AWS Overview & Support

After InsightCloudSec is successfully installed, you're ready to enable visibility into your target AWS Organization(s) and/or cloud account(s). This documentation details configuring your Amazon Web Services (AWS) environment to "talk" with InsightCloudSec securely.

Frequently Asked Questions (FAQ)

The following frequently asked questions and answers should help you understand AWS in InsightCloudSec.

What does InsightCloudSec support from AWS?

What does InsightCloudSec support from AWS?

As one of the leading public cloud service providers, InsightCloudSec provides broad support for Amazon Web Services (AWS). Review the full list of AWS-specific supported services in the AWS Commercial Support Reference section.

How do I start seeing my AWS environments in InsightCloudSec?

How do I start seeing my AWS environments in InsightCloudSec?

InsightCloudSec relies on a process called "harvesting" to pull data from various CSPs. Review Onboard an AWS Cloud Account or Onboard an AWS Organization for details.

What do I do after my environments is being harvested?

What do I do after my environments is being harvested?

After at least one AWS account is harvested by InsightCloudSec, you're free to configure additional AWS services as necessary to enhance, optimize, or further secure your experience. Review AWS Additional Configuration for more information. The items in this section were written in the AWS Commercial context.

How can I optimize harvesting?

How can I optimize harvesting?

InsightCloudSec harvesting is the term we use to describe the process of data collection from a selected cloud service provider (CSP) within InsightCloudSec. Check out our Harvesting Overview documentation to understand the basics and refer to Harvesting Strategies for details on specific strategies.

In addition, for AWS, InsightCloudSec offers Event-Driven Harvesting, which requires additional configuration but optimizes harvesting by only pulling in new data when certain AWS CloudWatch Events occur. Review our AWS Event-Driven Harvesting documentation for more information.

Manage AWS Cloud Accounts

After initial configuration of the account in AWS, you can add the account to InsightCloudSec. In InsightCloudSec, you onboard a cloud account or organization using the onboarding wizard. Review Onboard an AWS Cloud Account or Onboard an AWS Organization for details.

Once an account is successfully being harvested by InsightCloudSec, it can be modified or deleted as necessary.

AWS Commercial Support Reference

Supported Services

Supported Services

Included in this section are all of the AWS services (and their components) supported by InsightCloudSec. If you have questions related to AWS or specific services and their support, contact us through the Customer Support Portal. If you're interested in the AWS China or GovCloud support for InsightCloudSec, review the China Cloud Support Reference or Government Cloud Support Reference for details instead.

AWS Supported Services & Regions

In general, AWS services included in this section are supported for all regions in which they are available. In some scenarios, some services may not be available in certain regions (or for AWS GovCloud/China in general). This is typically the result of restrictions related to the region itself or otherwise imposed by AWS to comply with regional policies. We recommend that you refer to the AWS documentation on those specific regions for official details. InsightCloudSec now recognizes the EC2 Serial Console as part of general EC2 service support.

