About cross-account access
Cross-account access lets an IAM identity in one AWS account access the resources of another AWS account by assuming an IAM role that the second account has created and trusted for that purpose. In Vulcan's case, the Vulcan AWS account assumes a read-only role in each of your accounts.
If your organization has several AWS accounts, use cross-account access rather than configuring a separate AWS connector in Vulcan for each account.
Prerequisites and User Permissions
The following are the IAM actions the cross-account role needs for each AWS service. Grant the actions only for the services you select in the connector; all of them are read-only (Describe/List/Get) calls.
Service | Required IAM actions |
EC2 | DescribeInstances, DescribeSecurityGroups |
Elastic Load Balancing | DescribeTargetGroups, DescribeLoadBalancers, DescribeTargetHealth |
Inspector Classic and Inspector V2 | ListFindings, ListAssessmentRuns, DescribeAssessmentRuns, DescribeFindings, ListAssessmentTemplates, PreviewAgents |
ECR | ListTagsForResource, ListImages, DescribeImages, DescribeRepositories |
ECS | DescribeClusters, ListContainerInstances, DescribeContainerInstances, ListClusters |
Security Hub | DescribeProducts, GetFindings, GetInsightResults, ListTagsForResource, DescribeHub, GetInsights |
Configure AWS Cross-Account
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the AWS icon.
Set up the connector as follows:
Select the AWS Services you want to pull data from.
- To enable AWS ECR vulnerability retrieval, select AWS ECR, AWS Inspector, and AWS Security Hub. See Retrieving AWS ECR vulnerabilities below for the rest of the steps.
- To enable Inspector, select Inspector and AWS Security Hub.
Once you are done with the selection, click "Download Policy". The downloaded policy file is used in a later step.
Generate the ARN file by following the instructions on the AWS connector setup page under AWS Configuration. This step must be repeated in every AWS account you want to grant access to.
Note: The External ID can be customized. To set your own External ID, contact Vulcan Support or your Customer Success Manager at Vulcan.
Upload the ARN file (a CSV file containing the account information).
Select Regions. For each account, the connector pulls data from every selected region.
Security Hub Products: choose the products you want to display on the Vulcan Platform. You can change this selection at any time. This is also where you enable the retrieval of AWS ECR vulnerabilities.
Click Create.
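The two IAM documents behind the cross-account step above (the role's trust policy, carrying the External ID, and its read-only permissions policy built from the table in Prerequisites and User Permissions) look like this. This is an added example, not Vulcan's tooling or the policy that "Download Policy" gives you; the Vulcan account ID and External ID are placeholders, and the service prefixes (ec2:, inspector2:, ...) are my mapping of the table's action names onto full IAM action names. The trust_policy_problems check is the caveat a practitioner wants: it flags a role that any account could assume, or one that omits the sts:ExternalId condition.

```python
"""Build and sanity-check the IAM documents for a Vulcan cross-account role.

Added example; this is not Vulcan's own tooling. VULCAN_ACCOUNT_ID and
EXTERNAL_ID are placeholders: take the real values from the connector setup
page and from Vulcan Support.
"""
import json

VULCAN_ACCOUNT_ID = "111111111111"                 # placeholder, not Vulcan's real account
EXTERNAL_ID = "replace-with-vulcan-external-id"    # placeholder

# IAM actions per service, from the permissions table on this page, with the
# service prefix added (my mapping). Inspector Classic uses the "inspector"
# prefix, Inspector V2 uses "inspector2".
SERVICE_ACTIONS = {
    "EC2": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
    "Elastic LoadBalancing": [
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetHealth",
    ],
    "Inspector": [
        "inspector:ListFindings", "inspector:DescribeFindings",
        "inspector:ListAssessmentRuns", "inspector:DescribeAssessmentRuns",
        "inspector:ListAssessmentTemplates", "inspector:PreviewAgents",
        "inspector2:ListFindings",
    ],
    "ECR": ["ecr:ListTagsForResource", "ecr:ListImages",
            "ecr:DescribeImages", "ecr:DescribeRepositories"],
    "ECS": ["ecs:DescribeClusters", "ecs:ListClusters",
            "ecs:ListContainerInstances", "ecs:DescribeContainerInstances"],
    "Security Hub": ["securityhub:DescribeHub", "securityhub:DescribeProducts",
                     "securityhub:GetFindings", "securityhub:GetInsights",
                     "securityhub:GetInsightResults",
                     "securityhub:ListTagsForResource"],
}


def build_trust_policy(vulcan_account_id, external_id):
    """Trust policy for the role in your account: only the Vulcan account may
    assume it, and only when it presents the agreed External ID (the standard
    mitigation for the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vulcan_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(services):
    """Read-only permissions policy limited to the services selected in the connector."""
    actions = sorted({a for s in services for a in SERVICE_ACTIONS[s]})
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


def trust_policy_problems(trust_policy, expected_account_id):
    """Return the weaknesses found in an AssumeRole trust policy (empty list = OK).
    Run it against the trust policy actually attached to the role in each account."""
    problems = []
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if principal == "*" or aws_principal == "*":
            problems.append("principal is a wildcard: any AWS account could assume the role")
        elif expected_account_id not in json.dumps(aws_principal):
            problems.append("principal is not the Vulcan account")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("missing sts:ExternalId condition (confused-deputy risk)")
    return problems


if __name__ == "__main__":
    trust = build_trust_policy(VULCAN_ACCOUNT_ID, EXTERNAL_ID)
    perms = build_permissions_policy(["EC2", "Elastic LoadBalancing", "Inspector", "Security Hub"])
    assert trust_policy_problems(trust, VULCAN_ACCOUNT_ID) == []
    with open("vulcan-trust.json", "w") as f:
        json.dump(trust, f, indent=2)
    with open("vulcan-permissions.json", "w") as f:
        json.dump(perms, f, indent=2)
    print("wrote vulcan-trust.json and vulcan-permissions.json")
```

Run in each member account, the script writes the two documents; `aws iam create-role --role-name <name> --assume-role-policy-document file://vulcan-trust.json` followed by `aws iam put-role-policy --role-name <name> --policy-name VulcanReadOnly --policy-document file://vulcan-permissions.json` creates the role, and the ARN that create-role returns is the value Vulcan needs for that account. Where the policy downloaded from the connector and the table differ, the downloaded policy is authoritative.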
Service Mapping
Service | Visibility on the Vulcan Platform |
EC2 | Assets > Hosts |
EC2 security groups | Assets > Hosts > Host details |
ECR | Assets > Code Project |
ECS | Assets > Code Project |
Inspector Classic | Vulnerabilities |
Inspector V2 | Vulnerabilities |
Retrieving AWS ECR vulnerabilities
To enable the retrieval of AWS ECR vulnerabilities, configure the AWS connector as follows:
- Make sure AWS ECR, AWS Inspector, and AWS Security Hub are selected as services.
- Follow the AWS connector configuration steps described under Configure AWS Cross-Account above.
- In the Security Hub Products setting, make sure Inspector is selected.
Note: The AWS ECR vulnerability configuration can be combined with any other AWS connector configuration.