Overview
About cross-account access
Cross-account access enables IAM users in one AWS account to access the AWS resources of another AWS account.
If your organization has several AWS accounts, it is recommended to use cross-account access instead of configuring a separate AWS connector in Vulcan for each account.
Role permissions required
The following table lists the role permissions required for each AWS service. Make sure the role has the required permissions for every service you want to use.
| Service | Role permissions |
| --- | --- |
| EC2 | DescribeInstances, DescribeSecurityGroups |
| Elastic Load Balancing | DescribeTargetGroups, DescribeLoadBalancers, DescribeTargetHealth |
| Inspector Classic / Inspector V2 | ListFindings, ListAssessmentRuns, DescribeAssessmentRuns, DescribeFindings, ListAssessmentTemplates, PreviewAgents |
| ECR | ListTagsForResource, ListImages, DescribeImages, DescribeRepositories |
| ECS | DescribeClusters, ListContainerInstances, DescribeContainerInstances, ListClusters |
| Security Hub | DescribeProducts, GetFindings, GetInsightResults, ListTagsForResource, DescribeHub, GetInsights |
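As an added example (not part of the Vulcan documentation or of the policy file the connector generates), the following Python builds a least-privilege IAM policy from the permission table above for the services you select, and audits a policy document for wildcard, non-read-only, or undocumented actions, so you can check the downloaded policy before attaching it to the cross-account role. The IAM service prefixes (ec2, elasticloadbalancing, inspector, ecr, ecs, securityhub) are my assumption; the page lists only the action names.

```python
import json

# Required actions per service, transcribed from the permission table above.
# The IAM service prefixes are an assumption; the page gives only action names.
REQUIRED_ACTIONS = {
    "ec2": ["DescribeInstances", "DescribeSecurityGroups"],
    "elasticloadbalancing": ["DescribeTargetGroups", "DescribeLoadBalancers",
                             "DescribeTargetHealth"],
    "inspector": ["ListFindings", "ListAssessmentRuns", "DescribeAssessmentRuns",
                  "DescribeFindings", "ListAssessmentTemplates", "PreviewAgents"],
    "ecr": ["ListTagsForResource", "ListImages", "DescribeImages", "DescribeRepositories"],
    "ecs": ["DescribeClusters", "ListContainerInstances",
            "DescribeContainerInstances", "ListClusters"],
    "securityhub": ["DescribeProducts", "GetFindings", "GetInsightResults",
                    "ListTagsForResource", "DescribeHub", "GetInsights"],
}

# Every documented action is read-only; these verbs are what we expect to see.
READ_ONLY_VERBS = ("Describe", "List", "Get", "Preview")


def build_policy(services):
    """Build a least-privilege IAM policy allowing only the documented actions."""
    actions = [f"{svc}:{name}" for svc in services for name in REQUIRED_ACTIONS[svc]]
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


def audit_policy(policy):
    """Return a list of problems found in an IAM policy document.

    Flags wildcard actions, actions that are not read-only, and actions that
    the permission table does not document. An empty list means the policy
    grants exactly the kind of access the connector needs and nothing more.
    """
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            svc, _, name = action.partition(":")
            if "*" in action:
                problems.append(f"wildcard action: {action}")
            elif not name.startswith(READ_ONLY_VERBS):
                problems.append(f"non-read-only action: {action}")
            elif name not in REQUIRED_ACTIONS.get(svc, []):
                problems.append(f"undocumented action: {action}")
    return problems


if __name__ == "__main__":
    policy = build_policy(["ec2", "ecr", "securityhub"])
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy))  # -> []
```

To audit the policy you downloaded from the connector, load it with `json.load` and pass the resulting dict to `audit_policy`.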
Configure AWS Cross-Account
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Orca icon.
Set up the connector as follows:
Select the AWS Services you want to pull data from.
About enabling Inspector Classic ("AWS Inspector") and/or Inspector V2:
- To enable Inspector Classic, check the "AWS Inspector"/"AWS Inspector Classic" option.
- To enable Inspector V2, check the AWS Security Hub service.
Once you are done with the selection, click "Download Policy". The downloaded file will be used at a later stage.
Generate an ARN file by following the instructions on the AWS connector setup page under AWS Configuration. Note that this step must be repeated in each AWS account you want to grant access to.
Upload the ARN file (a CSV file containing the account information).
Select Regions - For each account, the connector will try to pull data for all selected regions.
Security Hub Products - Choose the products you want to display on the Vulcan Platform. You can change the configurations at any time. This is also where you can enable the Inspector V2 service.
Click "Create".
Service Mapping
| Service | Visibility in the Vulcan Platform |
| --- | --- |
| EC2 | Assets > Hosts |
| EC2 security groups | Assets > Hosts > Hosts details |
| ECR | Assets > Code Project |
| ECS | Assets > Code Project |
| Inspector Classic | Vulnerabilities |
| Inspector V2 | Vulnerabilities |
Support notes
Vulcan supports Inspector findings for EC2 items only (Inspector findings for ECR items are not supported).