AWS Connector

Cross-account access enables IAM user in one AWS account to access the AWS resources of another AWS account.

Updated over a week ago

About cross-account access

Cross-account access enables IAM users using one AWS account to access the AWS resources of another AWS account.
If you have several AWS accounts in your organization, it is recommended to use cross-account, instead of configuring several AWS connectors within Vulcan.


Prerequisites and User Permissions

The following is the role permission required for each AWS service. Make sure the required role permissions exist for the services you want to use.

Service

Role permission

EC2

DescribeInstances

DescribeSecurityGroups

Elastic LoadBalancing

DescribeTargetGroups

DescribeLoadBalancers

DescribeTargetHealth

Inspector Classic

Inspector V2

ListFindings

ListAssessmentRuns

DescribeAssessmentRuns

DescribeFindings

ListAssessmentTemplates

PreviewAgents

ECR

ListTagsForResource

ListImages

DescribeImages

DescribeRepositories

ECS

DescribeClusters

ListContainerInstances

DescribeContainerInstances

ListClusters

Security Hub

DescribeProducts

GetFindings

GetInsightResults

ListTagsForResource

DescribeHub

GetInsights


Configure AWS Cross-Account

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the AWS icon.

  4. Set up the connector as follows:

    1. Select the AWS Services you want to pull data from.

      - To enable AWS ECR vulnerability retrieval, select AWS ECR, AWS Inspector, and AWS Security Hub. See the rest of the instructions here.
      - To enable Inspector, select Inspector and AWS Security Hub.

    2. Once you are done with the selection, click “Download Policy”. The downloaded file will be used at a later stage.

  5. Generate an ARN file by following the instructions on the AWS connector setup page under AWS Configuration. Note that this step needs to re-occur in each AWS account you want to enable access to.

    Note: The "External ID" can be customized. To determine your own External ID, contact Vulcan Support or your Customer Success Manager at Vulcan.

  6. Upload the ARN file containing the account information in a CSV file.

  7. Select Regions - For each account, the connector will try to pull data for all selected regions. 

  8. Security Hub Products - Choose the products you want to display on the Vulcan Platform. You can change the configurations at any time. This is also where you can enable the retrieval of AWS ECR vulnerabilities.

  9. Click Create.


Service Mapping

Service

Visibility on the Vulcan Platform

EC2

Assets > Hosts

EC2 security groups

Assets > Hosts > Hosts details

ECR

Assets > Code Project

ECS

Assets > Code Project

Inspector Classic

Vulnerabilities

Inspector V2

Vulnerabilities


Retrieving AWS ECR vulnerabilities

To enable the retrieval of AWS ECR vulnerabilities, set up the following configuration in the AWS connector:

  1. Make sure AWS ECR, AWS Inspector, and AWS Security Hub are selected:

  2. Follow the instruction of the AWS Connector configuration as described here.

  3. For the Security Gub Products setting, make sure Inspector is selected:

    Note: The configuration of AWS ECR vulnerabilities can be done in addition to any other AWS connector configuration.

Did this answer your question?