Create an Amazon Web Services (AWS) Connection for Cloud Configuration Assessment (CCA)

CCA End-of-Life Notice

As of February 15, 2024, Rapid7 will start the End-of-Life (EOL) process for Cloud Configuration Assessment. On February 15, 2025 support will officially end and the feature will be permanently removed from InsightVM for all customers.

While we will continue to support this feature in the interim with security patches, we will not be updating or enhancing CCA further. See our Cloud Risk Complete offering if you’re still interested in the capabilities of CCA.

Configure an Amazon Web Services (AWS) connection that allows the Insight Platform to collect data from your AWS resources for Cloud Configuration Assessment (CCA).

Fields subject to change

Third party UI elements may be subject to change. Updates to the doc will be made accordingly.

AWS connection requirements

In order for the Insight Platform to connect to your AWS resources, you must have the following:

  • An AWS account with appropriate permissions to create policies and roles

Note

You must create a new cloud infrastructure connection for each individual AWS subscription you want to assess.

Configure AWS

Log in to your AWS console and access the Identity and Access Management (IAM) service.

Copy External ID from CCA
  1. On the Management page in InsightVM, click Add/Manage Connections.
  2. In the Cloud Infrastructure section, click Add.
  3. Copy the External ID provided in Account Details. You need to enter this value later on in AWS.
Create a custom AWS policy
  1. On the IAM dashboard, select Policies and click Create policy.

  2. On the JSON tab, delete any existing text and enter the following:

    AWS Supplemental Policy
    json
    1
    {
    2
    "Version": "2012-10-17",
    3
    "Statement": [
    4
    {
    5
    "Sid": "AwsReadOnlyMissingPermissions",
    6
    "Action": [
    7
    "airflow:GetEnvironment",
    8
    "apprunner:DescribeService",
    9
    "apprunner:ListServices",
    10
    "inspector2:List*",
    11
    "memorydb:DescribeClusters",
    12
    "memorydb:DescribeSubnetGroups",
    13
    "memorydb:ListTags",
    14
    "pricing:GetProducts",
    15
    "rbin:GetRule",
    16
    "rbin:ListRules",
    17
    "support:*"
    18
    ],
    19
    "Effect": "Allow",
    20
    "Resource": "*"
    21
    },
    22
    {
    23
    "Sid": "AwsReadOnlyDenyPermissions",
    24
    "Action": [
    25
    "s3:GetObject*"
    26
    ],
    27
    "Effect": "Deny",
    28
    "Resource": "*"
    29
    }
    30
    ]
    31
    }
  3. Click Next: Tags > Next: Review.

    • You can add tags to your custom policy, but they are not required for CCA.
  4. Enter a Policy name and click Create policy.

    • You need to search for this policy later in the setup process, so make note of the name that you choose. We recommend using a name that indicates the purpose of this policy, such as InsightVM-CCA-Supplemental-ReadOnly-Policy.
    • Optionally, add a policy description to clarify the use of the policy.
Create a Custom Role
  1. On the IAM dashboard, select Roles and click Create Role.
  2. In the Trusted entity type section, select AWS account.
  3. In the An AWS account section, select Another AWS account.
  4. In the Account ID field, enter: 336818582268
    • This is the account ID for the Rapid7 AWS account that connects to your AWS accounts with read-only permissions to perform assessment.
  5. Select Require external ID and enter the value you copied from CCA in the External ID field.
  6. Click Next.
  7. On the Add permissions page, select both the built-in ReadOnlyAccess policy and your custom policy.
  8. Click Next.
  9. Enter a Role name and click Create role.
    • We recommend using a name that indicates the purpose of this role, such as InsightVM-CCA.
Configure your custom role
  1. From the IAM dashboard, select Roles and click on your custom role.
  2. Select Trust relationships and click Edit trust relationship.
  3. On the JSON tab, enter the following:
json
1
{
2
"Version": "2012-10-17",
3
"Statement": [
4
{
5
"Effect": "Allow",
6
"Principal": {
7
"AWS": "arn:aws:iam::336818582268:role/Platform_InfrastructureAssessment"
8
},
9
"Action": "sts:AssumeRole",
10
"Condition": {
11
"StringEquals": {
12
"sts:ExternalId": "ENTER ID FROM CCA"
13
}
14
}
15
}
16
]
17
}
  1. Substitute your external ID for "ENTER ID FROM CCA".

Updating an existing trust relationship

If you previously configured a trust relationship using a non-Rapid7 provided External ID or did not include an External ID at all, we recommend updating to the best practice above.

Configure InsightVM

Create an AWS connection
  1. On the Cloud Configuration page, click Add/Manage Connections.
  2. In the Cloud Infrastructure section, click Add.
  3. Enter an Account Nickname.
    • This is the name for the connection you are creating in InsightVM. We recommend creating a nickname to help you easily identify the AWS account that is being assessed, such as including the AWS account alias.
  4. Enter the following information from AWS:
    • Account Number – Your AWS account number for the account that CCA connects to for assessment.
    • Role ARN – The ARN for the custom role that you created.
  5. Click Save.

AWS credentials

You can reference the required AWS information at any time in the IAM dashboard within the AWS management console:

  • The Account ID is displayed on the IAM dashboard
  • The Role ARN is displayed when viewing the details of your custom role