text
1
Amazon API Gateway (Domain, Key, Stage, Usage Plans)
2
Amazon Bedrock (Model, Training job)
3
Amazon Connect
4
Amazon DocumentDB (Elastic)
5
Amazon Kendra (Index)
6
Amazon Keyspaces
7
Amazon Lookout for Equipment
8
Amazon Lookout for Metrics
9
Amazon Lookout for Vision
10
Amazon Macie
11
Amazon MemoryDB for Redis
12
Amazon MQ
13
Amazon OpenSearch Serverless
14
Amazon QuickSight
15
Amazon SageMaker (Notebook, Training job)
16
Amazon Simple Email Service (Configuration sets, Rules)
17
Amazon Redshift (Serverless Namespace, Serverless Workgroup, Snapshot)
18
Amazon Timestream
19
Amazon Transcription
20
AppStream 2.0
21
Athena (Workgroup)
22
AWS App Runner
23
AWS AppSync
24
AWS Auto Scaling (Group, Launch Configurations)
25
AWS Backup (gateway, Vault)
26
AWS Clean Rooms (Collaborations)
27
AWS Control Tower (Control, Landing zone)
28
AWS Glue (Connection, Crawler, Data Catalog, Database, Job, Security Configuration)
29
AWS Health Dashboard
30
AWS Organizations (Consolidated Bill, Service Control Policy)
31
AWS Outposts
32
AWS Systems Manager (Association, Parameter Store (Parameter), Document)
33
AWS Transfer Family (SFTP Server)
34
Batch (Compute Environment)
35
Certificate Manager (Private Certificate Authority)
36
CloudFormation (Templates)
37
CloudFront
38
CloudHSM
39
CloudSearch (Cluster)
40
CloudTrail
41
CloudWatch (Alarm, Log Group, Logs Destination, Rule, EventBridge event bus, Observability Access Manager)
42
CodeBuild (Project)
43
CodeCommit
44
Cognito (User Pool)
45
Database Migration Service (Endpoint, Replication Instance)
46
DataSync (Task)
47
Direct Connect
48
Directory Service
49
DynamoDB (Accelerator (DAX))
50
EC2 (Amazon EBS Snapshot, Amazon EBS Volume, Dedicated Instance, Instance, Launch Template, Reserved Instance, Resource/Service Limit/Quota, Savings Plans, SSH Key Pairs)
51
EFS
52
Elastic Beanstalk (Application, Environment)
53
Elastic Container Registry (Container Image, Container Registry)
54
Elastic Container Service/Fargate (Cluster, Container, Container Task, Task Definition)
55
Elastic Kubernetes Service (Cluster, Container Instance, Node Group)
56
Elastic Load Balancer (Application Load Balancer, Gateway Load Balancer, Network Load Balancer)
57
Elastic MapReduce
58
Elastic Transcoder (Pipeline)
59
ElastiCache (Snapshot)
60
FSx (Lustre, NetApp ONTAP)
61
Global Accelerator
62
GuardDuty (Detector)
63
IAM (Access Analyzer, Cloud Account, Group, Policy (Customer Managed), Role, IAM/ACM SSL Certificate, User, User Access Key)
64
Key Management Service
65
Kinesis (Data Firehose)
66
Kinesis Analytics (Streaming applications)
67
Kinesis Video Stream
68
Lambda (Layer)
69
Lightsail
70
Managed Apache Airflow (Environment)
71
MSK (Instance)
72
Neptune
73
OpenSearch Service
74
RDS (Aurora, Aurora global database, Cluster, Event Subscription, Instance, Proxy, Snapshot)
75
Recycle Bin
76
Region
77
Resource Access Manager (Resource shares, Shared resources)
78
Route 53 (DNS Zone, Domain, Resolver Configuration)
79
S3 (Access Point, Multi-Region Access Point)
80
S3 Glacier
81
SAML Identity Provider
82
Secrets Manager (Secret)
83
Serverless Application Repository
84
Simple Queue Service
85
Simple Notification Service (Subscription, Topic)
86
Step Function State Machine
87
Storage Gateway (NFS/SMB File Share)
88
Trusted Advisor
89
VPC (Elastic IP, Elastic Network Interface (ENI), Endpoint Service, Endpoint/PrivateLink, Flow Log, Internet Gateway, Managed Prefix List, NACL/Security Group, NACL/Security Group Rules, NAT Gateway, Network Firewall (Rules, Rule Groups), Peer, Route, Route Table, Site-to-Site VPN, Subnet, Traffic Mirror Target, Transit Gateway, Virtual Private Gateway)
90
WAF & Shield (Rules, Rule Groups)
91
WorkSpaces (Instances)
Supported API calls

Supported API Calls

Included in this section are all of the API calls supported across AWS services based on the many policies that InsightCloudSec provides. This list is for administrators who may want to fine tune a policy with granular read/write operations.

