AWS On-Premises Connector

This topic describes how to onboard the AWS On-Premises connector, which involves the following steps:

To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.

Understanding the AWS On-Premises connector

The AWS On-Premises connector enables you to gather data about the following AWS services:

  • AWS CloudTrail
  • AWS Elasticsearch domains
  • AWS Identity and Access Management credentials
  • AWS Identity and Access Management Password Policy
  • Remote Desktop Service
  • Amazon S3 buckets
  • SecurityGroups
  • AWS Key Management Service (KMS)
  • Amazon Virtual Private Cloud (VPC)
  • Amazon Elastic Compute Cloud – Elastic Load Balancing (EC2-ELB)
  • Amazon Elastic Compute Cloud (EC2) – Instances
  • Amazon Simple Notification Service (SNS)
  • Amazon Config

This connector is installed on premises. For AWS connectors hosted on the cloud, see AWS Cloud Connector.

License utilization

The following resources consume a product license:

  • Amazon Elastic Compute Cloud (EC2)
  • Amazon Relational Database Service (Amazon RDS)
  • Amazon Elasticsearch Cluster

Completing prerequisites

Ensure that you have the minimum permissions required to run compliance. You specify these permissions in the Permissions tab in AWS, which lists the minimum set of AWS Policies that an IAM user must have for the AWS connector to run. Refer to the following example:
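The Permissions tab remains the authoritative list of required policies. As an added illustration (not BMC code and not the product's permission list), the following Python check reviews an IAM policy document intended for the connector's IAM user and flags anything beyond the read-only access recommended in the onboarding best practice. The read-only verb prefixes and the sample policy are assumptions constructed for this example.

```python
# Assumption: verbs with these prefixes are treated as read-only. This is a
# naming heuristic; it does not consult AWS access-level metadata, and data
# reads such as s3:GetObject still pass.
READ_ONLY_PREFIXES = ("get", "list", "describe", "lookup", "batchget")

def as_list(value):
    """IAM allows a single string/object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (sid, action, reason) for every Allow grant that is not read-only."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "allows everything except the listed actions"))
        for action in as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append((sid, action, "wildcard includes write actions"))
            elif not verb.lower().startswith(READ_ONLY_PREFIXES):  # action names are case-insensitive
                findings.append((sid, action, "not a read-only verb"))
    return findings

# Constructed sample policy: one acceptable statement and two over-broad ones.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadInventory", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "s3:GetBucketPolicy", "s3:ListAllMyBuckets",
                    "cloudtrail:DescribeTrails", "kms:ListKeys",
                    "iam:GetAccountPasswordPolicy"]},
        {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:*", "iam:CreateAccessKey", "sns:publish"]},
        {"Sid": "Inverted", "Effect": "Allow", "Resource": "*",
         "NotAction": "iam:*"},
    ],
}

if __name__ == "__main__":
    for sid, action, reason in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {action} -> {reason}")
```

Run it against the JSON of each policy attached to the connector's IAM user before entering that user's access key in the onboarding steps.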

Onboarding the AWS On-Premises connector

  1. Log in to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors.
  3. Click Add Connector.
  4. Under Connector Type > On Premise Connectors (Installable), click AWS Connector and then click Continue.
  5. In the Name your connector field, specify a name for the connector.
    This name must be unique and must not have already been created.
    If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label appear next to the field.
  6. Specify the AWS Account Access Key for the account to be scanned.
    This key uniquely identifies the user who owns the account.

    Best practice

    For security reasons, BMC recommends that you create a separate IAM user for the AWS account with read-only privileges for the services that you would like to evaluate.

    Supporting Multiple AWS Accounts

    If you want to support multiple AWS accounts through a single connector, follow the prerequisites described in Multiple AWS Accounts Support.

  7. Specify the AWS Account Secret Key for the account to be scanned.
    This key plays the role of a password.

  8. Select the method for triggering collection cycles from the Collection Mode menu:

    1. On Demand. Enables on-demand scanning.
    2. Scheduled. Specifies the interval, in hours or minutes, at which AWS resources are periodically collected and evaluated.

  9. Under AWS Partition, select the required option from AWS (default) or AWS GovCloud (US).

    AWS GovCloud (US) is used for scanning resources in the AWS GovCloud (US) region (us-gov-west-1).

  10. Click Continue.

  11. If the download does not start automatically, click Download Connector setup and unzip the AWS file using any standard compression tool.
    The zip file will have the name that you specified for the connector in Step 4.
    1. (Windows) Double-click run.bat to run the connector in your target environment.

    2. (Linux) Execute the command chmod +x to grant execute permissions to the file. Then run the connector using the command.


      The time to complete data collection depends upon the number of targets that you have in your environment. Leave the command window open and switch over to the UI.
  12. Click Continue.
  13. Clear the policies that you will not use to evaluate your AWS account.

  14. Click Continue.
    The connector is available in Cloud Security, and the policies can be evaluated on the schedule you have set or on demand.

    Below is the connector running in on-demand mode:

    As soon as the connector begins sending data, it displays in the green 'Running' state. It then collects the data and begins publishing it back to Cloud Security.

    If you select AWS On-Prem Connector, you can filter by Resource Types; a drop-down list shows the available resource types.



Resource Types:

Below are the resource types that are supported for the AWS connector:

      • Compute Instance
      • Database Instance
      • Elastic Search Instance
      • Encryption Key
      • Global Configurations
      • IAM Credentials
      • IAM Policy
      • VPC
      • Storage
      • Security Groups

Performing next steps

To manage connector configuration and settings, see Managing connectors.

To assess the resources including why a rule failed, see Managing resources.
