AWS Cloud Connector

This topic describes how to onboard the AWS Cloud connector, which gathers data from AWS services and performs compliance and risk assessment on those assets.

Onboarding the AWS Cloud connector involves the following steps:

To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.

Understanding the AWS Cloud connector

Using the AWS Cloud connector enables you to gather data about the following AWS services:

  • CloudTrails domains
  • ElasticSearch
  • Identity and Access Management (IAM) credentials
  • Password Policy
  • Remote Desktop Service (RDS)
  • S3 bucket
  • SecurityGroups
  • Key Management Service (KMS)

This connector is hosted on the AWS Cloud. For AWS connectors installed on-premise, see AWS On-Premises Connector.

License Utilization

The following resources consume a product license:

  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Relational Database Service (Amazon RDS)
  • Amazon Elastisearch Cluster

Completing prerequisites

Ensure that you have the minimum permissions required to run compliance. You specify these permissions in the Permissions tab in AWS, which lists the minimum set of AWS Policies that an IAM user must have for the AWS connector to run. Refer to the following example:

Please refer to the following page for configuring minimum permissions required. 

Onboarding the AWS Cloud connector

Tip

For a walkthrough of this procedure, see Walkthrough: Onboarding the AWS Cloud connector.

  1. Log in to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors.
  3. Click Add Connector.
  4. Under Connector Type > Cloud Based Connectors (Hosted), click AWS Cloud Connector and then click Continue.
  5. In the Name your connector field, specify a name for the connector.
    This name must be unique and must not have already been created.
    If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label appear next to the field.
  6. Choose Key Based and provide these details:
    1. Specify the AWS Account Access Key for the account to be scanned. 
      This key uniquely identifies the user who owns the account.

      Supporting Multiple AWS Accounts

      If you wish to support multiple AWS accounts through single connector, please follow the prerequisites mentioned in Multiple AWS Accounts Support.

    2. Specify the AWS Account Secret Key for the account to be scanned.
      This key plays the role of a password.

      Best practice

      For security reasons, BMC recommends that you create a separate IAM user for the AWS account with read-only privileges for the services that you would like to evaluate.

  7. Select the method for triggering collection cycles from the Collection Mode menu:

    1. On Demand. Enables on-demand scanning.
    2. Scheduled. Specifies the hours or minutes for which AWS resources will be periodically collected and evaluated.

  8. Under AWS Partition, select the required option from AWS (default) or AWS GovCloud (US).

    AWS GovCloud (US) is used for scanning resources in AWS Gov cloud region(us-gov-west-1).

  9. Click Continue.
  10. Clear the policies that you will not use to evaluate your AWS account.

  11. Click Continue.

    The connector is available in Cloud Security and the policies can be evaluated on the schedule you have set.
    As soon as the connector begins sending data, it displays in the 'Running' state, as illustrated in the following screen.

If you select AWS Cloud Connector, filter for Resource Types and there you will get a drop down to find Resource Types.

It then collects the data and begins publishing it back to Cloud Security Note that it might take some time for data collection to begin.

Resource Types:

            Below are the resource types that are supported for AWS Cloud Connector:

    • AWSCloudTrail
      CloudTrail
    • Compute Instance
       AmazonEC2

    • Database Instance
      AmazonRDS
    • Elasticsearch Instance
       AmazonES
    • Encryption Key
      awskms
    • Global Configurations
      Account
    • IAM Credentials
      IAM
    • IAM Policy
      IAM
    • VPC
      AmazonEC2
    • Storage
       AmazonS3
    • Security Groups
      AmazonEC2


Performing next steps

To manage connector configuration and settings, see Managing connectors.

To assess the resources including why a rule failed, see Managing resources.

Back to top

Was this page helpful? Yes No Submitting... Thank you

Comments