Axonius.com

Amazon Web Services (AWS)

16 Minutes To Read

Print
Share
Dark

Light

Amazon Web Services (AWS)

16 Minutes To Read

Print
Share
Dark

Light

Amazon Web Services (AWS) adapter includes a broad set of global cloud-based products. It supports EC2, ECS, EKS, IAM, EBS, ELB, RDS, S3, VPC, Workspaces, Lambda, Route 53 and more.

To connect Axonius to your AWS resources, you will need to create an IAM user, assemble the required credentials (Access key id & Secret access key) and configure your account/accounts if necessary.

Parameters

Region Name or Get All Regions (optional, default: empty) - Specify the region name for a specific region or If you would like Axonius to try connecting to all regions, select the "Get All Regions" option.
AWS Access Key ID (optional, default: empty) - Provide AWS Access Key ID or choose to use EC2 instance attached IAM role.
AWS Access Key Secret (optional, default: empty) - Provide AWS Access Key Secret or choose to use EC2 instance attached IAM role.
Account Tag (optional, default: empty) - Optional tag for the EC2 instance ("nickname").
Proxy (optional, default: empty) - An optional https proxy.
Roles to assume (optional, default: empty) – A file with role-ARNs which the AWS Adapter will try to assume for cross-account access with the single IAM user. Two available formats:
- List of comma-delimited role-ARNs
```
arn:aws:iam::111111111111:role/axonius-role, arn:aws:iam::222222222222:role/axonius-role
```
- JSON format - list of dictionaries that define each role.
  - external_id is only supported in the Json format
  - The external_id can be different for every role in the list.
```
[
    {"arn": "arn:aws:iam::111111111111:role/axonius-role"},
    {"arn": "arn:aws:iam::222222222222:role/axonius-role", "external_id": "MY-SECRET"}
]
```
Use attached IAM role (optional, default: empty) - Select to use the EC2 instance (Axonius installed on) attached IAM role / instance profile instead of using the AWS Access Key ID and AWS Access Key Secret credentials supplied. This does not affect the Roles to assume parameter.
Advanced Configuration File (optional, default: empty) - Upload an advanced configuration JSON file. For details, see Advanced Configuration File
For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Configuration File

The Advanced Configuration File field lets you upload an advanced configuration JSON file. The file can be empty ({}) or may conatin any combination of the following key/value pairs in a JSON format.

If supplied, when connecting to the source, Axonius will consider the configuration in the uploaded file in addition to the values specified in the various fields of the connection for this adapter.
If not supplied, when connecting to the source, Axonius will only consider the values specified in the various fields of the connection for this adapter.

Key/Value Pair	Behavior when in Use
{"skip_ec2_verification": true}	By default, the specified IAM user / roles of the connection for this adapter must have at least ec2 permissions. If the file contains this key/value pair, Axonius skips the ec2 permissions verifications. As a result, the connection for this adapter will be considered as valid also if the specified connection parameters are correct, but the specified IAM user / roles does not have ec2 permissions.
{ "aws_mfa_serial_number": "arn:aws:iam:<account_number>:mfa/<name>", "aws_mfa_totp_code": "<totp_code_generator>" }	AWS enables to create policies that require MFA to access some APIs. If those two key/value pair exist, Axonius will use the values to try to authenticate the user with MFA. The MFA settings can be configured and viewed from the IAM entity, under the Security Credentials tab. - "aws_mfa_serial_number": "arn:aws:iam:<account_number>:mfa/<name>" - replace with the virtual MFA device name. - <totp_code_generator> - The virtual MFA device secret key.

Key/Value Pair

Behavior when in Use

{"skip_ec2_verification": true}

By default, the specified IAM user / roles of the connection for this adapter must have at least ec2 permissions. If the file contains this key/value pair, Axonius skips the ec2 permissions verifications.
As a result, the connection for this adapter will be considered as valid also if the specified connection parameters are correct, but the specified IAM user / roles does not have ec2 permissions.

{
"aws_mfa_serial_number": "arn:aws:iam:<account_number>:mfa/<name>",
"aws_mfa_totp_code": "<totp_code_generator>"
}

AWS enables to create policies that require MFA to access some APIs. If those two key/value pair exist, Axonius will use the values to try to authenticate the user with MFA.

The MFA settings can be configured and viewed from the IAM entity, under the Security Credentials tab.

- "aws_mfa_serial_number": "arn:aws:iam:<account_number>:mfa/<name>" - replace with the virtual MFA device name.
- <totp_code_generator> - The virtual MFA device secret key.

Advanced Settings

The Amazon Web Services (AWS) adapter has unique, advanced settings which enable configuring the logic around correlation of the AWS cloud servers (devices) and the information Axonius will fetch for each of them.

