Create an Amazon Web Services (AWS) Connection to Cloud Configuration Assessment

You can configure an Amazon Web Services (AWS) connection to Cloud Configuration Assessment (CCA). This connection allows CCA to collect data from your AWS resources at a scheduled interval. Cloud Configuration Assessment uses this data to assess your vulnerabilities in the cloud.

AWS connection requirements

You must meet the following requirements before you can connect your AWS resources to Cloud Configuration Assessment in InsightVM.

  • Custom IAM role with cross-account access to supported resources
  • A custom policy that grants additional permissions required by the Cloud Configuration Assessment feature

Prepare your browser for this procedure

Configuring an AWS connection involves completing steps in both your AWS environment and InsightVM. Having both of these interfaces open in separate browser tabs will make this procedure easier to complete.

Set up AWS
  1. From the AWS console, navigate to IAM (Identity and Access Management).

  2. On the IAM dashboard, select Policies and click Create policy.

  3. On the JSON tab, enter the following:

    AWS Supplemental Policy (JSON):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AwsReadOnlyMissingPermissions",
          "Action": [
            "airflow:GetEnvironment",
            "apprunner:DescribeService",
            "apprunner:ListServices",
            "memorydb:DescribeClusters",
            "memorydb:DescribeSubnetGroups",
            "memorydb:ListTags",
            "pricing:GetProducts",
            "rbin:GetRule",
            "rbin:ListRules",
            "support:*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "AwsReadOnlyDenyPermissions",
          "Action": [
            "s3:GetObject*"
          ],
          "Effect": "Deny",
          "Resource": "*"
        }
      ]
    }
  4. Click Next: Tags > Next: Review.

  5. Enter a Policy name and click Create policy.

Create a Custom Role
  1. From the IAM dashboard, navigate to Roles and click Create Role.
  2. Select Another AWS account and enter the Account ID: 336818582268. This is Rapid7's account. We will use this role to perform the assessment.
  3. Select Require external ID.
  4. Generate an external ID. It can include any characters that you choose.
  5. Click Next: Permissions.
  6. Use the search bar to filter for the ReadOnlyAccess policy and the custom policy that you created. Select both policies.
  7. Select Next: Tags > Next: Review.
  8. Enter a Role name and description. Click Create Role.
Configure your custom role
  1. From the IAM dashboard, select Roles and click on your custom role.
  2. Select Trust relationships and click Edit trust relationship.
  3. On the JSON tab, enter the following. Substitute your external ID for "ENTER ID HERE":

    Trust policy (JSON):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::336818582268:role/Platform_InfrastructureAssessment"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "ENTER ID HERE"
            }
          }
        }
      ]
    }

Updating an existing trust relationship

If you have a previously configured trust relationship, but did not include the External ID, we recommend updating to the best practice above.

  1. Click Update Trust Policy.
  2. Copy and store the Account Nickname, Role ARN, and external ID.
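The following script is an added example (not Rapid7's code) covering both the trust policy entered under "Configure your custom role" and the check recommended under "Updating an existing trust relationship". It renders the trust policy with a given external ID and then audits any trust policy document for the three things that matter here: the principal is the Rapid7 assessment role and not a wildcard, an sts:ExternalId condition is present, and the "ENTER ID HERE" placeholder was actually replaced. The LEGACY_POLICY document and the external ID values are constructed for illustration.

```python
import json

RAPID7_PRINCIPAL = "arn:aws:iam::336818582268:role/Platform_InfrastructureAssessment"
PLACEHOLDER = "ENTER ID HERE"


def build_trust_policy(external_id: str) -> str:
    """Render the trust policy from the procedure above with the given external ID."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": RAPID7_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }, indent=2)


def _as_list(value):
    # IAM accepts either a string or a list in most positions; normalise to a list.
    return value if isinstance(value, list) else [value]


def trust_policy_issues(document: str) -> list:
    """Return human-readable problems with a trust policy; an empty list means it is sound."""
    issues = []
    for i, stmt in enumerate(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            issues.append(f"statement {i}: wildcard principal may assume the role")
        elif RAPID7_PRINCIPAL not in aws:
            issues.append(f"statement {i}: principal is not the Rapid7 assessment role")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            issues.append(f"statement {i}: no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext_id == PLACEHOLDER or not str(ext_id).strip():
            issues.append(f"statement {i}: external ID placeholder was never replaced")
    return issues


# Constructed example of an older trust relationship created without an external ID.
LEGACY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": RAPID7_PRINCIPAL}, "Action": "sts:AssumeRole"}]})
```

Paste the output of build_trust_policy() into the Edit trust relationship editor, or feed an existing role's trust document to trust_policy_issues() to confirm it needs no update.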
Configure an AWS connection in CCA

Use InsightVM’s Cloud Configuration Assessment connection wizard to create your connection.

  1. Go to the Cloud Configuration page and click on Add/Manage Connections.
  2. In the Cloud Infrastructure section, click Add next to Amazon Web Services.
  3. Enter your preferred Account Nickname. This will be the name for your connection.
  4. Enter the Account Number, Role ARN and External ID.
  5. Click Save.

AWS credentials

You can reference your AWS credentials at any time by viewing the details of the role you created.