AWS Adapter Configuration for Cloud Asset Compliance
  • 08 Mar 2022
  • 1 Minute to read
  • Dark
    Light
  • PDF

AWS Adapter Configuration for Cloud Asset Compliance

  • Dark
    Light
  • PDF

Article summary

All of the Cloud Asset Compliance calculations are done as part of your discovery cycle using the same AWS accounts that were configured as part of the existing AWS adapters.

Updated AWS Policy

In order to check all benchmark rules, the AWS policy needs to be updated.

  • If you already have an AWS account/role configured in your AWS adapter, you can add following permissions to its AWS policy.

    config:DescribeConfigurationRecorders
    config:DescribeConfigurationRecorderStatus
    iam:GenerateCredentialReport
    logs:DescribeMetricFilters
    cloudwatch:DescribeAlarmsForMetric
    sns:ListSubscriptionsByTopic
    kms:ListKeys
    

    For details on how to configure AWS Policy, see Amazon Web Services (AWS) Adapter.

  • The following JSON represents the minimum AWS policy required for Cloud Asset Compliance for AWS, which provides Axonius read-only access to resources required for checking all CIS AWS Foundation Benchmark v1.2 rules.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:GenerateCredentialReport",
                    "iam:GetPolicyVersion",
                    "iam:GetAccountPasswordPolicy",
                    "cloudtrail:GetTrailStatus",
                    "s3:GetBucketLogging",
                    "ec2:DescribeFlowLogs",
                    "logs:DescribeMetricFilters",
                    "cloudtrail:GetEventSelectors",
                    "iam:ListVirtualMFADevices",
                    "s3:GetBucketPolicy",
                    "cloudwatch:DescribeAlarmsForMetric",
                    "iam:ListAttachedUserPolicies",
                    "iam:GetCredentialReport",
                    "iam:ListPolicies",
                    "sns:ListSubscriptionsByTopic",
                    "iam:ListEntitiesForPolicy",
                    "iam:ListUserPolicies",
                    "s3:GetBucketAcl",
                    "config:DescribeConfigurationRecorderStatus",
                    "cloudtrail:DescribeTrails",
                    "ec2:DescribeSecurityGroups",
                    "kms:ListKeys",
                    "config:DescribeConfigurationRecorders",
                    "ec2:DescribeVpcs",
                    "iam:ListAccountAliases",
                    "iam:ListUsers",
                    "sts:GetCallerIdentity",
                    "iam:GetAccountSummary"
                ],
                "Resource": "*"
            }
        ]
    }
    

Update Advanced Settings to view Affected Assets

The Affected Assets displays IAM Users, EC2 machines, and S3 buckets that are affected from AWS entities that failed the check of rules in the CIS benchmarks.
In order to display this assets the following must be enabled in the Advanced Settings in the AWS Adapter:

  • Fetch information about IAM Users
  • Fetch information about S3

image.png

Without these settings enabled, you will not be able to see the affected assets in the Devices/Users page.


Was this article helpful?