- You will need an Amazon Web Services account with web console access.
- At least one EC2 virtual server
This guide outlines how to add a single AWS node. It is ideal if you want to monitor a single S3 bucket, or are testing out a new node type. For more information on bulk detecting and adding a large number of AWS assets, please see our guide on Bulk Adding Nodes via AWS. For the recommended method of finding the nodes you actually want to monitor among all of your AWS assets, please see our guide on the Discovery, Detected, Monitored Workflow.
To add a new AWS based node, navigate to Discover > Add Nodes.
Type aws to filter the list down to all of the AWS node types you can add.
AWS EC2 or AWS EC2 Instance?
Here you will notice two main classes of AWS node: the high-level service node types and the specific instance node types. A good example of this is the AWS EC2 node type compared to the AWS EC2 Instance node type. An AWS EC2 node scan will give you a high-level list of the EC2 instances you have, as well as lists of other EC2-related assets like load balancers and security groups. It is great if you just want a high-level list and the basic configuration of all of your EC2 assets in one scan.
However, if you want more detail on specific EC2 instances, buckets, load balancers, etc., you should add an AWS EC2 Instance, AWS S3 Bucket or AWS Load Balancer node, for example. These instance node types contain more configuration information, particularly around linked assets. They also give you the ability to diff instances, group diff instances and assign policies to instances.
Finish adding the node
Select the node type you want to add and then click Go Agentless.
Here you will be asked for general connection and credential information. It is safe to use the Default connection manager group, as it will be able to query the AWS API for information during a node scan. However, if you have a custom behind-the-firewall setup, you may need to switch to a group that has internet access. If you are behind a web proxy, you can specify the hostname and optional port that API calls to AWS should be routed through.
See below for more information about where to locate the Region, Access Key and Secret Key and then click Scan Node to add and scan the node.
Where to find your AWS Region and Credentials
Your AWS region can be found in the URL in your browser address bar after you log in to the AWS Management Console.
In the above example it would be
Access Key and Secret Key
To obtain these credentials, you will need to add an UpGuard user through your AWS management console. To do this, log into your AWS Management Console and click on your account name from the top toolbar. Then click on Security Credentials from the dropdown menu.
On the Identity and Access Management page, click Users in the left sidebar, then Create New Users.
In the “add new user” form that appears, enter “UpGuard” for the user name, check Generate an access key for each user and click Create to continue.
Lastly, the user's Secret Key can be viewed after expanding Show User Security Credentials.
Warning:
The user's Secret Key is only displayed after account creation. Unless you click Download Credentials here to save them, you will need to delete and recreate the user to re-generate/retrieve their Secret Key. Existing applications which use these credentials will then need to be updated.
Security Group Permissions
The UpGuard user must be placed in an IAM group that grants read-only access to AWS. Applying the appropriate Read Only Access group policy template provided by AWS is recommended.
Once logged into the IAM Management Console, you can create a group with the corresponding template by clicking the blue “Create New Group” button. After naming the group, you can search for the various group templates. For EC2 nodes, the Policy Name “AmazonEC2ReadOnlyAccess” will provide sufficient permissions to allow UpGuard access. Full-privilege policies are not a requirement to scan the EC2 instance. After creating the group, add the appropriate users to it to give them the permissions needed to scan.
UpGuard have tested and confirmed the following permissions by object and node type:
Auto Scaling Group
- ec2:DescribeInstances, ec2:DescribeLoadBalancers, ec2:DescribeSecurityGroups
- iam:GetAccessKeyLastUsed, iam:GetAccountPasswordPolicy, iam:ListAccessKeys, iam:ListAttachedGroupPolicies, iam:ListAttachedRolePolicies, iam:ListAttachedUserPolicies, iam:ListGroups, iam:ListGroupsForUser, iam:ListGroupPolicies, iam:ListMFADevices, iam:ListPolicies, iam:ListRoles, iam:ListRolePolicies, iam:ListUsers, iam:ListUserPolicies
- s3:GetBucketAcl, s3:GetBucketCORS, s3:GetBucketEncryption, s3:GetBucketLocation, s3:GetBucketLogging, s3:GetBucketPolicy, s3:GetBucketReplication, s3:GetBucketTagging, s3:GetObjectAcl, s3:ListObjectsV2Pages
VPC Peering Connections
Master List of All AWS Permissions Required to Detect, Sync and Scan All AWS Types
- autoscaling:DescribeAutoScalingGroups
- cloudwatch:ListDashboards
- ec2:DescribeFlowLogs, ec2:DescribeInstances, ec2:DescribeLoadBalancers, ec2:DescribeSecurityGroups, ec2:DescribeVolumes, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcs
- elb:DescribeLoadBalancers
- iam:GetAccessKeyLastUsed, iam:GetAccountPasswordPolicy, iam:ListAccessKeys, iam:ListAttachedGroupPolicies, iam:ListAttachedRolePolicies, iam:ListAttachedUserPolicies, iam:ListGroupPolicies, iam:ListGroups, iam:ListGroupsForUser, iam:ListMFADevices, iam:ListPolicies, iam:ListRolePolicies, iam:ListRoles, iam:ListUserPolicies, iam:ListUsers
- lambda:GetFunction
- rds:DescribeDBInstances
- s3:GetBucketAcl, s3:GetBucketCORS, s3:GetBucketEncryption, s3:GetBucketLocation, s3:GetBucketLogging, s3:GetBucketPolicy, s3:GetBucketReplication, s3:GetBucketTagging, s3:GetObjectAcl, s3:ListBuckets, s3:ListObjectsV2Pages
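As an added example (not UpGuard's code), the following Python check compares an IAM policy document against the master list above: it reports required actions that no Allow statement covers and Allow patterns that go beyond that exact list, so the UpGuard group can be kept at least privilege instead of inheriting service-wide wildcards from a template. The action names are taken verbatim from the page; a few of them (for example s3:ListObjectsV2Pages) are SDK operation names rather than IAM actions, so verify each against the IAM action reference before attaching the policy.

```python
import fnmatch

# Constructed from this guide's master list of permissions (names as the page gives them).
REQUIRED_ACTIONS = """
autoscaling:DescribeAutoScalingGroups cloudwatch:ListDashboards ec2:DescribeFlowLogs
ec2:DescribeInstances ec2:DescribeLoadBalancers ec2:DescribeSecurityGroups ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs elb:DescribeLoadBalancers
iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:ListAccessKeys
iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies
iam:ListGroupPolicies iam:ListGroups iam:ListGroupsForUser iam:ListMFADevices iam:ListPolicies
iam:ListRolePolicies iam:ListRoles iam:ListUserPolicies iam:ListUsers lambda:GetFunction
rds:DescribeDBInstances s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketEncryption
s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketPolicy s3:GetBucketReplication
s3:GetBucketTagging s3:GetObjectAcl s3:ListBuckets s3:ListObjectsV2Pages
""".split()


def allow_patterns(policy: dict) -> list:
    """Collect Action patterns from Allow statements. Deny, NotAction and Resource
    scoping are ignored here, so a clean result is necessary, not sufficient."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        action = stmt["Action"]
        patterns.extend([action] if isinstance(action, str) else action)
    return patterns


def check_policy(policy: dict, required=REQUIRED_ACTIONS):
    """Return (missing, extra): required actions no Allow pattern covers, and Allow
    patterns that are not an exact required action (wildcards or unrelated actions)."""
    patterns = allow_patterns(policy)

    def covered(action: str) -> bool:
        # IAM action matching is case-insensitive; '*' and '?' are the only wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    missing = [a for a in required if not covered(a)]
    wanted = {a.lower() for a in required}
    extra = [p for p in patterns if p.lower() not in wanted]
    return missing, extra


# Constructed sample policies: one listing exactly the required actions, one built from
# service-wide wildcards of the kind a broad "read-only" template might carry.
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]}
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:List*", "iam:Get*", "s3:*"],
     "Resource": "*"}]}
```

Load the group's policy JSON with json.load and pass it to check_policy; an empty missing list and an empty extra list means the group grants exactly the actions above, with Resource scoping and Deny statements still left for manual review.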
For more information on bulk detecting, organizing and monitoring all of your AWS assets, please view our guide on Bulk Adding Nodes in AWS.