Cross-account access enables an IAM user in one AWS account to access the AWS resources of another AWS account.
If your organization has several AWS accounts, it is recommended to use cross-account access instead of configuring a separate AWS connector for each account within Vulcan.
1. Role Permissions needed for all the relevant services
EC2: DescribeInstances, DescribeSecurityGroups
Elastic LoadBalancing: DescribeTargetGroups, DescribeLoadBalancers, DescribeTargetHealth
Inspector: ListFindings, ListAssessmentRuns, DescribeAssessmentRuns, DescribeFindings, ListAssessmentTemplates, PreviewAgents
ECR: ListTagsForResource, ListImages, DescribeImages, DescribeRepositories
ECS: DescribeClusters, ListContainerInstances, DescribeContainerInstances, ListClusters
SecurityHub: DescribeProducts, GetFindings, GetInsightResults, ListTagsForResource, DescribeHub, GetInsights
2. How to Configure AWS Cross-Account
Go to the "Add connector" page and choose AWS connector. Under the connector configuration page, follow the steps:
Step 1 - Choose Regions and AWS Services
Select Region - For each account, the connector will try to pull data from all selected regions.
Choose AWS Services - Choose which AWS services the connector will pull data from. Note that each AWS service requires different levels
Step 2 - AWS Configuration through AWS Console
Note that this step must be repeated in each AWS account you want to grant access to.
1. Log in to the AWS console of the target account with a user who has permission to create an IAM role.
2. Navigate to IAM --> Policies --> Create policy --> JSON
3. In the Vulcan platform, click Download Policy and paste the content of the JSON file into the AWS console (where you stopped in step 2). Note that the JSON is derived from the AWS services you chose earlier.
4. Click Review policy.
5. Copy the Account ID from Vulcan.
6. Navigate to IAM --> Roles --> Create role --> Another AWS account and paste the Account ID from the previous step.
7. Copy the External ID from the connector page in Vulcan. In IAM, check Require external ID and paste the External ID from the previous step.
8. Uncheck Require MFA.
9. Click Next: Permissions and attach the policy created in step 4.
10. Review the policy and copy the generated ARN. You will use all of the ARNs in the next step.
Step 3 - Upload ARNs List
Download the CSV template from the Vulcan platform.
Add all the ARNs from step 2. Make sure to follow the format used in the template.
Upload the ARNs CSV.
Click Create.
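The following worked example is added here and is not Vulcan's own code or the JSON that the Download Policy button produces. It assembles the two IAM documents that Steps 1 and 2 create by hand (the read-only permissions policy from the service list in section 1, and the trust policy for "Another AWS account" with "Require external ID" checked and "Require MFA" unchecked), lints them the way a reviewer would before attaching them, and checks the role ARNs collected for the Step 3 CSV. The IAM action prefixes, the assumption that the CSV is one ARN per line under an "arn" header, and all account IDs, external IDs and ARNs are assumptions or constructed placeholders, not values from the article.

```python
"""Assemble and review the IAM documents behind the cross-account connector setup.

Added example, not Vulcan's code. Action prefixes are assumed from the AWS IAM
service namespaces; all IDs and ARNs below are constructed placeholders.
"""
import json
import re

# Read-only actions per service, following the "Role Permissions" list above
# (IAM prefix per service is an assumption: Inspector Classic uses "inspector").
SERVICE_ACTIONS = {
    "EC2": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
    "ELB": ["elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTargetHealth"],
    "Inspector": ["inspector:ListFindings", "inspector:ListAssessmentRuns",
                  "inspector:DescribeAssessmentRuns", "inspector:DescribeFindings",
                  "inspector:ListAssessmentTemplates", "inspector:PreviewAgents"],
    "ECR": ["ecr:ListTagsForResource", "ecr:ListImages", "ecr:DescribeImages",
            "ecr:DescribeRepositories"],
    "ECS": ["ecs:DescribeClusters", "ecs:ListContainerInstances",
            "ecs:DescribeContainerInstances", "ecs:ListClusters"],
    "SecurityHub": ["securityhub:DescribeProducts", "securityhub:GetFindings",
                    "securityhub:GetInsightResults", "securityhub:ListTagsForResource",
                    "securityhub:DescribeHub", "securityhub:GetInsights"],
}
READ_ONLY_VERBS = ("Describe", "List", "Get", "Preview")
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")


def build_permissions_policy(services):
    """Identity policy for the role, limited to the services chosen in Step 1."""
    unknown = [s for s in services if s not in SERVICE_ACTIONS]
    if unknown:
        raise ValueError(f"unsupported services: {unknown}")
    actions = sorted({a for s in services for a in SERVICE_ACTIONS[s]})
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "VulcanReadOnly", "Effect": "Allow",
                           "Action": actions, "Resource": "*"}]}


def build_trust_policy(vulcan_account_id, external_id):
    """Trust policy matching Step 2: trust another account, require the External ID,
    and leave 'Require MFA' unchecked (so no aws:MultiFactorAuthPresent condition)."""
    if not re.fullmatch(r"\d{12}", vulcan_account_id):
        raise ValueError("account ID must be 12 digits")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{vulcan_account_id}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def lint_policies(permissions, trust):
    """Review findings: write or wildcard actions in the permissions policy, and a
    trust policy that lets the account assume the role without an External ID."""
    findings = []
    for stmt in permissions["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            verb = action.split(":", 1)[-1]
            if "*" in action or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"non-read-only action: {action}")
    for stmt in trust["Statement"]:
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy allows AssumeRole without sts:ExternalId")
    return findings


def split_role_arns(csv_text):
    """Split the Step 3 list into (valid, invalid) role ARNs.
    Assumes one ARN per line with an optional 'arn' header row."""
    valid, invalid = [], []
    for line in csv_text.splitlines():
        value = line.strip()
        if not value or value.lower() == "arn":
            continue
        (valid if ROLE_ARN.fullmatch(value) else invalid).append(value)
    return valid, invalid


if __name__ == "__main__":
    perms = build_permissions_policy(["EC2", "Inspector", "SecurityHub"])
    trust = build_trust_policy("111111111111", "vulcan-external-id-placeholder")
    print(json.dumps(perms, indent=2))
    print(json.dumps(trust, indent=2))
    print("findings:", lint_policies(perms, trust))
    # Constructed sample of the ARN list: one well-formed ARN, one with a bad account ID.
    sample_csv = "arn\narn:aws:iam::222222222222:role/VulcanReadOnly\narn:aws:iam::33:role/Broken\n"
    print(split_role_arns(sample_csv))
```

The linter is the useful part for a defender: it flags any action that is not a Describe/List/Get/Preview call, so a hand-edited policy that drifted beyond the read-only list is caught, and it flags a trust policy missing the `sts:ExternalId` condition, which is what stops a third account from using Vulcan's account as a confused deputy to assume your role.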
3. Supported services by the AWS integration
Vulcan ingests the AWS items and presents them in different places in the platform based on the item data type.
EC2, ECR, ECS - Ingested as assets and shown under the Assets view.
AWS EC2 security groups - Shown under the asset details of every item.
Inspector - Vulcan supports Inspector findings for EC2 items only (Vulcan does NOT support Inspector findings for ECR items).
Inspector findings are shown under the Vulnerabilities view.
4. Training video
Does AWS Inspector fetch vulnerabilities for all AWS services?
No. Currently, AWS Inspector can fetch vulnerability data for EC2 instances only, and not for EC2 security groups, ECR or ECS.