Amazon Web Services (AWS)

The Amazon AWS ECS/EC2 adapter includes both the high-performance container orchestration service that supports Docker containers and containerized applications on AWS as well as the EC2 instances themselves.

To connect Axonius to your AWS resources, you will need to create an IAM user, assemble the required credentials (Access key id & Secret access key) and configure your account/accounts if necessary.

The Amazon AWS Adapter connection requires the following parameters:

1. Region Name or Get all Regions (optional) – Set the region name for a specific region or If you would like Axonius to try connecting to all regions, select the "Get All Regions" option.
2. AWS Access Key ID (optional) - Provide AWS Access Key ID or choose to use EC2 instance attached IAM role.
3. AWS Access Key Secret (optional) - Provide AWS Access Key Secret or choose to use EC2 instance attached IAM role.
4. Account Tag (optional) - Optional tag for the EC2 instance ("nickname").
5. Proxy (optional) - An optional https proxy.
6. Roles to assume (optional) – A file with a list of comma-delimited role-ARNs which the AWS Adapter will try to assume for cross-account access with the single IAM user.
7. Use attached IAM role (optional) - Select to use the EC2 instance (Axonius installed on) attached IAM role instead of using the AWS Access Key ID and AWS Access Key Secret credentials supplied.
8. Choose Instance - If you are using multi-nodes, choose the Axonius node that is integrated with the adapter. By default, the 'Master' Axonius node (instance) is used. For details, see Connecting Additional Axonius Nodes

Connecting the Amazon Web Services (AWS) Adapter

To connect this adapter, you will first need to create an IAM user:

1. Open your AWS Dashboard and go to the IAM service.

2. Go to the "Policies" tab and click Create Policy. You will need to create a policy that grants read-only access to specific AWS Resources.

3. Click JSON and copy-paste the following JSON, which provides Axonius read-only access to the EC2, ECS, EKS, IAM and SSM services

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:Get*",
                "iam:List*",
                "ecs:Describe*",
                "eks:Describe*",
                "eks:List*",
                "ecs:List*",
                "ec2:Get*",
                "elasticloadbalancing:Describe*",
                "ssm:Get*",
                "ssm:List*",
                "ssm:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

4. Click "Review policy" and fill in the details. Then click "Create policy"

5. Next, click "Users" and then "Add User". Select "Programmatic access" to allow Axonius use AWS API, and proceed to the permissions screen.

6. In the permissions screen, click "Attach existing policies directly", then attach the policy we just created.

7. Finally, click Create User. You will see an access key ID and a secret access key you can show. Save both of them in a secure location (they will not appear again) for the adapter configuration.

8. At this point we can use the credentials to access Axonius. Fill in all required fields in the adapter configuration, click save, and the AWS adapter is configured.

9. However, if you would like to use AWS EKS or AWS Roles, the configuration requires additional steps. Proceed to the next section to add permissions to your IAM User.

EKS Configuration

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator. Initially, only that IAM user can make calls to the Kubernetes API server using kubectl. Thus, we need to add our new IAM account to the kubectl configurations to get read-only permissions.

First, we need to get the ARN of the user we just created. In the IAM Service, click "Users" and select the new user we just created. Copy its User ARN.

1. We need to use kubctl, Kubernetes' admin command line interface to add a read-only group and map our AWS user to it. For each cluster you want Axonius to connect to, do the following steps.

As a logged-in admin, create a ClusterRoleBinding that maps the "view" ClusterRole to the group "axonius-readonly":

kubectl create clusterrolebinding axonius-view-cbr --clusterrole=view --group=axonius-readonly

2. Then, edit the Kubernetes AWS auth configurations, and add a new user mapping. If you don't have the mapUsers block already, create it.
   Open the editor to edit the configurations:

kubectl edit -n kube-system configmap/aws-auth

Then, append the new user mapping, while replacing the 'userarn' field with the ARN we got before.

mapUsers: |
    - userarn: arn:aws:iam::405773942477:user/Axonius-Readonly

      username: axonius-readonly

      groups:

        - axonius-readonly

The first part of the most basic configuration file should look similar to this:

3. Save the file.
4. You should see a message indicating your edit was successful.
   

Your IAM account can now authenticate against the Kubernetes cluster.

AWS Roles configuration

Axonius supports IAM Roles in the AWS adapter alongside the current IAM User for cross-account access, meaning that the AWS adapter can assume specified roles to allow fetching devices from other AWS accounts. To do this, you will have to create a role in the desired external AWS account, and allow the IAM User which is being used in the adapter to assume this role. In your external account:

1. Go to IAM and create the same policy created at steps 1-4.
2. Go to IAM -> Roles and create a new role. Choose "Another AWS Account". Fill in your external account ID and leave the other 2 options unchecked.

3. Click Next and select the read-only policy.

4. Click Next and fill in the details to create the role.

5. Now select the role you just created. Change the maximum session duration to 4 hours and click Save changes.

6. Go to "Trust relationships" and click "Edit trust relationship". You will need to edit this trust relationship to allow only your specific IAM user to assume this. Change the 'AWS' parameter in the policy document to the IAM userarn you created in the beginning of the guide. If you don't know it, log in to your main account , go to IAM -> Users and click the IAM user to get its ARN.

7. Save the policy and keep the role ARN.

8. Do this for every external account you want the AWS Adapter to connect to. After you are done, go back to your main account (the one with the IAM User you created). Go to IAM -> Policies to create a policy which allows your IAM User to assume the roles you created. Click "Create Policy" and switch to the JSON tab.

9. Paste the following JSON Policy and append your Role ARNs. In this example, we have 2 roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::802876684602:role/Axonius-Readonly-Role",
                "arn:aws:iam::817364327683:role/AxoniusDevRole"
            ]
        }
    ]
}

10. Click Next and give this policy a name, then create it.

11. Finally, go to IAM -> Users, select the user you created for Axonius and click "Add permissions". Attach the policy you created to allow this user to assume the external roles. Attach the policy.

12. At this stage you can use Axonius to assume the roles you created. To assume these roles, create a comma-delimited file which contains all the role ARNS and use it in the adapter settings screen. As an example, such a file could be:

Configuring AWS Correlation Logic and Retrieved Information

The Amazon Web Services (AWS) adapter has unique, advanced settings which enable configuring the logic around correlation of the AWS cloud servers (devices) and the information Axonius will fetch for each of them.

To configure the AWS Adapter advanced settings, open the AWS adapter screen, click Advanced Settings, and then click the AWS Configuration tab:

• Correlate ECS containers with their EC2 Instance - Check this to correlate ECS containers with the EC2 host they are running on. Otherwise, they will be shown as two different devices.
• Correlate EKS containers with their EC2 Instance – Check this to correlate EKS containers with the EC2 host they are running on. Otherwise, they will be shown as two different devices.
• Fetch information about EC2 attached roles – Check this to fetch information about each EC2 attached roles.
• Fetch information about ELB (Elastic Load Balancers) – Check this to fetch information about all available load balancers and assign information to relevant EC2 instances. Each ELB will be represented then as a separate device.
• Fetch information about SSM (System Manager) – Check this to fetch additional information from AWS SSM for each host
• Fetch information about NAT Gateways – Check this to consider NAT gateways as devices. If selected, the adapter will fetch all available NAT gateways as well.
• Fetch ELB IP using current DNS - Check this to fetch the IP of each ELB using the current DNS server.
• Show verbose notifications about connection failures – Check this to create a notification with all failed AWS connections on each cycle.
• Shodan API key for more IP info – Specify an API key which will be used to query information about public IP addresses