Amazon Web Services (AWS) Node

09/01/2023 Cliff Hobbs   ID: 900575

Guardian allows you to scan a wide variety of AWS node types. This guide outlines how to add a single node given your AWS access key and secret and where to find these credentials in AWS.

Prerequisites

  • An Amazon Web Services account with web console access.
  • At least one EC2 virtual server.

Note

This guide outlines how to add a single AWS node. It is perfect if you want to monitor a single S3 bucket, or are testing out a new node type. For more information on bulk detecting and adding a large number of AWS assets, please visit our guide on Bulk Adding Nodes via AWS.

For more information on our recommended method of finding the nodes you actually want to monitor from all of your AWS assets, please visit our guide on Discovery, Detected, Monitored Workflow.

Adding

To add a new AWS-based node, navigate to Discover > Add Nodes.

Search for aws to filter down to all of the possible AWS node types you can add.


AWS EC2 or AWS EC2 Instance?

Here you will notice two main classes of AWS node - the high-level service node types and the specific instance node types. A good example of this is the AWS EC2 node type compared to the AWS EC2 Instance node type. An AWS EC2 node scan gives you a high-level list of the EC2 instances you have, as well as lists of other EC2-related assets such as load balancers and security groups. It is great if you just want a high-level inventory and basic configuration of all of your EC2 assets in one scan.

However, if you want more detail on specific EC2 instances, buckets, load balancers, etc., you should add an AWS EC2 Instance, AWS S3 Bucket or AWS Load Balancer node, for example. These instance node types contain more configuration information, particularly around linked assets. They also give you the ability to diff instances, group diff instances and assign policies to instances.

Finish adding the node

Select the node type you want to add and then click Go Agentless.

Here you will be asked for general connection and credential information. It is safe to use the Default connection manager group as it will be able to query the AWS API for information during a node scan. However, if you have a custom behind-the-firewall setup, you may need to switch to a group that has internet access. If you are behind a web proxy you can specify the hostname and optional port that API calls to AWS should travel via. 

See below for more information about where to locate the Region, Access Key and Secret Key and then click Scan Node to add and scan the node.

Where to find your AWS Region and Credentials

AWS Region

Your AWS region can be found in the URL of your browser address bar after you log in to the AWS Management Console.

In the above example, it would be us-west-1.

Access Key and Secret Key

  1. To obtain these credentials, you will need to add a Guardian user through your AWS management console. To do this, log into your AWS Management Console and click on your account name from the top toolbar. Then click on Security Credentials from the dropdown menu.
  2. On the Identity and Access Management page click on Users from the left sidebar then Create New Users.
  3. In the "add new user" form that appears, enter "Guardian" for the user name, check Generate an access key for each user and click Create to continue.
  4. Lastly, the user's Access Key and Secret Key can be viewed after expanding Show User Security Credentials.

Warning

The user's Secret Key is only displayed after account creation. Unless you click Download Credentials here to save them, you will need to delete and recreate the user to re-generate/retrieve their Secret Key. Existing applications which use these credentials will then need to be updated.

Supported Services and Required Security Group Permissions

An IAM group that grants read-only access to AWS must be applied to the Guardian user (this is an IAM group and policy, not an EC2 security group). Applying the appropriate Read Only Access group policy template provided by AWS is recommended.

Once logged into the IAM Management Console, you can create a group with the corresponding template by clicking the blue "Create New Group" button. After naming the group, you can search for the various group policy templates. For EC2 nodes, the policy named "AmazonEC2ReadOnlyAccess" provides sufficient permissions for Guardian; full-privilege policies are not required to scan an EC2 instance. After the group is created, add the appropriate users to it to give them the permissions needed to scan.

Guardian has tested and confirmed the following required permissions, by service and node type:

Access Analyzer

IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.

Required Access Analyzer Permissions

access-analyzer:ListAnalyzers
access-analyzer:ListPolicyGenerations
access-analyzer:ListTagsForResource
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListResourceTags

Auto Scaling Group

Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size.

Required Auto Scaling Group Permissions

autoscaling:DescribeAutoScalingGroups

CloudTrail

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account.

Required CloudTrail Permissions

cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
cloudtrail:GetTrailStatus
cloudtrail:ListPublicKeys
cloudtrail:ListTrails
s3:GetBucketLogging
s3:GetBucketPolicy

CloudWatch

Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.

Required CloudWatch Permissions

cloudwatch:DescribeAlarms 
cloudwatch:ListDashboards
cloudwatch:ListTagsForResource
logs:DescribeLogGroups

Config Service

AWS Config Service provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past, so that you can see how the configurations and relationships change over time.

Required Config Service Permissions

config:DescribeConfigurationRecorders

EBS (Elastic Block Store)

Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with EC2 instances. EBS volumes behave like raw, unformatted block devices. You can mount these volumes as devices on your instances.

Required EBS Permissions

ec2:DescribeVolumes

EC2 (Elastic Compute Cloud)

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud.

Required EC2 Permissions

ec2:DescribeInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
elasticloadbalancing:DescribeLoadBalancers

IAM (Identity and Access Management)

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Required IAM Permissions

iam:GenerateCredentialReport
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetPolicyVersion
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListMFADevices
iam:ListPolicies
iam:ListRolePolicies
iam:ListRoles
iam:ListServerCertificates
iam:ListUserPolicies
iam:ListUsers
iam:ListUserTags
iam:ListVirtualMFADevices

KMS (Key Management Service)

AWS Key Management Service (AWS KMS) is an encryption and key management service scaled for the cloud. AWS KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.

Required KMS Permissions

kms:DescribeKey
kms:ListAliases

Lambda

Lambda is a compute service that lets you run code without provisioning or managing servers.

Required Lambda Permissions

lambda:GetFunction
lambda:ListTags

Load Balancer V1/V2

Elastic Load Balancers automatically distribute your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones.

Required Load Balancer Permissions

elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags

RDS (Relational Database Service)

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud.

Required RDS Permissions

rds:DescribeDBInstances
rds:ListTagsForResource

S3 (Simple Storage Service)

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Customers of all sizes and industries can use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.

Required S3 Permissions

s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketEncryptionConfiguration
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetObjectAcl
s3:ListAllMyBuckets

Security Groups

Security groups control the traffic that is allowed to reach and leave the resources that they are associated with.

Required Security Group Permissions

ec2:DescribeSecurityGroups

VPC FlowLogs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Required VPC FlowLogs Permissions

ec2:DescribeFlowLogs

VPC Peering Connections

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.

Required VPC Peering Connection Permissions

ec2:DescribeVpcs
ec2:DescribeVpcPeeringConnections

VPC Subnet

A VPC subnet is a range of IP addresses in your VPC. Each subnet must reside entirely within one Availability Zone and cannot span zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single zone.

Required VPC Subnet Permissions

ec2:DescribeSubnets

VPC (Virtual Private Cloud)

Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you've defined.

Required VPC Permissions

ec2:DescribeVpcs
ec2:DescribeFlowLogs

Master List of All AWS Permissions Required to Detect, Sync and Scan All AWS Types

access-analyzer:ListAnalyzers
access-analyzer:ListPolicyGenerations
access-analyzer:ListTagsForResource
cloudtrail:DescribeTrails
cloudtrail:GetEventSelectors
cloudtrail:GetTrailStatus
cloudtrail:ListPublicKeys
cloudtrail:ListTrails
cloudwatch:DescribeAlarms
cloudwatch:ListDashboards
cloudwatch:ListTagsForResource
config:DescribeConfigurationRecorderStatus
ec2:DescribeFlowLogs
ec2:DescribeInstances
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs
ec2:DescribeVpnConnections
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
iam:GenerateCredentialReport
iam:GetAccessKeyLastUsed
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetPolicyVersion
iam:ListAccessKeys
iam:ListAttachedGroupPolicies
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroups
iam:ListGroupsForUser
iam:ListMFADevices
iam:ListPolicies
iam:ListRolePolicies
iam:ListRoles
iam:ListServerCertificates
iam:ListUserPolicies
iam:ListUsers
iam:ListUserTags
iam:ListVirtualMFADevices
kms:DescribeKey
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListResourceTags
lambda:GetFunction
lambda:ListTags
logs:DescribeLogGroups
rds:DescribeDBInstances
rds:ListTagsForResource
s3:GetBucketAcl
s3:GetBucketCORS
s3:GetBucketEncryption
s3:GetBucketEncryptionConfiguration
s3:GetBucketLocation
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock
s3:GetBucketReplication
s3:GetBucketTagging
s3:GetBucketVersioning
s3:GetObjectAcl
s3:ListAllMyBuckets
sts:GetAccessKeyInfo
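The master list above can be placed in a single customer-managed IAM policy for the Guardian user instead of a broad AWS template. The Python below is an added example (not Guardian's or AWS's code): it builds that policy document from the list and also audits an existing policy document for Allow actions that are not read-only. The statement Sid and the set of verbs treated as read-only (Describe, Get, List, Generate) are assumptions.

```python
"""Build a least-privilege IAM policy for the Guardian scan user and check it is read-only."""
import re

# The master list of actions from this guide, packed several per line.
GUARDIAN_ACTIONS = """
access-analyzer:ListAnalyzers access-analyzer:ListPolicyGenerations access-analyzer:ListTagsForResource
cloudtrail:DescribeTrails cloudtrail:GetEventSelectors cloudtrail:GetTrailStatus cloudtrail:ListPublicKeys
cloudtrail:ListTrails cloudwatch:DescribeAlarms cloudwatch:ListDashboards cloudwatch:ListTagsForResource
config:DescribeConfigurationRecorderStatus ec2:DescribeFlowLogs ec2:DescribeInstances ec2:DescribeRouteTables
ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeVolumes ec2:DescribeVpcPeeringConnections
ec2:DescribeVpcs ec2:DescribeVpnConnections elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeTags iam:GenerateCredentialReport
iam:GetAccessKeyLastUsed iam:GetAccountPasswordPolicy iam:GetAccountSummary iam:GetCredentialReport
iam:GetPolicyVersion iam:ListAccessKeys iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies iam:ListGroupPolicies iam:ListGroups iam:ListGroupsForUser iam:ListMFADevices
iam:ListPolicies iam:ListRolePolicies iam:ListRoles iam:ListServerCertificates iam:ListUserPolicies
iam:ListUsers iam:ListUserTags iam:ListVirtualMFADevices kms:DescribeKey kms:GetKeyRotationStatus
kms:ListAliases kms:ListResourceTags lambda:GetFunction lambda:ListTags logs:DescribeLogGroups
rds:DescribeDBInstances rds:ListTagsForResource s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketEncryption
s3:GetBucketEncryptionConfiguration s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketPolicy
s3:GetBucketPublicAccessBlock s3:GetBucketReplication s3:GetBucketTagging s3:GetBucketVersioning
s3:GetObjectAcl s3:ListAllMyBuckets sts:GetAccessKeyInfo
""".split()

# Assumed set of read-only verbs; a scanner's policy should never need more than these.
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(Describe|Get|List|Generate)[A-Za-z]*$")

def non_read_only(actions):
    """Return actions that are not plain read-only calls; wildcards such as s3:* fail too."""
    return sorted(a for a in actions if not READ_ONLY_VERB.match(a))

def build_policy(actions):
    """Single-statement IAM policy document granting exactly these actions, nothing more."""
    bad = non_read_only(actions)
    if bad:
        raise ValueError(f"refusing to grant non-read-only actions: {bad}")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "GuardianReadOnlyScan", "Effect": "Allow",  # Sid is an assumed name
        "Action": sorted(set(actions)), "Resource": "*"}]}

def audit_policy(document):
    """Flag actions in Allow statements of an existing policy document that are not read-only."""
    findings = []
    for stmt in document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        findings.extend(non_read_only([acts] if isinstance(acts, str) else acts))
    return findings
```

Run `audit_policy` over the policy documents attached to the Guardian user (for example, the output of the IAM console's JSON view) to confirm that nothing beyond the read-only scan set has been granted.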

What Next?

For more information on bulk detecting, organizing and monitoring all of your AWS assets, please view our guide on Bulk Adding Nodes in AWS.
