UpGuard scans cloud services on your behalf by first authenticating to an exposed API. The credentials required to successfully authenticate to a cloud service fall into either keypair or password based authentication categories. Where possible, UpGuard will only request what API access it actually needs.

Prerequisites

  • You will need an Amazon Web Services account with web console access.
  • At least one EC2 virtual server

Adding

  1. Log into UpGuard and click Add Node.
  2. From the node select screen click Cloud Services and then select Amazon Web Services from the dropdown list.

    w500

    Field Description
    AWS Region Identifies which region your EC2 instance is located. API URLs will change accordingly.
    AWS Access Key The Access Key for the user that will be making requests to AWS. It is recommended that a UpGuard user is created using the AWS Management Console for this.
    AWS Secret Key The Secret Key generated by AWS for the above user. This is shown on-screen when the user is first created. It is not retrieval otherwise.
  3. Once you have located these credentials (see below), click Continue to add the node and kick off a node scan.

AWS Region

Your AWS region can be found in the URL of your browser address bar after you login into the AWS Management Console.

w400

In the above example it would be us-west-1.

Access Key and Secret Key

  1. To obtain these credentials, you will need to add an UpGuard user through your AWS management console. To do this, log into your AWS Management Console and click on your account name from the top toolbar. Then click on Security Credentials from the dropdown menu.

    aws-03

  2. On the Identity and Access Management page click on Users from the left sidebar then Create New Users.

    aws-04

  3. In the “add new user” form that appears, enter in “UpGuard” for the user name, check Generate an access key for each user and click Create to continue.

    aws-05

  4. Lastly, the users Access Key and Secret Key can be viewed after expanding Show User Security Credentials.

    aws-06

Security Group Permissions

A security group which provides read-only access to AWS is required to be applied to the UpGuard user. Applying the appropriate Read Only Access group policy template provided by AWS is recommended.

Once logged into the IAM Management Console, you can create a group with the corresponding template by hitting the blue “Create New Group” button. After naming the group, you can search for various group templates. For EC2 buckets, the Policy Name “AmazonEC2ReadOnlyAccess” will provide sufficient permissions to allow UpGuard access. Full-privilege policies are not a requirement to scan the EC2 instance. After creation of the group, you can add the appropriate users to the group to provide them with appropriate permissions to scan.

aws-07

UpGuard have tested and confirmed the following permissions by object and node type:

CloudWatch

cloudwatch:ListDashboards

EBS

ec2:DescribeVolumes

EC2

ec2:DescribeInstances
ec2:DescribeLoadBalancers
ec2:DescribeSecurityGroups

IAM

iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListGroupPolicies
iam:ListMFADevices
iam:ListPolicies
iam:ListRoles
iam:ListRolePolicies
iam:ListUsers
iam:ListUserPolicies

Lambda

lambda:GetFunction

Load Balancer

elb:DescribeLoadBalancers

RDS

rds:DescribeDBInstances

S3

s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetObjectAcl
s3:ListObjectsV2Pages

Security Groups

ec2:DescribeSecurityGroups

VPCs

ec2:DescribeVpcs
ec2:DescribeFlowLogs

VPC FlowLogs

ec2:DescribeFlowLogs

VPC Peering Connections

ec2:DescribeVpcs
ec2:DescribeVpcPeeringConnections

Master List of All AWS Permissions Required to Detect, Sync and Scan All AWS Types

cloudwatch:ListDashboards
ec2:DescribeFlowLogs
ec2:DescribeInstances
ec2:DescribeLoadBalancers
ec2:DescribeSecurityGroups
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
elb:DescribeLoadBalancers
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListMFADevices
iam:ListPolicies
iam:ListRolePolicies
iam:ListRoles
iam:ListUserPolicies
iam:ListUsers
lambda:GetFunction
rds:DescribeDBInstances
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetObjectAcl
s3:ListBuckets
s3:ListObjectsV2Pages