UpGuard allows you to scan a wide variety of AWS node types. This guide outlines how to add a single node given your AWS access key and secret and where to find these credentials in AWS.

Prerequisites

  • You will need an Amazon Web Services account with web console access.
  • At least one EC2 virtual server

Adding

To add a new AWS based node, navigate to Discover > Add Nodes.

Search for aws to filter down to all of the possible AWS node types you can add.

AWS EC2 or AWS EC2 Instance?

Here you will notice two main classes of AWS node: the high-level service node types and the specific instance node types. A good example of this is the AWS EC2 node type compared to the AWS EC2 Instance node type. An AWS EC2 node scan gives you a high-level list of the EC2 instances you have, as well as lists of other EC2-related assets such as load balancers and security groups. It is ideal if you just want a high-level list and basic configuration of all of your EC2 assets in one scan.

However, if you want more detail on specific EC2 instances, buckets, load balancers, etc., you should add an AWS EC2 Instance, AWS S3 Bucket or AWS Load Balancer node, for example. These instance node types contain more configuration information, particularly around linked assets. They also let you diff instances, group-diff instances and assign policies to instances.

Finish adding the node

Select the node type you want to add and then click Go Agentless.

Here you will be asked for general connection and credential information. It is safe to use the Default connection manager group as it will be able to query the AWS API for information during a node scan. However, if you have a custom behind-the-firewall setup, you may need to switch to a group that has internet access. If you are behind a web proxy you can specify the hostname and optional port that API calls to AWS should travel via.

See below for more information about where to locate the Region, Access Key and Secret Key and then click Scan Node to add and scan the node.

Where to find your AWS Region and Credentials

AWS Region

Your AWS region can be found in the URL in your browser address bar after you log in to the AWS Management Console.

For example, a console URL containing us-west-1 indicates the us-west-1 region.

Access Key and Secret Key

  1. To obtain these credentials, you will need to add an UpGuard user through your AWS management console. To do this, log into your AWS Management Console and click on your account name from the top toolbar. Then click on Security Credentials from the dropdown menu.

  2. On the Identity and Access Management page click on Users from the left sidebar then Create New Users.

  3. In the “add new user” form that appears, enter “UpGuard” as the user name, check Generate an access key for each user and click Create to continue.

  4. Lastly, the user's Access Key and Secret Key can be viewed after expanding Show User Security Credentials.

Security Group Permissions

The UpGuard user must belong to a group (an IAM group, not an EC2 security group) that grants read-only access to AWS. Applying the appropriate read-only access policy template provided by AWS is recommended.

Once logged into the IAM Management Console, you can create a group with the corresponding template by clicking the blue “Create New Group” button. After naming the group, you can search the available policy templates. For EC2 node types, the policy named “AmazonEC2ReadOnlyAccess” grants sufficient permissions for UpGuard; full-privilege policies are not required to scan an EC2 instance. After creating the group, add the appropriate users to it to give them the permissions needed to scan.

UpGuard have tested and confirmed the following permissions by object and node type:

Auto Scaling Group

autoscaling:DescribeAutoScalingGroups

CloudWatch

cloudwatch:ListDashboards

EBS

ec2:DescribeVolumes

EC2

ec2:DescribeInstances
ec2:DescribeLoadBalancers
ec2:DescribeSecurityGroups

IAM

iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListGroupPolicies
iam:ListMFADevices
iam:ListPolicies
iam:ListRoles
iam:ListRolePolicies
iam:ListUsers
iam:ListUserPolicies

Lambda

lambda:GetFunction

Load Balancer

elb:DescribeLoadBalancers

RDS

rds:DescribeDBInstances

S3

s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetObjectAcl
s3:ListObjectsV2Pages

Security Groups

ec2:DescribeSecurityGroups

VPCs

ec2:DescribeVpcs
ec2:DescribeFlowLogs

VPC FlowLogs

ec2:DescribeFlowLogs

VPC Peering Connections

ec2:DescribeVpcs
ec2:DescribeVpcPeeringConnections

Master List of All AWS Permissions Required to Detect, Sync and Scan All AWS Types

autoscaling:DescribeAutoScalingGroups
cloudwatch:ListDashboards
ec2:DescribeFlowLogs
ec2:DescribeInstances
ec2:DescribeLoadBalancers
ec2:DescribeSecurityGroups
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
elb:DescribeLoadBalancers
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListMFADevices
iam:ListPolicies
iam:ListRolePolicies
iam:ListRoles
iam:ListUserPolicies
iam:ListUsers
lambda:GetFunction
rds:DescribeDBInstances
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetObjectAcl
s3:ListBuckets
s3:ListObjectsV2Pages
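As an added example (not UpGuard's own code or a policy UpGuard ships), the following Python builds a customer-managed IAM policy containing exactly the master list above, so the UpGuard user from the Security Group Permissions section can be granted that list instead of a broader managed policy; it refuses any action that is not a Describe, Get or List call, or that contains a wildcard. The statement id UpGuardReadOnlyScan is an assumed placeholder.

```python
import json

# Master list of actions exactly as documented on this page (UpGuard's stated
# requirement to detect, sync and scan all AWS node types).
REQUIRED_ACTIONS = """
autoscaling:DescribeAutoScalingGroups cloudwatch:ListDashboards
ec2:DescribeFlowLogs ec2:DescribeInstances ec2:DescribeLoadBalancers
ec2:DescribeSecurityGroups ec2:DescribeVolumes ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs elb:DescribeLoadBalancers
iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:ListAccessKeys
iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies
iam:ListGroupPolicies iam:ListGroups iam:ListGroupsForUser iam:ListMFADevices
iam:ListPolicies iam:ListRolePolicies iam:ListRoles iam:ListUserPolicies iam:ListUsers
lambda:GetFunction rds:DescribeDBInstances
s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketEncryption s3:GetBucketLocation
s3:GetBucketLogging s3:GetBucketPolicy s3:GetBucketReplication s3:GetBucketTagging
s3:GetObjectAcl s3:ListBuckets s3:ListObjectsV2Pages
""".split()
# Read-only verb prefixes; anything else is refused so the policy cannot grow into write access.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def is_read_only(action: str) -> bool:
    """True for a 'service:Verb' action whose verb has a read-only prefix."""
    service, sep, verb = action.partition(":")
    return bool(service) and sep == ":" and verb.startswith(READ_ONLY_VERBS)


def build_scanner_policy(actions, sid: str = "UpGuardReadOnlyScan") -> dict:
    """IAM policy document allowing exactly the given actions; raises ValueError
    for any action that is not read-only or that contains a wildcard."""
    refused = sorted(a for a in set(actions) if "*" in a or not is_read_only(a))
    if refused:
        raise ValueError(f"refusing non-read-only or wildcard actions: {refused}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,  # assumed placeholder name, not one UpGuard prescribes
            "Effect": "Allow",
            "Action": sorted(set(actions)),
            # Enumeration needs account-wide scope; the action list is the least-privilege boundary.
            "Resource": "*",
        }],
    }


def policy_json(actions=REQUIRED_ACTIONS) -> str:
    """Serialised document ready to paste into the IAM console's JSON policy editor."""
    return json.dumps(build_scanner_policy(actions), indent=2)
```

Some entries in the page's list (for example s3:ListBuckets, s3:ListObjectsV2Pages and ec2:DescribeLoadBalancers) are SDK call names rather than IAM action names, so IAM's policy validation will flag them when the document is pasted in; the corresponding IAM actions are s3:ListAllMyBuckets, s3:ListBucket and elasticloadbalancing:DescribeLoadBalancers.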

What Next?

For more information on bulk detecting, organizing and monitoring all of your AWS assets, please view our guide on Bulk Adding Nodes in AWS.