text
1
EC2 Commands
2
============
3
4
AllocateAddress
5
AssociateAddress
6
AssociateRouteTable
7
AttachInternetGateway
8
AttachNetworkInterface
9
AttachVolume
10
AuthorizeSecurityGroupIngress
11
CopyImage
12
CopySnapshot
13
CreateDefaultVpc
14
CreateImage
15
CreateInstanceExportTask
16
CreateInternetGateway
17
CreateKeyPair
18
CreateNetworkAcl
19
CreateNetworkInterface
20
CreateRole
21
CreateRoute
22
CreateRouteTable
23
CreateSecurityGroup
24
CreateSnapshot
25
CreateSubnet
26
CreateTags
27
CreateVolume
28
CreateVpc
29
DeleteInternetGateway
30
DeleteKeyPair
31
DeleteNetworkAcl
32
DeleteNetworkAclEntry
33
DeleteNetworkInterface
34
DeleteRoute
35
DeleteRouteTable
36
DeleteSecurityGroup
37
DeleteSnapshot
38
DeleteSubnet SubnetId
39
DeleteTags
40
DeleteVolume
41
DeleteVpc VpcId
42
DeleteVpcPeeringConnection
43
DeregisterImage
44
DescribeAddresses
45
DescribeAddresses
46
DescribeAvailabilityZones
47
DescribeAvailabilityZones
48
DescribeFlowLogs
49
DescribeHosts
50
DescribeImageAttribute
51
DescribeImages
52
DescribeImportImageTasks
53
DescribeInstanceAttribute
54
DescribeInstanceStatus
55
DescribeInstanceTypes
56
DescribeInstances
57
DescribeInternetGateways
58
DescribeKeyPairs
59
DescribeKeyPairs
60
DescribeKeyPairs
61
DescribeNetworkAcls
62
DescribeNetworkInterfaceAttribute
63
DescribeNetworkInterfaces
64
DescribePlacementGroups
65
DescribeRegions
66
DescribeReservedInstances
67
DescribeRouteTables
68
DescribeSecurityGroups
69
DescribeSnapshots
70
DescribeSubnets
71
DescribeTags
72
DescribeVolumeStatus
73
DescribeVolumes
74
DescribeVpcAttribute
75
DescribeVpcPeeringConnections
76
DescribeVpcs
77
DetachInternetGateway
78
DetachNetworkInterface
79
DetachVolume
80
DisassociateAddress
81
DisassociateRouteTable
82
GetConsoleOutput
83
GetPasswordData
84
ImportImage
85
ImportInstance
86
ImportKeyPair
87
ModifyImageAttribute
88
ModifyImageAttribute
89
ModifyInstanceAttribute
90
ModifyNetworkInterfaceAttribute
91
ModifyVolume
92
ModifyVpcAttribute
93
RegisterImage
94
ReleaseAddress
95
ReplaceRouteTableAssociation
96
RunInstances
97
TerminateInstances
98
99
Redshift Commands
100
=================
101
CreateClusterSnapshot
102
CreateTags
103
DeleteClusterSnapshot
104
DeleteTags
105
DescribeClusterSnapshots
106
DescribeClusters
107
DescribeTags
108
109
IAM Commands
110
============
111
DeleteUser
112
DeletePolicy
113
GetAccessKeyLastUsed
114
GetAccountPasswordPolicy
115
GetAccountSummary
116
GetLoginProfile
117
GetUser
118
ListAccessKeys
119
ListAttachedRolePolicies
120
ListAttachedUserPolicies
121
ListMFADevices
122
ListPolicies
123
ListRolePolicies
124
ListRoles
125
ListServerCertificates
126
ListUsers
127
UpdateAccessKey
128
UpdateAssumeRolePolicy
129
130
Autoscale Commands
131
==================
132
AttachInstances
133
CreateAutoScalingGroup
134
CreateLaunchConfiguration
135
DeleteAutoScalingGroup
136
DeleteLaunchConfiguration
137
DetachInstances
138
PutScalingPolicy
139
PutScalingPolicy
140
SetDesiredCapacity
141
142
RDS Commands
143
============
144
AddTagsToResource
145
CreateDBSnapshot
146
DeleteDBInstance
147
DeleteDBSnapshot
148
DescribeDBEngineVersions
149
DescribeDBInstances
150
DescribeDBSnapshots
151
DescribeReservedDBInstances
152
ListTagsForResource
153
RebootDBInstance
154
RemoveTagsFromResource
155
StartDBInstance
156
StopDBInstance
157
158
Elasticache Commands
159
====================
160
AddTagsToResource
161
CreateSnapshot
162
DeleteCacheCluster
163
DeleteSnapshot
164
DescribeCacheClusters
165
DescribeSnapshots
166
ListTagsForResource
167
RebootCacheCluster
168
RemoveTagsFromResource
169
170
LoadBalancer Commands
171
============
172
AddTags
173
ApplySecurityGroupsToLoadBalancer
174
AttachLoadBalancerToSubnets
