Connecting the AWS Adapter Using an IAM User
  • 30 Apr 2024

Creating an IAM User

  1. Open your AWS Dashboard and go to the IAM service.


  2. Go to the Policies tab and click Create policy. You need to create a policy that grants read-only access to specific AWS resources.


  3. Click JSON and paste the following policy document, which grants Axonius read-only (Describe, Get and List) access to the services listed in it, including EC2, ECS, EKS, IAM, SSM, RDS, S3, WorkSpaces and Lambda. Resource is "*" because many of these Describe and List actions do not support resource-level permissions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribePolicies",
                "autoscaling:DescribeAutoScalingInstances",
                "apigateway:GET",
                "appstream:DescribeFleets",
                "appstream:DescribeStacks",
                "appstream:DescribeUserStackAssociations",
                "appstream:DescribeUsers",
                "appstream:ListAssociatedFleets",
                "backup:ListBackupPlans",
                "backup:ListBackupVaults",
                "cloudfront:GetDistribution",
                "cloudfront:ListDistributions",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeGlobalTableSettings",
                "dynamodb:DescribeTable",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListTables",
                "ec2:DescribeAddresses",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ecr-public:DescribeImages",
                "ecr-public:DescribeRegistries",
                "ecr-public:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr:DescribeRegistry",
                "ecr:DescribeRepositories",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeServices",
                "ecs:DescribeTasks",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListServices",
                "ecs:ListTagsForResource",
                "ecs:ListTasks",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "es:DescribeElasticsearchDomain",
                "es:ListDomainNames",
                "fsx:DescribeFileSystems",
                "guardduty:GetDetector",
                "guardduty:GetFilter",
                "guardduty:GetFindings",
                "guardduty:GetMembers",
                "guardduty:ListDetectors",
                "guardduty:ListFilters",
                "guardduty:ListFindings",
                "guardduty:ListMembers",
                "iam:GenerateCredentialReport",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:GetAccessKeyLastUsed",
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:GetCredentialReport",
                "iam:GetLoginProfile",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetServiceLastAccessedDetails",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAccountAliases",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroups",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfilesForRole",
                "iam:ListMFADevices",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListUserTags",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "inspector2:ListFindings",
                "inspector2:ListMembers",
                "inspector:ListMembers",
                "inspector:DescribeFindings",
                "inspector:ListFindings",
                "lambda:GetFunctionUrlConfig",
                "lambda:GetPolicy",
                "lambda:ListFunctions",
                "lambda:ListTags",
                "macie2:GetFindings",
                "macie2:ListFindings",
                "macie2:ListMembers",
                "organizations:DescribeAccount",
                "organizations:DescribeEffectivePolicy",
                "organizations:DescribeOrganization",
                "organizations:DescribePolicy",
                "organizations:ListAccounts",
                "organizations:ListPoliciesForTarget",
                "organizations:ListTagsForResource",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeOptionGroups",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketTagging",
                "s3:GetEncryptionConfiguration",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:ListSecrets",
                "securityhub:DescribeHub",
                "securityhub:GetFindings",
                "securityhub:ListMembers",
                "securityhub:ListTagsForResource",
                "sns:ListSubscriptionsByTopic",
                "ssm:DescribeAvailablePatches",
                "ssm:DescribeInstanceInformation",
                "ssm:DescribeInstancePatches",
                "ssm:DescribePatchGroups",
                "ssm:GetInventorySchema",
                "ssm:ListInventoryEntries",
                "ssm:ListResourceComplianceSummaries",
                "ssm:ListTagsForResource",
                "waf-regional:GetWebACL",
                "waf-regional:GetWebACLForResource",
                "waf-regional:ListWebACLs",
                "waf:GetWebACL",
                "waf:ListWebACLs",
                "wafv2:GetWebACL",
                "wafv2:GetWebACLForResource",
                "wafv2:ListWebACLs",
                "workspaces:DescribeTags",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaces",
                "workspaces:DescribeWorkspacesConnectionStatus"
            ],
            "Resource": "*"
        }
    ]
}
Note: When using Cloud Asset Compliance, the AWS policy needs additional permissions.

  4. Click Review policy and fill in the details. Then click Create policy.

  5. Select Users > Add User > Programmatic access to allow Axonius to use the AWS API, and proceed to the Permissions dialog.


  6. In the Permissions dialog, click Attach existing policies directly, then attach the policy you just created.


  7. Click Create User. The Access Key ID and Secret Access Key are displayed. Save both in a secure location for the adapter configuration; the Secret Access Key is shown only once and cannot be retrieved later.


  8. At this point, you can enter the access key pair in the AWS adapter configuration in Axonius. Fill in all required fields and click Save. The AWS adapter is configured.

  9. If you want to use AWS EKS or AWS roles, the configuration requires additional steps. Proceed to the following sections to add permissions to your IAM user.
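The policy above is described as read-only, and that claim is worth checking mechanically before the document is attached, since a single write or wildcard action buried in a 170-line list is easy to miss in review. The Python script below is an added example, not part of the Axonius article or product: it loads a policy document, walks every Allow statement, and reports each action whose verb is not Describe, Get or List (plus API Gateway's HTTP-style GET and the two IAM Generate* report calls that appear in the page's policy), as well as any wildcard action or NotAction. The set of verb prefixes treated as read-only, and both sample policies (an excerpt of the page's policy and a tampered copy), are assumptions constructed for this example.

```python
"""Audit an IAM policy document for actions that are not read-only.

Added example, not part of the Axonius article or product. Run it against the
policy JSON before attaching the policy to the Axonius IAM user.
"""
import json
import re

# Verbs AWS classifies as List or Read for the services in the page's policy.
# "GET" is API Gateway's HTTP-verb style action; "Generate" covers
# iam:GenerateCredentialReport and iam:GenerateServiceLastAccessedDetails,
# which only produce reports. This prefix set is an assumption for the example.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "GET", "Generate")

# service:Verb, e.g. "ecr-public:DescribeImages" or "inspector2:ListFindings".
ACTION_RE = re.compile(r"^[a-z0-9-]+:([A-Za-z0-9]+)$")


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_read_only_policy(policy_json):
    """Return the offending actions plus a few summary fields for the policy."""
    policy = json.loads(policy_json)
    violations = []
    allowed_actions = 0
    resource_wildcard = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            violations.append("NotAction: grants every action not listed")
        # Resource "*" is expected for this policy: most Describe/List APIs do
        # not support resource-level permissions, so it is reported, not flagged.
        if "*" in _as_list(stmt.get("Resource")):
            resource_wildcard = True
        for action in _as_list(stmt.get("Action")):
            allowed_actions += 1
            if "*" in action:
                violations.append(f"wildcard action: {action}")
                continue
            match = ACTION_RE.match(action)
            if match is None:
                violations.append(f"unparseable action: {action}")
            elif not match.group(1).startswith(READ_ONLY_PREFIXES):
                violations.append(f"non read-only action: {action}")
    return {
        "read_only": not violations,
        "allowed_actions": allowed_actions,
        "resource_wildcard": resource_wildcard,
        "violations": violations,
    }


# Constructed excerpt of the page's policy, used as sample input.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "apigateway:GET",
            "ec2:DescribeInstances",
            "iam:GenerateCredentialReport",
            "s3:ListAllMyBuckets",
            "ssm:DescribeInstanceInformation",
        ],
        "Resource": "*",
    }],
})

# Constructed tampered variant: a destructive action and a wildcard slipped in.
TAMPERED_POLICY = SAMPLE_POLICY.replace(
    '"s3:ListAllMyBuckets"',
    '"s3:ListAllMyBuckets", "s3:*", "ec2:TerminateInstances"',
)

if __name__ == "__main__":
    for name, doc in (("page excerpt", SAMPLE_POLICY), ("tampered", TAMPERED_POLICY)):
        print(name, json.dumps(audit_read_only_policy(doc), indent=2))
```

The full policy from the page passes this check: every action in it starts with one of the listed prefixes. Resource "*" is reported rather than flagged because the Describe and List calls the adapter needs mostly cannot be scoped to individual resources; the verb check is what actually enforces "read-only" here.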

Policies for Inspector, GuardDuty, Macie, and SecurityHub

Enable Axonius to fetch information from Inspector, GuardDuty, Macie, and SecurityHub by assigning policies.

To assign policies

  1. In AWS, select Identity and Access Management (IAM).
  2. Select Policies and create a new policy.
  3. Select the service you want to enable, for example Inspector, GuardDuty, Macie or Security Hub.
  4. Under Access level, select all List and Read permissions.
  5. Select Add additional permissions and repeat the previous two steps for each of the other services.
  6. Enter a name and description for the new policy, create it, and attach it to the Axonius IAM user as in the previous section.

EKS Configuration

When an Amazon EKS cluster is created, the IAM entity (user or role) that created the cluster is added to the cluster's RBAC configuration as its administrator. Initially, only that IAM entity can make calls to the Kubernetes API server with kubectl. To give the Axonius IAM user read-only access, you therefore need to map it to a read-only group in the cluster's aws-auth ConfigMap.

First, get the ARN of the user you just created: in the IAM service, click Users, select the new user and copy its User ARN.

  1. Use kubectl, the Kubernetes command-line interface, to add a read-only group and map the AWS user to it. Repeat the following steps for each cluster you want Axonius to connect to.

    As a logged-in cluster admin, create a ClusterRole that may list pods and a ClusterRoleBinding that binds it to the group axonius-readonly:

kubectl create clusterrole axonius-view-role --verb=list --resource=pods
kubectl create clusterrolebinding axonius-view-cbr --clusterrole=axonius-view-role --group=axonius-readonly
  2. Edit the cluster's aws-auth ConfigMap and add a new user mapping. If there is no mapUsers block yet, create it.
    Open the ConfigMap in your editor:
kubectl edit -n kube-system configmap/aws-auth

Then append the following user mapping, replacing the userarn value with the ARN you copied earlier (the account ID below is a 12-digit placeholder; indentation matters in YAML):

mapUsers: |
  - userarn: arn:aws:iam::111111111111:user/Axonius-Readonly
    username: axonius-readonly
    groups:
      - axonius-readonly

The mapUsers block sits under data: in the ConfigMap, next to the mapRoles block that EKS created for the worker-node role; the first part of a basic aws-auth ConfigMap should then look like the example above.

  3. Save the file.
  4. You should see a message indicating that your edit was successful.

Your IAM account can now authenticate against the Kubernetes cluster.

AWS Roles Configuration

The AWS adapter supports IAM roles alongside the IAM user for cross-account access: the adapter can assume specified roles to fetch devices from other AWS accounts. To set this up, create a role in each additional AWS account and allow the IAM user configured in the adapter to assume it. In each of your additional accounts:

  1. Go to IAM and create the same read-only policy you created in steps 1-4 of the first section.
  2. Go to IAM > Roles and create a new role. Choose "Another AWS Account". Fill in your primary account ID (the one in which the primary IAM user resides) and leave the other two options unchecked. If you intend to configure an external_id for this role in the adapter (see the JSON role-list format at the end of this section), require an external ID here instead and use the same value.


  3. Click "Next" and select the read-only policy.


  4. Click "Next" and fill in the details to create the role.


  5. Select the role you just created, change the maximum session duration to 4 hours, and click "Save changes".


  6. Go to "Trust relationships" and click "Edit trust relationship". Edit the trust policy so that only your specific IAM user can assume the role: change the 'AWS' value under Principal from the account ID to the ARN of the IAM user you created at the beginning of this guide. If you do not know it, log in to your primary account, go to IAM > Users and click the IAM user to see its ARN.


  7. Save the policy and keep the role ARN.

  8. Do this for every additional account you want the AWS adapter to connect to. When you are done, go back to your main account (the one with the IAM user you created). Go to IAM > Policies to create a policy that allows your IAM user to assume the roles you created: click "Create Policy" and switch to the JSON tab.

  9. Paste the following JSON policy and replace the Resource entries with your own role ARNs. In this example there are two roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::111111111111:role/Axonius-Readonly-Role",
                "arn:aws:iam::222222222222:role/AxoniusDevRole"
            ]
        }
    ]
}
  10. Click Next and give this policy a name, then create it.


  11. Navigate to IAM > Users, select the user you created for Axonius and click Add permissions. Attach the policy you just created so that this user can assume the roles.


  12. At this stage Axonius can assume the roles you created. To do so, create a file that contains all the role ARNs and use it in the Adapter Settings screen. Two formats are available:
    • A comma-delimited list of role ARNs:
    arn:aws:iam::111111111111:role/AxoniusDevRole, arn:aws:iam::222222222222:role/Axonius-Readonly-Role

    • A JSON list of dictionaries, one per role:
      • external_id is only supported in the JSON format.
      • The external_id can be different for every role in the list.
    [
        {"arn": "arn:aws:iam::111111111111:role/AxoniusDevRole"},
        {"arn": "arn:aws:iam::222222222222:role/Axonius-Readonly-Role", "external_id": "MY-SECRET"}
    ]

Make sure to replace the account IDs in these examples (111111111111 and 222222222222) with your own.
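The pieces of this section (the trust policy on each target role, the sts:AssumeRole policy on the primary user, and the role list handed to the adapter) have to agree with each other exactly, which is where cross-account setups usually break. The Python below is an added example, not part of the Axonius article or product: it accepts the role list in either format the adapter accepts, validates each role ARN, and generates the AssumeRole policy for the primary IAM user together with a trust policy for each target role that names only that user as principal. Where an entry carries an external_id, the trust policy gets a matching sts:ExternalId condition, which is the standard AWS mechanism behind an external ID and goes beyond what the page spells out; the user ARN, the Sid and the function names are assumptions for this example.

```python
"""Generate the cross-account policy documents for the AWS adapter's role list.

Added example, not part of the Axonius article or product.
"""
import json
import re

# IAM role ARN: partition, 12-digit account ID, role name (path allowed).
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::(\d{12}):role/[\w+=,.@/-]+$")


def parse_role_list(text):
    """Normalise either adapter format to a list of {"arn", "external_id"} dicts.

    The comma-delimited format cannot carry an external_id, so those entries
    get external_id=None. Any entry that is not an IAM role ARN is rejected.
    """
    text = text.strip()
    if text.startswith("["):
        roles = [{"arn": e["arn"], "external_id": e.get("external_id")}
                 for e in json.loads(text)]
    else:
        roles = [{"arn": part.strip(), "external_id": None}
                 for part in text.split(",") if part.strip()]
    for role in roles:
        if not ROLE_ARN_RE.match(role["arn"]):
            raise ValueError(f"not an IAM role ARN: {role['arn']!r}")
    return roles


def assume_role_policy(roles):
    """Identity policy for the primary IAM user: AssumeRole on exactly these roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AxoniusAssumeRoles",  # assumed name
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [r["arn"] for r in roles],
        }],
    }


def trust_policy(role, user_arn):
    """Trust policy for one target role: only user_arn may assume it, and when
    the adapter is configured to send an external_id the role requires it."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": user_arn},
        "Action": "sts:AssumeRole",
    }
    if role["external_id"]:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": role["external_id"]}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def account_ids(roles):
    """Target accounts that each need the read-only policy from step 1."""
    return sorted({ROLE_ARN_RE.match(r["arn"]).group(1) for r in roles})


# Constructed sample input in the page's JSON format; the user ARN is an
# assumed placeholder for the Axonius IAM user in the primary account.
SAMPLE_ROLE_LIST = """[
    {"arn": "arn:aws:iam::111111111111:role/AxoniusDevRole"},
    {"arn": "arn:aws:iam::222222222222:role/Axonius-Readonly-Role", "external_id": "MY-SECRET"}
]"""
SAMPLE_USER_ARN = "arn:aws:iam::333333333333:user/Axonius-Readonly"

if __name__ == "__main__":
    roles = parse_role_list(SAMPLE_ROLE_LIST)
    print("accounts needing the read-only policy:", account_ids(roles))
    print(json.dumps(assume_role_policy(roles), indent=2))
    for role in roles:
        print(json.dumps(trust_policy(role, SAMPLE_USER_ARN), indent=2))
```

Compare the generated trust policy with what is in the console after step 6: the Principal must be the user ARN rather than the bare account ID, and if the adapter sends an external_id for a role, the role's trust policy must carry the same value under sts:ExternalId or the AssumeRole call is denied.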


Troubleshooting:

If assets from specific regions are missing when using assume role, check that the target region is enabled in both the source account (where the IAM user resides) and the target role account. If it is not enabled in both, assuming the role fails for that region.