secret credentials supplied. This does not affect the Roles to assume parameter.
  8. Advanced Configuration File (optional) - Upload an advanced configuration JSON file. For details, see Advanced Configuration File
  9. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Configuration File

The Advanced Configuration File field lets you upload an advanced configuration JSON file. The file can be empty ({}) or can contain any combination of the following key/value pairs in JSON format.

  • If supplied, when connecting to the source, Axonius will consider the configuration in the uploaded file in addition to the values specified in the various fields of the connection for this adapter.
  • If not supplied, when connecting to the source, Axonius will only consider the values specified in the various fields of the connection for this adapter.

Skip Verification

Key/Value Pair

{
    "skip_ec2_verification": true
}

Using the JSON file
By default, the IAM user or roles specified in the connection for this adapter must have at least EC2 permissions, and Axonius verifies this when connecting. If the file contains this key/value pair, Axonius skips the EC2 permissions verification.
As a result, the connection is considered valid as long as the specified connection parameters are correct, even if the specified IAM user or roles do not have EC2 permissions.

Authenticate with MFA

The attached file contains the procedure for obtaining the information needed to set up the MFA portion of the AWS adapter.


Key/Value Pair

{
  "aws_mfa_serial_number": "arn:aws:iam::<account_number>:mfa/<name>",
  "aws_mfa_totp_code": "<totp_code_generator>"
}

Using the JSON file
AWS allows creating IAM policies that require MFA for access to some APIs. If both of these key/value pairs are present, Axonius uses their values to authenticate the user with MFA.

The MFA settings can be configured and viewed on the IAM entity, under the Security credentials tab.

- "aws_mfa_serial_number": "arn:aws:iam::<account_number>:mfa/<name>" - replace <account_number> and <name> with the account ID and the virtual MFA device name. Note the double colon: an IAM ARN has an empty region field.
- "aws_mfa_totp_code": "<totp_code_generator>" - replace with the secret key (TOTP seed) of the virtual MFA device, not with a single one-time code, which would expire after 30 seconds.
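As an added example (not code from Axonius or from this page), the following Python shows what the two MFA values are used for: the seed is turned into the current six-digit code with RFC 6238 TOTP, and that code is passed together with the device ARN as the SerialNumber/TokenCode pair that STS AssumeRole (and GetSessionToken) accept. The session name, the ARN format check and the use of the RFC 6238 test seed are this example's assumptions; the adapter's internal flow is not documented on this page.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from typing import Dict, Optional

# A virtual MFA device ARN has an empty region field, hence the double colon.
# (Assumption: the check below is this example's, not the adapter's.)
MFA_SERIAL_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/\S+$")

# RFC 6238 Appendix B test seed ("12345678901234567890"), base32-encoded the way
# the AWS console shows a virtual MFA secret key. Constructed for the example.
RFC6238_TEST_SEED = base64.b32encode(b"12345678901234567890").decode()


def totp(seed_base32: str, now: Optional[int] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step), as used by AWS virtual MFA devices.

    seed_base32 is the base32 secret shown when the virtual MFA device is created;
    the console prints it in groups of four, so spaces are tolerated here.
    """
    seed = seed_base32.replace(" ", "").upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))   # restore base32 padding
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226 5.4)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def is_valid_mfa_serial(serial_number: str) -> bool:
    """True for arn:aws:iam::<12 digits>:mfa/<name>; False for the single-colon form."""
    return MFA_SERIAL_RE.match(serial_number) is not None


def mfa_assume_role_kwargs(role_arn: str, serial_number: str, seed_base32: str,
                           now: Optional[int] = None,
                           session_name: str = "axonius-adapter") -> Dict[str, str]:
    """Keyword arguments for boto3's sts.assume_role(**kwargs) with an MFA challenge.

    SerialNumber and TokenCode are the real STS parameter names; the session
    name is an assumed value. A malformed serial is rejected here rather than
    by STS at fetch time.
    """
    if not is_valid_mfa_serial(serial_number):
        raise ValueError(f"not a virtual MFA device ARN: {serial_number}")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "SerialNumber": serial_number,
        "TokenCode": totp(seed_base32, now),   # fresh code for the current 30 s window
    }
```

To use it against your own device, replace RFC6238_TEST_SEED with the base32 secret shown when the virtual MFA device was created and feed the returned dictionary to sts.assume_role(**kwargs). The ARN check is the reason the double colon matters: a serial written as arn:aws:iam:<account>:mfa/<name> is rejected before any API call is made.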

Remote Roles to Assume

Key/Value Pair

{
  "remote_roles_to_assume": [
    {
      "service": "S3",
      "bucket_name": "<bucket_name>",
      "key_name": "<path_to_key>",
      "region": "<region_name>"
    }
  ]
}

Using the JSON file
The roles file is read from s3://<bucket_name>/<path_to_key>.
It uses exactly the same conventions as the 'Roles to assume' field in the adapter connection dialog: either a comma-separated string of role ARNs or a JSON list of dictionaries.
Note: You can specify more than one entry in the remote_roles_to_assume section of the advanced configuration.
Note: You cannot populate both remote_roles_to_assume in the advanced configuration and the 'Roles to assume' field in the adapter connection dialog.

Roles for Account Name

Key/Value Pair

{
  "roles_for_account_name": [
    {"role_arn": "arn:aws:iam::111111111111:role/Axonius-Adapter"},
    {"role_arn": "arn:aws:iam::222222222222:role/Axonius-Adapter"}
  ],
  "skip_ec2_verification": true
}

Using the JSON file
Adds the 'Account name' to the AWS Organization data that is populated in every AWS device and user.
Each IAM role in this advanced configuration is used to query one AWS Organization. If there are multiple AWS Organizations, add one role_arn entry per organization, as in the example above (a single JSON object cannot hold two role_arn keys).

Note:
  • It is highly recommended that skip_ec2_verification is set to true: per AWS best practices, only IAM resources should be present in the organization's management (root) account, and that is the account queried to fetch the organization account names.
  • This feature requires the organizations:ListAccounts IAM permission for the roles that will be assumed.

Fetch Roles from Organization

Key/Value Pair

{
  "fetch_roles_from_organization": {
    "organization_role_for_discovery": "arn:aws:iam::111111111111:role/Axonius-Adapter",
    "role_name": "<role_name>",
    "role_path": "",
    "external_id": "",
    "region": "<region_name>"
  },
  "skip_ec2_verification": true
}

Using the JSON file
This feature lets you set a role in the advanced configuration that allows Axonius to discover all member accounts in an AWS Organization. Axonius then assumes a role in each of these member accounts to perform asset discovery, using a single adapter connection.
The adapter queries the AWS Organizations API to find all member accounts.
Note that the role named by role_name must exist under the same name in every member account; otherwise Axonius will not have access to that member account.
role_path is optional. region is optional; if it is not set, the default value is us-east-1.
Note: It is recommended that skip_ec2_verification is set to true when the user or role configured in the adapter connection has no IAM rights other than sts:AssumeRole. If the credentials used for the connection have no EC2 rights in the root account, this must be set in the advanced configuration; if it is not set and the rights to query EC2 are not granted, the adapter fails completely.
Note: This feature requires the following IAM permissions for the role(s) that will be assumed:

  • organizations:ListAccounts
  • sts:AssumeRole

Tag Allow/Block List for Fetching Devices

Key/Value Pair

{
  "tags_to_match": {
    "tags": [
      {
        "Key": "First Key",
        "Value": "First Value"
      },
      {
        "Key": "Second Key",
        "Value": "Second Value"
      }
    ],
    "include_device": true
  }
}

Using the JSON file

Use this configuration to set an allow list or a block list of AWS tags. Add a list of tags to an adapter connection, and Axonius will either fetch ONLY devices that have one or more of the tags, or NOT fetch devices that have any of the tags.
Set the parameters as follows:

  • tags_to_match - the name of the advanced configuration file section for this feature.
  • tags - a list of dictionaries, each with the tag Key and Value to search for.
  • include_device - set to true to include only those EC2 devices that match one or more tags from the tags section; set to false to exclude EC2 devices that match one or more of the tags from the tags section.
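To make the include_device semantics concrete, here is an added Python example (not Axonius code) that applies a tags_to_match section to instances in the shape returned by EC2 DescribeInstances. The sample instances are constructed for the example, and the exact-match rule (key and value must both match, case-sensitively) is this example's assumption about how the adapter compares tags.

```python
from typing import Dict, List

# The advanced-configuration fragment from the page; include_device toggles
# allow-list (true) versus block-list (false) behaviour.
TAGS_TO_MATCH = {
    "tags_to_match": {
        "tags": [
            {"Key": "First Key", "Value": "First Value"},
            {"Key": "Second Key", "Value": "Second Value"},
        ],
        "include_device": True,
    }
}

# Constructed sample in the shape of ec2 describe_instances output (only the
# fields this example needs). Instance IDs and tags are made up.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "First Key", "Value": "First Value"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Second Key", "Value": "Other Value"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Second Key", "Value": "Second Value"},
                                      {"Key": "Name", "Value": "web"}]},
    {"InstanceId": "i-0ddd"},   # untagged instance: no "Tags" key at all
]


def matches_any_tag(instance: Dict, wanted: List[Dict[str, str]]) -> bool:
    """True if the instance carries at least one (Key, Value) pair from `wanted`.

    Both key and value must match exactly (assumption of this example); EC2 tag
    keys and values are case-sensitive, so "first key" would not match "First Key".
    """
    have = {(t["Key"], t["Value"]) for t in instance.get("Tags", [])}
    return any((w["Key"], w["Value"]) in have for w in wanted)


def apply_tags_to_match(instances: List[Dict], config: Dict) -> List[str]:
    """Return the InstanceIds that survive the tags_to_match filter.

    include_device=True  -> keep only instances matching one or more listed tags
    include_device=False -> drop instances matching one or more listed tags
    An untagged instance never matches, so it is dropped in allow mode and
    kept in block mode; that is the edge case to remember when block-listing.
    """
    section = config["tags_to_match"]
    wanted, include = section["tags"], bool(section["include_device"])
    return [i["InstanceId"] for i in instances if matches_any_tag(i, wanted) == include]
```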

Configuring the AWS Adapter Using Organizations

In large AWS deployments, it becomes difficult to maintain the list of accounts and roles (or individual adapter connections) that are needed by Axonius in order to be able to connect to those accounts and enumerate the AWS resources in those accounts. If you are using the AWS Organizations service to manage your AWS accounts, then there is an easier way to configure Axonius.

You can use AWS Organizations to set up a single AWS adapter connection and then use that connection to discover and connect to all of the AWS Organization member accounts.
To read more about AWS Organizations see here

Requirements for Configuring the AWS Adapter Using Organizations

In order for this feature to work correctly, the following criteria must be met:

  • A role must be configured on the AWS adapter connection that has the following two IAM permissions (no other permissions are needed):

    sts:AssumeRole

    organizations:ListAccounts

  • This role can be inherited through an AWS Access Key ID and Secret Access Key keypair or through an EC2 instance attached role. The configuration for each of these scenarios will be discussed in this section.

  • This role must be granted the permissions to assume a secondary role in each of the member accounts. This secondary role must contain the permissions of a normal AWS adapter for discovery in the member account.

  • The roles that the original role will inherit in each of the member accounts must be named the same across all member accounts and must be in the same path across all member accounts. If an external ID is used for authentication, that external ID must be the same across all member accounts.

Configuration for the AWS Adapter Using Organizations

This section of the document describes how to configure the AWS adapter to query an AWS organization for all member accounts, then inherit a role in those accounts to use for discovery.

There are two ways to configure the AWS adapter connection to simplify the setup in large AWS deployments: you can configure an AWS Access Key ID and Secret Access Key, or configure an EC2 instance attached role. Both methods allow Organization member account discovery and role assumption.

Access Key and Secret Key

In this scenario, you configure an IAM user with an AWS Access Key ID and Secret Key that has the ability to assume a role that will perform the discovery and subsequently assume roles in each organization member account.

In the AWS adapter, create a new connection and configure it as follows (optional fields not needed for this scenario are not discussed here):

  • Add a region name or select the 'Get All Regions' checkbox.
  • Enter the Access Key ID.
  • Enter the Secret Access Key.
  • Create a roles to assume file, according to the instructions under Parameters above. The role referenced in this file must have the permissions described below in 'Sample IAM Policy' and must have the appropriate trust relationship in the organization root account and in all member accounts.

The roles to assume file should look similar to the following example, where '111111111111' is the account number of the organization root account and 'Axonius-Adapter' is the name of the role to assume in the root account, which holds the permissions enumerated in 'Sample IAM Policy' below:

Roles to Assume Example

[
  {"arn": "arn:aws:iam::111111111111:role/Axonius-Adapter"}
]

Create an advanced configuration file (as described here) with skip_ec2_verification set to true.

The following JSON-format advanced configuration file should be used if you are employing an AWS Access Key ID and Secret Key to query the organization and assume roles in the organization.

Advanced Configuration File Example 1

{
  "skip_ec2_verification": true
}

Save the connection.

You're ready to discover AWS resources.

EC2 Instance Attached Role

Here, you will configure the AWS adapter connection to use an EC2 instance attached role. This does not require the use of an AWS Access Key ID / Secret Key keypair.

  • Add a region name or select the 'Get All Regions' checkbox.
  • Check the 'Use instance profile (attached role)' checkbox.
  • Create an advanced configuration file, similar to the sample below.

Advanced Configuration File Example 2

This JSON-format advanced configuration file is an example of a typical configuration for AWS Organization discovery.

{
  "fetch_roles_from_organization": {
    "organization_role_for_discovery": "arn:aws:iam::111111111111:role/Axonius-Adapter",
    "role_name": "Axonius-Adapter",
    "role_path": "",
    "external_id": "",
    "region": "us-east-1"
  },
  "skip_ec2_verification": true
}

  • Save the connection.

You're ready to discover AWS resources.

Advanced Configuration Fields

This section describes each of the fields in the advanced configuration.

Role for Organization Discovery

The configuration assumes the initial role defined at organization_role_for_discovery. This role is used to query the root organization account for a list of all organization member account numbers. The 111111111111 account number should be replaced with the account number of the root organization account.

Common Role Name

The role_name is the name of the role that must be present in all member accounts and the role that will be used for the normal device and user discovery by Axonius. This role should have all of the normal permissions for the adapter.

Role Path

If your IAM strategy uses special paths for IAM roles, that path should be entered here. In most AWS deployments, this field will be left empty.

External ID

If you use an external ID as an additional authentication factor during role inheritance, enter that external ID here between the double quotes. This external ID must be the same in all member accounts.

Region

This field sets the region used for the initial connection to the AWS APIs. It can be left empty, in which case us-east-1 is used for the initial connection. In most cases you can leave it empty.

Skip EC2 Verification

If the role used in the organization root account has no EC2 permissions (the expected state when that account holds only IAM resources), you must set skip_ec2_verification to true; otherwise the EC2 permissions verification fails and the adapter fails.

Sample IAM Policy

This sample policy can be used to enable the permissions required for this feature.

{
    "Statement": [
        {
            "Action": [
                "organizations:ListAccounts"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "OrganizationAccountDiscovery"
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/Axonius-Adapter",
            "Sid": "AssumeRoleInAllMemberAccounts"
        }
    ],
    "Version": "2012-10-17"
}
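As an added example (not Axonius code), the following Python models the pieces this flow depends on: building the common role's ARN in each member account from role_name and role_path, sending ExternalId only when one is configured, and the trust policy each member-account role needs so that the discovery role can assume it. The ListAccounts response, the /security/ path, the MY-SECRET external ID and the session name are constructed for the example; the page's own example uses an empty path and external ID.

```python
import re
from typing import Dict, List

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Advanced configuration as in "Advanced Configuration File Example 2" above, with
# a non-default path and an external ID filled in to exercise those two fields
# (both values are assumptions for this example).
CONFIG = {
    "fetch_roles_from_organization": {
        "organization_role_for_discovery": "arn:aws:iam::111111111111:role/Axonius-Adapter",
        "role_name": "Axonius-Adapter",
        "role_path": "/security/",
        "external_id": "MY-SECRET",
        "region": "us-east-1",
    },
    "skip_ec2_verification": True,
}

# Constructed stand-in for one page of organizations:ListAccounts; IDs are made up.
LIST_ACCOUNTS = {
    "Accounts": [
        {"Id": "111111111111", "Name": "management", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "old-sandbox", "Status": "SUSPENDED"},
    ]
}


def normalize_role_path(role_path: str) -> str:
    """IAM paths always start and end with '/'; '' means the default path '/'."""
    p = role_path.strip()
    return "/" if p in ("", "/") else "/" + p.strip("/") + "/"


def member_role_arn(account_id: str, role_name: str, role_path: str = "") -> str:
    """ARN of the common role in one member account,
    e.g. arn:aws:iam::222222222222:role/security/Axonius-Adapter."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit account id: {account_id}")
    return f"arn:aws:iam::{account_id}:role{normalize_role_path(role_path)}{role_name}"


def assume_role_kwargs(role_arn: str, external_id: str = "",
                       session_name: str = "axonius-adapter") -> Dict[str, str]:
    """Keyword arguments for boto3's sts.assume_role(**kwargs).

    STS rejects an empty ExternalId, so the key is only sent when one is
    configured (this mirrors the empty "external_id" in the page's example).
    The session name is an assumed value.
    """
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id:
        kwargs["ExternalId"] = external_id
    return kwargs


def member_role_trust_policy(discovery_role_arn: str, external_id: str = "") -> Dict:
    """Trust policy the common role needs in EVERY member account so the discovery
    role can assume it. The page requires this relationship but does not print
    it; this document is the example's construction of the standard form."""
    statement = {"Effect": "Allow", "Principal": {"AWS": discovery_role_arn},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def plan_member_assumptions(config: Dict, list_accounts_response: Dict) -> List[Dict[str, str]]:
    """One assume_role call per ACTIVE account (management account included, since
    the common role must exist there too). Suspended accounts are skipped because
    the assume would fail; skipping them is this example's choice."""
    cfg = config["fetch_roles_from_organization"]
    return [
        assume_role_kwargs(member_role_arn(a["Id"], cfg["role_name"], cfg.get("role_path", "")),
                           cfg.get("external_id", ""))
        for a in list_accounts_response["Accounts"]
        if a["Status"] == "ACTIVE"
    ]
```

Note the interaction with the sample policy above: its Resource is arn:aws:iam::*:role/Axonius-Adapter, so if you do use a role_path the Resource must include that path (arn:aws:iam::*:role/security/Axonius-Adapter in this example), or every AssumeRole into the member accounts will be denied.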

Follow this guide to configure AWS Organizations



Advanced Settings


The Amazon Web Services (AWS) adapter has unique advanced settings that configure the correlation logic for AWS cloud servers (devices) and the information Axonius fetches for each of them. Some of these settings require specific permissions. You can learn more about required permissions here.

Note:

From Version 4.6, advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection; refer to Advanced Configuration for Adapters.

  1. Correlate ECS containers with their EC2 Instance - Select whether to correlate ECS containers with the EC2 host they are running on.

    • If enabled, this adapter correlates ECS containers with the EC2 host they are running on.
    • If disabled, this adapter will not correlate ECS containers with the EC2 host they are running on. Such ECS and EC2 resources will be created in Axonius as two different devices.
  2. Correlate EKS containers with their EC2 Instance - Select whether to correlate EKS containers with the EC2 host they are running on.

    • If enabled, this adapter correlates EKS containers with the EC2 host they are running on.
    • If disabled, this adapter does not correlate EKS containers with the EC2 host they are running on. Such EKS and EC2 resources will be created in Axonius as two different devices.
  3. Fetch ECR Images as devices - Select to fetch AWS ECR (Elastic Container Registry) public and private images as devices.

  4. Correlate ECR hosted images with compatible containers - Select to add more information to existing AWS ECS/EKS assets.

  5. Associate role policies to users and roles - Select this option to fetch additional information from IAM Access Advisor, so that you can search for all services that a user or role has access to but has not used within a certain number of days. This can be used to build a least-privilege IAM policy.
    • If enabled, this adapter fetches the additional information from the AWS IAM service.
    • If disabled, this adapter does not fetch the additional information from the AWS IAM service.
    To activate this capability and fetch this information, you also need to select the following options in the AWS adapter Advanced Settings:

    • Fetch information about IAM Users
    • Fetch IAM roles as users
    • Parse IAM policies
    • Fetch IAM Users' and Roles' AWS Services
    Note: This feature only presents data from the second discovery cycle after you enable it.
  1. Fetch information about EC2 attached roles - Select whether to fetch information about each EC2 instance's attached role.
    • If enabled, all connections for this adapter will fetch information about each EC2 attached role from AWS.
    • If disabled, all connections for this adapter will not fetch any information about EC2 attached roles from AWS.
  2. Fetch FSx metadata as devices - Select to fetch Amazon FSx metadata as devices.
Note:

The API for FSx metadata requires the fsx:DescribeFileSystems permission and arn:aws:fsx:region:account-id:file-system resource.

  1. Fetch information about ELB (Elastic Load Balancers) - Select whether to fetch information about all available load balancers and add that information to relevant EC2 instances.

    • If enabled, all connections for this adapter will fetch information about all available load balancers and add that information to relevant EC2 instances. Each ELB will be represented then as a separate device.
    • If disabled, all connections for this adapter will not fetch any information about all load balancers.
  2. Fetch IAM groups as users - Select this option to fetch IAM groups and create a user for each IAM group fetched

  3. Fetch policies as users - Select this option to fetch polices and create a user for each policy fetched.

  4. Fetch information about SSM (System Manager) - Select whether to fetch additional information from AWS SSM for each host.

    • If enabled, all connections for this adapter will fetch additional information from AWS SSM for each host.
    • If disabled, all connections for this adapter will not fetch any information about AWS SSM.
  5. Fetch information about NAT Gateways - Select whether to fetch NAT gateways as devices assets.

    • If enabled, all connections for this adapter will fetch all available NAT gateways data from AWS.
    • If disabled, all connections for this adapter will not fetch any NAT gateways data from AWS.
  6. Fetch internet gateways as devices - Select whether to fetch internet gateways as devices assets.

    • If enabled, all connections for this adapter will fetch all available internet gateways data from AWS. Each internet gateway will be added as a unique device.
    • If disabled, all connections for this adapter will not fetch any internet gateways data from AWS.
  7. Fetch route tables as devices - Select whether to fetch route tables as device assets.

    • If enabled, all connections for this adapter will fetch all available route table data from AWS. Each route table will be added as a unique device.
    • If disabled, all connections for this adapter will not fetch any route table data from AWS.
  8. Add route tables to devices - Select whether to fetch information about route tables and add it to the appropriate devices.

    • If enabled, all connections for this adapter will fetch all route table data from AWS for the following services:
      • EC2
      • ELB
      • IGW
      • NAT
      • RDS
      • Workspaces
      • ECS - only if Correlate ECS Containers with their EC2 Instance checkbox is enabled.
      • EKS - only if Correlate EKS Containers with their EC2 Instance checkbox is enabled.
    • If disabled, all connections for this adapter will not fetch any route table data from AWS.
  9. Fetch information about Elasticsearch - Select whether to fetch information on the existing Elasticsearch instances.

    • If enabled, all connections for this adapter will fetch all existing Elasticsearch instance data from AWS.
    • If disabled, all connections for this adapter will not fetch any Elasticsearch instance data from AWS.
  10. Fetch ELB IP using current DNS - Select whether to resolve the IP address of each ELB using the current DNS server.

    • If enabled, all connections for this adapter will resolve the IP address of each ELB using the current DNS server.
    • If disabled, all connections for this adapter will not resolve the IP address of each ELB.
      Note:

      This setting will only take effect if the Fetch information about ELB (Elastic Load Balancers) option is selected.

  11. Fetch information about RDS (Relational Database Service) - Select whether to fetch the information on the existing Amazon RDS instances.

    • If enabled, all connections for this adapter will fetch all existing Amazon RDS instance data from AWS.
    • If disabled, all connections for this adapter will not fetch any Amazon RDS instance data from AWS.
  12. Fetch information about DynamoDB (NoSQL Database Service) - Select whether to fetch the information on AWS DynamoDB.

    • If enabled, all connections for this adapter will fetch information on DynamoDB from AWS.
    • If disabled, all connections for this adapter will not fetch information on DynamoDB from AWS.
  13. Fetch information about S3 - Select whether to fetch information about Amazon S3 buckets, such as their ACL's, locations and their public status.

    • If enabled, all connections for this adapter will fetch information about Amazon S3 buckets data from AWS.
    • If disabled, all connections for this adapter will not fetch any Amazon S3 buckets data from AWS.
    • When using Cloud Asset Compliance, this setting is required to view Affected Devices of type S3 buckets.
  14. Fetch information about IAM Users - Select whether to fetch information about IAM users, attached groups, attached policies and access keys.

    • If enabled, all connections for this adapter will fetch information about IAM users, attached groups, attached policies and access keys.
    • If disabled, all connections for this adapter will not fetch any information about IAM users from AWS.
    • When using the Cloud Asset Compliance, this setting is required to view Affected Devices of the type IAM Users.
  15. Fetch IAM roles as users - Select whether to add IAM roles as user assets.

    • If enabled, all connections for this adapter will fetch IAM roles from AWS. Each IAM role will be added as a unique user.
    • If disabled, all connections for this adapter will not fetch IAM roles from AWS.
  16. Fetch VPCs as devices - Select whether to add VPCs as device assets.

    • If enabled, all connections for this adapter will fetch VPCs from AWS. Each VPC will be added as a unique device.
    • If disabled, all connections for this adapter will not fetch VPCs from AWS.
  17. Parse IAM policies - Select whether to fetch information about the privileges that are granted to each AWS IAM user by group, inline and attached IAM policies.

    • If enabled, all connections for this adapter will query each AWS IAM user to determine the privileges that are granted to it by group, inline and attached IAM policies.
    • If disabled, all connections for this adapter will not fetch information about the privileges that are granted to each AWS IAM user.
  18. Fetch IAM Users' and Roles' AWS Services - Select whether to fetch the AWS Services accessed by an IAM User or IAM Role.

    • If enabled, all connections for this adapter will fetch the AWS Services accessed by an IAM User or Role.
    • If disabled, all connections for this adapter will not fetch the AWS Services accessed by an IAM User or Role.
  19. Fetch information about Workspaces - Select whether to fetch information about Amazon Workspaces.

    • If enabled, all connections for this adapter will fetch Amazon Workspaces data from AWS.
    • If disabled, all connections for this adapter will not fetch any Amazon Workspaces data from AWS.
  20. Fetch information about Lambdas - Select whether to fetch information on AWS Lambdas.

    • If enabled, all connections for this adapter will fetch AWS Lambdas data from AWS.
    • If disabled, all connections for this adapter will not fetch any AWS Lambdas data from AWS.
  21. Fetch information about Route 53 - Select whether to fetch information on Amazon Route 53 DNS records.

    • If enabled, all connections for this adapter will fetch Amazon Route 53 DNS records from AWS.
    • If disabled, all connections for this adapter will not fetch any Amazon Route 53 DNS records from AWS.
  22. Fetch information about Cloudfront - Select whether to fetch information on Cloudfront.

    • If enabled, all connections for this adapter will fetch Cloudfront information from AWS.
    • If disabled, all connections for this adapter will not fetch Cloudfront information from AWS.
  23. Add WAF to devices - Select whether to enrich devices with WAF information (WebACLs from WAF versions 1 and 2, for regional and CloudFront devices).

    • If enabled, all connections for this adapter will enrich relevant devices with WAF information.
    • If disabled, all connections for this adapter will not enrich devices with WAF information.
  24. Fetch Organizations as devices - Select whether to add Organizations data as devices assets.

    • If enabled, all connections for this adapter will fetch Organizations data from AWS. Each Organization will be added as a unique device.
    • If disabled, all connections for this adapter will not fetch Organizations data from AWS.
  25. Fetch information about API Gateway - Select whether to fetch AWS API Gateways and their related data.

    • If enabled, all connections for this adapter will fetch AWS API Gateways and their related data.
    • If disabled, all connections for this adapter will not fetch AWS API Gateways and their related data.
  1. Fetch Inspector Findings (required, default: Do not fetch) - Select which AWS Inspector findings to fetch. This gets security findings about EC2 instances directly from AWS Inspector. The default setting is 'Do not fetch'. The following options are available:

    • Severity High/Medium/Low - last 30 days
    • Severity High/Medium/Low/Informational - last 30 days
    • Severity High/Medium/Low - last 7 days
    • Severity High/Medium/Low/Informational - last 7 days
  2. Show verbose notifications about connection failures - Select whether to create a system notification with all failed AWS connections on each discovery cycle.

    • If enabled, all connections for this adapter will create a system notification with all failed AWS connections on each discovery cycle.
    • If disabled, all connections for this adapter will not create a system notification with all failed AWS connections on each discovery cycle.
  3. Shodan API key for more IP info (optional) – Specify an API key which will be used to query information about public IP addresses.

  4. Verify all IAM roles (required, default: true) - Select whether to verify all IAM roles.

    • If enabled, all connections for this adapter will verify all IAM roles. If any one of the IAM roles is not valid, the adapter connection will fail.
    • If disabled, all connections for this adapter will not verify all IAM roles. The adapter connection will fail only if none of the IAM roles is valid.
  5. Verify primary account permissions (required, default: true) - Whether or not the primary account permissions should be used when the adapter connections fetch data from AWS.

    • If enabled, all connections for this adapter will use the primary account permissions to fetch data from AWS. If the primary account permissions are insufficient, the adapter connections will fail to fetch the data.
    • If disabled, all connections for this adapter will only use the primary account to assume the roles attached to it, and the adapter connections will use those role permissions to fetch data from AWS. This setting should be disabled only if you want to use the primary account assumed roles permissions instead of the primary account permissions when fetching assets from AWS.
  6. Do not fetch EC2 machines that are turned off - Whether or not to fetch EC2 devices whose power state is turned off.

    • If enabled, all connections for this adapter will only fetch EC2 devices whose power state is turned on.
    • If disabled, all connections for this adapter will fetch all EC2 devices, regardless of their power state.
  7. Number of accounts to fetch in parallel (required, default: 5) - For all connections for this adapter, specify the number of AWS accounts Axonius will fetch data from in parallel.

  8. Parallel workers amount in users fetch (required, default: 5) - Specify the number of distributed workers (processes) to fetch data during the users fetch phase.

  9. Advanced Modes - Implemented in specific cases as instructed by Axonius team.

  10. List of tags to parse as fields (optional) - Specify a comma-separated list of tag keys to be parsed as devices fields. Each tag is a key-value pair that is part of the Adapter Tags complex field.

    • If supplied, all connections for this adapter will parse any of the listed tags that are associated with the fetched device as:
      • Values of the Adapter Tags field.
      • Designated field with the name of the tag key and the value of the tag value.
    • If not supplied, all connections for this adapter will only parse all tags as values of the Adapter Tags field.
  11. Perform distributed data processing - Select to fetch and process data-intensive parts in parallel, using distribution. This option accelerates the processing stages during the fetch.

  12. Number of workers for distributed data processing (optional, default: 2) - Specify the number of workers (independent processes that run in parallel) that process data.

  13. EC2 Host Name Population (optional, default: 'Public DNS or Private DNS') - Select the EC2 hostname population. Options are:

    • Public DNS or Private DNS
    • Public DNS
    • Private DNS
    • Disable - No EC2 hostnames are populated
Note:

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.

Connecting the Amazon Web Services (AWS) Adapter

To connect this adapter, you will first need to create an IAM user:

Creating an IAM User

  1. Open your AWS Dashboard and go to the IAM service.

  2. Go to the Policies tab and click Create policy. You need to create a policy that grants read-only access to specific AWS Resources.

  3. Click JSON and copy-paste the following JSON, which provides Axonius read-only access to the EC2, ECS, EKS, IAM, SSM, RDS, S3, Workspaces and Lambda services.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "iam:GenerateCredentialReport",
                "ecs:Describe*",
                "eks:Describe*",
                "eks:List*",
                "ecs:List*",
                "ec2:Get*",
                "es:List*",
                "elasticloadbalancing:Describe*",
                "ssm:Get*",
                "ssm:List*",
                "ssm:Describe*",
                "rds:List*",
                "rds:Describe*",
                "s3:List*",
                "s3:Get*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudtrail:Describe*",
                "cloudfront:List*",
                "cloudfront:Get*",
                "Workspaces:Describe*",
                "Workspaces:List*",
                "Lambda:Get*",
                "Lambda:List*",
                "apigateway:Get*",
                "route53:Get*",
                "route53:List*",
                "organizations:Describe*",
                "organizations:List*",
                "waf:GetWebACL",
                "waf:ListWebACLs",
                "waf-regional:GetWebACL",
                "waf-regional:GetWebACLForResource",
                "waf-regional:ListWebACLs",
                "wafv2:GetWebACL*",
                "wafv2:GetWebACLForResource",
                "wafv2:ListWebACLs",
                "acm:DescribeCertificate",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "dynamodb:ListGlobalTables",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeGlobalTableSettings",
                "inspector:List*",
                "inspector:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

Note:

When using Cloud Asset Compliance, the AWS Policy needs additional permissions.

  4. Click Review policy and fill in the details. Then click Create policy.

  5. Select Users > Add User > Programmatic access to allow Axonius to use the AWS API, and proceed to the Permissions dialog.

  6. In the Permissions dialog, click Attach existing policies directly, then attach the policy you just created.

  7. Click Create User. The Access Key ID and Secret Access Key are displayed. Save both of them in a secure location (they will not appear again) for the adapter configuration.

  8. At this point, you can enter the credentials in Axonius. Fill in all required fields in the adapter configuration and click Save. The AWS adapter is configured.

  9. If you want to use AWS EKS or AWS Roles, the configuration requires additional steps. Proceed to the next section to add permissions to your IAM User.

EKS Configuration

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator. Initially, only that IAM entity can make calls to the Kubernetes API server using kubectl. You therefore need to add your new IAM user to the cluster's authentication configuration to give it read-only permissions.

First, you need the ARN of the user you just created. In the IAM Service, click "Users", select the new user and copy its User ARN.

  1. You need to use kubectl, the Kubernetes command-line interface, to add a read-only group and map the AWS user to it. For each cluster you want Axonius to connect to, do the following steps.

     As a logged-in admin, create a ClusterRoleBinding that maps the "view" ClusterRole to the group "axonius-readonly":

     kubectl create clusterrolebinding axonius-view-cbr --clusterrole=view --group=axonius-readonly

  2. Then, edit the Kubernetes AWS auth configuration and add a new user mapping. If you don't have the mapUsers block already, create it.
     Open the editor to edit the configuration:

     kubectl edit -n kube-system configmap/aws-auth

     Then append the new user mapping, replacing the 'userarn' value with the ARN you copied before:

     mapUsers: |
       - userarn: arn:aws:iam::405799742499:user/Axonius-Readonly
         username: axonius-readonly
         groups:
           - axonius-readonly

     The first part of the most basic configuration file should look similar to the mapping above.

  3. Save the file.
  4. You should see a message indicating your edit was successful.

Your IAM account can now authenticate against the Kubernetes cluster.

AWS Roles configuration

Axonius supports IAM Roles in the AWS adapter alongside the current IAM User for cross-account access, meaning that the AWS adapter can assume specified roles to allow fetching devices from other AWS accounts. To do this, you have to create a role in the desired additional AWS account(s), and allow the IAM User which is being used in the adapter to assume this role. In each of your additional accounts:

  1. Go to IAM and create the same policy created at steps 1-4 of "Creating an IAM User".
  2. Go to IAM -> Roles and create a new role. Choose "Another AWS Account". Fill in your primary account ID (the one in which the primary IAM user resides) and leave the other 2 options unchecked.

  3. Click "Next" and select the read-only policy.

  4. Click "Next" and fill in the details to create the role.

  5. Now select the role you just created. Change the maximum session duration to 4 hours and click "Save changes".

  6. Go to "Trust relationships" and click "Edit trust relationship". Edit this trust relationship so that only your specific IAM user can assume the role: change the 'AWS' parameter in the policy document to the ARN of the IAM user you created at the beginning of the guide. If you don't know it, log in to your primary account, go to IAM -> Users and click the IAM user to get its ARN.

  7. Save the policy and keep the role ARN.

  8. Do this for every additional account you want the AWS Adapter to connect to. After you are done, go back to your main account (the one with the IAM User you created). Go to IAM -> Policies to create a policy which allows your IAM User to assume the roles you created. Click "Create Policy" and switch to the JSON tab.

  9. Paste the following JSON Policy and append your Role ARNs. In this example, we have 2 roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::405799742499:role/Axonius-Readonly-Role",
                "arn:aws:iam::405799742498:role/AxoniusDevRole"
            ]
        }
    ]
}

  10. Click Next and give this policy a name, then create it.

  11. Navigate to IAM > Users, select the user you created for Axonius and click Add permissions. Attach the policy you created to allow this user to assume the roles.

  12. At this stage you can use Axonius to assume the roles you created. To assume these roles, create a file that contains all role ARNs and use it in the Adapter Settings screen. Two available formats:
    • List of comma-delimited role-ARNs
      arn:aws:iam::405799742499:role/AxoniusDevRole, arn:aws:iam::405799742498:role/Axonius-Readonly-Role

    • JSON format - list of dictionaries that define each role.
      • external_id is only supported in the JSON format.
      • The external_id can be different for every role in the list.
      [
          {"arn": "arn:aws:iam::405799742499:role/AxoniusDevRole"},
          {"arn": "arn:aws:iam::405799742498:role/Axonius-Readonly-Role", "external_id": "MY-SECRET"}
      ]

Make sure to replace the account IDs in our examples (405799742499/405799742498) with your own.
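As an added example (not part of the Axonius documentation or product), the following Python parses a "Roles to assume" file in either of the two formats above, validates each role ARN, and builds the parameters for an STS AssumeRole call, sending external_id only for the roles that carry one and capping the session at the 4-hour maximum the guide configures. The sample inputs reuse the ARNs from the examples above; the boto3 call itself is left as a comment so the block runs offline.

```python
import json
import re

# Shape of an IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path and name>.
# Used to reject typos before any STS call is attempted.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")

# Maximum session duration the guide tells you to configure on each role (4 hours).
ROLE_MAX_SESSION_SECONDS = 4 * 60 * 60


def is_valid_role_arn(arn):
    """True if `arn` has the shape of an IAM role ARN."""
    return ROLE_ARN_RE.match(arn) is not None


def parse_roles_file(text):
    """Parse the 'Roles to assume' file in either of the two supported formats.

    Comma-delimited format: role ARNs separated by commas (no external_id possible).
    JSON format: a list of objects with "arn" and an optional "external_id".
    Returns a list of (role_arn, external_id) tuples; external_id is None when absent.
    """
    stripped = text.strip()
    if stripped.startswith("["):
        entries = json.loads(stripped)
        roles = [(entry["arn"].strip(), entry.get("external_id")) for entry in entries]
    else:
        roles = [(part.strip(), None) for part in stripped.split(",") if part.strip()]
    bad = [arn for arn, _ in roles if not is_valid_role_arn(arn)]
    if bad:
        raise ValueError(f"not IAM role ARNs: {bad}")
    return roles


def assume_role_params(role_arn, external_id=None, session_name="axonius-adapter"):
    """Build the keyword arguments for boto3's sts.assume_role for one role.

    ExternalId is included only when the file supplied one, so a role whose trust
    policy requires it receives it and the other roles are called unchanged.
    DurationSeconds must not exceed the role's configured maximum session
    duration, which the guide sets to 4 hours.
    """
    params = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": ROLE_MAX_SESSION_SECONDS,
    }
    if external_id:
        params["ExternalId"] = external_id
    return params


# Constructed inputs mirroring the two formats shown in the guide.
COMMA_DELIMITED_EXAMPLE = (
    "arn:aws:iam::405799742499:role/AxoniusDevRole, "
    "arn:aws:iam::405799742498:role/Axonius-Readonly-Role"
)
JSON_EXAMPLE = """
[
    {"arn": "arn:aws:iam::405799742499:role/AxoniusDevRole"},
    {"arn": "arn:aws:iam::405799742498:role/Axonius-Readonly-Role", "external_id": "MY-SECRET"}
]
"""

if __name__ == "__main__":
    for source in (COMMA_DELIMITED_EXAMPLE, JSON_EXAMPLE):
        for role_arn, external_id in parse_roles_file(source):
            # With boto3 this would be: boto3.client("sts").assume_role(**params)
            print(json.dumps(assume_role_params(role_arn, external_id)))
```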

Configuring an S3 Bucket to use with Axonius

To save files on AWS S3 buckets you must first create an S3 bucket. This section outlines the basic steps to configure an AWS S3 bucket for use by the Axonius system for backups, data synchronization and Enforcement Center (EC) action support. It is not intended as an exhaustive process for configuring the bucket or for setting security controls on it. Refer to the AWS Buckets overview for more extensive information.

Creating a Bucket in S3

  1. Login to the AWS Console.


  2. Open the AWS Management Console and go to the S3 service.

  3. Click Create Bucket.

  4. Supply a name for the bucket. Note that S3 bucket names must be unique across AWS.

  5. Select the appropriate AWS Region.


  6. Configure the appropriate settings in the Bucket Creation page.


  7. Click Create Bucket to complete the bucket creation process.

  8. Gather the S3 bucket ARN:
    a. Locate the bucket you just created in the S3 Bucket Listing page.
    b. Click the bucket.
    c. Click the Properties tab.
    d. Copy the S3 bucket Amazon resource name (ARN) for use later in this process.


  9. Continue the setup in the IAM section.

Setting the IAM Policy for the S3 Bucket

There are two flows in this process. The flow to use will be determined by the presence or absence of an existing Axonius IAM policy. If no IAM policy exists in AWS to support Axonius, follow the instructions in 'No Existing IAM Policy.' In most cases, an IAM policy will already exist to support the system's operation. If this is the case, follow the instructions in 'IAM Policy Exists'.

No Existing IAM Policy

  • At the top of the AWS S3 Administration page, type IAM (or choose IAM from the Services dropdown menu) to go to the IAM administration page.
  • Click on the link for Policies on the left side of the window.
  • Click Create policy at the top of the page to create a dedicated Axonius Adapter policy.
  • On the Create Policy page, do the following:
    a. Click the JSON tab.
    b. Copy and paste the policy presented below into the window that opens.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:CreateBucket",
            "s3:GetObject",
            "s3:HeadBucket",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": "[Enter_S3_Bucket_ARN_Here]",
          "Sid": "AxoniusS3BucketAccess"
        }
      ]
    }
    c. In the policy, locate the "Resource" element.
    d. Replace "[Enter_S3_Bucket_ARN_Here]" with the S3 bucket ARN you captured in the S3 section above.
    e. Click the "Next: Tags" button to continue.
    f. Add tags, if needed.
    g. Click the "Next: Review" button to continue.
    h. Give the policy a name.
    i. Click the "Create policy" button.

IAM Policy Exists

  1. If you have an existing Axonius Adapter policy, locate it and click it to open the Policy Summary page.
  2. Click {} JSON to display the existing policy as JSON.
  3. Click Edit policy.
  4. Add the following statement to the policy's "Statement" array (separate it from the existing statements with a comma):
    {
      "Action": [
        "s3:CreateBucket",
        "s3:GetObject",
        "s3:HeadBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "[Enter_S3_Bucket_ARN_Here]",
      "Sid": "AxoniusS3BucketAccess"
    }
  5. In the new statement, locate the "Resource" element.
  6. Replace "[Enter_S3_Bucket_ARN_Here]" with the S3 bucket ARN you captured above in the S3 section.
  7. Click Review policy.
  8. Click Save changes.
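As an added example (not part of the Axonius documentation), the following Python performs the "IAM Policy Exists" edit programmatically: it appends the AxoniusS3BucketAccess statement to an existing policy document, fills in the bucket ARN, refuses a duplicate Sid, and checks that no placeholder remains. The existing policy and bucket name are constructed, and one deliberate addition beyond the guide's statement is marked in the comments: the object-level ARN (bucket ARN plus "/*") is listed alongside the bucket ARN, because s3:GetObject and s3:PutObject are evaluated against object ARNs.

```python
import copy
import json
import re

# Placeholder the guide's policy text uses for the bucket ARN.
BUCKET_ARN_PLACEHOLDER = "[Enter_S3_Bucket_ARN_Here]"
AXONIUS_S3_SID = "AxoniusS3BucketAccess"
# arn:<partition>:s3:::<bucket-name>; bucket names are 3-63 lowercase letters, digits, dots, hyphens.
BUCKET_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# The statement from the guide, before the bucket ARN is filled in.
S3_STATEMENT_TEMPLATE = {
    "Action": ["s3:CreateBucket", "s3:GetObject", "s3:HeadBucket", "s3:PutObject"],
    "Effect": "Allow",
    "Resource": BUCKET_ARN_PLACEHOLDER,
    "Sid": AXONIUS_S3_SID,
}


def has_placeholder(policy):
    """True if the placeholder is still present anywhere in the policy document."""
    return BUCKET_ARN_PLACEHOLDER in json.dumps(policy)


def add_s3_bucket_statement(policy, bucket_arn):
    """Return a copy of `policy` with the Axonius S3 statement appended for `bucket_arn`.

    Raises ValueError if the ARN is not a bucket ARN or the Sid is already in use
    (IAM requires Sids to be unique within one policy). The input is not modified.
    """
    if not BUCKET_ARN_RE.match(bucket_arn):
        raise ValueError(f"not an S3 bucket ARN: {bucket_arn!r}")
    doc = copy.deepcopy(policy)
    statements = doc.setdefault("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
        doc["Statement"] = statements
    if any(s.get("Sid") == AXONIUS_S3_SID for s in statements):
        raise ValueError(f"statement {AXONIUS_S3_SID} already exists in this policy")
    stmt = copy.deepcopy(S3_STATEMENT_TEMPLATE)
    # Addition to the guide's single-ARN statement: s3:CreateBucket is evaluated
    # against the bucket ARN, but s3:GetObject and s3:PutObject are evaluated against
    # object ARNs (bucket ARN + "/*"), so both resource forms are listed.
    stmt["Resource"] = [bucket_arn, bucket_arn + "/*"]
    statements.append(stmt)
    return doc


# Constructed stand-in for an existing Axonius adapter policy.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}
    ],
}
EXAMPLE_BUCKET_ARN = "arn:aws:s3:::example-axonius-backups"  # constructed bucket name

if __name__ == "__main__":
    updated = add_s3_bucket_statement(EXISTING_POLICY, EXAMPLE_BUCKET_ARN)
    print(json.dumps(updated, indent=2))
```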

IAM User/Role

Similar to the IAM Policy section, there are two flows in this process. If Axonius is already running in AWS, then use the "IAM User/Role Exists" flow. If Axonius isn't running in AWS, complete IAM User/Role Does Not Exist.

IAM User/Role Does Not Exist

Refer to the Axonius documentation to configure the user/role.

IAM User/Role Exists

IAM User

  1. Login to the AWS Console, if you are not already logged in.

  2. Open the AWS Management Console and go to the IAM service.


  3. While you are still in the IAM administration page, click on the Users link on the left side of the window.

  4. Locate the Axonius user and click it.

  5. Click Add permissions.

  6. Click Attach existing policies directly.

  7. Locate the IAM policy that you created or updated above.

  8. Click the radio button to the left of the policy name to select it.

  9. Click Next: Review to continue.

  10. Click Add permissions to continue.

IAM Role

  1. While you are still in the IAM administration page, click on the Roles link on the left side of the window.
  2. Locate the Axonius role and click on it.
  3. Click Attach policies.
  4. Locate the IAM policy that you created or updated above.
  5. Click the radio button to the left of the policy name to select it.
  6. Click Attach policy to continue.

AWS Permissions

This table summarizes the permissions that Axonius requires to fetch various AWS resources.
Use this information both to enable the required permissions and to grant only the permissions that are necessary.

Each entry lists the AWS Service, the Permissions it requires, and the Axonius Setting that uses them.

API Gateway
  Permissions:
    • GET
  Axonius Setting: Fetch information about API Gateways (Adapter Advanced Settings)

ACM
  Permissions:
    • acm:DescribeCertificate
    • acm:ListCertificates
  Axonius Setting: Fetch information about ELB (Elastic Load Balancers) (Adapter Advanced Settings)

Cloudfront
  Permissions:
    • cloudfront:GetDistribution
    • cloudfront:ListDistributions
  Axonius Setting: Fetch information about Cloudfront (Adapter Advanced Settings)

Cloudtrail
  Permissions:
    • cloudtrail:DescribeTrails
  Axonius Setting:
    • S3 Fetch
    • Axonius Cloud Asset Compliance

DynamoDB
  Permissions:
    • dynamodb:ListTables
    • dynamodb:DescribeTable
    • dynamodb:ListGlobalTables
    • dynamodb:DescribeGlobalTable
    • dynamodb:DescribeGlobalTableSettings
  Axonius Setting: Fetch information about DynamoDB (NoSQL Database Service) (Adapter Advanced Settings)

EC2
  Permissions:
    • ec2:DescribeAddresses
    • ec2:DescribeImages
    • ec2:DescribeInstances
    • ec2:DescribeInternetGateways
    • ec2:DescribeNatGateways
    • ec2:DescribeRouteTables
    • ec2:DescribeSecurityGroups
    • ec2:DescribeSubnets
    • ec2:DescribeTags
    • ec2:DescribeVolumes
    • ec2:DescribeVpcPeeringConnections
    • ec2:DescribeVpcs
  Axonius Setting: Basic Fetch (unless EC2 permissions verification is overridden in the 'Advanced Configuration File' settings)

ECR
  Permissions:
    • ecr:DescribeImages
    • ecr:DescribeRegistry
    • ecr:DescribeRepositories
    • ecr-public:DescribeImages
    • ecr-public:DescribeRegistries
    • ecr-public:DescribeRepositories

ECS
  Permissions:
    • ecs:DescribeClusters
    • ecs:DescribeContainerInstances
    • ecs:DescribeServices
    • ecs:DescribeTasks
    • ecs:ListClusters
    • ecs:ListContainerInstances
    • ecs:ListServices
    • ecs:ListTagsForResource
    • ecs:ListTasks
  Axonius Setting: Basic Fetch

EKS
  Permissions:
    • eks:DescribeCluster
    • eks:ListClusters
  Axonius Setting: Basic Fetch

ELB
  Permissions:
    • elasticloadbalancing:DescribeLoadBalancerPolicies
    • elasticloadbalancing:DescribeLoadBalancers
    • elasticloadbalancing:DescribeListeners
    • elasticloadbalancing:DescribeSSLPolicies
    • elasticloadbalancing:DescribeTargetGroups
    • elasticloadbalancing:DescribeTargetHealth
  Axonius Setting: Fetch information about ELB (Elastic Load Balancers) (Adapter Advanced Settings)

Elasticsearch
  Permissions:
    • es:DescribeElasticsearchDomain
    • es:ListDomainNames
  Axonius Setting: Fetch information about Elasticsearch (Adapter Advanced Settings)

FSx
  Permissions:
    • fsx:DescribeFileSystems
    • Resource: arn:aws:fsx:region:account-id:file-system/*
  Axonius Setting: Fetch FSx metadata (Adapter Advanced Settings)

GuardDuty
  Permissions:
    • guardduty:ListDetectors
    • guardduty:ListFindings
    • guardduty:GetFindings

IAM
  Permissions:
    • iam:GenerateCredentialReport
    • iam:GenerateServiceLastAccessedDetails
    • iam:GetAccessKeyLastUsed
    • iam:GetCredentialReport
    • iam:GetLoginProfile
    • iam:GetPolicy
    • iam:GetPolicyVersion
    • iam:GetRole
    • iam:GetRolePolicy
    • iam:GetUser
    • iam:GetUserPolicy
    • iam:ListAccessKeys
    • iam:ListAccountAliases
    • iam:ListAttachedGroupPolicies
    • iam:ListAttachedRolePolicies
    • iam:ListAttachedUserPolicies
    • iam:ListGroupsForUser
    • iam:ListInstanceProfilesForRole
    • iam:ListMFADevices
    • iam:ListRolePolicies
    • iam:ListRoles
    • iam:ListUserPolicies
    • iam:ListUsers
    • iam:ListVirtualMFADevices
  Axonius Setting:
    • Fetch information about IAM Users
    • Fetch IAM roles as users
    • Parse IAM policies
    (Adapter Advanced Settings)

IAM - Last Accessed Services
  Permissions:
    • iam:GetServiceLastAccessed
  Axonius Setting: Fetch IAM Users' AWS Services (Adapter Advanced Settings)

Lambda
  Permissions:
    • lambda:GetPolicy
    • lambda:ListFunctions
  Axonius Setting: Fetch information about Lambdas (Adapter Advanced Settings)

Organizations - Base
  Permissions:
    • organizations:DescribeAccount
    • organizations:DescribeOrganization
  Axonius Setting: Basic Fetch

Organizations - Account Name
  Permissions:
    • organizations:ListAccounts
  Axonius Setting: 'Advanced Configuration File' setting: roles_for_account_name

Organizations - Complete
  Permissions:
    • organizations:DescribeOrganization
    • organizations:DescribeEffectivePolicy
    • organizations:DescribePolicy
    • organizations:ListAccounts
    • organizations:ListPoliciesForTarget
    • organizations:ListTagsForResource
  Axonius Setting: Fetch Organizations as devices (Adapter Advanced Settings)

RDS
  Permissions:
    • rds:DescribeDBInstances
    • rds:DescribeOptionGroups
  Axonius Setting: Fetch information about RDS (Relational Database Service) (Adapter Advanced Settings)

Route53
  Permissions:
    • route53:ListHostedZones
    • route53:ListResourceRecordSets
  Axonius Setting: Fetch information about Route 53 (Adapter Advanced Settings)

S3
  Permissions:
    • s3:GetAccountPublicAccessBlock
    • s3:GetBucketAcl
    • s3:GetBucketLocation
    • s3:GetBucketLogging
    • s3:GetBucketPolicy
    • s3:GetBucketPolicyStatus
    • s3:GetBucketPublicAccessBlock
    • s3:GetBucketTagging
    • s3:ListAllMyBuckets
    • s3:ListBucket
  Axonius Setting: Fetch information about S3 (Adapter Advanced Settings)

S3 - Complete
  Permissions:
    • s3:GetAccountPublicAccessBlock
    • s3:CreateBucket
    • s3:GetBucketAcl
    • s3:GetBucketLocation
    • s3:GetBucketLogging
    • s3:GetBucketPolicy
    • s3:GetBucketPolicyStatus
    • s3:GetBucketPublicAccessBlock
    • s3:GetBucketTagging
    • s3:GetObject
    • s3:HeadBucket
    • s3:ListAllMyBuckets
    • s3:ListBuckets
    • s3:PutObject
  Axonius Setting: Contains all permissions relevant to Adapter Advanced Settings to fetch information about S3 and permissions for Enforcement Center Actions

S3 - Data Sync (Central Core)
  Permissions:
    • kms:GenerateDataKey
    • kms:Decrypt
  Axonius Setting: Central Core

S3 - AssumeRole Fetch
  Permissions:
    • s3:GetObject
    • s3:ListAllMyBuckets
  Axonius Setting: 'Advanced Configuration File' setting: remote_roles_to_assume

SSM
  Permissions:
    • ssm:DescribeAvailablePatches
    • ssm:DescribeInstanceInformation
    • ssm:DescribeInstancePatches
    • ssm:DescribePatchGroups
    • ssm:GetInventorySchema
    • ssm:ListInventoryEntries
    • ssm:ListResourceComplianceSummaries
    • ssm:ListTagsForResource
  Axonius Setting: Fetch information about SSM (System Manager) (Adapter Advanced Settings)

SSM
  Permissions:
    • ssm:CreateAssociation
    • ssm:RegisterTaskWithMaintenanceWindow
  Axonius Setting: EC Action for Install Software and Patch Instances

STS
  Permissions:
    • sts:AssumeRole
    • sts:GetCallerIdentity
  Axonius Setting: Basic Fetch (AssumeRole is needed only if roles are assumed as part of the discovery process)

WAFv1
  Permissions:
    • waf:GetWebACL
    • waf:ListWebACLs
  Axonius Setting: Add WAF to devices (Adapter Advanced Settings)

WAFRegional
  Permissions:
    • waf-regional:GetWebACL
    • waf-regional:GetWebACLForResource
    • waf-regional:ListWebACLs
  Axonius Setting: Add WAF to devices (Adapter Advanced Settings)

WAFv2
  Permissions:
    • wafv2:GetWebACL
    • wafv2:GetWebACLForResource
    • wafv2:ListWebACLs
  Axonius Setting: Add WAF to devices (Adapter Advanced Settings)

Workspaces
  Permissions:
    • workspaces:DescribeTags
    • workspaces:DescribeWorkspaceDirectories
    • workspaces:DescribeWorkspaces
    • workspaces:DescribeWorkspacesConnectionStatus
  Axonius Setting: Fetch information about Workspaces (Adapter Advanced Settings)

SecretsManager - Vault
  Permissions:
    • secretsmanager:GetSecretValue
  Axonius Setting: Only needed if using AWS Secrets Manager as a Vault

The following permissions are required for Axonius Cloud Asset Compliance with CIS Benchmark for Amazon Web Services Foundations. Each entry lists the Usage and the Permissions it requires.

Usage: Axonius Cloud Asset Compliance for AWS
  Permissions:
    • cloudtrail:DescribeTrails
    • cloudtrail:GetEventSelectors
    • cloudtrail:GetTrailStatus
    • cloudwatch:DescribeAlarmsForMetric
    • config:DescribeConfigurationRecorders
    • config:DescribeConfigurationRecorderStatus
    • ec2:DescribeFlowLogs
    • ec2:DescribeSecurityGroups
    • ec2:DescribeVpcs

Usage: ECR
  Permissions:
    • ecr:DescribeImages
    • ecr:DescribeRegistry
    • ecr:DescribeRepositories
    • ecr-public:DescribeImages
    • ecr-public:DescribeRegistries
    • ecr-public:DescribeRepositories

Usage: IAM
  Permissions:
    • iam:GetAccountSummary
    • iam:GetCredentialReport
    • iam:GenerateCredentialReport
    • iam:GetAccountPasswordPolicy
    • iam:GetPolicyVersion
    • iam:ListAccountAliases
    • iam:ListAttachedUserPolicies
    • iam:ListEntitiesForPolicy
    • iam:ListPolicies
    • iam:ListUserPolicies
    • iam:ListUsers
    • iam:ListVirtualMFADevices
    • kms:ListKeys
    • logs:DescribeMetricFilters
    • sns:ListSubscriptionsByTopic
    • sts:GetCallerIdentity
    • s3:GetBucketAcl
    • s3:GetBucketLogging
    • s3:GetBucketPolicy
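As an added example (not part of the Axonius documentation), the following Python checks a policy's wildcard action patterns against the per-action lists in the tables above, using IAM's matching rules (case-insensitive, with '*' and '?' wildcards), and reports which required actions are covered, which are missing, and which granted patterns no required action relies on. The granted patterns are a subset of the read-only policy from "Creating an IAM User" and the required actions a subset of the table rows for the same services; a real review would compare the full policy against every row it needs.

```python
import re


def action_matches(pattern, action):
    """IAM action matching: case-insensitive; '*' matches any run of characters
    and '?' matches exactly one character."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None


def coverage_report(granted_patterns, required_actions):
    """Compare the action patterns in a policy with the actions a fetch needs.

    Returns (covered, missing, unused): covered maps each required action to the
    patterns that grant it, missing lists required actions nothing grants, and
    unused lists granted patterns that no required action relies on.
    """
    covered, missing = {}, []
    for action in required_actions:
        hits = [p for p in granted_patterns if action_matches(p, action)]
        if hits:
            covered[action] = hits
        else:
            missing.append(action)
    used = {p for hits in covered.values() for p in hits}
    unused = [p for p in granted_patterns if p not in used]
    return covered, missing, unused


# Subset of the patterns in the guide's read-only policy (mixed case kept as written there).
GRANTED = [
    "ec2:Describe*", "ec2:Get*", "es:List*", "acm:DescribeCertificate",
    "Workspaces:Describe*", "Lambda:Get*", "Lambda:List*",
    "inspector:List*", "inspector:Describe*",
]
# Subset of the actions the permissions table lists for those services.
REQUIRED = [
    "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
    "es:ListDomainNames", "es:DescribeElasticsearchDomain",
    "acm:DescribeCertificate", "acm:ListCertificates",
    "workspaces:DescribeWorkspaces", "lambda:GetPolicy", "lambda:ListFunctions",
]

if __name__ == "__main__":
    covered, missing, unused = coverage_report(GRANTED, REQUIRED)
    for action, patterns in covered.items():
        print(f"covered  {action:34} by {', '.join(patterns)}")
    for action in missing:
        print(f"MISSING  {action}")
    for pattern in unused:
        print(f"UNUSED   {pattern}")
```

On this input the report flags es:DescribeElasticsearchDomain and acm:ListCertificates as required by the table but not granted by the policy, and the inspector patterns as granted but absent from every table row.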