175
CreateLoadBalancer
176
CreateLoadBalancerListeners
177
CreateLoadBalancerPolicy
178
DeleteLoadBalancer
179
DeleteLoadBalancerListeners
180
DeleteLoadBalancerPolicy
181
DeregisterInstancesFromLoadBalancer
182
DeregisterInstancesFromLoadBalancer
183
DescribeLoadBalancerAttributes
184
DescribeLoadBalancerPolicies
185
DescribeLoadBalancerPolicyTypes
186
DescribeLoadBalancers
187
DescribeLoadBalancers
188
DescribeTags
189
DetachLoadBalancerFromSubnets
190
RegisterInstancesWithLoadBalancer
191
RegisterInstancesWithLoadBalancer
192
RemoveTags
193
SetLoadBalancerPoliciesForBackendServer
194
SetLoadBalancerPoliciesOfListener
195
196
CloudTrail Commands
197
===================
198
DeleteTrail
199
DescribeTrails
200
GetTrailStatus
201
StartLogging
202
StopLogging
203
204
Route53 Commands
205
================
206
ChangeResourceRecordSets
207
ChangeTagsForResource
208
CreateHostedZone
209
DeleteHostedZone
210
ListHostedZones
211
ListHostedZonesByName
212
ListGeoLocations
213
ListHealthChecks
214
ListResourceRecordSets
215
ListTagsForResource
216
ListTagsForResources
217
ListVPCAssociationAuthorizations
218
219
S3 Commands
220
===========
221
DELETE Bucket
222
DELETE Bucket CORS
223
DELETE Bucket Policy
224
DELETE Bucket Tagging
225
GET Bucket
226
GET Bucket ACL
227
GET Bucket CORS
228
GET Bucket Logging
229
GET Bucket Policy
230
GET Bucket Tagging
231
GET Bucket Versioning
232
GET Bucket Website
233
PUT Bucket ACL
234
PUT Bucket CORS
235
PUT Bucket Policy
236
PUT Bucket Tagging
237
PUT Bucket Logging
238
239
Cloudwatch Commands
240
===================
241
DescribeAlarms
242
GetMetricStatistics
243
ListMetrics
244
245
Organizations Commands
246
======================
247
ListAccounts
248
DescribeOrganization
249
250
Certificate Manager (ACM) Commands
251
==================================
252
ListCertificates
253
DescribeCertificate
254
255
Elastic File System (EFS) Commands
256
==================================
257
DescribeFileSystems
258
DescribeTags
259
CreateTags
260
DeleteTags
261
CreateFileSystem
262
DescribeMountTargetSecurityGroups
263
DescribeMountTargets
264
DeleteMountTarget
265
CreateMountTarget
266
ModifyMountTargetSecurityGroups
267
268
Lambda Commands
269
===============
270
ListFunctions
271
ListTags
272
273
Elasticsearch Commands
274
======================
275
ListDomainNames
276
ListTags
277
DescribeElasticsearchDomains
278
279
Config Commands
280
===============
281
DescribeConfigurationRecorders
282
DescribeConfigurationRecorderStatus
283
DescribeDeliveryChannels
284
DescribeDeliveryChannelStatus
285
286
STS Commands
287
============
288
AssumeRole
289
GetCallerIdentity
290
291
Stack Template Commands
292
=======================
293
DescribeStacks
294
ListStackResources
295
ListStacks
296
DescribeStackResource
297
DescribeStackResources
298
GetTemplate
299
DeleteStack
300
301
DynamoDB
302
========
303
DescribeTable
304
DescribeGlobalTable
305
ListBackups
306
ListTables
307
ListGlobalTables
308
ListTagsOfResource
309
310
DynamoDB DAX
311
============
312
DescribeClusters
313
DescribeTable
314
ListTables
315
ListTags
316
317
SQS
318
===
319
GetQueueAttributes
320
ListQueues
321
ListQueueTags
322
323
Workspaces
324
==========
325
DescribeTags
326
DescribeWorkspaces
327
DescribeWorkspaceBundles
328
DescribeWorkspacesConnectionStatus
329
DescribeWorkspaceDirectories
330
331
Kinesis
332
=======
333
ListStreams
334
DescribeStream
335
DeleteStream
336
ListShards
337
AddTagsToStream
338
ListTagsForStream
339
RemoveTagsFromStream
340
341
Firehose
342
========
343
ListDeliveryStreams
344
DescribeDeliveryStream
345
DeleteDeliveryStream
346
TagDeliveryStream
347
ListTagsForDeliveryStream
348
UntagDeliveryStream

