1. Censys
  2. Censys Attack Surface Management
  3. Cloud Connectors
  4. Legacy Cloud Connectors

Other Articles In This Section

In this article:

Set Up AWS Account Access (Manual)

  • Updated
Tip
 Censys Rapid Setup will automatically set up all of this IAM infrastructure and generate a aws_cc_config.yml file for you!

Introduction

The cloud connector requires the AWS SecurityAudit policy to be applied to each user or role that is reading from an account.

In the configuration of the Censys ASM Cloud Connector (aws_cc_config.yml), you can provide user credentials for each account, or user credentials for a primary account that has role assumption capabilities in secondary accounts, or a mix of both.

A guide for each authentication method is provided below.

Method 1: Create a User for Each Account

If you have only one or a small number of accounts, you can create a user in each account with the SecurityAudit permission policy attached and input those credentials to the configuration file.

Step One: IAM Users

Log into the AWS account whose assets you would like to feed into the Censys ASM platform.

Navigate to IAM Provisioning.

aws-menu-iam.png

Click the Users item from the left menu.

On the Users page, click the Add User button.

iam-add-user.png

Step Two: Add User

On page one of the Add User flow, give the user a name (e.g., censys_asm_cloud_connector) and check the box next to Programmatic Access. Then, click Next.

iam-add-user-1.gif

Step Three: Assign Permissions

On page two, set the permissions of the user. Click the tile that says, "Attach existing policies directly." In the search bar, type "SecurityAudit," and check the box next to the policy that appears in the results. Then, click Next.iam-add-user-2.gif

Step Four: Tag User

On page three, add tags to the user according to your organization’s best practices. Then, click Next.

iam-add-user-3.png

Step 5: Create User and Save Credentials

On page four, review your selections. Then, click Create user.

iam-add-role-4.png

On the confirmation page, download or copy the credentials.

iam-add-user-success.png

Now that you have a user with the appropriate permissions, you are ready to add the AWS account number and user credentials to the Censys ASM Cloud Connector configuration (aws_cc_config.yml) file.

Method 2: Create a Role for Cross-Account-Based Authentication

If your organizations uses many AWS accounts and you want to centralize the Censys ASM Cloud Connector’s auditing access to those accounts, you can use cross-account authentication.

To enable cross-account authentication, you’ll need to create an IAM user in your primary account, and create a role for that user to assume in each secondary account.

Step 1: Create Role

Log into the (secondary) AWS account you would like to access via an assumed role.

Navigate to IAM Provisioning.

aws-menu-iam.png

Click the Roles item from the left menu.

On the Roles page, click the Create role button.

iam-add-role.png

Step 2: Select Entity to Assume Role

On page one, select the trusted entity that will assume the role you’re creating. Click the tile that says, "Another AWS User." In the search bar, type "SecurityAudit," and check the box next to the policy that appears in the results.

You can optionally require an external ID. The cloud connector supports the use of an external ID, but it is not required as there is no third party access.

Then, click Next.

iam-add-role-1.png
Warning
 Do not select the checkbox next to Require MFA.

Step 3: Set Role Permissions

On page two, set the permissions of the role. In the search bar, type "SecurityAudit," and check the box next to the policy that appears in the results. Then, click Next.

iam-add-role-2.gif

Step 4: Tag Role

On page three, add tags to the role according to your organization’s best practices. Then, click Next.

iam-add-role-3.png

Step 5: Name Role

On page four, give your role a name and an optional description and review your selections. Then, click Create role.

iam-add-role-4.png

On the list page, a success banner will confirm that the role has been created.

iam-add-role-success.png

Repeat steps 1-5 for each secondary account you’d like to monitor.

Important
 The name of the role MUST be exactly the same in every account.

Give a User the Ability to Assume the New Role(s)

Now that the audit role is available in your accounts, you’ll create a user in the primary AWS account which will access the other accounts by assuming the new role.

Step 6: Log In and Add (Cross-Account) User

Log into the AWS account whose user will access your other accounts.

