Amazon Web Services (AWS) legacy discovery connection End-of-Life announcement
As of February 8th, 2020, Rapid7 will no longer support the AWS Legacy Discovery Connection in Nexpose. The AWS Legacy Discovery Connection allowed you to import your AWS assets into Nexpose. A newer option, called AWS Asset Sync, has replaced the AWS Legacy Discovery Connection, so the latter will be removed from Nexpose. As a result of this change, you will need to change your AWS Legacy Discovery Connection to AWS Asset Sync.
AWS Asset Sync Migration Overview
Here’s a high-level overview of how to migrate to AWS Asset Sync:
- Add or edit your Scan Engine.
- Configure your AWS environment with Nexpose.
- Create the AWS Asset Sync Connection in the Security Console.
Add or Edit Your Existing Scan Engine
The first thing you need to do is confirm whether your Scan Engine is deployed inside your AWS environment in the form of the AMI, or deployed as standard Scan Engine. For more information, see the following resources:
Configure Your AWS Environment with Nexpose
Next, configure the AWS environment by creating security groups and establishing IAM Users or Roles.
Create Security Groups
We recommend creating two security groups: one for the scan engine and one for the scan targets. For more information, see “Configuring Your AWS Environment with Nexpose" in the Amazon Web Services documentation. The steps needed to create a scan engine and scan targets security group follow that section.
Create an IAM User or Role
In order to give the Security Console access to the AWS environment, you will need to add permissions to your existing account using CloudTrail logs. See “Creating an IAM User or Role” section in our Amazon Web Services documentation.
Add the AWS Asset Sync Connection in the Security Console
To add an AWS Asset Sync Connection in Nexpose, use the AWS Asset Sync option as the “Connection Type” instead of the AWS Legacy Discovery Connection.
You must have Global Administrator permissions to add an AWS Asset Sync Connection.
See the Discovering Amazon Web Services instances article for step-by-step instructions. This process allows Nexpose to scan and manage assets on the AWS server.
When migrating from the legacy connection to the AWS Asset Sync, deleting the original site with the legacy connection will result in losing that site’s asset scan history. These assets will be synced back to Nexpose with the new connection but history will not carry over. Also, legacy connections cannot be deleted until associated sites are deleted.
For more details on the AWS Asset Sync, see our AWS Asset Sync Connection: More Visibility Into Your AWS Infrastructure blog.
Schedule of Events
February 8, 2019
Rapid7 announces the end-of-life of legacy AWS Discovery Connection.
February 8, 2020
AWS Legacy Connection will be removed and no longer accessible from Nexpose.
Frequently Asked Questions
What is the difference between AWS Legacy Discovery Connection and AWS Asset Sync?
All capabilities of the AWS Legacy Discovery Connection are replicated and improved. AWS Asset Sync offers additional capabilities over the legacy connection.
Here are some improvements:
- When instances are terminated on the AWS side, they are automatically deleted from Nexpose, keeping license counts up-to-date
- A single connection allows cross-region and AWS cross-account capabilities
- Supports ingesting AWS metadata as tags in Nexpose
Who can I contact if I have more questions that are not addressed in this announcement?
Customers should contact their Customer Success Manager or Support with any questions or concerns.