AWS Overview & Support
After InsightCloudSec is successfully installed, you're ready to enable visibility into your target AWS Organization(s) and/or cloud account(s). This documentation details configuring your Amazon Web Services (AWS) environment to "talk" with InsightCloudSec securely. Review the sections below to determine the best starting point for your environment.
AWS in InsightCloudSec: Frequently Asked Questions (FAQ)
The following frequently asked questions and answers should help you understand AWS in InsightCloudSec.
What does InsightCloudSec support from AWS?
Amazon Web Services (AWS) is one of the leading public cloud service providers, and InsightCloudSec provides broad support for it. Review the full list of AWS-specific supported services on the AWS Support Reference page.
How do I start seeing my AWS environment(s) in InsightCloudSec?
InsightCloudSec relies on a process called "harvesting" to pull data from various CSPs. Review AWS - Onboarding for details.
What do I do after my environment(s) is being harvested?
After at least one AWS account is harvested by InsightCloudSec, you're free to configure additional AWS services as necessary to enhance, optimize, or further secure your experience. Review AWS Additional Configuration for more information. Note: The items in this section were written in the AWS Commercial context.
How can I optimize harvesting?
InsightCloudSec harvesting is the term we use to describe the process of data collection from a selected cloud service provider (CSP) within InsightCloudSec. Check out our Harvesting Overview documentation to understand the basics and refer to Harvesting Strategies for details on specific strategies.
In addition, for AWS, InsightCloudSec offers Event-Driven Harvesting, which requires additional configuration but optimizes harvesting by only pulling in new data when certain AWS CloudWatch Events occur. Review our AWS Event-Driven Harvesting documentation for more information.
Manage AWS Cloud Accounts
After initial configuration of the account in AWS, you can add the account to InsightCloudSec. You can manage and delete existing accounts in InsightCloudSec.
Add a cloud account
Onboard a cloud account using the cloud account onboarding wizard. Go to Connect an AWS Cloud Account to get started.
New AWS Onboarding
Beginning with InsightCloudSec version 23.4.11, a new AWS onboarding experience is available. This experience replaces our previous onboarding process.
Modifying and Deleting Existing AWS Cloud Accounts
- Modify: For general information about managing existing AWS cloud accounts, check out the Clouds section and its subsections on Cloud Account Setup & Management. Information about viewing the details of a single cloud account is available on the Cloud Account Detail Page. You can always add additional cloud accounts through the AWS Cloud - Onboarding process.
- Delete: Cloud accounts can be deleted from their individual page; details on deleting a cloud account are available here.
AWS Commercial Support Reference
Supported Services
Listed below are all of the AWS services (and their components) supported by InsightCloudSec. If you have questions related to AWS or specific services and their support, contact us through the Customer Support Portal.
Note: If you're interested in AWS China or GovCloud support for InsightCloudSec, review the China Cloud Support Reference or Government Cloud Support Reference for details instead.
📘 AWS Supported Services & Regions
In general, InsightCloudSec supports the AWS services listed below in every region in which they are available. Some services may not be available in certain regions (or in AWS GovCloud/China in general); this is typically the result of restrictions tied to the region itself or imposed by AWS to comply with regional policies. We recommend that you refer to the AWS documentation for those specific regions for official details.
Also note that InsightCloudSec now recognizes the EC2 Serial Console as part of general EC2 service support.
```text
Amazon API Gateway (Domain, Key, Stage, Usage Plans)
Amazon Connect
Amazon DocumentDB (Elastic)
Amazon Kendra (Index)
Amazon Keyspaces
Amazon Lookout for Equipment
Amazon Lookout for Metrics
Amazon Lookout for Vision
Amazon Macie
Amazon MemoryDB for Redis
Amazon MQ
Amazon OpenSearch Serverless
Amazon QuickSight
Amazon SageMaker (Notebook, Training job)
Amazon Simple Email Service (Configuration sets, Rules)
Amazon Redshift (Serverless Namespace, Serverless Workgroup, Snapshot)
Amazon Timestream
Amazon Transcription
AppStream 2.0
Athena (Workgroup)
AWS App Runner
AWS AppSync
AWS Auto Scaling (Group, Launch Configurations)
AWS Backup (gateway, Vault)
AWS Glue (Data Catalog, Database, Security Configuration)
AWS Health Dashboard
AWS Organizations (Consolidated Bill, Service Control Policy)
AWS Outposts
AWS Transfer Family (SFTP Server)
Batch (Compute Environment)
Certificate Manager (Private Certificate Authority)
CloudFormation (Templates)
CloudFront
CloudHSM
CloudSearch (Cluster)
CloudTrail
CloudWatch (Alarm, Log Group, Logs Destination, Rule, EventBridge event bus, Observability Access Manager)
CodeBuild (Project)
CodeCommit
Cognito (User Pool)
Database Migration Service (Endpoint, Replication Instance)
DataSync (Task)
Direct Connect
Directory Service
DynamoDB (Accelerator (DAX))
EC2 (Amazon EBS Snapshot, Amazon EBS Volume, Dedicated Instance, Instance, Launch Template, Reserved Instance, Resource/Service Limit/Quota, Savings Plans, SSH Key Pairs)
EFS
Elastic Beanstalk (Application, Environment)
Elastic Container Registry (Container Image, Container Registry)
Elastic Container Service/Fargate (Cluster, Container, Container Task, Task Definition)
Elastic Kubernetes Service (Cluster, Container Instance, Node Group)
Elastic Load Balancer (Application Load Balancer, Gateway Load Balancer, Network Load Balancer)
Elastic MapReduce
Elastic Transcoder (Pipeline)
ElastiCache (Snapshot)
FSx (Lustre, NetApp ONTAP)
Global Accelerator
GuardDuty (Detector)
IAM (Access Analyzer, Cloud Account, Group, Policy (Customer Managed), Role, IAM/ACM SSL Certificate, User, User Access Key)
Key Management Service
Kinesis (Data Firehose)
Kinesis Analytics (Streaming applications)
Kinesis Video Stream
Lambda (Layer)
Lightsail
Managed Apache Airflow (Environment)
MSK (Instance)
Neptune
OpenSearch Service
RDS (Aurora, Aurora global database, Cluster, Event Subscription, Instance, Proxy, Snapshot)
Recycle Bin
Region
Route 53 (DNS Zone, Domain, Resolver Configuration)
S3 (Access Point, Multi-Region Access Point)
S3 Glacier
SAML Identity Provider
Secrets Manager (Secret)
Serverless Application Repository
Simple Queue Service
Simple Notification Service (Subscription, Topic)
Step Function State Machine
Storage Gateway (NFS/SMB File Share)
Systems Manager (Parameter Store (Parameter), Document)
Trusted Advisor
VPC (Elastic IP, Elastic Network Interface (ENI), Endpoint Service, Endpoint/PrivateLink, Flow Log, Internet Gateway, Managed Prefix List, NACL/Security Group, NACL/Security Group Rules, NAT Gateway, Peer, Route, Route Table, Site-to-Site VPN, Subnet, Traffic Mirror Target, Transit Gateway, Virtual Private Gateway)
WAF & Shield
WorkSpaces (Instances)
```
Supported API Calls
Listed below are all of the API calls supported across AWS services, based on the many policies that InsightCloudSec provides. This list is for administrators who may want to fine-tune a policy with granular read/write operations.
```text
EC2 Commands
============
AllocateAddress
AssociateAddress
AssociateRouteTable
AttachInternetGateway
AttachNetworkInterface
AttachVolume
AuthorizeSecurityGroupIngress
CopyImage
CopySnapshot
CreateDefaultVpc
CreateImage
CreateInstanceExportTask
CreateInternetGateway
CreateKeyPair
CreateNetworkAcl
CreateNetworkInterface
CreateRole
CreateRoute
CreateRouteTable
CreateSecurityGroup
CreateSnapshot
CreateSubnet
CreateTags
CreateVolume
CreateVpc
DeleteInternetGateway
DeleteKeyPair
DeleteNetworkAcl
DeleteNetworkAclEntry
DeleteNetworkInterface
DeleteRoute
DeleteRouteTable
DeleteSecurityGroup
DeleteSnapshot
DeleteSubnet SubnetId
DeleteTags
DeleteVolume
DeleteVpc VpcId
DeleteVpcPeeringConnection
DeregisterImage
DescribeAddresses
DescribeAvailabilityZones
DescribeFlowLogs
DescribeHosts
DescribeImageAttribute
DescribeImages
DescribeImportImageTasks
DescribeInstanceAttribute
DescribeInstanceStatus
DescribeInstanceTypes
DescribeInstances
DescribeInternetGateways
DescribeKeyPairs
DescribeNetworkAcls
DescribeNetworkInterfaceAttribute
DescribeNetworkInterfaces
DescribePlacementGroups
DescribeRegions
DescribeReservedInstances
DescribeRouteTables
DescribeSecurityGroups
DescribeSnapshots
DescribeSubnets
DescribeTags
DescribeVolumeStatus
DescribeVolumes
DescribeVpcAttribute
DescribeVpcPeeringConnections
DescribeVpcs
DetachInternetGateway
DetachNetworkInterface
DetachVolume
DisassociateAddress
DisassociateRouteTable
GetConsoleOutput
GetPasswordData
ImportImage
ImportInstance
ImportKeyPair
ModifyImageAttribute
ModifyInstanceAttribute
ModifyNetworkInterfaceAttribute
ModifyVolume
ModifyVpcAttribute
RegisterImage
ReleaseAddress
ReplaceRouteTableAssociation
RunInstances
TerminateInstances

Redshift Commands
=================
CreateClusterSnapshot
CreateTags
DeleteClusterSnapshot
DeleteTags
DescribeClusterSnapshots
DescribeClusters
DescribeTags

IAM Commands
============
DeleteUser
DeletePolicy
GetAccessKeyLastUsed
GetAccountPasswordPolicy
GetAccountSummary
GetLoginProfile
GetUser
ListAccessKeys
ListAttachedRolePolicies
ListAttachedUserPolicies
ListMFADevices
ListPolicies
ListRolePolicies
ListRoles
ListServerCertificates
ListUsers
UpdateAccessKey
UpdateAssumeRolePolicy

Autoscale Commands
==================
AttachInstances
CreateAutoScalingGroup
CreateLaunchConfiguration
DeleteAutoScalingGroup
DeleteLaunchConfiguration
DetachInstances
PutScalingPolicy
SetDesiredCapacity

RDS Commands
============
AddTagsToResource
CreateDBSnapshot
DeleteDBInstance
DeleteDBSnapshot
DescribeDBEngineVersions
DescribeDBInstances
DescribeDBSnapshots
DescribeReservedDBInstances
ListTagsForResource
RebootDBInstance
RemoveTagsFromResource
StartDBInstance
StopDBInstance

Elasticache Commands
====================
AddTagsToResource
CreateSnapshot
DeleteCacheCluster
DeleteSnapshot
DescribeCacheClusters
DescribeSnapshots
ListTagsForResource
RebootCacheCluster
RemoveTagsFromResource

LoadBalancer Commands
=====================
AddTags
ApplySecurityGroupsToLoadBalancer
AttachLoadBalancerToSubnets
CreateLoadBalancer
CreateLoadBalancerListeners
CreateLoadBalancerPolicy
DeleteLoadBalancer
DeleteLoadBalancerListeners
DeleteLoadBalancerPolicy
DeregisterInstancesFromLoadBalancer
DescribeLoadBalancerAttributes
DescribeLoadBalancerPolicies
DescribeLoadBalancerPolicyTypes
DescribeLoadBalancers
DescribeTags
DetachLoadBalancerFromSubnets
RegisterInstancesWithLoadBalancer
RemoveTags
SetLoadBalancerPoliciesForBackendServer
SetLoadBalancerPoliciesOfListener

CloudTrail Commands
===================
DeleteTrail
DescribeTrails
GetTrailStatus
StartLogging
StopLogging

Route53 Commands
================
ChangeResourceRecordSets
ChangeTagsForResource
CreateHostedZone
DeleteHostedZone
ListHostedZones
ListHostedZonesByName
ListGeoLocations
ListHealthChecks
ListResourceRecordSets
ListTagsForResource
ListTagsForResources
ListVPCAssociationAuthorizations

S3 Commands
===========
DELETE Bucket
DELETE Bucket CORS
DELETE Bucket Policy
DELETE Bucket Tagging
GET Bucket
GET Bucket ACL
GET Bucket CORS
GET Bucket Logging
GET Bucket Policy
GET Bucket Tagging
GET Bucket Versioning
GET Bucket Website
PUT Bucket ACL
PUT Bucket CORS
PUT Bucket Policy
PUT Bucket Tagging
PUT Bucket Logging

Cloudwatch Commands
===================
DescribeAlarms
GetMetricStatistics
ListMetrics

Organizations Commands
======================
ListAccounts
DescribeOrganization

Certificate Manager (ACM) Commands
==================================
ListCertificates
DescribeCertificate

Elastic File System (EFS) Commands
==================================
DescribeFileSystems
DescribeTags
CreateTags
DeleteTags
CreateFileSystem
DescribeMountTargetSecurityGroups
DescribeMountTargets
DeleteMountTarget
CreateMountTarget
ModifyMountTargetSecurityGroups

Lambda Commands
===============
ListFunctions
ListTags

Elasticsearch Commands
======================
ListDomainNames
ListTags
DescribeElasticsearchDomains

Config Commands
===============
DescribeConfigurationRecorders
DescribeConfigurationRecorderStatus
DescribeDeliveryChannels
DescribeDeliveryChannelStatus

STS Commands
============
AssumeRole
GetCallerIdentity

Stack Template Commands
=======================
DescribeStacks
ListStackResources
ListStacks
DescribeStackResource
DescribeStackResources
GetTemplate
DeleteStack

DynamoDB
========
DescribeTable
DescribeGlobalTable
ListBackups
ListTables
ListGlobalTables
ListTagsOfResource

DynamoDB DAX
============
DescribeClusters
DescribeTable
ListTables
ListTags

SQS
===
GetQueueAttributes
ListQueues
ListQueueTags

Workspaces
==========
DescribeTags
DescribeWorkspaces
DescribeWorkspaceBundles
DescribeWorkspacesConnectionStatus
DescribeWorkspaceDirectories

Kinesis
=======
ListStreams
DescribeStream
DeleteStream
ListShards
AddTagsToStream
ListTagsForStream
RemoveTagsFromStream

Firehose
========
ListDeliveryStreams
DescribeDeliveryStream
DeleteDeliveryStream
TagDeliveryStream
ListTagsForDeliveryStream
UntagDeliveryStream
```
AWS policies
InsightCloudSec offers several different AWS policies for harvesting resource information found in your AWS accounts and enabling features such as Event-driven Harvesting (EDH), Least Privileged Access (LPA), Host Vulnerability Management (HVM), and Container Vulnerability Management (CVM).
If you're interested in setting up an AWS China or GovCloud account, review the China Cloud Support Reference or Government Cloud Support Reference for details instead.
Policy URLs during onboarding
As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles that contain your specific, unique InsightCloudSec account information.
We highly recommend using the new AWS onboarding experience to add your AWS accounts and using the policies below only for reference, since some of the URLs provided on this page point to generic versions of the policies, i.e., they contain placeholder values for account-specific information.
Useful Terminology
Some concepts and terminology you should be aware of while reviewing the sections below:
| Term | Description |
|---|---|
| Consolidated | All IAM resources deployed by the onboarding CFT include a path prefix of `/rapid7/`, which keeps all Rapid7 IAM resources organized together. Additionally, Roles and Policies both use the naming convention `rapid7-<access type>-<feature/usecase>` for easy identification. You'll note the IAM Role name `rapid7-consolidated`, which denotes that the policies for all three access types (`readonly`, `egress` (a.k.a. data access), and `automation`) are attached to the same role. We reserve this naming convention in case we decide to support a separate Role for each access type. |
| Access Types | The onboarding CFT creates different roles to collect various types of information from your AWS accounts: `readonly`, `egress` (a.k.a. data access), and `automation`. |
New required permissions are announced in our release notes. The API calls that are supported with any of the policies can be found in the Supported API Calls section.
Onboarding and Harvesting Policies
Consolidated Assume Role Policy
The Consolidated Assume Role Policy is used to establish the trust relationship to the Authenticating Principal (your InsightCloudSec installation role). Note: This link contains placeholder values for InsightCloudSec-specific account information.
Standard Self Referential Policy
The Standard Self Referential Policy allows for the role to refer to itself, the account, and organization it exists within.
Read-Only Policy
The Read-Only policy consists of three parts because its permissions exceed AWS's limit on policy size. These policies contain only read-only permissions, e.g., List, Describe, Get, etc., and need to be updated whenever InsightCloudSec adds support for a new AWS service.
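As an added example (not InsightCloudSec's own tooling), the following Python splits a list of the supported API calls above into read-only and write actions by the List/Describe/Get prefixes, then packs the read-only ones into policy documents that stay under AWS's 6,144-character limit for managed policies (whitespace excluded), which is why the page's Read-Only policy ships in parts. The sample action list and the small limit used in the demo run are constructed for illustration.

```python
"""Added example, not InsightCloudSec's own tooling: classify supported API
calls as read-only or write, then pack the read-only ones into IAM policy
documents that each stay under AWS's managed-policy size cap."""
import json
import re

# AWS limit for a managed policy document, in characters excluding whitespace.
MANAGED_POLICY_MAX_CHARS = 6144

# Read-only verbs as the page describes them (List, Describe, Get); every
# other verb is treated as a write/mutating action that needs separate review.
READ_ONLY_PREFIXES = ("List", "Describe", "Get")

def classify(actions):
    """Return (read_only, write) lists; each action is 'service:Operation'."""
    read_only, write = [], []
    for action in actions:
        _, operation = action.split(":", 1)
        (read_only if operation.startswith(READ_ONLY_PREFIXES) else write).append(action)
    return read_only, write

def build_doc(actions):
    """One policy document with a single Allow statement over `actions`."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "ReadOnly", "Effect": "Allow",
                           "Action": actions, "Resource": "*"}]}

def policy_size(doc):
    """Size as AWS counts it for the managed-policy limit: whitespace excluded."""
    return len(re.sub(r"\s", "", json.dumps(doc)))

def pack_read_only_policies(read_only, limit=MANAGED_POLICY_MAX_CHARS):
    """Greedily fill documents so each stays within `limit` characters."""
    docs, current = [], []
    for action in sorted(read_only):
        if current and policy_size(build_doc(current + [action])) > limit:
            docs.append(build_doc(current))   # flush the full part
            current = []
        current.append(action)
    if current:
        docs.append(build_doc(current))
    return docs

# Constructed sample drawn from the Supported API Calls list above.
SAMPLE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:ListUsers", "iam:GetUser", "iam:DeleteUser",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "cloudtrail:DescribeTrails", "cloudtrail:StopLogging",
]

if __name__ == "__main__":
    ro, wr = classify(SAMPLE_ACTIONS)
    print("read-only:", ro)
    print("write (review before granting):", wr)
    # A deliberately tiny limit shows the split into parts on the sample.
    for i, d in enumerate(pack_read_only_policies(ro, limit=200), 1):
        print(f"part {i}: {policy_size(d)} chars, {len(d['Statement'][0]['Action'])} actions")
```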
Feature Enablement Policies
Egress EventBridge Auto Provisioning Policy
The Egress EventBridge Auto Provisioning Policy grants the Rapid7 IAM Role permission to create/manage EventBridge Rules/Targets and to create/manage the SQS queue that consumes those events. Review AWS Event-Driven Harvesting for more information.
Egress LPA Auto Provisioning Policy
The Egress LPA Auto Provisioning Policy grants the Rapid7 IAM Role permission to access CloudTrail, to create the necessary AWS Glue tables, and to create/execute Athena queries with an S3 bucket for results. Review AWS Least-Privileged Access (LPA) for more information.
Egress Host Vulnerability Management Via Role Policy
The Egress Host Vulnerability Management Via Role Policy grants the Rapid7 IAM Role permissions to create and download EBS snapshots for vulnerability scanning. Review Host Vulnerability Management for more information.
Egress Container Vulnerability Management Via Role Policy
The Egress Container Vulnerability Management Via Role Policy grants the Rapid7 IAM Role ECR read permission to all ECR repositories in the AWS Account. This allows for pulling images and scanning for vulnerabilities. Some read permissions overlap with the Rapid7 Read-Only Policies, which are used for general visibility and discovery. This Policy duplicates those permissions because the Rapid7 IAM Role may need to access additional metadata before or after pulling an image to capture the most recent context when producing a finding. Review Container Vulnerability Management for more information.
Example Deployment Policies
These IAM Policies can be used as a reference example for a dedicated IAM Role used by automation or a CI/CD pipeline. They allow the onboarding CFT to be deployed programmatically, but you'll need to update the CFT periodically as new permissions are added.
The statements scope the permissions to only the IAM Roles and Policies related to Rapid7, using our naming conventions, but they could be tightened further with more fine-grained conditions.
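As an added illustration (not one of Rapid7's published deployment policies), the following Python builds a deployment-role policy scoped to the `/rapid7/` path and `rapid7-*` naming convention described above and includes a small IAM-style wildcard matcher to check which role and policy ARNs would fall in scope; the action list and the account ID are assumptions, so take the authoritative action set from the published policy.

```python
"""Added example, not one of Rapid7's published deployment policies: a
CI/CD deployment-role policy scoped to IAM resources under the /rapid7/ path
with rapid7-* names, plus a matcher to check which ARNs fall in scope."""
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder account id

# The action list is an assumption of what deploying the onboarding CFT needs;
# take the authoritative set from Rapid7's published deployment policy.
DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ManageRapid7IamResourcesOnly",
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:UpdateAssumeRolePolicy",
                   "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:TagRole",
                   "iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion"],
        # Resource ARNs restrict every action above to the Rapid7 naming convention.
        "Resource": [
            f"arn:aws:iam::{ACCOUNT_ID}:role/rapid7/rapid7-*",
            f"arn:aws:iam::{ACCOUNT_ID}:policy/rapid7/rapid7-*",
        ],
    }],
}

def wildcard_match(pattern, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'),
    '?' matches exactly one, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(policy, action, arn):
    """True when an Allow statement covers both the action and the resource.
    Anything not explicitly allowed is implicitly denied, so a role created
    outside /rapid7/ is out of scope even for a permitted action."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(wildcard_match(a, action) for a in as_list(stmt["Action"])) and \
           any(wildcard_match(r, arn) for r in as_list(stmt["Resource"])):
            return True
    return False

def scope_report(policy, requests):
    """Evaluate (action, arn) pairs; returns {(action, arn): allowed?}."""
    return {(a, r): allowed(policy, a, r) for a, r in requests}

if __name__ == "__main__":
    base = f"arn:aws:iam::{ACCOUNT_ID}"
    for (action, arn), ok in scope_report(DEPLOY_POLICY, [
        ("iam:CreateRole", f"{base}:role/rapid7/rapid7-consolidated"),
        ("iam:CreateRole", f"{base}:role/rapid7-consolidated"),   # missing /rapid7/ path
        ("iam:AttachRolePolicy", f"{base}:role/AdminRole"),       # unrelated role
        ("iam:CreateUser", f"{base}:user/rapid7/rapid7-bot"),     # action not granted
    ]).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {action} {arn}")
```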