AWS

Steps to Generate Credentials for AWS

  1. Log in to the AWS Management Console
  2. Click Users under Access Management in the left panel
  3. Click Create User at the top
    1. Fill in the User name as you like
    2. In Set permissions, choose Attach policies directly
    3. Search for SecurityAudit in the search bar and tick SecurityAudit below
    4. Click Next, confirm all the settings, then click Create user to continue
  4. On the Users page, click the user name of the new user to open the user detail page
    1. Click Security Credentials
    2. Scroll down to Access Key and click Create Access Key
    3. Tick Third Party Service
    4. Go to Step 3 and click Download .csv File to download the Access Key Id and Secret Access Key

Existing Functionalities

Info: Go to the API Reference to see the list of APIs.

  1. List EC2 regions
    1. List all regions GET /api/v1/aws/ec2/regions
    2. List all enabled regions GET /api/v1/aws/ec2/regions/enabled
  2. List EC2 data for a specific region GET /api/v1/aws/ec2 (Note: current handler is listEC2Handler)
    1. Returned information includes
      1. information about EC2 instances, security groups, and key pairs
      2. list of subnets using the provided AWS session
      3. list of VPCs using the provided AWS session
      4. list of EBS volumes using the provided AWS session.
  3. List common data for all regions GET /api/v1/aws/ec2/all (Note: current handler is listAllEC2Handler)
    1. Returned information includes
      1. information about EC2 instances, security groups, and key pairs
      2. list of subnets using the provided AWS session
      3. list of VPCs using the provided AWS session
      4. list of EBS volumes using the provided AWS session
  4. List S3 buckets for a specific region GET /api/v1/aws/s3
  5. List EBS volumes for a specific region GET /api/v1/aws/ebs
  6. List IAM information
    1. List all IAM information for a specific region GET /api/v1/aws/iam
    2. List IAM users for a specific region GET /api/v1/aws/iam/users
    3. List IAM roles for a specific region GET /api/v1/aws/iam/roles
    4. List IAM policies for a specific region GET /api/v1/aws/iam/policies
    5. List IAM groups for a specific region GET /api/v1/aws/iam/groups
  7. List KMS information
    1. List KMS keys for a specific region GET /api/v1/aws/kms/keys
    2. List KMS keys for all regions GET /api/v1/aws/kms/keys/all
  8. List all AWS information
    1. List all AWS information for all regions GET /api/v1/aws
  9. List K8s information
    1. List all K8s information for all regions GET /api/v1/aws/k8s

AWS Account Required Permissions

Read permission on the following resources:

  • Amazon EC2
  • AWS Identity and Access Management
  • Amazon S3
  • Amazon EC2 Instance Connect
  • Amazon Elastic Kubernetes Service
  • AWS Key Management Service

AWS provides predefined (managed) policies that grant these permissions, and you can attach them directly. They usually follow the naming convention [ServiceName]ReadOnlyAccess.

More Specific Information

Warning: Work in Progress

  Service               | Required Permissions
  To create access keys | iam:UpdateAccessKey, iam:CreateAccessKey, iam:ListAccessKeys
  To collect logs       | logs:GetLogEvents

References

Vulnerability Scan Permission

The following policy is required:

  • EC2InstanceConnect

In addition to EC2InstanceConnect, the following permissions are required:

  • ec2:CreateSecurityGroup
  • ec2:CreateTags
  • ec2:DeleteSecurityGroup
  • ec2:ModifyNetworkInterfaceAttribute
  • ec2:ModifySecurityGroupRules

The following policy JSON can be used:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:DeleteSecurityGroup",
          "ec2:ModifyNetworkInterfaceAttribute",
          "ec2:ModifySecurityGroupRules"
        ],
        "Resource": "*"
      }
    ]
  }
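Before attaching the policy above, it is worth checking that it grants exactly the actions the scan needs and nothing broader. The following script is an added example (not the project's own code) that compares a policy document against the required-action list from this page, honouring IAM wildcards and Deny statements, and flags statements scoped to Resource "*"; the required-action set and the embedded policy are taken from this page.

```python
import fnmatch
import json

# Actions this page lists as required for the vulnerability-scan feature.
REQUIRED_SCAN_ACTIONS = {
    "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:DeleteSecurityGroup",
    "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySecurityGroupRules",
}

# The policy document from this page, embedded so the check runs offline.
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
  "Action": ["ec2:CreateSecurityGroup", "ec2:CreateTags",
             "ec2:DeleteSecurityGroup", "ec2:ModifyNetworkInterfaceAttribute",
             "ec2:ModifySecurityGroupRules"]}]}""")

def _as_list(value):
    # IAM accepts a string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def review_policy(policy, required):
    # missing: required actions no Allow grants (or a Deny blocks);
    # extra: allowed entries outside the required set (wildcards such as
    # "ec2:*" are always reported); wildcard_resource: Sids with Resource "*".
    allowed, denied, wildcard_sids = set(), set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Deny":
            denied |= actions
            continue
        allowed |= actions
        if "*" in _as_list(stmt.get("Resource", [])):
            wildcard_sids.append(stmt.get("Sid", "<no Sid>"))

    def granted(action):
        return (any(_matches(a, action) for a in allowed)
                and not any(_matches(d, action) for d in denied))

    required_lower = {r.lower() for r in required}
    return {
        "missing": sorted(a for a in required if not granted(a)),
        "extra": sorted(a for a in allowed
                        if "*" in a or a.lower() not in required_lower),
        "wildcard_resource": wildcard_sids,
    }
```

Running `review_policy(PAGE_POLICY, REQUIRED_SCAN_ACTIONS)` reports no missing or extra actions but lists VisualEditor0 under wildcard_resource, since the page's policy is not scoped to specific security groups or network interfaces.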