Onboard AWS Accounts and Organizations with Temporary Delegation

ℹ️

Phased release of this feature

The AWS IAM temporary delegation feature is being rolled out gradually over the next few weeks. Do not share this page outside of Rapid7 or with customers who do not yet have access to this feature. If you have questions or feedback, contact your CSA or reach out through the Customer Support Portal.

After Cloud Security (InsightCloudSec) is deployed, you’re ready to start harvesting data from AWS, which requires securely connecting your Amazon Web Services (AWS) Accounts and Organizations to the Rapid7 Command Platform.

As visibility into your cloud accounts improves and your inventory grows, you can then begin to leverage the rest of Cloud Security (InsightCloudSec), including Insights, Bots, Layered Context, and more.

You can use the AWS IAM temporary delegation feature to allow Rapid7 temporary access to your AWS environment. The temporary delegation capability allows you to maintain control and visibility over the onboarding process using time-bound credentials with delineated permissions.

After you approve a temporary delegation request, Rapid7 will then deploy a CloudFormation template, which will provision the necessary AWS resources required for Rapid7 to collect data from your unique environment, including a custom AWS role used for harvesting. If you would prefer an alternative onboarding method, see the AWS Overview.

Prerequisites

  • Access to the target AWS Account or Organization

ℹ️

Reviewing delegation requests?

To review delegation requests in the AWS console, you’ll need the following permissions:

  • iam:AcceptDelegationRequest
  • iam:GetDelegationRequest
  • iam:RejectDelegationRequest
  • iam:ListDelegationRequests

Connect an account or organization

The IAM temporary delegation connection process involves configuring and sending a delegation request.

To configure and send a delegation request:

  1. Log in to the AWS console for the target account.
  2. In a separate browser tab, log in to the Command Platform.
  3. Go to Data Connectors > Cloud Accounts.
  4. Open the Add Cloud interface:
    • First-time users:
      1. Click Onboard a Cloud Account.
      2. Select Amazon Web Services, then click Next.
      3. Select Yes, then click Next.
      4. Select AWS IAM Temporary Delegation, then click Next.
    • Returning users:
      1. Click + Add Cloud.
      2. Click Amazon Web Services.
      3. Click AWS IAM Temporary Delegation.
  5. Enter a Nickname for the AWS account. This is a unique value that can be used to search and filter across Cloud Security (InsightCloudSec).
  6. Indicate if you are adding an AWS Organization or an individual AWS Account.
  7. Select the checkbox to acknowledge that Rapid7 will assume a temporary AWS role on your behalf to complete the onboarding process.
  8. Enter the AWS Account ID for the individual Account or root Account for the Organization.
  9. Enter an IAM Role name to associate with the onboarding process.
  10. Click Send Delegation Request. An AWS window opens.
  11. Optionally, click View JSON to review the policy that Rapid7 will use.
  12. Review the delegation request:
    • AWS Delegation Admin users:
      1. Click Allow access to approve the request.
    • Other users:
      1. Click Request approval.
      2. Share the Request link and ID with someone in your Organization with the proper permissions to approve the request.

If the request is approved, Rapid7 will automatically set up the account and add it to Cloud Security (InsightCloudSec). You can find the account on the Clouds Listing page.

⚠️

Do not close the Add Cloud interface

You cannot re-open the Add Cloud interface for this request, so if you leave the interface and the request fails, expires, or is denied, you will need to re-configure and re-send the request. The Add Cloud interface provides real-time updates for the process, so you can stay on the page and wait for someone to approve the request. If you are ready to close the Add Cloud interface, click View Accounts. You can monitor the progress for the request on the Delegation Requests page.