AWS Connector

Cross-account access enables an IAM user in one AWS account to access the AWS resources of another AWS account.

Setting Up AWS Integration with Cross-Account Access on the Vulcan Platform

When integrating AWS with the Vulcan Platform, you have the flexibility to manage how data from multiple AWS accounts is accessed and consolidated. Depending on your organizational needs, you can choose between two options for fetching data:

Option 1: Single-Account Data Fetching

If your focus is solely on the findings from the main AWS account, a single ARN (Amazon Resource Name) setup is sufficient. This option streamlines the integration process by fetching data exclusively from the main account.

Option 2: Cross-Account Data Fetching

To include data from both your main AWS account and any linked accounts (enabling cross-account access), you must specify an ARN for each account involved. This ensures that findings across all accounts are aggregated and available through the Vulcan Platform.

The ARN(s) of the AWS account(s) are added to the connector setup page.


Prerequisites and User Permissions

The following role permissions are required for each AWS service. Make sure the required role permissions exist for the services you want to use.

| Service | Role permission |
| --- | --- |
| EC2 | DescribeInstances, DescribeSecurityGroups |
| Elastic LoadBalancing | DescribeTargetGroups, DescribeLoadBalancers, DescribeTargetHealth |
| Inspector Classic | ListFindings, ListAssessmentRuns, DescribeAssessmentRuns, DescribeFindings, ListAssessmentTemplates, PreviewAgents |
| ECR | ListTagsForResource, ListImages, DescribeImages, DescribeRepositories |
| ECS | DescribeClusters, ListContainerInstances, DescribeContainerInstances, ListClusters |
| Security Hub | DescribeProducts, GetFindings, GetInsightResults, ListTagsForResource, DescribeHub, GetInsights |


Configure AWS Cross-Account

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the AWS icon.

  4. Start by selecting the AWS Services you want to pull data from.

    Support Limitations:
    - At least one asset type must be selected (EC2/ECR)
    - ECR assets can be aggregated by repo or by image. Once saved, this setting cannot be changed, and a new integration is required.
    - For EC2 findings, select either Inspector or Inspector via Security Hub, not both, to avoid duplicate findings.
    - At least one region must be selected
    - ARN file must include at least one ARN

    1. Once you are done with the selection, click “Download Policy”.
      The downloaded file will be used at a later stage.

  5. Generate an ARN file by following the instructions on the AWS connector setup page under AWS Configuration.
    Note: If you have more than one account (AWS account with cross-account access), you need to create an ARN for each account. Read more here.

    Note: The "External ID" can be customized. To determine your own External ID, contact Vulcan Support or your Customer Success Manager at Vulcan.

  6. Upload the account information CSV file. Then, click + Add ARN.
    If you have more than one account (AWS account with cross-account access), you need to create an ARN for each account. Read more here.

  7. Select Regions. The connector will try to pull data for each account for all selected regions. 

  8. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  9. Configure the "Immediately remove this connector's assets when their status is:" option.

  10. Once done, click Create.

  11. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  12. To confirm the sync is complete, navigate to the Connectors page. Once the AWS icon shows Connected, the sync is complete.
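
As an added example (not part of the Vulcan documentation, and not the file produced by "Download Policy"), the Python script below audits an IAM permissions policy against the permissions table above and checks that the role's trust policy requires the External ID mentioned in step 5. It assumes the standard IAM service prefixes for each service and the usual AWS trust-policy layout with an sts:ExternalId condition; the sample documents, account ID and External ID are constructed placeholders.

```python
import fnmatch

# Actions from the permissions table above, keyed by IAM service prefix (assumed).
REQUIRED = {
    "ec2": ["DescribeInstances", "DescribeSecurityGroups"],
    "elasticloadbalancing": ["DescribeTargetGroups", "DescribeLoadBalancers",
                             "DescribeTargetHealth"],
    "inspector": ["ListFindings", "ListAssessmentRuns", "DescribeAssessmentRuns",
                  "DescribeFindings", "ListAssessmentTemplates", "PreviewAgents"],
    "ecr": ["ListTagsForResource", "ListImages", "DescribeImages",
            "DescribeRepositories"],
    "ecs": ["DescribeClusters", "ListContainerInstances",
            "DescribeContainerInstances", "ListClusters"],
    "securityhub": ["DescribeProducts", "GetFindings", "GetInsightResults",
                    "ListTagsForResource", "DescribeHub", "GetInsights"],
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, services):
    """Return (missing, extra) for the selected services. IAM action names are
    case-insensitive and may contain wildcards, so compare lowercased globs."""
    wanted = {f"{s}:{a}".lower() for s in services for a in REQUIRED[s]}
    allowed = set()
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            allowed |= {a.lower() for a in _listify(stmt.get("Action", []))}
    missing = sorted(w for w in wanted
                     if not any(fnmatch.fnmatchcase(w, p) for p in allowed))
    extra = sorted(allowed - wanted)  # wildcards and actions the table does not list
    return missing, extra

def trust_pins_external_id(trust):
    """True only if every sts:AssumeRole Allow statement pins sts:ExternalId."""
    stmts = [s for s in _listify(trust.get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _listify(s.get("Action", []))]
    return bool(stmts) and all(
        "sts:ExternalId" in s.get("Condition", {}).get("StringEquals", {})
        for s in stmts)

# Constructed sample documents (placeholders, not output of "Download Policy").
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Resource": "*", "Action": ["ec2:DescribeInstances", "ecr:*", "s3:GetObject"]}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
```

For the sample policy with EC2 and ECR selected, the audit reports ec2:describesecuritygroups as missing and flags ecr:* and s3:getobject as broader than the table requires.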


Service Mapping

| Service | Visibility on the Vulcan Platform |
| --- | --- |
| EC2 | Assets > Hosts |
| EC2 security groups | Assets > Hosts > Hosts details |
| ECR | Assets > Code Project |
| ECS | Assets > Code Project |
| Inspector Classic | Vulnerabilities |


Retrieving AWS ECR vulnerabilities

To enable the retrieval of AWS ECR vulnerabilities, set up the following configuration in the AWS connector:

  1. Make sure AWS ECR, AWS Inspector, and AWS Security Hub are selected.

  2. Follow the AWS Connector configuration instructions as described here.

  3. For the Security Hub Products setting, make sure Inspector is selected.

    Note: The configuration of AWS ECR vulnerabilities can be done in addition to any other AWS connector configuration.
