
AWS Overview & Support

After InsightCloudSec is successfully installed, you’re ready to enable visibility into your target AWS Organization(s) and/or cloud account(s). This documentation details configuring your Amazon Web Services (AWS) environment to “talk” with InsightCloudSec securely.

Frequently Asked Questions (FAQ)

The following frequently asked questions and answers should help you understand AWS in InsightCloudSec.

What does InsightCloudSec support from AWS?

Because AWS is one of the leading public cloud service providers, InsightCloudSec provides broad support for Amazon Web Services (AWS). Review the full list of AWS-specific supported services in the AWS Commercial Support Reference section.

How do I start seeing my AWS environments in InsightCloudSec?

InsightCloudSec relies on a process called “harvesting” to pull data from various CSPs. Review Onboard an AWS Cloud Account or Onboard an AWS Organization for details.

What do I do after my environments are being harvested?

After at least one AWS account is harvested by InsightCloudSec, you’re free to configure additional AWS services as necessary to enhance, optimize, or further secure your experience. Review AWS Additional Configuration for more information. The items in this section were written in the AWS Commercial context.

How can I optimize harvesting?

InsightCloudSec harvesting is the term we use to describe the process of data collection from a selected cloud service provider (CSP) within InsightCloudSec. Check out our Harvesting Overview documentation to understand the basics and refer to Harvesting Strategies for details on specific strategies.

In addition, for AWS, InsightCloudSec offers Event-Driven Harvesting, which requires additional configuration but optimizes harvesting by only pulling in new data when certain AWS CloudWatch Events occur. Review our AWS Event-Driven Harvesting documentation for more information.

Manage AWS Cloud Accounts

After initial configuration of the account in AWS, you can add the account to InsightCloudSec. In InsightCloudSec, you onboard a cloud account or organization using the onboarding wizard. Review Onboard an AWS Cloud Account or Onboard an AWS Organization for details.

Once an account is successfully being harvested by InsightCloudSec, it can be modified or deleted as necessary.

AWS Commercial Support Reference

Supported Services

Included in this section are all of the AWS services (and their components) supported by InsightCloudSec. If you have questions related to AWS or specific services and their support, contact us through the Customer Support Portal. If you’re interested in the AWS China or GovCloud support for InsightCloudSec, review the China Cloud Support Reference or Government Cloud Support Reference for details instead.

AWS Supported Services & Regions

In general, AWS services included in this section are supported for all regions in which they are available. In some scenarios, some services may not be available in certain regions (or for AWS GovCloud/China in general). This is typically the result of restrictions related to the region itself or otherwise imposed by AWS to comply with regional policies. We recommend that you refer to the AWS documentation on those specific regions for official details. InsightCloudSec now recognizes the EC2 Serial Console as part of general EC2 service support.

  • Amazon API Gateway (Domain, Key, Stage, Usage Plans)
  • Amazon Bedrock (Agent, Model, Training job)
  • Amazon Connect
  • Amazon DocumentDB (Elastic)
  • Amazon Kendra (Index)
  • Amazon Keyspaces
  • Amazon Lookout for Equipment
  • Amazon Lookout for Metrics
  • Amazon Lookout for Vision
  • Amazon Macie
  • Amazon MemoryDB for Redis
  • Amazon MQ
  • Amazon OpenSearch Serverless
  • Amazon QuickSight
  • Amazon SageMaker (Notebook, Training job)
  • Amazon Simple Email Service (Configuration sets, Rules)
  • Amazon Redshift (Serverless Namespace, Serverless Workgroup, Snapshot)
  • Amazon Timestream
  • Amazon Transcription
  • AppStream 2.0
  • Athena (Workgroup)
  • AWS App Runner
  • AWS AppSync
  • AWS Auto Scaling (Group, Launch Configurations)
  • AWS Backup (gateway, Vault)
  • AWS Clean Rooms (Collaborations)
  • AWS Control Tower (Control, Landing zone)
  • AWS Glue (Connection, Crawler, Data Catalog, Database, Job, Security Configuration)
  • AWS Health Dashboard
  • AWS Organizations (Consolidated Bill, Service Control Policy)
  • AWS Outposts
  • AWS Systems Manager (Association, Parameter Store (Parameter), Document)
  • AWS Transfer Family (SFTP Server)
  • Batch (Compute Environment)
  • Certificate Manager (Private Certificate Authority)
  • CloudFormation (Templates)
  • CloudFront
  • CloudHSM
  • CloudSearch (Cluster)
  • CloudTrail
  • CloudWatch (Alarm, Log Group, Logs Destination, Rule, EventBridge event bus, Observability Access Manager)
  • CodeBuild (Project)
  • CodeCommit
  • Cognito (User Pool)
  • Database Migration Service (Endpoint, Replication Instance)
  • DataSync (Task)
  • Direct Connect
  • Directory Service
  • DynamoDB (Accelerator (DAX))
  • EC2 (Amazon EBS Snapshot, Amazon EBS Volume, Dedicated Instance, Instance, Launch Template, Reserved Instance, Resource/Service Limit/Quota, Savings Plans, SSH Key Pairs)
  • EFS
  • Elastic Beanstalk (Application, Environment)
  • Elastic Container Registry (Container Image, Container Registry)
  • Elastic Container Service/Fargate (Cluster, Container, Container Task, Task Definition)
  • Elastic Kubernetes Service (Cluster, Container Instance, Node Group)
  • Elastic Load Balancer (Application Load Balancer, Gateway Load Balancer, Network Load Balancer)
  • Elastic MapReduce
  • Elastic Transcoder (Pipeline)
  • ElastiCache (Snapshot)
  • FSx (Lustre, NetApp ONTAP)
  • Global Accelerator
  • GuardDuty (Detector)
  • IAM (Access Analyzer, Cloud Account, Group, Policy (Customer Managed), Role, IAM/ACM SSL Certificate, User, User Access Key)
  • Key Management Service
  • Kinesis (Data Firehose)
  • Kinesis Analytics (Streaming applications)
  • Kinesis Video Stream
  • Lambda (Layer)
  • Lightsail
  • Managed Apache Airflow (Environment)
  • MSK (Instance)
  • Neptune
  • OpenSearch Service
  • RDS (Aurora, Aurora global database, Cluster, Event Subscription, Instance, Proxy, Snapshot)
  • Recycle Bin
  • Region
  • Resource Access Manager (Resource shares, Shared resources)
  • Route 53 (DNS Zone, Domain, Resolver Configuration)
  • S3 (Access Point, Multi-Region Access Point)
  • S3 Glacier
  • SAML Identity Provider
  • Secrets Manager (Secret)
  • Serverless Application Repository
  • Simple Queue Service
  • Simple Notification Service (Subscription, Topic)
  • Step Function State Machine
  • Storage Gateway (NFS/SMB File Share)
  • Trusted Advisor
  • VPC (Elastic IP, Elastic Network Interface (ENI), Endpoint Service, Endpoint/PrivateLink, Flow Log, Internet Gateway, Managed Prefix List, NACL/Security Group, NACL/Security Group Rules, NAT Gateway, Network Firewall (Rules, Rule Groups), Peer, Route, Route Table, Site-to-Site VPN, Subnet, Traffic Mirror Target, Transit Gateway, Virtual Private Gateway)
  • WAF & Shield (Rules, Rule Groups)
  • WorkSpaces (Instances)

Supported API Calls

Included in this section are all of the API calls supported across AWS services, based on the many policies that InsightCloudSec provides. This list is for administrators who want to fine-tune a policy with granular read/write operations.

EC2 Commands

AllocateAddress, AssociateAddress, AssociateRouteTable, AttachInternetGateway, AttachNetworkInterface, AttachVolume, AuthorizeSecurityGroupIngress, CopyImage, CopySnapshot, CreateDefaultVpc, CreateImage, CreateInstanceExportTask, CreateInternetGateway, CreateKeyPair, CreateNetworkAcl, CreateNetworkInterface, CreateRole, CreateRoute, CreateRouteTable, CreateSecurityGroup, CreateSnapshot, CreateSubnet, CreateTags, CreateVolume, CreateVpc, DeleteInternetGateway, DeleteKeyPair, DeleteNetworkAcl, DeleteNetworkAclEntry, DeleteNetworkInterface, DeleteRoute, DeleteRouteTable, DeleteSecurityGroup, DeleteSnapshot, DeleteSubnet SubnetId, DeleteTags, DeleteVolume, DeleteVpc VpcId, DeleteVpcPeeringConnection, DeregisterImage, DescribeAddresses, DescribeAvailabilityZones, DescribeFlowLogs, DescribeHosts, DescribeImageAttribute, DescribeImages, DescribeImportImageTasks, DescribeInstanceAttribute, DescribeInstanceStatus, DescribeInstanceTypes, DescribeInstances, DescribeInternetGateways, DescribeKeyPairs, DescribeNetworkAcls, DescribeNetworkInterfaceAttribute, DescribeNetworkInterfaces, DescribePlacementGroups, DescribeRegions, DescribeReservedInstances, DescribeRouteTables, DescribeSecurityGroups, DescribeSnapshots, DescribeSubnets, DescribeTags, DescribeVolumeStatus, DescribeVolumes, DescribeVpcAttribute, DescribeVpcPeeringConnections, DescribeVpcs, DetachInternetGateway, DetachNetworkInterface, DetachVolume, DisassociateAddress, DisassociateRouteTable, GetConsoleOutput, GetPasswordData, ImportImage, ImportInstance, ImportKeyPair, ModifyImageAttribute, ModifyInstanceAttribute, ModifyNetworkInterfaceAttribute, ModifyVolume, ModifyVpcAttribute, RegisterImage, ReleaseAddress, ReplaceRouteTableAssociation, RunInstances, TerminateInstances

Redshift Commands

CreateClusterSnapshot, CreateTags, DeleteClusterSnapshot, DeleteTags, DescribeClusterSnapshots, DescribeClusters, DescribeTags

IAM Commands

DeleteUser, DeletePolicy, GetAccessKeyLastUsed, GetAccountPasswordPolicy, GetAccountSummary, GetLoginProfile, GetUser, ListAccessKeys, ListAttachedRolePolicies, ListAttachedUserPolicies, ListMFADevices, ListPolicies, ListRolePolicies, ListRoles, ListServerCertificates, ListUsers, UpdateAccessKey, UpdateAssumeRolePolicy

Autoscale Commands

AttachInstances, CreateAutoScalingGroup, CreateLaunchConfiguration, DeleteAutoScalingGroup, DeleteLaunchConfiguration, DetachInstances, PutScalingPolicy, SetDesiredCapacity

RDS Commands

AddTagsToResource, CreateDBSnapshot, DeleteDBInstance, DeleteDBSnapshot, DescribeDBEngineVersions, DescribeDBInstances, DescribeDBSnapshots, DescribeReservedDBInstances, ListTagsForResource, RebootDBInstance, RemoveTagsFromResource, StartDBInstance, StopDBInstance

Elasticache Commands

AddTagsToResource, CreateSnapshot, DeleteCacheCluster, DeleteSnapshot, DescribeCacheClusters, DescribeSnapshots, ListTagsForResource, RebootCacheCluster, RemoveTagsFromResource

LoadBalancer Commands

AddTags, ApplySecurityGroupsToLoadBalancer, AttachLoadBalancerToSubnets, CreateLoadBalancer, CreateLoadBalancerListeners, CreateLoadBalancerPolicy, DeleteLoadBalancer, DeleteLoadBalancerListeners, DeleteLoadBalancerPolicy, DeregisterInstancesFromLoadBalancer, DescribeLoadBalancerAttributes, DescribeLoadBalancerPolicies, DescribeLoadBalancerPolicyTypes, DescribeLoadBalancers, DescribeTags, DetachLoadBalancerFromSubnets, RegisterInstancesWithLoadBalancer, RemoveTags, SetLoadBalancerPoliciesForBackendServer, SetLoadBalancerPoliciesOfListener

CloudTrail Commands

DeleteTrail, DescribeTrails, GetTrailStatus, StartLogging, StopLogging

Route53 Commands

ChangeResourceRecordSets, ChangeTagsForResource, CreateHostedZone, DeleteHostedZone, ListHostedZones, ListHostedZonesByName, ListGeoLocations, ListHealthChecks, ListResourceRecordSets, ListTagsForResource, ListTagsForResources, ListVPCAssociationAuthorizations

S3 Commands

DELETE Bucket, DELETE Bucket CORS, DELETE Bucket Policy, DELETE Bucket Tagging, GET Bucket, GET Bucket ACL, GET Bucket CORS, GET Bucket Logging, GET Bucket Policy, GET Bucket Tagging, GET Bucket Versioning, GET Bucket Website, PUT Bucket ACL, PUT Bucket CORS, PUT Bucket Policy, PUT Bucket Tagging, PUT Bucket Logging

Cloudwatch Commands

DescribeAlarms, GetMetricStatistics, ListMetrics

Organizations Commands

ListAccounts, DescribeOrganization

Certificate Manager (ACM) Commands

ListCertificates, DescribeCertificate

Elastic File System (EFS) Commands

DescribeFileSystems, DescribeTags, CreateTags, DeleteTags, CreateFileSystem, DescribeMountTargetSecurityGroups, DescribeMountTargets, DeleteMountTarget, CreateMountTarget, ModifyMountTargetSecurityGroups

Lambda Commands

ListFunctions, ListTags

Elasticsearch Commands

ListDomainNames, ListTags, DescribeElasticsearchDomains

Config Commands

DescribeConfigurationRecorders, DescribeConfigurationRecorderStatus, DescribeDeliveryChannels, DescribeDeliveryChannelStatus

STS Commands

AssumeRole, GetCallerIdentity

Stack Template Commands

DescribeStacks, ListStackResources, ListStacks, DescribeStackResource, DescribeStackResources, GetTemplate, DeleteStack

DynamoDB

DescribeTable, DescribeGlobalTable, ListBackups, ListTables, ListGlobalTables, ListTagsOfResource

DynamoDB DAX

DescribeClusters, DescribeTable, ListTables, ListTags

SQS

GetQueueAttributes, ListQueues, ListQueueTags

Workspaces

DescribeTags, DescribeWorkspaces, DescribeWorkspaceBundles, DescribeWorkspacesConnectionStatus, DescribeWorkspaceDirectories

Kinesis

ListStreams, DescribeStream, DeleteStream, ListShards, AddTagsToStream, ListTagsForStream, RemoveTagsFromStream

Firehose

ListDeliveryStreams, DescribeDeliveryStream, DeleteDeliveryStream, TagDeliveryStream, ListTagsForDeliveryStream, UntagDeliveryStream

AWS policies

InsightCloudSec offers several different AWS policies for harvesting resource information found in your AWS accounts and enabling features such as Event-driven Harvesting (EDH), Least Privileged Access (LPA), and Cloud Vulnerability Management.

If you’re interested in setting up an AWS China or GovCloud account, review the China Cloud Support Reference or Government Cloud Support Reference for details instead.

Policy URLs during onboarding

As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles that contain your specific, unique InsightCloudSec account information.

We highly recommend using the new AWS onboarding experience to add your AWS accounts and only use the policies in this section for reference as some of the URLs provided on this page represent the generic versions of the policies, i.e., there are placeholder values for account-specific information.

Useful Terminology

Some concepts and terminology you should be aware of while reviewing the policies:

Term: Consolidated

All IAM resources deployed by the onboarding CFT include a path prefix of /rapid7/, which helps organize all Rapid7 IAM resources together.

Additionally, Roles and Policies both use the naming convention rapid7-<access type>-<feature/usecase> for easy identification.

You’ll note the IAM Role name, rapid7-consolidated, which denotes that policies for all three access types (readonly, egress (a.k.a. data access), and automation) are attached to the same role. We reserve this naming convention in case we decide to support multiple Roles, one for each access type use case.

Term: Access Types

The onboarding CFT creates different roles to collect various types of information from your AWS accounts:

  • Read Only: Explicit and fully enumerated read-only permissions for cloud configuration control plane APIs, without explicit scoping, which gives the customer full visibility into their cloud inventory.
  • Egress: Facilitates features that require collecting/analyzing both cloud control plane and data plane data that cannot practically be gathered with cloud APIs alone. This often requires permissions to create, modify, delete and read from resources in the customer’s account.
  • Automation: Customers can attach as few or as many policies to the consolidated Role as needed to support the customer’s automation strategy for a given account. Automation is any action that notifies systems InsightCloudSec doesn’t own or mutates resources InsightCloudSec doesn’t own.

New required permissions are announced in our release notes. The API calls that are supported with any of the policies can be found in the Supported API Calls section.

Onboarding and Harvesting Policies

Consolidated Assume Role Policy

The Consolidated Assume Role Policy (<https://s3.amazonaws.com/get.divvycloud.com/policies/v2/AWS-rapid7-consolidated-assume-role-policy-document.json>) is used to establish the trust relationship to the Authenticating Principal (your InsightCloudSec installation role). Note: This link contains placeholder values for InsightCloudSec-specific account information.

Standard Self Referential Policy

The Standard Self Referential Policy (<https://s3.amazonaws.com/get.divvycloud.com/policies/v2/AWS-rapid7-standard-self-referential-policy.json>) allows for the role to refer to itself, the account, and organization it exists within.

Read-Only Policy

The Read-Only policy consists of three parts, because the permissions exceed AWS’s limit on policy size. These policies contain only read-only-type permissions (e.g., List, Describe, Get) and need to be updated whenever InsightCloudSec adds support for a new AWS service.
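The two properties that paragraph relies on, that every granted action is read-only and that the action list is split across policy documents once it no longer fits one, can be checked mechanically. The Python below is an added example, not Rapid7's code or any of the policies linked on this page; the 6,144-character managed-policy quota (whitespace not counted) is taken from AWS's IAM quotas rather than from this page, and the sample action names are constructed from the Supported API Calls list above.

```python
import json

# AWS managed-policy document quota: 6,144 characters, whitespace not counted
# (from AWS IAM quotas; this figure is not stated on the page).
MANAGED_POLICY_CHAR_LIMIT = 6144
READ_ONLY_VERBS = ("List", "Describe", "Get")

# Constructed sample: action names taken from the Supported API Calls list.
SAMPLE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
    "iam:ListUsers", "iam:GetAccountPasswordPolicy",
    "s3:GetBucketPolicy", "cloudtrail:DescribeTrails",
    "rds:DescribeDBInstances",
]


def policy_size(doc):
    """Count non-whitespace characters, which is how AWS measures policy size."""
    return sum(1 for ch in json.dumps(doc) if not ch.isspace())


def is_read_only(action):
    """True when the verb after 'service:' starts with List, Describe or Get."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def non_read_only_actions(actions):
    """Return the actions that would mutate state if granted."""
    return [a for a in actions if not is_read_only(a)]


def make_doc(actions):
    """One Allow statement over the given actions; Resource '*' as in a read-only policy."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "ReadOnly", "Effect": "Allow",
                           "Action": list(actions), "Resource": "*"}]}


def split_read_only_policy(actions, limit=MANAGED_POLICY_CHAR_LIMIT):
    """Pack read-only actions into as few policy documents as fit under the limit.

    Refuses any action that is not read-only, so a mutating permission can
    never be smuggled into a 'read-only' policy part.
    """
    bad = non_read_only_actions(actions)
    if bad:
        raise ValueError(f"not read-only: {bad}")
    docs, current = [], []
    for action in sorted(set(actions)):
        if current and policy_size(make_doc(current + [action])) > limit:
            docs.append(make_doc(current))   # this part is full; start the next one
            current = []
        current.append(action)
    if current:
        docs.append(make_doc(current))
    return docs


if __name__ == "__main__":
    # A small limit forces a split so the packing is visible without 6 KB of actions.
    for i, part in enumerate(split_read_only_policy(SAMPLE_ACTIONS, limit=240), 1):
        print(f"part {i}: {policy_size(part)} chars, {len(part['Statement'][0]['Action'])} actions")
```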

Feature Enablement Policies

Egress EventBridge Auto Provisioning Policy

The Egress EventBridge Auto Provisioning Policy grants the Rapid7 IAM Role permission to create/manage EventBridge Rules/Targets and to create/manage an SQS queue for consuming those events. Review AWS Event-Driven Harvesting for more information.

Egress LPA Auto Provisioning Policy

The Egress LPA Auto Provisioning Policy grants the Rapid7 IAM Role permission to access CloudTrail, to create the necessary AWS Glue tables, and to create/execute Athena queries with an S3 bucket for results. Review AWS Least-Privileged Access (LPA) for more information.

Egress Host Vulnerability Assessment Via Role Policy

The Egress Host Vulnerability Assessment Via Role Policy grants the Rapid7 IAM Role permissions to create and download EBS snapshots for vulnerability scanning. Review Vulnerability Management Overview for more information.

Egress Container Vulnerability Assessment Via Role Policy

The Egress Container Vulnerability Assessment Via Role Policy grants the Rapid7 IAM Role ECR read permission to all ECR repositories in the AWS Account. This allows for pulling images and scanning for vulnerabilities. Some read permissions overlap with the Rapid7 Read-Only Policies, which are used for general visibility and discovery. This Policy duplicates those permissions because the Rapid7 IAM Role may need to access additional metadata before or after pulling an image to capture the most recent context when producing a finding. Review Vulnerability Management Overview for more information.

Example Deployment Policies

These IAM Policies can be used as a reference example for a dedicated IAM Role used by automation or a CI/CD pipeline. They allow the onboarding CFT to be deployed programmatically, but you’ll need to update the CFT periodically as new permissions are required.

The statements scope the permissions to only the IAM Roles and Policies related to Rapid7, using our naming conventions, but they could be extended with more fine-grained conditions.