AWS Advanced Configuration File
  • 23 Feb 2025

The Advanced Configuration File field lets you upload an advanced configuration JSON file. The file can be empty ({}) or can contain any combination of the following key/value pairs in a JSON format.

  • If supplied, when connecting to the source, Axonius will consider the configuration in the uploaded file in addition to the values specified in the various fields of the connection for this adapter.
  • If not supplied, when connecting to the source, Axonius will only consider the values specified in the various fields of the connection for this adapter.

Skip Verification

Key/Value Pair

{
    "skip_ec2_verification": true
}

Using the JSON file
By default, the IAM user / roles specified in the connection for this adapter must have at least ec2 permissions. If the file contains this key/value pair, Axonius skips the ec2 permissions verification.
As a result, the connection for this adapter will be considered valid when the specified connection parameters are correct but the specified IAM user / roles do not have ec2 permissions.

Authenticate with MFA

The attached file contains the procedure for obtaining the information needed to set up the MFA portion of the AWS adapter.


Key/Value Pair

{
  "aws_mfa_serial_number": "arn:aws:iam::<account_number>:mfa/<name>",
  "aws_mfa_totp_code": "<totp_code_generator>"
}

Using the JSON file
AWS allows creating policies that require MFA to access some APIs. If those two key/value pairs exist, Axonius will use the values to try to authenticate the user with MFA.

The MFA settings can be configured and viewed from the IAM entity, under the Security Credentials tab.

- "aws_mfa_serial_number": "arn:aws:iam::<account_number>:mfa/<name>" - replace <name> with the virtual MFA device name.
- "aws_mfa_totp_code": <totp_code_generator> - the virtual MFA device secret key.
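The two values above are what a TOTP-based MFA login needs: the device ARN identifies the virtual device, and the device secret is what the code is derived from. The following added example (not Axonius code, and not taken from the attached PDF) shows how a 6-digit code is derived from the base32 secret that AWS displays when a virtual MFA device is created, and how that code pairs with the serial ARN in the parameters of an STS GetSessionToken call. The secret, serial ARN and timestamps are constructed samples; the `sts.get_session_token` call shape is boto3's and is assumed rather than taken from the page.

```python
# Added example, not Axonius code: derive the 6-digit code a virtual MFA device
# would display from the base32 secret AWS shows when the device is created, and
# build the parameters for the STS GetSessionToken call that uses the
# "aws_mfa_serial_number" ARN. RFC 6238 with the AWS virtual-device defaults:
# HMAC-SHA1, 30-second time step, 6 digits. Secret, serial and times below are
# constructed sample values.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp_code(secret_b32: str, at_time: Optional[float] = None,
              step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for a base32 secret at the given Unix time (now if None)."""
    # AWS displays the secret in base32 groups without padding; restore padding first.
    normalized = secret_b32.replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    key = base64.b32decode(normalized)
    counter = int((time.time() if at_time is None else at_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226 section 5.3): 4 bytes at a secret-dependent offset.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def mfa_session_params(serial_number: str, secret_b32: str,
                       duration_seconds: int = 3600) -> dict:
    """Keyword arguments for boto3's sts.get_session_token(**params) (assumed call)."""
    # The serial is the MFA device ARN; IAM ARNs have an empty region field ("::").
    if not serial_number.startswith("arn:aws:iam::") or ":mfa/" not in serial_number:
        raise ValueError("serial must look like arn:aws:iam::<account_number>:mfa/<name>")
    return {
        "SerialNumber": serial_number,
        "TokenCode": totp_code(secret_b32),
        "DurationSeconds": duration_seconds,
    }


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
    sample_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp_code(sample_secret, at_time=59))  # 287082, the RFC 6238 SHA-1 vector
    print(mfa_session_params("arn:aws:iam::123456789012:mfa/example-user", sample_secret))
```

Because the advanced configuration file holds the device secret rather than a one-time code, anyone who can read the uploaded file can generate valid codes; treat the file with the same care as the access keys it accompanies.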

Remote Roles to Assume

Key/Value Pair

{
  "remote_roles_to_assume": [
    {
      "service": "S3",
      "bucket_name": "<bucket_name>",
      "key_name": "<path_to_key>",
      "region": "<region_name>"
    }
  ]
}

Using the JSON file
The assumed role file will be located at s3://<bucket_name>/<path_to_key>.
This file uses the exact same conventions as the 'Roles to assume' field in the adapter configuration dialog: the roles to assume can be either a comma-separated string of roles or a JSON list of dictionaries.
Note: More than one entry can be specified in the remote_roles_to_assume section of the advanced configuration.
Note: You cannot populate both the advanced configuration AND the 'Roles to assume' field in the adapter configuration dialog.
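As an added example (not Axonius code), the following shows the three rules above in working form: the S3 location that a remote_roles_to_assume entry resolves to, a normalizer that accepts both conventions the file may use (a comma-separated string of role ARNs or a JSON list of dictionaries), and the check that the dialog field and the advanced configuration are not both populated. The dictionary key "role_arn" for list entries and the sample ARNs are assumptions, since the page does not show the dictionary layout of that field.

```python
# Added example, not Axonius code: normalize the two forms the page allows for
# "roles to assume" (a comma-separated string or a JSON list of dictionaries)
# into one list, resolve the S3 location of a remote_roles_to_assume entry, and
# enforce the rule that the advanced file and the dialog field are not both set.
# The "role_arn" dictionary key and the sample ARNs are assumed/constructed.
import json
from typing import Any, Dict, List, Optional


def normalize_roles(value: Any) -> List[Dict[str, str]]:
    """Return a list of {"role_arn": ...} dicts from either supported form."""
    if isinstance(value, str):
        try:
            parsed = json.loads(value)
        except json.JSONDecodeError:
            parsed = None
        if isinstance(parsed, list):
            value = parsed                  # a JSON list serialized as a string
        else:
            value = value.split(",")        # comma-separated role ARNs
    if not isinstance(value, list):
        raise ValueError("roles must be a comma-separated string or a JSON list")
    roles: List[Dict[str, str]] = []
    for item in value:
        if isinstance(item, str):
            if item.strip():                # skip empty pieces such as a trailing comma
                roles.append({"role_arn": item.strip()})
        elif isinstance(item, dict) and item.get("role_arn"):
            roles.append(dict(item))
        else:
            raise ValueError(f"unsupported role entry: {item!r}")
    return roles


def remote_role_uri(entry: Dict[str, str]) -> str:
    """s3://<bucket_name>/<path_to_key> for one remote_roles_to_assume entry."""
    if entry.get("service", "").upper() != "S3":
        raise ValueError("only the S3 service is described for remote roles")
    return f"s3://{entry['bucket_name']}/{entry['key_name'].lstrip('/')}"


def select_roles_source(dialog_roles: Optional[str], advanced: Dict[str, Any]) -> str:
    """Name the source that supplies roles; both populated is a configuration error."""
    remote = advanced.get("remote_roles_to_assume") or []
    dialog_set = bool(dialog_roles and dialog_roles.strip())
    if dialog_set and remote:
        raise ValueError("populate either 'Roles to assume' or remote_roles_to_assume, not both")
    if remote:
        return "advanced_config"
    return "dialog" if dialog_set else "none"


if __name__ == "__main__":
    # Constructed sample entry and sample file contents in both conventions.
    entry = {"service": "S3", "bucket_name": "cfg-bucket",
             "key_name": "axonius/roles.json", "region": "us-east-1"}
    print(remote_role_uri(entry))
    print(normalize_roles("arn:aws:iam::111111111111:role/A, arn:aws:iam::222222222222:role/B"))
    print(normalize_roles('[{"role_arn": "arn:aws:iam::333333333333:role/C"}]'))
```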

Roles for Account Name

Key/Value Pair

{
  "roles_for_account_name": [
    {
      "role_arn": "arn:aws:iam::111111111111:role/Axonius-Adapter"
    },
    {
      "role_arn": "arn:aws:iam::222222222222:role/Axonius-Adapter"
    }
  ],
  "skip_ec2_verification": true
}

Using the JSON file
Adds the 'Account name' to the AWS Organization data that is populated in every AWS device and user.
Each IAM Role in this advanced configuration is used to query an individual AWS Organization. In case there are multiple AWS Organizations, each should be populated as an individual role_arn entry.

Note:
  • It is highly recommended that skip_ec2_verification is set to true, since per AWS Best Practices, only IAM resources should be present in the root organization account and this is the account that we will query to fetch the organization account name.
  • This feature requires the organizations:ListAccounts IAM permission for the roles that will be inherited.

Fetch Roles from Organization

Key/Value Pair

{
  "fetch_roles_from_organization": {
    "organization_role_for_discovery": "arn:aws:iam::111111111111:role/Axonius-Adapter",
    "role_name": "<role_name>",
    "role_path": "",
    "external_id": "",
    "region": "<region_name>",
    "excluded_accounts": ["123456789001", "123456789002", "123456789003"]
  },
  "skip_ec2_verification": true
}

Using the JSON file
This feature allows the user to set a role in the advanced configuration that allows Axonius to discover all member accounts in an AWS Organization. Axonius can then assume roles in each of these member accounts in order to perform asset discovery using a single adapter connection.
The adapter will query the AWS Organization API to find all member accounts.
The role ARN specified in organization_role_for_discovery will be assumed by the IAM user, and Axonius will use this role to call organizations:ListAccounts.

The role specified in role_name will then be assumed by the IAM user in all member accounts.
Note that the role name to assume must be the same in every member account; otherwise Axonius will not have access to that member account.
role_path is optional. region is optional; if it is not supplied, the default value is us-east-1.
Note: It is recommended that skip_ec2_verification is set to true, when the user account configured in the adapter connection has no IAM rights other than sts:AssumeRole. If the user account has no resources in the root account, this must be set in the advanced config. If this is not set, or if the rights to query for EC2 are not granted to the role, the adapter will fail completely.
Note: This feature requires the following IAM permission for the role(s) that will be inherited:

  • organizations:ListAccounts
  • sts:AssumeRole

Fetch only OU Specific accounts (optional)
ou_id_to_fetch_from - This is an optional setting that can be used to fetch only accounts that are hierarchically under the specified OUs (instead of the entire organization). The syntax is
"ou_id_to_fetch_from": ["ou-aaaa-aaaa", "ou-bbbb-bbbb"], where you replace each string with an OU ID. The following permissions are required for the organization role when you use this setting:

  • organizations:ListAccountsForParent
  • organizations:ListChildren

Common Role Name

The role_name is the name of the role that must be present in all member accounts and the role that will be used for the normal device and user discovery by Axonius. This role should have all of the normal permissions for the adapter.

Role Path

If your IAM strategy uses special paths for IAM roles, that path should be entered here. In most AWS deployments, this field will be left empty.
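To make the discovery rules of the fetch_roles_from_organization section concrete, here is an added example (not Axonius code) that computes which member accounts such a section targets and which role ARN would be assumed in each. It covers the whole-organization case (organizations:ListAccounts), the OU-scoped case (organizations:ListAccountsForParent and organizations:ListChildren, walked recursively so nested OUs are included), excluded_accounts, the us-east-1 default region, and how role_path is placed into the member-account role ARN. The Organizations client is a constructed in-memory stand-in shaped like boto3's responses so that the example runs offline; the account IDs, OU IDs and the sample organization tree are constructed.

```python
# Added example, not Axonius code: work out which member accounts a
# fetch_roles_from_organization section targets and which role ARN would be
# assumed in each, using only the calls the page names (ListAccounts, and
# ListAccountsForParent/ListChildren for ou_id_to_fetch_from). The Organizations
# client is a constructed in-memory stand-in shaped like boto3's responses so the
# example runs offline; account IDs and OU IDs are constructed samples.
from typing import Dict, List

DEFAULT_REGION = "us-east-1"  # default the page states when "region" is absent


class FakeOrganizations:
    """Stand-in for boto3's organizations client (returns everything at once; the real one paginates)."""

    def __init__(self, tree: Dict[str, dict]):
        # tree: parent id -> {"accounts": [account ids], "ous": [child OU ids]}
        self.tree = tree

    def list_accounts(self) -> dict:
        ids = [a for node in self.tree.values() for a in node["accounts"]]
        return {"Accounts": [{"Id": a, "Status": "ACTIVE"} for a in ids]}

    def list_accounts_for_parent(self, ParentId: str) -> dict:
        ids = self.tree.get(ParentId, {"accounts": []})["accounts"]
        return {"Accounts": [{"Id": a, "Status": "ACTIVE"} for a in ids]}

    def list_children(self, ParentId: str, ChildType: str) -> dict:
        ous = self.tree.get(ParentId, {"ous": []})["ous"] if ChildType == "ORGANIZATIONAL_UNIT" else []
        return {"Children": [{"Id": o, "Type": ChildType} for o in ous]}


def member_role_arn(account_id: str, role_name: str, role_path: str = "") -> str:
    """arn:aws:iam::<account>:role/<path>/<name>; an empty path is the common case."""
    path = role_path.strip("/")
    return f"arn:aws:iam::{account_id}:role/{path + '/' if path else ''}{role_name}"


def accounts_under_ou(org, ou_id: str) -> List[str]:
    """Accounts hierarchically under an OU: its direct accounts plus those of every nested OU."""
    found = [a["Id"] for a in org.list_accounts_for_parent(ParentId=ou_id)["Accounts"]]
    for child in org.list_children(ParentId=ou_id, ChildType="ORGANIZATIONAL_UNIT")["Children"]:
        found.extend(accounts_under_ou(org, child["Id"]))
    return found


def resolve_member_roles(config: dict, org) -> Dict[str, dict]:
    """Map each targeted account id to the role ARN and region the adapter would use."""
    section = config["fetch_roles_from_organization"]
    if section.get("ou_id_to_fetch_from"):
        ids: List[str] = []
        for ou in section["ou_id_to_fetch_from"]:
            ids.extend(accounts_under_ou(org, ou))
    else:
        ids = [a["Id"] for a in org.list_accounts()["Accounts"]]
    excluded = set(section.get("excluded_accounts", []))
    region = section.get("region") or DEFAULT_REGION
    targets: Dict[str, dict] = {}
    for account_id in dict.fromkeys(ids):          # de-duplicate, keep discovery order
        if account_id in excluded:
            continue
        targets[account_id] = {
            "role_arn": member_role_arn(account_id, section["role_name"], section.get("role_path", "")),
            "region": region,
            "external_id": section.get("external_id") or None,
        }
    return targets


# Constructed sample organization: a root with two accounts and one OU, which holds
# an account and a nested OU; the excluded account sits inside the nested OU.
SAMPLE_ORG = FakeOrganizations({
    "r-root": {"accounts": ["111111111111", "222222222222"], "ous": ["ou-aaaa-aaaa"]},
    "ou-aaaa-aaaa": {"accounts": ["333333333333"], "ous": ["ou-bbbb-bbbb"]},
    "ou-bbbb-bbbb": {"accounts": ["444444444444", "123456789001"], "ous": []},
})

SAMPLE_CONFIG = {
    "fetch_roles_from_organization": {
        "organization_role_for_discovery": "arn:aws:iam::111111111111:role/Axonius-Adapter",
        "role_name": "Axonius-Adapter",
        "role_path": "",
        "external_id": "",
        "region": "",
        "excluded_accounts": ["123456789001"],
    },
    "skip_ec2_verification": True,
}

if __name__ == "__main__":
    for account, info in resolve_member_roles(SAMPLE_CONFIG, SAMPLE_ORG).items():
        print(account, info["role_arn"], info["region"])
```

The same role name must resolve in every account returned here; an account where the ARN does not exist is exactly the case the note above describes, and excluded_accounts is the only way to leave such an account out without failing on it.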

Tag Allow/Block List for Fetching Devices

Key/Value Pair

{
  "tags_to_match": {
    "tags": [
      {
        "Key": "First Key",
        "Value": "First Value"
      },
      {
        "Key": "Second Key",
        "Value": "Second Value"
      }
    ],
    "include_device": true
  }
}

Using the JSON file

Use this configuration to set an allow list or a block list of AWS tags. Add a list of tags to an adapter connection, and Axonius will either fetch ONLY devices that have these tags, or NOT fetch devices that have these tags.
Set the parameters as follows:

  • tags_to_match - the name of the advanced configuration file section for this feature.
  • tags - a list of dictionaries that define a dictionary key and a dictionary value to search for.
  • Set include_device to true to include only those EC2 devices that match one or more tags from the tags section. Set to false to remove EC2 devices that match one or more of the tags from the tags section.
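The following added example (not Axonius code) applies a tags_to_match section to a handful of EC2 instance records the way the list above describes: with include_device set to true only instances carrying at least one of the listed Key/Value pairs are kept, with false those instances are dropped, and with no section at all everything is fetched. It also loads the file with a strict JSON parser, which is what rejects a trailing comma after the last tag entry. The instance records are constructed samples shaped like EC2 DescribeInstances output; treating a missing include_device as an error is this example's choice, not a behaviour the page states.

```python
# Added example, not Axonius code: apply a tags_to_match section to EC2
# instances as the page describes (include_device true keeps only devices that
# carry at least one listed tag; false drops them), after loading the file with
# a strict parser that rejects the trailing-comma mistake. Instance records are
# constructed samples shaped like DescribeInstances output.
import json
from typing import Dict, List, Set, Tuple

# Constructed sample advanced configuration file.
ADVANCED_CONFIG_TEXT = """
{
  "tags_to_match": {
    "tags": [
      {"Key": "Environment", "Value": "prod"},
      {"Key": "Owner", "Value": "security"}
    ],
    "include_device": true
  }
}
"""

# Constructed sample instances; i-0ddd carries no tags at all.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Environment", "Value": "dev"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Owner", "Value": "security"},
                                      {"Key": "Environment", "Value": "dev"}]},
    {"InstanceId": "i-0ddd"},
]


def load_advanced_config(text: str) -> dict:
    """Parse the uploaded file: {} is valid, a trailing comma raises JSONDecodeError."""
    config = json.loads(text)
    if not isinstance(config, dict):
        raise ValueError("advanced configuration must be a JSON object")
    return config


def tag_pairs(instance: dict) -> Set[Tuple[str, str]]:
    """(Key, Value) pairs on an instance; untagged instances yield an empty set."""
    return {(t["Key"], t["Value"]) for t in instance.get("Tags", [])}


def matches_any(instance: dict, wanted: List[Dict[str, str]]) -> bool:
    """True when the instance carries at least one listed pair (exact, case-sensitive match)."""
    wanted_pairs = {(t["Key"], t["Value"]) for t in wanted}
    return bool(tag_pairs(instance) & wanted_pairs)


def filter_devices(config: dict, instances: List[dict]) -> List[str]:
    """Instance ids the adapter would fetch under this file's tags_to_match section."""
    section = config.get("tags_to_match")
    if not section:
        return [i["InstanceId"] for i in instances]      # no section: fetch everything
    if "include_device" not in section:
        raise ValueError("tags_to_match needs include_device (example's choice)")
    include = bool(section["include_device"])
    # include=True keeps matching instances; include=False keeps the non-matching ones.
    return [i["InstanceId"] for i in instances if matches_any(i, section["tags"]) == include]


if __name__ == "__main__":
    config = load_advanced_config(ADVANCED_CONFIG_TEXT)
    print("allow list:", filter_devices(config, SAMPLE_INSTANCES))
    config["tags_to_match"]["include_device"] = False
    print("block list:", filter_devices(config, SAMPLE_INSTANCES))
```

Matching is per Key/Value pair, so an instance whose "Environment" tag has a different value does not match that entry; a block list therefore only removes instances whose tags are exactly listed, and untagged instances are never matched by either mode.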