Navigate to IAM Provisioning.

aws-menu-iam.png

Click the Users item from the left menu.

On the Users page, click the Add User button.

iam-add-user.png

Step 7: Set Cross-Account User Details

On page one of the Add User flow, give the user a name (e.g., censys_asm_cloud_connector) and check the box next to Programmatic Access. Then, click Next.

iam-add-user-1.gif

Step 8: Set Cross-Account User Permissions

On page two, set the permissions of the user. Click the tile that says, "Attach existing policies directly."

Then, click the grey button directly below the tiles called Create policy.

iam-add-cross-account-user-2.gif

Step 9: Create Policy for Cross-Account Role Assumption

On the Create policy page that opens in a new tab, expand the "Service" options, then search for and select "STS."

iam-create-policy-1.gif

In the "Actions" section, expand "Write" and select the check box next to Assume Role.

iam-create-policy-2.gif

In the "Resources" section, leave the "Specific" radio button selected and click the Add ARN linked text in the "role" subsection.

iam-create-policy-3.png

In the modal that pops up, change the "Account" selection to any by typing an asterisk () in the text input or by selecting the check box next to *Any.

Copy the name of the role you created in your other AWS accounts (Step 5: Name Role of the Role Creation process) into the text input for Role name with path.

Then, click Add.

iam-create-policy-4.png

Then, click Review Policy.

On the Review page, give your policy a name (e.g., assume_censys_asm_role) and optional description.

iam-create-policy-5.png

Then, click Create policy.

On the policies list page, a success banner will confirm that the policy has been created.

iam-create-policy-success.png

Close this tab and return to the Add User page.

Step 10: Attach New Policy to User

Back on page two, with the "Attach existing policies directly" tile selected, type the name of your newly created policy, and check the box next to it in the results list.

Then, click Next.

iam-add-cross-account-user-3.gif

Step 11: Add Tags to User

On page three, add tags to the user according to your organization’s best practices. Then, click Next.

iam-add-user-3.png

Step 12: Create User and Save Credentials

On page four, review your selections. Then, click Create user.

iam-add-cross-account-user-4.png

On the confirmation page, download or copy the credentials.

iam-add-user-success.png

Now that you have a cross-account user with the appropriate permissions, you are ready to add the AWS account numbers and user credentials to the Config file (aws_cc_config.yml).

Create Config File

Copy the file named aws_cc_config.yml.example and rename as aws_cc_config.yml. Open aws_config.yml with an editor and replace the example values with values corresponding to your AWS accounts.

Example YAML for Accounts Accessed via a User

For each account number that Censys will access directly via a user, the access key and secret will need to be provided, along with a list of the regions where your services are running.

accounts:
 - account_number: 444XXXXXXXXX
   aws_access_key: AKIAU3JWEKXXXXXXXXXX
   aws_secret_access_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
   regions:
    - us-west-1

Example YAML for Accounts Accessed via a Role

If one account will access other accounts via an assumed role, the access key and secret for the primary account will need to be provided, along with the name of the role to assume in other accounts. For the other accounts, only the account number and regions where your services are running are needed.

primary_aws_access_id: AKIAU3JWEKXXXXXXXXXX
primary_aws_access_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXX
role_to_assume: role_name

accounts:
 - account_number: 444XXXXXXXXX
   regions:
   - us-west-1

Other Optional Fields You Can Specify for Each Account

  • session_duration: The number of seconds the cloud connector is given in each account to connect to your services and collect public-facing identifiers. The default is 3600.

  • role_session_name: The session name that will show up in Cloudtrail logs. The default is censys_cloud_connector.

  • external_id: An additional ID that the user in the primary account can supply when accessing roles in secondary accounts. This field is necessary if you chose to require it during role set-up and must match the string you specified.

Note
 The cloud connector is much more efficient if you define the regions where your services are running; however, the script will still work if you leave the regions list empty or remove it.

After listing each account and the required information, save changes and close the file.

Now you’re ready for Set Up the Censys ASM Cloud Connector for AWS!

Related articles

Comments

0 comments

Article is closed for comments.