AWS - Connect to Cloud Configuration Assessment

NOTE: Cloud Configuration Assessment is currently available in "preview" form

A feature that is in "preview" has made enough progress to be suitable for customer use, albeit still in active development.

InsightVM customers can take advantage of this preview offering to provide early feedback and usage data that will shape the final version of Cloud Configuration Assessment when it becomes Generally Available (GA).

Like other preview features, the Cloud Configuration Assessment preview may not yet have all the functionality planned for the GA version and may only be accessible from cloud-enabled pages in InsightVM (such as the Dashboard tab). Using this preview will not affect your production data.

You can provide your feedback on the Cloud Configuration Assessment preview by completing the following survey:

https://www.surveygizmo.com/s3/4936396/VM-Cloud-Configuration-Assessment-Survey

The following features are not yet available in the preview, but are planned for GA:

  • Ability to group rules into benchmarks

This article explains how to create an Amazon Web Services (AWS) connection and an optional supporting CloudTrail connection for use with the Cloud Configuration Assessment feature.

How this connection works

Configuring a baseline AWS connection allows InsightVM to collect configuration data from your AWS resources on a fixed schedule. Cloud Configuration Assessment then evaluates that data against the rules library to determine your level of compliance.

If you also want InsightVM to react to configuration changes between scheduled collections, you can configure a supporting CloudTrail connection. Adding a CloudTrail connection is optional, but it lets Cloud Configuration Assessment show near real-time results for your AWS environment instead of results that are only as fresh as the last scheduled collection.

CloudTrail connection details

A CloudTrail connection works as follows. When CloudTrail delivers a log file to your S3 bucket, it publishes a notification to a Simple Notification Service (SNS) topic; that topic forwards the notification to a Simple Queue Service (SQS) queue that InsightVM polls. The notification names the bucket and the key of the delivered log file, so InsightVM can fetch that file from your specified S3 bucket, read the events it contains, and collect fresh data for the resources those events affected. This process supplements your baseline AWS connection with the following capabilities:

  • Allows InsightVM to discover newly created entities since the last data collection period
  • Allows InsightVM to re-collect data on resources that have undergone a configuration change
  • Allows InsightVM to delete resources in Cloud Configuration Assessment that no longer exist

How InsightVM Manages Simultaneous Connections to AWS Services

While collecting data for Cloud Configuration Assessment, InsightVM connects to only one AWS service per account at a time. To avoid disrupting your own use of those services, InsightVM backs off exponentially if AWS returns throttling errors (that is, if the account's API rate limits are exceeded) and then resumes collection.

AWS connection requirements

InsightVM must assume a custom IAM role with cross-account access in order to assess your AWS infrastructure. This role carries two policies that, for a baseline AWS connection, consist entirely of read-only permissions:

  • The default AWS “SecurityAudit” policy
  • A custom policy that grants additional permissions required by the Cloud Configuration Assessment feature

Custom policy permissions

The read-only permissions in this custom policy cover the auditable cloud configuration areas that the default AWS “SecurityAudit” policy does not.

If you elect to configure a supporting CloudTrail connection alongside your AWS connection, your custom policy will also include some additional permissions scoped to the CloudTrail SQS queue you specify. These queue permissions are the one place where the policy stops being purely read-only (removing a message from a queue after processing it is a write operation in IAM's access-level terms), so review the generated policy document in the wizard and confirm that the only non-read permissions it grants are the ones on that queue.
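The following script is an added example (not Rapid7's code) of the review suggested above: it parses a policy document and lists every allowed action that is not obviously read-only, then separates out those whose service is not one you expect to need writes (only sqs, for a CloudTrail connection). The sample policy embedded in it is constructed for illustration and is not the document the wizard generates; classifying actions by verb prefix is a heuristic, and the authoritative access level of any action is the one in AWS's Service Authorization Reference.

```python
"""Audit an IAM policy document for actions that are not obviously read-only.

Added example, not Rapid7's code. SAMPLE_POLICY is constructed and is not
the document the InsightVM connection wizard produces.
"""
import json

# Verb prefixes that IAM generally classifies as List/Read access. This is a
# heuristic: the authoritative access level is in the Service Authorization
# Reference (for example iam:GenerateCredentialReport is read-like but will
# be flagged here for a human to confirm).
READ_PREFIXES = ("Describe", "Get", "List", "Lookup", "Search", "Query",
                 "View", "Check", "Scan")


def is_read_only(action):
    """True for ec2:DescribeInstances or s3:Get*; False for bare wildcards
    such as "*" or "s3:*", which can grant write access."""
    service, sep, verb = action.partition(":")
    verb = verb.rstrip("*")
    return bool(sep) and bool(verb) and verb.startswith(READ_PREFIXES)


def allowed_actions(policy):
    """Yield every action granted by an Allow statement. An Allow that uses
    NotAction grants everything except the listed actions, so report it as
    the wildcard '*'."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM accepts a single statement
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            yield "*"
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        yield from actions


def audit_policy(policy_json, expected_write_services=()):
    """Return (flagged, unexpected): every allowed action that is not
    read-only, and the subset whose service is not in
    expected_write_services (pass {"sqs"} for a CloudTrail connection)."""
    policy = json.loads(policy_json)
    flagged = sorted({a for a in allowed_actions(policy) if not is_read_only(a)})
    unexpected = [a for a in flagged
                  if a.partition(":")[0] not in expected_write_services]
    return flagged, unexpected


# Constructed sample: read-only audit permissions plus the queue permissions
# a CloudTrail connection adds. Account ID, queue and bucket names are made up.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "kms:ListAliases"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:cloudtrail-events"},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-cloudtrail-bucket/*"},
    ],
})

if __name__ == "__main__":
    flagged, unexpected = audit_policy(SAMPLE_POLICY, expected_write_services={"sqs"})
    print("non-read actions:      ", flagged)
    print("need a justification:  ", unexpected)
```

Paste the policy body the wizard shows into a file and call audit_policy on its contents; anything that lands in the unexpected list should stop you from attaching the policy until you understand why it is there.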

CloudTrail connection requirements

Configuring a supporting CloudTrail connection requires some setup in your AWS environment beforehand:

  • You must configure CloudTrail to deliver its log files (event documents) to an S3 bucket. For this to work, the trail must log management events with the read/write type set to Write-only (or All): write events are the ones that record configuration changes.
    • InsightVM consults these log files to collect the latest data after the configuration of the corresponding resource has changed.
  • CloudTrail must also send a notification for each delivered log file to an SNS topic that forwards those notifications to an SQS queue.

The CloudTrail portion of the AWS connection configuration wizard in InsightVM requires the following values:

  • The ARN of your SQS queue
  • The name of your S3 bucket
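The script below is an added example (not InsightVM's code) that walks the path described in the CloudTrail connection details and requirements above: it takes an SQS message carrying CloudTrail's SNS delivery notification, fetches the referenced log file from the bucket, discards read-only events, and sorts the remaining write events into the three outcomes the page lists (discover a new resource, re-collect a changed one, delete a removed one). The message body, the log file, the bucket name and the object key are all constructed here so it runs offline; the field names (Type, Message, s3Bucket, s3ObjectKey, eventSource, eventName, readOnly, resources) are the real SNS and CloudTrail ones. The fetch_object function stands in for an S3 GetObject call.

```python
"""Consume a CloudTrail delivery notification: SQS message -> S3 log file ->
affected resources. Added example, not InsightVM code; message, log file and
names are constructed so the script runs offline."""
import gzip
import json

# Assumed: the bucket name you enter in the wizard, and one delivered log key.
CONFIGURED_BUCKET = "example-cloudtrail-bucket"
LOG_KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/example.json.gz"

# Constructed CloudTrail log file. Field names are real CloudTrail record
# fields; every value is made up.
LOG_FILE = {"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "readOnly": False,
     "resources": [{"ARN": "arn:aws:s3:::example-bucket", "type": "AWS::S3::Bucket"}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "readOnly": True},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup",
     "readOnly": False,
     "responseElements": {"groupId": "sg-0123456789abcdef0"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteRole",
     "readOnly": False,
     "requestParameters": {"roleName": "old-role"}},
]}

# Stand-in for S3. CloudTrail delivers log files gzip-compressed.
OBJECTS = {(CONFIGURED_BUCKET, LOG_KEY): gzip.compress(json.dumps(LOG_FILE).encode())}


def fetch_object(bucket, key):
    """Stand-in for s3.get_object(Bucket=bucket, Key=key)['Body'].read()."""
    return OBJECTS[(bucket, key)]


def make_sqs_body(bucket, keys):
    """Build the SQS body SNS produces for a CloudTrail delivery notice: the
    SNS envelope wraps CloudTrail's {"s3Bucket", "s3ObjectKey"} JSON string."""
    notice = {"s3Bucket": bucket, "s3ObjectKey": list(keys)}
    return json.dumps({"Type": "Notification",
                       "TopicArn": "arn:aws:sns:us-east-1:123456789012:cloudtrail-topic",
                       "Message": json.dumps(notice)})


def classify(event_name):
    """Map a write event to one of the three outcomes the page lists. Name
    prefixes are a heuristic (DeleteBucketPolicy does not delete the bucket);
    a real collector re-queries the API and lets the response decide."""
    if event_name.startswith(("Create", "Run")):
        return "discover"
    if event_name.startswith(("Delete", "Terminate")):
        return "delete"
    return "recollect"


def process_sqs_message(body, fetch, configured_bucket):
    """Return [(outcome, eventSource, eventName, [resource ARNs]), ...] for
    every write event in the log files the notification references."""
    envelope = json.loads(body)
    if envelope.get("Type") != "Notification":
        raise ValueError("not an SNS notification")
    notice = json.loads(envelope["Message"])
    # Only read log files from the bucket you configured: anyone able to
    # publish to the topic could otherwise point the consumer at a bucket
    # of their choosing.
    if notice.get("s3Bucket") != configured_bucket:
        raise ValueError(f"notification references unexpected bucket {notice.get('s3Bucket')!r}")
    actions = []
    for key in notice["s3ObjectKey"]:
        records = json.loads(gzip.decompress(fetch(configured_bucket, key)))["Records"]
        for rec in records:
            # Read-only API calls say nothing about configuration; skip them.
            # Records without the field are kept, which errs toward re-collecting.
            if rec.get("readOnly", False):
                continue
            arns = [r["ARN"] for r in rec.get("resources", []) if "ARN" in r]
            actions.append((classify(rec["eventName"]), rec["eventSource"],
                            rec["eventName"], arns))
    return actions


if __name__ == "__main__":
    body = make_sqs_body(CONFIGURED_BUCKET, [LOG_KEY])
    for action in process_sqs_message(body, fetch_object, CONFIGURED_BUCKET):
        print(action)
```

Two details are worth keeping from this sketch when building anything similar: a trail that logs only read events produces nothing the consumer can act on, which is why the requirements call for Write-only (or All) management events; and the bucket check is what keeps a notification, rather than your configuration, from deciding where log data is read from.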

Configure an AWS connection in InsightVM

Use InsightVM’s Cloud Configuration Assessment connection wizard to create your connection. The wizard supports your choice of using either the AWS Management Console or AWS scripts in a Command Line Interface (CLI) to complete the following:

  • The creation of your IAM Role
  • The creation of your custom policy detailed in the requirements
  • The attachment of both the default SecurityAudit AWS policy and the custom policy to your IAM Role

Prepare your browser for this procedure

Configuring an AWS connection involves completing steps in both your AWS environment and InsightVM. Having both of these interfaces open in separate browser tabs will make this procedure easier to complete.

AWS Management Console method

If you elect to use the AWS Management Console to configure your connection, you’ll need to perform the following steps.

Create the IAM Role

Follow these steps to create the necessary IAM role in the AWS Management Console:

  1. In your AWS Management Console, expand the Services dropdown. Under the Security, Identity, & Compliance section, click the IAM link.
  2. On your left navigation menu, click the Roles tab to change the tab view. Click the Create role button.
  3. On the Create role page, select the Another AWS account option.
  4. Enter 336818582268 in the Account ID field.
  5. In the Options section, check the Require external ID box.
    • Checking this box produces an additional External ID field. The external ID is the standard AWS safeguard against the confused-deputy problem: with it set, Rapid7's account can assume your role only when the caller also presents this value, so the service cannot be tricked into assuming your role on another customer's behalf. Treat the value as a secret.
  6. To get your External ID, switch to the browser tab that has your InsightVM interface and click the Cloud Configuration tab on your left menu.
  7. When the Cloud Configuration page loads, click Add/Manage Connections in the upper right corner. The Management view displays with the Connections tab open.
  8. Browse to the Cloud Infrastructure category on the left side of your connection list and click Add next to Amazon Web Services. The Add Cloud Connection wizard displays.
  9. Browse to the IAM Role Creation Methods section at the bottom of step 1 and click the AWS Console tab. Expand the External ID dropdown to copy your External ID.
  10. Return to your AWS Management Console browser tab and paste this value in the External ID field.
  11. Make sure that the Require MFA box is not checked. InsightVM assumes the role programmatically and cannot satisfy an MFA condition; if the box is checked, role assumption (including the Test Assume Role button later in the wizard) will fail.
  12. Click the Next: Permissions button when finished to move to the next page.
  13. You’ll attach permissions to this role in a later procedure, so skip this for now. Click the Next: Tags button to continue.
  14. Feel free to apply any tags to this role according to your organization’s management best practices. Click the Next: Review button to continue.
  15. On the Review page, give your role a name and an optional description. Click Create role when finished.
  16. Now that you’ve created your role, click its name link in the Roles table to open its Summary page. Copy the Role ARN and return to the connection wizard in InsightVM.
  17. In step 1 of the wizard, give your connection a name.
  18. Paste the IAM Role ARN you just copied into the provided field. If you like, you can test the connection to your IAM Role with the Test Assume Role button.
  19. If you intend to add and configure a supporting CloudTrail connection for this AWS connection, check the Include a CloudTrail connection box.

Do not skip this step if you want to use CloudTrail with Cloud Configuration Assessment!

Checking the provided box unlocks the Optional Connections step of the wizard and ensures that your custom policy document generated in the Attach Policies step includes the necessary permissions relevant to CloudTrail.

  20. Click Continue to advance the wizard to the next step.
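Whichever way you created the role (the console steps above or the CLI script in the AWS CLI method), it is worth checking its trust policy before pasting the ARN into the wizard. The script below is an added example, not Rapid7's code: given the trust policy JSON, it confirms that the only principal is Rapid7's account (the account ID 336818582268 is the one from the procedure above), that the sts:ExternalId condition is present and matches the value the wizard showed you, and that no MFA condition is set. The external ID and both sample documents are constructed for illustration.

```python
"""Check a cross-account trust policy before handing its role ARN to InsightVM.

Added example, not Rapid7's code. RAPID7_ACCOUNT_ID is the account ID the
procedure tells you to enter; EXAMPLE_EXTERNAL_ID and both documents are
constructed.
"""
import json

RAPID7_ACCOUNT_ID = "336818582268"
EXAMPLE_EXTERNAL_ID = "example-external-id-from-the-wizard"   # constructed


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy_json, expected_account, expected_external_id):
    """Return a list of problems; an empty list means the trust policy grants
    sts:AssumeRole exactly the way the connection wizard expects."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" or {"AWS": "*"} lets any AWS account attempt the
        # assumption; the external ID alone is not a secret strong enough
        # to carry that.
        principals = (_as_list(principal) if isinstance(principal, str)
                      else _as_list(principal.get("AWS")))
        if not principals:
            findings.append("statement has no AWS principal")
        for p in principals:
            if p == "*" or expected_account not in p:
                findings.append(f"principal {p!r} is not account {expected_account}")
        cond = stmt.get("Condition", {})
        external_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId does not match the value shown in the wizard")
        # A programmatic AssumeRole cannot satisfy an MFA condition, so the
        # wizard's Test Assume Role would fail (the page says to leave
        # Require MFA unchecked).
        if "aws:MultiFactorAuthPresent" in json.dumps(cond):
            findings.append("aws:MultiFactorAuthPresent condition set; leave Require MFA unchecked")
    return findings


# Constructed: what the console produces for "Another AWS account" with
# "Require external ID" checked and "Require MFA" unchecked.
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{RAPID7_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXAMPLE_EXTERNAL_ID}},
}]})

# Constructed: open to any account, no external ID, and MFA required.
BAD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
}]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST), ("bad", BAD_TRUST)):
        print(name, trust_policy_findings(doc, RAPID7_ACCOUNT_ID, EXAMPLE_EXTERNAL_ID) or "OK")
```

To run it against the real role, fetch the live document with `aws iam get-role --role-name <your role name> --query Role.AssumeRolePolicyDocument --output json` and pass that JSON text as the first argument, with the external ID copied from the wizard as the third.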

Configure CloudTrail connection fields (optional)

If you checked the Include a CloudTrail connection box in the previous procedure, the Optional Connections step of the wizard will activate and become navigable. This step contains required fields for CloudTrail functionality.

Follow these steps to configure your CloudTrail connection:

  1. In step 2 of the connection wizard in InsightVM, enter the ARN of your SQS queue that this connection should monitor for new messages.

CloudTrail connections require the configuration of SNS notifications

As covered previously in the requirements, InsightVM can only respond to CloudTrail events when an SNS topic forwards CloudTrail messages to an SQS queue. If you have not deployed this functionality yet, see the following AWS documentation for instructions:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html

  2. Enter the name of the S3 bucket that CloudTrail is sending event documents to.
  3. Click Continue to advance the wizard to the next step.

Attach policies to the IAM Role

Now that your IAM Role is in place, you can create and attach the required policies using step 3 of the connection wizard.

Follow these steps to create and attach the policies to your IAM Role:

  1. In step 3 of the connection wizard in InsightVM, click the AWS Console tab under Policy Attachment Methods and copy the managed policy document.
    • You can expand this policy dropdown to see exactly what permissions this policy contains. If you chose to include a CloudTrail connection, this policy will contain additional permissions based on the information you provided in the fields in step 2.
  2. Return to the Roles page in your AWS Management Console and click the name link of the role you created in step 1.
  3. On the Summary page of your role, click Attach Policies under the Permissions tab. The Attach Permissions page appears.
  4. Click Create policy. Your AWS Management Console will open a second browser tab with the Create policy interface.
  5. Switch to the JSON entry format and paste the entire managed policy body that you copied earlier. Make sure you overwrite the template braces and key-value pairs that the editor provides automatically. Click Review policy to proceed.
  6. On the Review policy page, give your policy a name and an optional description. Click Create policy when finished.
  7. Navigate to your original Attach Permissions browser tab and refresh the policy list to ensure that your custom policy is accounted for.
  8. In the Filter policies field, search for and check the box next to the custom policy you just created. Repeat this step for the default SecurityAudit policy offered by AWS.
  9. Click Attach policy to finish.
  10. Now that your IAM role has the necessary policies attached, return to the connection wizard in InsightVM and click Continue to advance to the final step.

Review and save your connection

With all necessary configurations complete, take a moment to review the details of your connection in step 4 of the wizard. After you verify that everything is correct, click Submit to finish. InsightVM will immediately begin an initial collection of AWS resource configuration data for viewing in the Cloud Configuration interface.

Your AWS connection is ready!

InsightVM should now have a working connection to your AWS environment for the purpose of using Cloud Configuration Assessment. You will begin to see results as InsightVM collects data, but note that the size and scope of your account ultimately affects how long this initial process takes. The initial collection period for large accounts can take up to a few hours, so keep this in mind while your interface continues to update with new assessment results.

Next, take a look at the Cloud Configuration Assessment Interface Guide to learn how to use this feature to its full potential.

AWS CLI method

If you elect to use the command line to configure your connection, you’ll need to install the AWS CLI if you have not done so already, and configure it with credentials for an identity that is permitted to create IAM roles and policies and to attach policies to roles. The scripts that the wizard generates are ordinary AWS CLI commands for your Linux terminal or Windows command prompt.

Important note for role and policy name customization

The IAM Role and custom policy creation scripts and the associated attachment commands provided by the connection wizard in InsightVM all use the Rapid7-Security-Audit name for command consistency. You can customize these names if you want to, but be aware you will have to adjust dependent commands with the correct name if you do so. To avoid unnecessary complexity with this CLI method, we recommend that you leave these names unchanged.

To configure your connection using the CLI method, you’ll need to perform the following steps.

Create the IAM Role (CLI)

Follow these steps to create the necessary IAM role using the command line:

  1. Open your InsightVM interface and click the Cloud Configuration tab on your left menu.
  2. When the Cloud Configuration page loads, click Add/Manage Connections in the upper right corner. The Management view displays with the Connections tab open.
  3. Browse to the Cloud Infrastructure category on the left side of your connection list and click Add next to Amazon Web Services. The Add Cloud Connection wizard displays.
  4. Browse to the IAM Role Creation Methods section at the bottom of step 1 and click one of the CLI tabs according to your operating system.
  5. Copy the IAM Role creation script.
    • You can expand the Create IAM Role dropdown to see exactly what this script looks like. The script automatically contains your organization’s External ID.
  6. Open an instance of your operating system’s command line interface (either a terminal or command prompt) and paste and run the IAM Role creation script.
  7. With your IAM Role created, your command line interface will output the ARN onscreen. Copy the Role ARN and return to the connection wizard in InsightVM.
  8. In step 1 of the wizard, give your connection a name.
  9. Paste the IAM Role ARN you just copied into the provided field. If you like, you can test the connection to your IAM Role with the Test Assume Role button.
  10. If you intend to add and configure a supporting CloudTrail connection for this AWS connection, check the Include a CloudTrail connection box.

Do not skip this step if you want to use CloudTrail with Cloud Configuration Assessment!

Checking the provided box unlocks the Optional Connections step of the wizard and ensures that your custom policy document generated in the Attach Policies step includes the necessary permissions relevant to CloudTrail.

  11. Click Continue to advance the wizard to the next step.

Configure CloudTrail connection fields (CLI, optional)

If you checked the Include a CloudTrail connection box in the previous procedure, the Optional Connections step of the wizard will activate and become navigable. This step contains required fields for CloudTrail functionality.

Follow these steps to configure your CloudTrail connection:

  1. In step 2 of the connection wizard in InsightVM, enter the ARN of your SQS queue that this connection should monitor for new messages.

CloudTrail connections require the configuration of SNS notifications

As covered previously in the requirements, InsightVM can only respond to CloudTrail events when an SNS topic forwards CloudTrail messages to an SQS queue. If you have not deployed this functionality yet, see the following AWS documentation for instructions:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html

  2. Enter the name of the S3 bucket that CloudTrail is sending event documents to.
  3. Click Continue to advance the wizard to the next step.

Attach policies to the IAM Role (CLI)

Now that your IAM Role is in place, you can create and attach the required policies using step 3 of the connection wizard.

Follow these steps to create and attach the policies to your IAM Role:

  1. In step 3 of the connection wizard in InsightVM, click one of the CLI tabs according to your operating system under Policy Attachment Methods and copy the custom managed policy creation script.
    • You can expand the Create Custom Managed Policy dropdown to see exactly what permissions this policy contains. If you chose to include a CloudTrail connection, this policy will contain additional permissions based on the information you provided in the fields in step 2.
  2. Paste and run this script in your command line interface.
  3. Next, copy the Attach AWS SecurityAudit Policy to your IAM Role command in the connection wizard. Run this command in your command line interface to attach the default SecurityAudit policy to your IAM Role.
  4. Finally, copy the Attach the Custom Policy to your IAM Role command in the connection wizard. Run this command in your command line interface to attach the custom policy you just created to your IAM Role.
  5. Now that your IAM role has the necessary policies attached, return to the connection wizard in InsightVM and click Continue to advance to the final step.

Review and save your connection (CLI)

With all necessary configurations complete, take a moment to review the details of your connection in step 4 of the wizard. After you verify that everything is correct, click Submit to finish. InsightVM will immediately begin an initial collection of AWS resource configuration data for viewing in the Cloud Configuration interface.

Your AWS connection is ready!

InsightVM should now have a working connection to your AWS environment for the purpose of using Cloud Configuration Assessment. You will begin to see results as InsightVM collects data, but note that the size and scope of your account ultimately affects how long this initial process takes. The initial collection period for large accounts can take up to a few hours, so keep this in mind while your interface continues to update with new assessment results.

Next, take a look at the Cloud Configuration Assessment Interface Guide to learn how to use this feature to its full potential.

How to add a CloudTrail connection to an existing AWS connection

If you want to configure a new CloudTrail connection for an AWS connection that already exists, you can do so by triggering the connection wizard from the Management screen and making the necessary changes:

  1. Open your InsightVM interface and click the Cloud Configuration tab on your left menu.
  2. When the Cloud Configuration page loads, click Add/Manage Connections in the upper right corner. The Management view displays with the Connections tab open.
  3. Browse to and click the Cloud Infrastructure category on the left side of your connection list to show all existing Cloud Configuration connections.
  4. Click Edit on the connection you want to modify. The connection wizard appears with current field values displayed.
  5. Check the Include a CloudTrail connection box. Click Continue to proceed to the now unlocked CloudTrail field configuration step.
  6. In step 2 of the connection wizard, enter the ARN of your SQS queue that this connection should monitor for new messages.

CloudTrail connections require the configuration of SNS notifications

As covered previously in the requirements, InsightVM can only respond to CloudTrail events when an SNS topic forwards CloudTrail messages to an SQS queue. If you have not deployed this functionality yet, see the following AWS documentation for instructions:

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html

  7. Enter the name of the S3 bucket that CloudTrail is sending event documents to.
  8. Click Continue to advance the wizard to the policy attachment step.
  9. Since you are adding onto an existing AWS connection, you will only need to modify the permission content of the custom managed policy that is already attached to your IAM Role. Expand the Create Custom Managed Policy dropdowns in the CLI tabs or the Managed Policy Document dropdown in the AWS Console tab to retrieve your updated policy body.
  10. Update your existing custom policy with the new document using either the CLI or the AWS Management Console. Because the policy is already attached to your role, modify it in place rather than creating a second policy: in the console, open the policy and edit it; with the CLI, run aws iam create-policy-version with --set-as-default so the role picks up the new permissions immediately. IAM keeps at most five versions of a managed policy, so delete an old version first if you have reached that limit.
  11. After you update your custom policy, advance the connection wizard to step 4 and review your new CloudTrail connection details.
  12. Click Submit to finish.