Correlate ECS containers with their EC2 Instance (required, default: False) - Select whether to correlate ECS containers with the EC2 host they are running on.
- If enabled, all connections for this adapter will correlate ECS containers with the EC2 host they are running on.
- If disabled, all connections for this adapter will not correlate ECS containers with the EC2 host they are running on. Such ECS and EC2 will be created in Axonius as two different devices.
Correlate EKS containers with their EC2 Instance (required, default: False) - Select whether to correlate EKS containers with the EC2 host they are running on.
- If enabled, all connections for this adapter will correlate EKS containers with the EC2 host they are running on.
- If disabled, all connections for this adapter will not correlate EKS containers with the EC2 host they are running on. Such EKS and EC2 will be created in Axonius as two different devices.
Fetch information about EC2 attached roles (required, default: False) - Select whether to fetch information about each EC2 attached roles.
- If enabled, all connections for this adapter will fetch information about each EC2 attached roles from AWS.
- If disabled, all connections for this adapter will not fetch any information about each EC2 attached roles from AWS.
Fetch information about ELB (Elastic Load Balancers) (required, default: False) - Select whether to fetch information about all available load balancers and add that information to relevant EC2 instances.
- If enabled, all connections for this adapter will fetch information about all available load balancers and add that information to relevant EC2 instances. Each ELB will be represented then as a separate device.
- If disabled, all connections for this adapter will not fetch any information about all load balancers.
Fetch information about SSM (System Manager) (required, default: False) - Select whether to fetch additional information from AWS SSM for each host.
- If enabled, all connections for this adapter will fetch additional information from AWS SSM for each host.
- If disabled, all connections for this adapter will not fetch any information about AWS SSM.
Fetch information about NAT Gateways (required, default: False) - Select whether to fetch NAT gateways as devices assets.
- If enabled, all connections for this adapter will fetch all available NAT gateways data from AWS.
- If disabled, all connections for this adapter will not fetch any NAT gateways data from AWS.
Fetch internet gateways as devices (required, default: False) - Select whether to fetch internet gateways as devices assets.
- If enabled, all connections for this adapter will fetch all available internet gateways data from AWS. Each internet gateway will be added as a unique device.
- If disabled, all connections for this adapter will not fetch any internet gateways data from AWS.
Fetch route tables as devices (required, default: False) - Select whether to route tables as devices assets.
- If enabled, all connections for this adapter will fetch all available route tables data from AWS. Each route table will be added as a unique device.
- If disabled, all connections for this adapter will not fetch any route tables data from AWS.
Add route tables to devices (required, default: False) - Select whether to fetch information about route tables and add it to the appropriate devices.
- If enabled, all connections for this adapter will fetch all route tables data from AWS for the following services:
  - EC2
  - ELB
  - IGW
  - NAT
  - RDS
  - Workspaces
  - ECS - only if Correlate ECS Containers with their EC2 Instance checkbox is enabled.
  - EKS - only if Correlate EKS Containers with their EC2 Instance checkbox is enabled.
- If disabled, all connections for this adapter will not fetch any route tables data from AWS.
Fetch information about Elasticsearch (required, default: False) - Select whether to fetch information on the existing Elasticsearch instances.
- If enabled, all connections for this adapter will fetch all existing Elasticsearch instances data from AWS.
- If disabled, all connections for this adapter will not fetch any Elasticsearch instances data from AWS.
Fetch ELB IP using current DNS (required, default: False) - Select whether to resolve the IP address of each ELB using the current DNS server.
- If enabled, all connections for this adapter will resolve the IP address of each ELB using the current DNS server.
- If disabled, all connections for this adapter will not resolve the IP address of each ELB.
  