AWS policies

InsightCloudSec offers several different AWS policies for harvesting resource information found in your AWS accounts and enabling features such as Event-driven Harvesting (EDH), Least Privileged Access (LPA), and Cloud Vulnerability Management.

If you're interested in setting up an AWS China or GovCloud account, review the China Cloud Support Reference or Government Cloud Support Reference for details instead.

Policy URLs during onboarding

As of InsightCloudSec v. 23.4.11, the new universal onboarding experience for AWS accounts uses CloudFormation Templates (CFTs) to automatically provision relevant accounts with the necessary policies and roles that contain your specific, unique InsightCloudSec account information.

We highly recommend using the new AWS onboarding experience to add your AWS accounts and only use the policies in this section for reference as some of the URLs provided on this page represent the generic versions of the policies, i.e., there are placeholder values for account-specific information.

Useful Terminology

Some concepts and terminology you should be aware of while reviewing the policies:

TermDescription
ConsolidatedAll IAM Resources deployed by the onboarding CFT include a path prefix of /rapid7/, which helps organize all Rapid7 IAM resources together.

Additionally, Roles and Policies both use the naming convention rapid7-<access type>-<feature/usecase> for easy identification.

You'll note the IAM Role name, rapid7-consolidated, which denotes that policies for all three access types of readonly, egress (a.k.a. data access), and automation are attached to the same role. We reserve this naming convention if we decide to support multiple Roles for each access type use case.
Access TypesThe onboarding CFT creates different roles to collect various types of information from your AWS accounts:

  • Read Only: Explicit and fully enumerated read only permissions for cloud configuration control plane APIs without explicit scoping that gives the customer full visibility into their cloud inventory.
  • Egress: To facilitate features that require collecting/analyzing both cloud control and data plane data that cannot practically be done with cloud APIs. This often requires permissions to create, modify, delete and read from resources in the customer's account.
  • Automation: Customers can attach as few or as many polices to the consolidated Role to facilitate the customer's automation strategy for a given account. Automation is any action to notify systems InsightCloudSec doesn't own or mutate resources InsightCloudSec don’t own.

New required permissions are announced in our release notes. The API calls that are supported with any of the policies can be found in the Supported API Calls section.

Onboarding and Harvesting Policies

Consolidated Assume Role Policy

Consolidated Assume Role Policy

The Consolidated Assume Role Policy is used to establish the trust relationship to the Authenticating Principal (your InsightCloudSec installation role). Note: This link contains placeholder values for InsightCloudSec-specific account information.

Standard Self Referential Policy

Standard Self Referential Policy

The Standard Self Referential Policy allows for the role to refer to itself, the account, and organization it exists within.

Read-Only Policy

Read-Only Policy

The Read-Only policy consists of three parts (the permissions have exceeded AWS's limitation on policy size). These policies only contain read only-type permissions, e.g., List, Describe, Get, etc., and will need to be updated any time InsightCloudSec supports a new AWS Service.

Feature Enablement Policies

Egress EventBridge Auto Provisioning Policy

Egress EventBridge Auto Provisioning Policy

The Egress EventBridge Auto Provisioning Policy grants the Rapid7 IAM Role permission to create/manage EventBridge Rules/Targets and create/manage an SQS queue from consuming the Events. Review AWS Event-Driven Harvesting for more information.

Egress LPA Auto Provisioning Policy

Egress LPA Auto Provisioning Policy

The Egress LPA Auto Provisioning Policy grants the Rapid7 IAM Role permission to access CloudTrail, to create the necessary AWS Glue tables and to create/execute Athena queries with a S3 bucket for results. Review AWS Least-Privileged Access (LPA) for more information.

Egress Host Vulnerability Assessment Via Role Policy

Egress Host Vulnerability Assessment Via Role Policy

The Egress Host Vulnerability Assessment Via Role Policy grants the Rapid7 IAM Role permissions to create and download EBS snapshots for vulnerability scanning. Review Vulnerability Management Overview for more information.

Egress Container Vulnerability Assessment Via Role Policy

Egress Container Vulnerability Assessment Via Role Policy

The Egress Container Vulnerability Assessment Via Role Policy grants the Rapid7 IAM Role ECR read permission to all ECR repositories in the AWS Account. This allows for pulling images and scanning for vulnerabilities. Some read permissions overlap with the Rapid7 Read-Only Policies, which are used for general visibility and discovery. This Policy duplicates those permissions because the Rapid7 IAM Role may need to access additional metadata before or after pulling an image to capture the most recent context when producing a finding. Review Vulnerability Management Overview for more information.

Example Deployment Policies

These IAM Policies can be used as a reference example for a dedicated IAM Role to be used via automation or CI/CD pipeline. These policies allow for programmatically deploying the onboarding CFT, but you'll need to periodically update the CFT for new permissions.

The statements scope the permissions to only IAM Roles and Policies related to Rapid7 using our naming conventions but could be expanded upon with more fine grain conditionals.