AWS Overview & Support
Rapid7 Cloud Security (InsightCloudSec) offers extensive support for Amazon Web Services, which can be enabled using custom IAM roles that securely allow Rapid7 access to your Accounts and Organizations.
If you have questions related to AWS or specific services and their support, contact us through the Customer Support Portal. If you’re interested in AWS China or GovCloud support for Cloud Security (InsightCloudSec), review the China Cloud Support Reference or Government Cloud Support Reference for details instead.
AWS services by region support
Cloud Security (InsightCloudSec) supports AWS services in all regions where they are available. For details on which services are available by region, see the AWS Regional Product Service page.
Onboard and manage accounts
You can onboard AWS Organizations and Accounts using several different methods:
- Onboard AWS Accounts and Organizations with Temporary Delegation
- Onboard AWS Accounts and Organizations with a Python script
- Onboard an AWS Account with CloudFormation templates
- Onboard an AWS Organization with CloudFormation templates
After the accounts have been added to Cloud Security (InsightCloudSec), you can manage, modify, or delete the configurations as necessary. See Clouds and Cloud Account Setup & Management for more details.
AWS policies
Cloud Security (InsightCloudSec) offers several different AWS policies for harvesting resource information found in your AWS accounts and enabling features such as Event-driven Harvesting (EDH), Least Privileged Access (LPA), and Cloud Vulnerability Management.
Useful Terminology
Some concepts and terminology you should be aware of while reviewing the policies:
| Term | Description |
|---|---|
| Consolidated | Roles and Policies both use the naming convention rapid7-<access type>-<feature/usecase> for easy identification. The IAM Role name rapid7-consolidated denotes that the policies for all three access types (readonly, egress (a.k.a. data access), and automation) are attached to the same role. This naming convention is reserved in case separate Roles are later supported for each access type or use case. |
| Access Types | The onboarding CloudFormation template creates different roles to collect various types of information from your AWS accounts. |
New required permissions are announced in our release notes. The API calls that are supported with any of the policies can be found in the Supported API Calls section.
Onboarding and Harvesting Policies
Consolidated Assume Role Policy
The Consolidated Assume Role Policy (https://s3.amazonaws.com/get.divvycloud.com/policies/v2/AWS-rapid7-consolidated-assume-role-policy-document.json) is used to establish the trust relationship to the Authenticating Principal (your Cloud Security (InsightCloudSec) installation role). Note: This link contains placeholder values for Cloud Security (InsightCloudSec)-specific account information.
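The trust relationship above is an ordinary IAM trust policy: the consolidated role's policy document names the Authenticating Principal and allows it to call sts:AssumeRole. The following Python is an added example, not the Rapid7 policy document itself. It builds such a trust policy from placeholder values (the account ID, role name and ExternalId are assumptions, not Rapid7's real values) and runs the review checks a practitioner wants before deploying one: the principal must be a specific ARN rather than a wildcard, and an sts:ExternalId condition should be present. The page does not state that Rapid7's document uses an ExternalId condition; that is an assumption of this example.

```python
import json

# Placeholder values (constructed for this example). The real policy document
# linked above carries Rapid7-specific account information in their place.
PRINCIPAL_ACCOUNT_ID = "111111111111"          # placeholder account id
PRINCIPAL_ROLE_NAME = "example-installation-role"  # placeholder role name
EXTERNAL_ID = "example-external-id"            # placeholder external id


def build_trust_policy(account_id: str, role_name: str, external_id: str) -> dict:
    """Return a cross-account trust policy for the consolidated role.

    Only the named installation role may assume the role, and only when it
    presents the agreed ExternalId (assumption: the page does not say the
    Rapid7 document includes an ExternalId condition).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> list[str]:
    """Flag trust-policy weaknesses a reviewer should catch before deploying."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (
            _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        )
        if "*" in aws_principals:
            findings.append(f"statement {i}: any AWS principal may assume the role")
        conditions = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in cond for cond in conditions.values() if isinstance(cond, dict)
        )
        if not has_external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(PRINCIPAL_ACCOUNT_ID, PRINCIPAL_ROLE_NAME, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy) or "none")
```

Run the checker against the downloaded document after you replace the placeholders; an empty findings list means the trust relationship is pinned to one principal and protected by an ExternalId.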
Standard Self Referential Policy
The Standard Self Referential Policy (https://s3.amazonaws.com/get.divvycloud.com/policies/v2/AWS-rapid7-standard-self-referential-policy.json) allows the role to refer to itself and to the account and organization it exists within.
Read-Only Policy
The Read-Only policy consists of three parts, because the required permissions exceed AWS’s limit on policy size. These policies contain only read-only-type permissions (e.g., List, Describe, Get) and need to be updated whenever Cloud Security (InsightCloudSec) adds support for a new AWS service.
Feature Enablement Policies
Egress EventBridge Auto Provisioning Policy
The Egress EventBridge Auto Provisioning Policy grants the Rapid7 IAM Role permission to create and manage EventBridge Rules and Targets, and to create and manage the SQS queue that consumes those events. Review AWS Event-Driven Harvesting for more information.
Egress LPA Auto Provisioning Policy
The Egress LPA Auto Provisioning Policy grants the Rapid7 IAM Role permission to access CloudTrail, to create the necessary AWS Glue tables, and to create and execute Athena queries with an S3 bucket for results. Review AWS Least-Privileged Access (LPA) for more information.
Egress Host Vulnerability Assessment Via Role Policy
The Egress Host Vulnerability Assessment Via Role Policy grants the Rapid7 IAM Role permissions to create and download EBS snapshots for vulnerability scanning. Review Vulnerability Management Overview for more information.
Egress Container Vulnerability Assessment Via Role Policy
The Egress Container Vulnerability Assessment Via Role Policy grants the Rapid7 IAM Role ECR read permission to all ECR repositories in the AWS Account. This allows for pulling images and scanning for vulnerabilities. Some read permissions overlap with the Rapid7 Read-Only Policies, which are used for general visibility and discovery. This Policy duplicates those permissions because the Rapid7 IAM Role may need to access additional metadata before or after pulling an image to capture the most recent context when producing a finding. Review Vulnerability Management Overview for more information.
Example Deployment Policies
These IAM Policies can be used as reference examples for a dedicated IAM Role used by automation or a CI/CD pipeline. They allow the onboarding CloudFormation template to be deployed programmatically, but you’ll need to update the CloudFormation template periodically as new permissions are required.
The statements scope the permissions to only the IAM Roles and Policies related to Rapid7, using our naming conventions, but could be narrowed further with more fine-grained conditions.
- Example Deployment Automation Role Assume Role Policy: https://s3.amazonaws.com/get.divvycloud.com/policies/v2/AWS-rapid7-role-deployment-automation-role-assume-role-policy-document.json
- Example IAM Roles and Policies Deployment Policy: https://s3.amazonaws.com/get.divvycloud.com/policies/v2/AWS-rapid7-minimum-iam-role-and-policy-deployment-permissions.json
- Example CloudFormation templates Update and Deployment Policy: https://s3.amazonaws.com/get.divvycloud.com/policies/v2/AWS-rapid7-minimum-iam-cft-deployment-permissions.json
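Because the deployment policies rely on the rapid7-* naming convention to confine what the automation role may create or modify, it is worth checking any local copy or later edit of them for statements that drift outside that scope. The Python below is an added example, not one of the linked Rapid7 policies: it runs a small scope check over a constructed sample policy (the statements and Sids are made up for illustration) and reports Allow statements on iam: actions whose Resource is not limited to rapid7-* role or policy ARNs.

```python
import fnmatch
import json

# Constructed sample policy for this example; it is NOT the content of the
# Rapid7 deployment policies linked above.
SAMPLE_DEPLOYMENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ScopedToRapid7Roles",
      "Effect": "Allow",
      "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:DeleteRole"],
      "Resource": "arn:aws:iam::*:role/rapid7-*"
    },
    {
      "Sid": "ScopedToRapid7Policies",
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy", "iam:CreatePolicyVersion"],
      "Resource": ["arn:aws:iam::*:policy/rapid7-*"]
    },
    {
      "Sid": "TooBroad",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    }
  ]
}
""")

# Resource ARN patterns that follow the rapid7-<access type>-<feature/usecase>
# naming convention described on this page.
ALLOWED_RESOURCE_PATTERNS = (
    "arn:aws:iam::*:role/rapid7-*",
    "arn:aws:iam::*:policy/rapid7-*",
)


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_in_scope(resource: str) -> bool:
    """True if the resource ARN is confined to rapid7-* IAM roles or policies.

    fnmatch treats '*' in the pattern as a wildcard, so both a concrete ARN
    and the policy's own wildcard ARN (arn:aws:iam::*:role/rapid7-*) match.
    """
    return any(fnmatch.fnmatchcase(resource, p) for p in ALLOWED_RESOURCE_PATTERNS)


def iam_scope_findings(policy: dict) -> list[str]:
    """Report Allow statements on iam: actions whose Resource is wider than rapid7-*."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a.startswith("iam:") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource_in_scope(resource):
                sid = stmt.get("Sid", "<no Sid>")
                findings.append(f"{sid}: {resource} is not limited to rapid7-* IAM resources")
    return findings


if __name__ == "__main__":
    for finding in iam_scope_findings(SAMPLE_DEPLOYMENT_POLICY):
        print(finding)
```

Point iam_scope_findings at a policy document loaded with json.load to review it; any finding is a statement to tighten, typically by replacing the broad Resource with the rapid7-* ARN pattern or by adding a condition.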
Frequently Asked Questions (FAQ)
What does Cloud Security (InsightCloudSec) support from AWS?
Because AWS is one of the leading public cloud service providers, Cloud Security (InsightCloudSec) provides broad support for Amazon Web Services (AWS). Review the full list of AWS-specific supported services in the AWS Commercial Support Reference section.
How do I start seeing my AWS accounts in Cloud Security (InsightCloudSec)?
To see your accounts in Cloud Security (InsightCloudSec), Rapid7 relies on harvesting, which is the process of collecting data from a selected cloud service provider (CSP) and making it visible within Cloud Security (InsightCloudSec). To understand the basics, check out our Harvesting documentation, where we also provide details on specific harvesting strategies.
What do I do after my accounts are being harvested?
After at least one AWS account is harvested by Cloud Security (InsightCloudSec), you’re free to configure additional AWS services as necessary to enhance, optimize, or further secure your experience. You can also begin to view data insights like Layered Context, Attack Paths, Misconfigurations, and more.
How can I optimize harvesting?
To optimize harvesting, Cloud Security (InsightCloudSec) offers Event-Driven Harvesting, which requires additional configuration but only pulls in new data when certain AWS CloudWatch Events occur. Review our AWS Event-Driven Harvesting documentation for more information.