  NOTE
  
  This setting will take affect only if the Fetch information about ELB (Elastic Load Balancers) checkbox is enabled.
Fetch information about RDS (Relational Database Service) (required, default: False) - Select whether to fetch the information on the existing Amazon RDS instances.
- If enabled, all connections for this adapter will fetch all existing Amazon RDS instances data from AWS.
- If disabled, all connections for this adapter will not fetch any Amazon RDS instances data from AWS.
Fetch information about S3 (required, default: False) - Select whether to fetch information about Amazon S3 buckets, such as their ACL's, locations and their public status.
- If enabled, all connections for this adapter will fetch information about Amazon S3 buckets data from AWS.
- If disabled, all connections for this adapter will not fetch any Amazon S3 buckets data from AWS.
- When using the Cloud Asset Compliance, this settings is required to view Affected Devices of type S3 buckets.
Fetch information about IAM Users (required, default: False) - Select whether to fetch information about IAM users, attached groups, attached policies and access keys.
- If enabled, all connections for this adapter will fetch information about IAM users, attached groups, attached policies and access keys.
- If disabled, all connections for this adapter will not fetch any information about IAM users from AWS.
- When using the Cloud Asset Compliance, this settings is required to view Affected Devices of type IAM Users.
Parse IAM policies (required, default: False) - Select whether to fetch information about the privileges that are granted to each AWS IAM user by group, inline and attached IAM policies.
- If enabled, all connections for this adapter will query each AWS IAM user to determine the privileges that are granted to it by group, inline and attached IAM policies.
- If disabled, all connections for this adapter will not fetch information about the privileges that are granted to each AWS IAM user.
Fetch IAM Users' AWS Services (required, default: False) - Select whether to fetch the AWS Services accessed by an IAM User.
- If enabled, all connections for this adapter will fetch the AWS Services accessed by an IAM User.
- If disabled, all connections for this adapter will not fetch the AWS Services accessed by an IAM User.
Fetch information about Workspaces (required, default: False) - Select whether to fetch information about Amazon Workspaces.
- If enabled, all connections for this adapter will fetch Amazon Workspaces data from AWS.
- If disabled, all connections for this adapter will not fetch any Amazon Workspaces data from AWS.
Fetch information about Lambdas (required, default: False) - Select whether to fetch information on AWS Lambdas.
- If enabled, all connections for this adapter will fetch AWS Lambdas data from AWS.
- If disabled, all connections for this adapter will not fetch any AWS Lambdas data from AWS.
Fetch information about Route 53 (required, default: False) - Select whether to fetch information on Amazon Route 53 DNS records.
- If enabled, all connections for this adapter will fetch Amazon Route 53 DNS records from AWS.
- If disabled, all connections for this adapter will not fetch any Amazon Route 53 DNS records from AWS.
Fetch information about Cloudfront (required, default: False) - Select whether to fetch information on Cloudfront.
- If enabled, all connections for this adapter will fetch Cloudfront information from AWS.
- If disabled, all connections for this adapter will not fetch Cloudfront information from AWS.
Show verbose notifications about connection failures (required, default: False) - Select whether to create a system notification with all failed AWS connections on each discovery cycle.
- If enabled, all connections for this adapter will create a system notification with all failed AWS connections on each discovery cycle.
- If disabled, all connections for this adapter will not create a system notification with all failed AWS connections on each discovery cycle.
Shodan API key for more IP info (optional, default: empty) – Specify an API key which will be used to query information about public IP addresses.
Verify all IAM roles (required, default: True) - Select whether to verify all IAM roles.
- If enabled, all connections for this adapter will verify all IAM roles. If one of the IAM roles is not valid, the adapter connection will fail.
- If disabled, all connections for this adapter will not verify all IAM roles. Only if all the IAM roles are not valid, the adapter connection will fail.
Verify primary account permissions (required, default: True) - Whether or not the primary account permissions should be used when the adapter connections fetch data from AWS.
- If enabled, all connections for this adapter will use the primary account permissions to fetch data from AWS. If the primary account permissions are insufficient, the adapter connections will fail to fetch the data.
- If disabled, all connections for this adapter will only use the primary account to assume the roles attached to it, and the adapter connections will use those role permissions to fetch data from AWS. This setting should be disabled only if you want to use the primary account assumed roles permissions instead of the primary account permissions when fetching assets from AWS.
Do not fetch EC2 machines that are turned off (required, default: False) - Whether or not to fetch EC2 devices that their power state is turned off.
- If enabled, all connections for this adapter will only fetch EC2 devices which their power state is turned on.
- If disabled, all connections for this adapter will fetch all EC2 devices, regardless of their power state.
Number of accounts to fetch in parallel (required, default: 5) - For all connections for this adapter, specify the number of AWS accounts Axonius will fetch data from in parallel.

Note

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Connecting the Amazon Web Services (AWS) Adapter

To connect this adapter, you will first need to create an IAM user:

Open your AWS Dashboard and go to the IAM service.

Go to the "Policies" tab and click "Create policy". You will need to create a policy that grants read-only access to specific AWS Resources.

Click JSON and copy-paste the following JSON, which provides Axonius read-only access to the EC2, ECS, EKS, IAM, SSM, RDS,S3, Workspaces and Lambda services

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                "ecs:Describe*",
                "eks:Describe*",
                "eks:List*",
                "ecs:List*",
                "ec2:Get*",
                "es:List*",
                "elasticloadbalancing:Describe*",
                "ssm:Get*",
                "ssm:List*",
                "ssm:Describe*",
                "rds:List*",
                "rds:Describe*",
                "s3:List*",
                "s3:Get*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudtrail:Describe*",
                "cloudfront:List*",
                "cloudfront:Get*",
                "Workspaces:Describe*",
                "Workspaces:List*",
                "Lambda:Get*",
                "Lambda:List*",
                "apigateway:Get*",
                "route53:Get*",
                "route53:List*"
            ],
            "Resource": "*"
        }
    ]
}

NOTE

When using Cloud Asset Compliance, the AWS Policy needs additional permissions.

