# AWS

ASM supports AWS integrations that expand several of its capabilities. With the integration enabled, ASM can identify a range of exposures and cloud security vulnerabilities, including:

  • Public domain and IP address exposures across multiple AWS services
  • S3 buckets with excessively permissive Access Control Lists (ACLs)
  • S3 buckets with excessively permissive policies

These and future AWS-focused ASM capabilities can be enabled by following the integration steps below.

# IAM Role

ASM integrates with AWS using the AssumeRole API. To enable this, you must create an IAM role in your account that grants NetSPI's ASM AWS account permission to assume that role.

# Role Creation

  1. Log in to your AWS console and navigate to the IAM page
  2. Navigate to Access Management > Roles
  3. Click "Create Role"
  4. Select "AWS Account" underneath "Trusted Entity Type"
  5. Select "Another AWS Account" and provide the ID 308612476554
  6. Select "Require External ID" and provide a secure, randomly generated password.
    • Save this value, as you will need to provide it when adding the account in ASM
    • AWS requires the ExternalId to match the regular expression `[\w+=,.@:\/-]*`
  7. Select "Next" to advance to the Add Permissions page.
  8. Open a new tab in IAM and go to the "Policies" page. Select "Create Policy".
  9. In the newly opened browser window, paste the following JSON template. Note that some of the permissions in this template reflect resources ASM plans to track in the future and may not yet be used by ASM.
    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAddresses",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpcEndpointServices",
                    "appsync:ListDomainNames",
                    "appsync:ListGraphqlApis",
                    "cloudfront:ListDistributions",
                    "eks:ListClusters",
                    "elasticbeanstalk:DescribeEnvironments",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "es:ListDomainNames",
                    "kafka:DescribeCluster",
                    "kafka:ListClusters",
                    "lightsail:GetInstances",
                    "lightsail:GetLoadBalancers",
                    "rds:DescribeDBClusterEndpoints",
                    "rds:DescribeDBClusters",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBProxies",
                    "rds:DescribeDBProxyEndpoints",
                    "redshift:DescribeClusters",
                    "route53:ListHostedZones",
                    "route53:ListResourceRecordSets",
                    "route53:ListTagsForResource",
                    "route53domains:ListDomains",
                    "route53domains:GetDomainDetail",
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketPolicy",
                    "s3:GetBucketAcl"
                ],
                "Resource": "*"
            }
        ]
    }
    ```
  10. Select "Next", then provide a name for the policy. Select "Create Policy".
  11. Return to the role creation window, refresh the list of policies, and select the checkbox for the newly created policy. Select "Next".
  12. Enter a name for the role, then review the Trusted Entities section. The trust policy should look like:
    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                    "AWS": "arn:aws:iam::308612476554:root"
                },
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "[RANDOM_PASSWORD]"
                    }
                }
            }
        ]
    }
    ```
  13. Ensure that the newly created policy appears in the permissions section, then select "Create Role". Note the role ARN.
  14. Log into ASM, navigate to Assets > Cloud Accounts and click the + sign in the top right. From there, provide a logical name for the account, as well as the ARN of the IAM role that you set up, and the sts:ExternalId you provided.

If you require more granular AssumeRole permissions, the trust policy Principal can be narrowed from the NetSPI account root to the specific NetSPI roles that perform the scanning:

```json
"AWS": [
  "arn:aws:iam::308612476554:role/prod01-cloud-lambda",
  "arn:aws:iam::308612476554:role/prod01-ecsTask"
]
```
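As an added example (not NetSPI's own tooling), the following Python check validates a trust policy of the shape shown above before you apply it: it confirms that only the NetSPI account (root or one of its roles) is trusted, that the sts:ExternalId condition is present, is not the placeholder, and satisfies the AWS character rule, and it flags any action in the permissions policy that is not a Describe/List/Get call. The sample ExternalId and the 16-character minimum are assumptions made for this example.

```python
import re

# The account ID and ExternalId character rule come from the steps above; the
# rest is added example code, not NetSPI's or AWS's own tooling.
NETSPI_ACCOUNT = "308612476554"
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*")    # AWS ExternalId character rule
MIN_EXTERNAL_ID_LEN = 16   # assumed local threshold, not an AWS requirement
READ_ONLY_PREFIXES = ("Describe", "List", "Get")   # the only verbs in the template

def _as_list(value):
    # IAM accepts a bare string wherever a list of strings is allowed.
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_problems(policy: dict) -> list:
    """Check an AssumeRole trust policy against the shape step 12 describes."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS")):
            # Only the NetSPI account (its root or a role within it) may assume the role.
            if principal == "*" or f":{NETSPI_ACCOUNT}:" not in principal:
                problems.append(f"unexpected principal {principal}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            problems.append("missing sts:ExternalId condition")
        elif ext_id == "[RANDOM_PASSWORD]" or len(ext_id) < MIN_EXTERNAL_ID_LEN:
            problems.append("ExternalId is the placeholder or too short")
        elif not EXTERNAL_ID_RE.fullmatch(ext_id):
            problems.append("ExternalId contains characters AWS rejects")
    return problems

def non_read_only_actions(policy: dict) -> list:
    """Return allowed actions that are not Describe/List/Get, e.g. a stray wildcard."""
    return [action
            for stmt in policy.get("Statement", []) if stmt.get("Effect") == "Allow"
            for action in _as_list(stmt.get("Action"))
            if not action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]

# Constructed samples: the trust policy from step 12 with a sample ExternalId,
# and a permissions excerpt with one write action added to show detection.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{NETSPI_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "c0nstructed.Example=ExternalId-01"}}}]}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketAcl", "route53:ListHostedZones", "s3:PutObject"]}]}
```

Run `trust_policy_problems(TRUST_POLICY)` and `non_read_only_actions(PERMISSIONS_POLICY)` against the JSON you are about to paste; an empty list from the first and an empty list from the second means the role matches the shape this page describes.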