- You will need an Amazon Web Services account with web console access.
- At least one EC2 virtual server
- Log into UpGuard and click Add Node.
From the node select screen click Cloud Services and then select Amazon Web Services from the dropdown list.
| Field | Description |
| --- | --- |
| AWS Region | Identifies the region in which your EC2 instance is located. API URLs change accordingly. |
| AWS Access Key | The Access Key of the IAM user that will make requests to AWS. It is recommended that a dedicated UpGuard user is created in the AWS Management Console for this purpose. |
| AWS Secret Key | The Secret Key generated by AWS for the above user. It is shown on-screen only when the user's access key is first created and cannot be retrieved afterwards. |
- Once you have located these credentials (see below), click Continue to add the node and kick off a node scan.
Your AWS region can be found in the URL in your browser's address bar (the region= parameter) after you log in to the AWS Management Console.
In the above example it would be
Access Key and Secret Key
To obtain these credentials, you will need to add a dedicated UpGuard user through your AWS Management Console. Log in, click your account name in the top toolbar, then click Security Credentials from the dropdown menu.
On the Identity and Access Management page click on Users from the left sidebar then Create New Users.
In the “add new user” form that appears, enter “UpGuard” as the user name, check Generate an access key for each user, and click Create to continue.
Lastly, the user's Secret Key can be viewed after expanding Show User Security Credentials.
Warning:
The user's Secret Key is displayed only when the access key is created. Unless you click Download Credentials here to save it, you will need to generate a new access key for the user (deleting the old one), or delete and recreate the user, to obtain a usable Secret Key. Existing applications which use the old credentials will then need to be updated.
Security Group Permissions
An IAM group which provides read-only access to AWS must be applied to the UpGuard user. This is an IAM group with a policy attached, not an EC2 security group (which is a network firewall). Attaching the appropriate read-only managed policy provided by AWS to that group is recommended.
Once logged into the IAM Management Console, create a group by clicking the blue “Create New Group” button. After naming the group, you can search the available policy templates. For EC2 instances, the managed policy “AmazonEC2ReadOnlyAccess” grants sufficient permissions for UpGuard to scan; full-privilege policies are not required. Note that this policy does not cover the IAM and S3 actions listed below, so for those node types grant the listed actions explicitly. After the group is created, add the UpGuard user to it so that it inherits the permissions needed to scan.
UpGuard have tested and confirmed the following permissions by node type:
EC2 Instances
- ec2:DescribeInstances
- ec2:DescribeLoadBalancers
- ec2:DescribeSecurityGroups
IAM
- iam:GetAccessKeyLastUsed
- iam:GetAccountPasswordPolicy
- iam:ListAccessKeys
- iam:ListAttachedGroupPolicies
- iam:ListAttachedRolePolicies
- iam:ListAttachedUserPolicies
- iam:ListGroups
- iam:ListGroupsForUser
- iam:ListGroupPolicies
- iam:ListMFADevices
- iam:ListPolicies
- iam:ListRoles
- iam:ListRolePolicies
- iam:ListUsers
- iam:ListUserPolicies
S3 Buckets
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketEncryption
- s3:GetBucketLogging
- s3:GetBucketPolicy
- s3:GetBucketReplication
- s3:GetBucketTagging
- s3:GetObjectAcl
- s3:ListObjectsV2Pages
VPC Peering Connections
Master List of All AWS Permissions Required to Detect, Sync and Scan All AWS Types
- cloudwatch:ListDashboards
- ec2:DescribeFlowLogs
- ec2:DescribeInstances
- ec2:DescribeLoadBalancers
- ec2:DescribeSecurityGroups
- ec2:DescribeVolumes
- ec2:DescribeVpcPeeringConnections
- ec2:DescribeVpcs
- elb:DescribeLoadBalancers
- iam:GetAccessKeyLastUsed
- iam:GetAccountPasswordPolicy
- iam:ListAccessKeys
- iam:ListAttachedGroupPolicies
- iam:ListAttachedRolePolicies
- iam:ListAttachedUserPolicies
- iam:ListGroupPolicies
- iam:ListGroups
- iam:ListGroupsForUser
- iam:ListMFADevices
- iam:ListPolicies
- iam:ListRolePolicies
- iam:ListRoles
- iam:ListUserPolicies
- iam:ListUsers
- lambda:GetFunction
- rds:DescribeDBInstances
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketEncryption
- s3:GetBucketLogging
- s3:GetBucketPolicy
- s3:GetBucketReplication
- s3:GetBucketTagging
- s3:GetObjectAcl
- s3:ListBuckets
- s3:ListObjectsV2Pages
Note that a few names in these lists are SDK operation or paginator names rather than IAM action names, and a policy that contains them will not grant the API call you need: ec2:DescribeLoadBalancers and elb:DescribeLoadBalancers correspond to the IAM action elasticloadbalancing:DescribeLoadBalancers, s3:ListBuckets to s3:ListAllMyBuckets, and s3:ListObjectsV2Pages to s3:ListBucket. Use the IAM action names when writing the policy.
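As an added example (not UpGuard's own code or policy), the script below turns the master list above into a least-privilege IAM policy document that can be attached to the UpGuard group in place of the broader AmazonEC2ReadOnlyAccess policy. It replaces the SDK/paginator names with the IAM actions they correspond to (the ACTION_FIXUPS mapping is my own correction, not something the page states), rejects anything that is not a read-only Describe/Get/List call, and emits the JSON. The policy name and Sid are assumptions.

```python
"""Build and sanity-check a least-privilege IAM policy for the UpGuard scanning user.

Added example, not UpGuard's code. Input is the master permission list from
this page; output is an IAM policy JSON document you can paste into
IAM > Policies > Create policy (JSON) and attach to the UpGuard group.
"""
import json
import re

# Master list as published on this page (space separated in the original).
MASTER_LIST = """
cloudwatch:ListDashboards ec2:DescribeFlowLogs ec2:DescribeInstances
ec2:DescribeLoadBalancers ec2:DescribeSecurityGroups ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs elb:DescribeLoadBalancers
iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:ListAccessKeys
iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies iam:ListGroupPolicies iam:ListGroups
iam:ListGroupsForUser iam:ListMFADevices iam:ListPolicies iam:ListRolePolicies
iam:ListRoles iam:ListUserPolicies iam:ListUsers lambda:GetFunction
rds:DescribeDBInstances s3:GetBucketAcl s3:GetBucketCORS
s3:GetBucketEncryption s3:GetBucketLogging s3:GetBucketPolicy
s3:GetBucketReplication s3:GetBucketTagging s3:GetObjectAcl s3:ListBuckets
s3:ListObjectsV2Pages
""".split()

# Names on the page that are SDK operations or paginators, not IAM actions.
# These mappings are my corrections (assumption), not stated by the page.
ACTION_FIXUPS = {
    "ec2:DescribeLoadBalancers": "elasticloadbalancing:DescribeLoadBalancers",
    "elb:DescribeLoadBalancers": "elasticloadbalancing:DescribeLoadBalancers",
    "s3:ListBuckets": "s3:ListAllMyBuckets",
    "s3:ListObjectsV2Pages": "s3:ListBucket",
}

# A scanning user should only ever carry read-only verbs.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z0-9]+$")


def normalize_actions(actions):
    """Apply fix-ups, de-duplicate, and sort so the policy is stable to diff."""
    return sorted({ACTION_FIXUPS.get(a, a) for a in actions})


def check_read_only(actions):
    """Return the actions that are NOT read-only Describe/Get/List calls.

    Wildcards ('s3:*', '*') and mutating verbs (Put, Delete, Create, ...)
    are exactly what must never reach a scanning user, so an empty result
    is the pass condition.
    """
    return [a for a in actions if not READ_ONLY.match(a)]


def build_policy(actions, sid="UpGuardReadOnlyScan"):
    """Render an IAM policy document allowing only the given actions.

    Resource is '*' because EC2 and IAM Describe/List calls do not support
    resource-level restriction; the explicit action allowlist is the control.
    """
    bad = check_read_only(actions)
    if bad:
        raise ValueError(f"non read-only actions rejected: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": list(actions), "Resource": "*"}],
    }


def policy_json(raw_actions=MASTER_LIST):
    """Normalize the page's list and return the policy as pretty-printed JSON."""
    return json.dumps(build_policy(normalize_actions(raw_actions)), indent=2)


if __name__ == "__main__":
    print(policy_json())
```

Attach the resulting policy (hypothetical name UpGuardReadOnlyScan) to the UpGuard group and keep the user out of any other group; if a later UpGuard release needs a new action, add it to MASTER_LIST and regenerate rather than widening the policy to a service wildcard.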