Click "Review policy" and fill in the details. Then click "Create policy".
Next, click "Users" and then "Add User". Select "Programmatic access" to allow Axonius use the AWS API, and proceed to the permissions screen.

In the permissions screen, click "Attach existing policies directly", then attach the policy we just created.

Finally, click "Create User". You will see an access key ID and a secret access key you can show. Save both of them in a secure location (they will not appear again) for the adapter configuration.

At this point, you can use the credentials to access Axonius. Fill in all required fields in the adapter configuration, click save, and the AWS adapter is configured.
However, if you would like to use AWS EKS or AWS Roles, the configuration requires additional steps. Proceed to the next section to add permissions to your IAM User.

EKS Configuration

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator. Initially, only that IAM user can make calls to the Kubernetes API server using kubectl. Thus, you need to add our new IAM account to the kubectl configurations to get read-only permissions.

First, you need to get the ARN of the user we just created. In the IAM Service, click "Users" and select the new user we just created. Copy its User ARN.

You need to use kubctl, Kubernetes' admin command line interface to add a read-only group and map our AWS user to it. For each cluster you want Axonius to connect to, do the following steps.

As a logged-in admin, create a ClusterRoleBinding that maps the "view" ClusterRole to the group "axonius-readonly":

kubectl create clusterrolebinding axonius-view-cbr --clusterrole=view --group=axonius-readonly

Then, edit the Kubernetes AWS auth configurations, and add a new user mapping. If you don't have the mapUsers block already, create it.
Open the editor to edit the configurations:

kubectl edit -n kube-system configmap/aws-auth

Then, append the new user mapping, while replacing the 'userarn' field with the ARN we got before.

mapUsers: |
    - userarn: arn:aws:iam::405799742499:user/Axonius-Readonly

      username: axonius-readonly

      groups:

        - axonius-readonly

The first part of the most basic configuration file should look similar to this:

Save the file.
You should see a message indicating your edit was successful.

Your IAM account can now authenticate against the Kubernetes cluster.

AWS Roles configuration

Axonius supports IAM Roles in the AWS adapter alongside the current IAM User for cross-account access, meaning that the AWS adapter can assume specified roles to allow fetching devices from other AWS accounts. To do this, you will have to create a role in the desired additional AWS account(s), and allow the IAM User which is being used in the adapter to assume this role. In each of your additional accounts:

Go to IAM and create the same policy created at steps 1-4.
Go to IAM -> Roles and create a new role. Choose "Another AWS Account". Fill in your primary account ID (the one in which the primary IAM user resides) and leave the other 2 options unchecked.

Click "Next" and select the read-only policy.

Click "Next" and fill in the details to create the role.

Now select the role you just created. Change the maximum session duration to 4 hours and click "Save changes".

Go to "Trust relationships" and click "Edit trust relationship". You will need to edit this trust relationship to allow only your specific IAM user to assume this. Change the 'AWS' parameter in the policy document to the IAM UserARN you created in the beginning of the guide. If you don't know it, log in to your primary account , go to IAM -> Users and click the IAM user to get its ARN.

Save the policy and keep the role ARN.
Do this for every additional account you want the AWS Adapter to connect to. After you are done, go back to your main account (the one with the IAM User you created). Go to IAM -> Policies to create a policy which allows your IAM User to assume the roles you created. Click "Create Policy" and switch to the JSON tab.
Paste the following JSON Policy and append your Role ARNs. In this example, we have 2 roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::405799742499:role/Axonius-Readonly-Role",
                "arn:aws:iam::405799742498:role/AxoniusDevRole"
            ]
        }
    ]
}

Click "Next" and give this policy a name, then create it.

Finally, go to IAM -> Users, select the user you created for Axonius and click "Add permissions". Attach the policy you created to allow this user to assume the roles. Attach the policy.

At this stage you can use Axonius to assume the roles you created. To assume these roles, create a file which contains all the role ARNS and use it in the adapter settings screen. Two available formats:
- List of comma-delimited role-ARNs
```
arn:aws:iam::405799742499:role/AxoniusDevRole, arn:aws:iam::405799742498:role/Axonius-Readonly-Role
```
- JSON format - list of dictionaries that define each role.
  - external_id is only supported in the Json format
  - The external_id can be different for every role in the list.
```
[
    {"arn": "arn:aws:iam::405799742499:role/AxoniusDevRole"},
    {"arn": "arn:aws:iam::405799742498:role/Axonius-Readonly-Role", "external_id": "MY-SECRET"}
]
```

Make sure to replace the account ID in our examples(405799742499/405799742498) with your own

Was This Article Helpful?

Table Of Contents

Amazon Web Services (AWS)

Parameters

Advanced Configuration File

Advanced Settings

Connecting the Amazon Web Services (AWS) Adapter

EKS Configuration

AWS Roles configuration

Related Articles