AWS Cloud Connector
This topic describes how to onboard the AWS Cloud connector, which gathers data from AWS services and performs compliance and risk assessment on those assets.
Onboarding the AWS Cloud connector involves the following steps:
Understanding the AWS Cloud connector
Using the AWS Cloud connector enables you to gather data about the following AWS services:
- CloudTrail
- Elasticsearch
- Identity and Access Management (IAM) credentials
- Password Policy
- Relational Database Service (RDS)
- S3 buckets
- Security Groups
- Key Management Service (KMS)
This connector is hosted on the AWS Cloud. For AWS connectors installed on-premise, see AWS-On-Premises-Connector.
License Utilization
The following resources consume a product license:
- Amazon Elastic Compute Cloud (EC2)
- Amazon Relational Database Service (Amazon RDS)
- Amazon Elasticsearch cluster
Completing prerequisites
Ensure that the IAM user whose keys the connector uses has the minimum permissions required to run compliance checks. These permissions are specified in the Permissions tab in AWS, which lists the minimum set of AWS policies that the IAM user must have for the AWS connector to run.
See the following page for configuring the minimum permissions required.
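The page does not list the policy actions themselves, so the following is an added example, not the product's documented minimum permission set: an assumed read-only IAM policy covering the services the connector inventories (CloudTrail, Elasticsearch, IAM, RDS, S3, EC2 security groups and VPCs, KMS), together with a small check that flags anything in a policy that would give a data-collection user more than read access (wildcard actions, mutating verbs, NotAction statements). The action names are real IAM actions, but the choice of which ones to include is this example's assumption and should be reconciled with the vendor's own list before use.

```python
"""Added example: an assumed read-only IAM policy for the connector's IAM
user, plus a least-privilege check for such policies. This is not the
product's documented permission set."""
import json

# Assumption: read-only actions grouped by the services the connector collects.
# Resource "*" is normal here because Describe/List/Get inventory calls are
# account-wide; the least-privilege boundary is the action list, not the ARN.
CONNECTOR_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConnectorReadOnlyInventory",
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:GetEventSelectors",
                "es:ListDomainNames",
                "es:DescribeElasticsearchDomains",
                "iam:GenerateCredentialReport",
                "iam:GetCredentialReport",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers",
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "rds:DescribeDBInstances",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "s3:GetBucketPolicy",
                "s3:GetBucketLogging",
                "s3:GetEncryptionConfiguration",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "kms:ListKeys",
                "kms:DescribeKey",
                "kms:GetKeyRotationStatus",
            ],
            "Resource": "*",
        }
    ],
}

# Verbs that only read state. Anything else (Put, Create, Delete, Attach,
# Update, ...) mutates resources and has no place in a collector-only user.
READ_ONLY_VERBS = ("Describe", "Get", "List")
# GenerateCredentialReport does not start with a read verb but only produces
# the report that GetCredentialReport then reads, so it is allowed explicitly.
EXPLICIT_ALLOW = {"iam:GenerateCredentialReport"}


def find_policy_violations(policy):
    """Return the problems that make a policy broader than a read-only
    collector needs. Only Allow statements can widen access, so Deny
    statements are skipped."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction allows everything except what is listed: always too broad.
        if "NotAction" in stmt:
            problems.append("NotAction statement grants every action not listed")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                problems.append(f"wildcard action not allowed: {action}")
                continue
            if action in EXPLICIT_ALLOW:
                continue
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_VERBS):
                problems.append(f"mutating action: {action}")
    return problems


def is_read_only(policy):
    """True when the policy grants nothing beyond read/describe/list access."""
    return not find_policy_violations(policy)


def render_policy(policy):
    """JSON document ready to paste as a customer-managed IAM policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_policy(CONNECTOR_READONLY_POLICY))
    print("read-only:", is_read_only(CONNECTOR_READONLY_POLICY))
```

Run the check again whenever the connector user's policy is edited; a single `s3:*` or `iam:PutUserPolicy` added for convenience turns a read-only inventory key into a credential worth protecting far more carefully, and the access key and secret key entered during onboarding should belong to this dedicated user rather than to an administrator.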
Onboarding the AWS Cloud connector
- Log in to Cloud Security with your registered credentials.
- Select Configure icon > Connectors.
- Click Add Connector.
- Under Connector Type > Cloud Based Connectors (Hosted), click AWS Cloud Connector and then click Continue.
- In the Name your connector field, specify a name for the connector.
  This name must be unique; a name already used by another connector is rejected.
  If the name is not already listed on the Manage Connectors page, a green check mark and an "available" label appear next to the field.
- Choose Key Based and provide these details:
  - AWS Account Access Key: the access key for the account to be scanned. This key uniquely identifies the user who owns the account.
  - AWS Account Secret Key: the secret key for the account to be scanned. This key plays the role of a password.
- Select the method for triggering collection cycles from the Collection Mode menu:
  - On Demand. Enables on-demand scanning.
  - Scheduled. Specifies the interval, in hours or minutes, at which AWS resources are periodically collected and evaluated.
- Under AWS Partition, select AWS (default) or AWS GovCloud (US).
- Click Continue.
- Clear the policies that you will not use to evaluate your AWS account.
- Click Continue.
The connector is now available in Cloud Security, and the selected policies are evaluated on the schedule you set.
As soon as the connector begins sending data, it is shown in the Running state, as illustrated in the following screen.
To view the collected assets, select AWS Cloud Connector and filter for Resource Types; a drop-down lists the available resource types.
The connector collects the data and publishes it back to Cloud Security. Note that it might take some time for data collection to begin.
Resource Types:
The following resource types are supported for the AWS Cloud Connector:

| Resource Type | AWS Service |
|---|---|
| AWSCloudTrail | CloudTrail |
| Compute Instance | AmazonEC2 |
| Database Instance | AmazonRDS |
| Elasticsearch Instance | AmazonES |
| Encryption Key | awskms |
| Global Configurations | Account |
| IAM Credentials | IAM |
| IAM Policy | IAM |
| VPC | AmazonEC2 |
| Storage | AmazonS3 |
| Security Groups | AmazonEC2 |
Performing next steps
To manage connector configuration and settings, see Managing-connectors.
To assess the resources including why a rule failed, see Managing-resources.