Overview


About cross-account access

Cross-account access lets IAM users (or roles) in one AWS account access the AWS resources of another AWS account.
If your organization has several AWS accounts, use a single cross-account connector instead of configuring a separate AWS connector in Vulcan for each account.


Role permissions required

The following are the role permissions required for each AWS service. Make sure the role you create grants the permissions for every service you want to use.

Service                   Role permission
------------------------  ------------------------------------------------------------
EC2                       DescribeInstances, DescribeSecurityGroups
Elastic Load Balancing    DescribeTargetGroups, DescribeLoadBalancers, DescribeTargetHealth
Inspector Classic,        ListFindings, ListAssessmentRuns, DescribeAssessmentRuns,
Inspector V2              DescribeFindings, ListAssessmentTemplates, PreviewAgents
ECR                       ListTagsForResource, ListImages, DescribeImages, DescribeRepositories
ECS                       DescribeClusters, ListContainerInstances, DescribeContainerInstances, ListClusters
Security Hub              DescribeProducts, GetFindings, GetInsightResults, ListTagsForResource, DescribeHub, GetInsights

The names above are API actions. In the IAM policy each one is written with its service prefix (ec2:, elasticloadbalancing:, inspector: for Inspector Classic and inspector2: for Inspector V2, ecr:, ecs:, securityhub:). All of them are read-only Describe/List/Get calls, so the role needs no write permissions; if a policy you are about to attach grants more than this list, trim it before use.
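A quick way to turn the table into an actual policy document, and to review a policy before attaching it to the role, is shown below. This is an added example, not Vulcan's downloadable policy or its generator: it assumes the standard IAM service prefixes, uses the Classic prefix (inspector) for the Inspector row because the listed actions are Classic API names, and the function names (required_actions, build_policy, extra_actions) are our own.

```python
"""Build the read-only IAM policy for the Vulcan AWS connector from the
service/permission table above, and flag actions a candidate policy grants
that the table does not call for. Added example, not Vulcan's own code."""
import json

# Service -> (IAM action prefix, API actions) transcribed from the table.
# Prefixes are the standard IAM service prefixes; the Inspector row uses the
# Classic prefix ("inspector") because the listed actions are Classic API names.
REQUIRED_ACTIONS = {
    "EC2": ("ec2", ["DescribeInstances", "DescribeSecurityGroups"]),
    "Elastic Load Balancing": ("elasticloadbalancing",
        ["DescribeTargetGroups", "DescribeLoadBalancers", "DescribeTargetHealth"]),
    "Inspector Classic": ("inspector",
        ["ListFindings", "ListAssessmentRuns", "DescribeAssessmentRuns",
         "DescribeFindings", "ListAssessmentTemplates", "PreviewAgents"]),
    "ECR": ("ecr", ["ListTagsForResource", "ListImages", "DescribeImages",
                    "DescribeRepositories"]),
    "ECS": ("ecs", ["DescribeClusters", "ListContainerInstances",
                    "DescribeContainerInstances", "ListClusters"]),
    "Security Hub": ("securityhub",
        ["DescribeProducts", "GetFindings", "GetInsightResults",
         "ListTagsForResource", "DescribeHub", "GetInsights"]),
}


def required_actions(services):
    """Fully qualified IAM actions needed for the selected services."""
    actions = set()
    for svc in services:
        prefix, names = REQUIRED_ACTIONS[svc]
        actions.update(f"{prefix}:{name}" for name in names)
    return actions


def build_policy(services):
    """Least-privilege permissions policy for the connector role.

    Resource is "*" because these Describe/List/Get calls do not support
    resource-level restrictions; the scope comes from the action list and
    from the role's trust policy, not from a resource ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VulcanReadOnly",
            "Effect": "Allow",
            "Action": sorted(required_actions(services)),
            "Resource": "*",
        }],
    }


def extra_actions(policy, services):
    """Actions granted by `policy` that the selected services do not need.

    Wildcards such as "ec2:*" are reported as-is, since they grant far more
    than the table calls for. Deny statements are ignored: they never widen
    access. Run this over a downloaded or hand-edited policy before attaching it.
    """
    needed = required_actions(services)
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        granted.update([action] if isinstance(action, str) else action)
    return granted - needed


if __name__ == "__main__":
    # Policy for a connector that pulls EC2 and Security Hub data only.
    print(json.dumps(build_policy(["EC2", "Security Hub"]), indent=2))
```

Select only the services you actually enable in the connector; every extra service in the list is read access the role keeps even if Vulcan never uses it.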


Configure AWS Cross-Account

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the AWS icon.

  4. Set up the connector as follows:

    1. Select the AWS Services you want to pull data from.

      About enabling Inspector Classic ("AWS Inspector") and/or Inspector V2:
      - To enable Inspector Classic, check the "AWS Inspector"/"AWS Inspector Classic" option.

      - To enable Inspector V2, check the AWS Security Hub Service.

    2. Once you are done with the selection, click “Download Policy”. The downloaded file will be used at a later stage.

  5. Generate the ARN file by following the instructions on the AWS connector setup page under AWS Configuration. This step must be repeated in each AWS account you want to grant access to, so that every account's role ARN is collected.

  6. Upload the ARN file (a CSV containing the account information) to the connector.

  7. Select Regions - For each account, the connector will try to pull data from all selected regions.

  8. Security Hub Products - Choose the products whose findings you want to display on the Vulcan Platform. You can change this selection at any time. This is also where the Inspector V2 service is enabled.

  9. Click "Create".
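The per-account role and the ARN file are the two places in this procedure where a mistake is easy to make: a role whose trust policy lets more than the connector assume it, or an ARN list with a typo or a duplicated account. The following added example (not Vulcan's code; the CSV layout, the connector account ID 000000000000, the external ID and the function names are assumptions for illustration) validates an ARN file and checks a role trust policy for the two properties a cross-account role should have: a single named principal and an sts:ExternalId condition.

```python
"""Checks for the cross-account role and the ARN file. Added example, not
Vulcan's code: the CSV layout, the connector account ID, the external ID
and the function names are assumptions made for illustration."""
import csv
import io
import json
import re

# IAM role ARN: partition, empty region, 12-digit account, role name with optional path.
ROLE_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+$")

# Constructed sample of the uploaded CSV; the real column layout may differ.
SAMPLE_ARN_FILE = """account_name,role_arn
prod,arn:aws:iam::111111111111:role/VulcanCrossAccount
dev,arn:aws:iam::222222222222:role/VulcanCrossAccount
"""


def parse_arn_file(text):
    """Return {account_id: role_arn} for every role ARN found in the CSV.

    Cells that do not look like an ARN are ignored, so a header row or a
    name column is fine. A malformed role ARN or an account listed twice
    raises ValueError instead of being silently dropped.
    """
    roles = {}
    for row in csv.reader(io.StringIO(text)):
        for cell in row:
            cell = cell.strip()
            if not cell.startswith("arn:"):
                continue
            match = ROLE_ARN.match(cell)
            if not match:
                raise ValueError(f"malformed role ARN: {cell!r}")
            account = match.group(2)
            if account in roles:
                raise ValueError(f"account {account} listed more than once")
            roles[account] = cell
    return roles


def trust_policy(connector_account_id, external_id):
    """Trust policy for the role created in each member account (assumed shape).

    Only the connector's account may assume the role, and only when it
    presents the agreed external ID, the standard confused-deputy guard
    for roles assumed by a third-party service.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{connector_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy):
    """List what is wrong with a trust policy meant for a single connector."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            findings.append("any AWS principal may assume the role")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            findings.append("no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(parse_arn_file(SAMPLE_ARN_FILE))
    print(json.dumps(trust_policy("000000000000", "example-external-id"), indent=2))
```

Run parse_arn_file over the CSV before uploading it; a role ARN the connector cannot assume fails quietly at pull time, whereas a validation error here points at the exact cell. Use the actual principal and external ID from the AWS Configuration instructions in place of the placeholders.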


Service Mapping

Service                   Visibility in the Vulcan Platform
------------------------  ------------------------------------
EC2                       Assets > Hosts
EC2 security groups       Assets > Hosts > Host details
ECR                       Assets > Code Project
ECS                       Assets > Code Project
Inspector Classic         Vulnerabilities
Inspector V2              Vulnerabilities


Support notes

Vulcan supports Inspector findings for EC2 items only (Inspector findings for ECR items are not supported).
