Set Up AWS Account Access (Manual)
Tip: Censys Rapid Setup will automatically set up all of this IAM infrastructure and generate an aws_cc_config.yml file for you!
Introduction
The cloud connector requires the AWS SecurityAudit policy to be applied to each user or role that is reading from an account.
In the configuration of the Censys ASM Cloud Connector (aws_cc_config.yml), you can provide user credentials for each account, user credentials for a primary account that has role assumption capabilities in secondary accounts, or a mix of both.
A guide for each authentication method is provided below.
Method 1: Create a User for Each Account
If you have only one or a small number of accounts, you can create a user in each account with the SecurityAudit permission policy attached and input those credentials to the configuration file.
Step One: IAM Users
Log into the AWS account whose assets you would like to feed into the Censys ASM platform.
Navigate to IAM Provisioning.

Click the Users item from the left menu.
On the Users page, click the Add User button.
Step Two: Add User
On page one of the Add User flow, give the user a name (e.g., censys_asm_cloud_connector) and check the box next to Programmatic Access. Then, click Next.

Step Three: Assign Permissions
On page two, set the permissions of the user. Click the tile that says, "Attach existing policies directly." In the search bar, type "SecurityAudit," and check the box next to the policy that appears in the results. Then, click Next.
Step Four: Tag User
On page three, add tags to the user according to your organization’s best practices. Then, click Next.

Step Five: Create User and Save Credentials
On page four, review your selections. Then, click Create user.

On the confirmation page, download or copy the credentials.

Now that you have a user with the appropriate permissions, you are ready to add the AWS account number and user credentials to the Censys ASM Cloud Connector configuration file (aws_cc_config.yml).
Method 2: Create a Role for Cross-Account-Based Authentication
If your organization uses many AWS accounts and you want to centralize the Censys ASM Cloud Connector’s auditing access to those accounts, you can use cross-account authentication.
To enable cross-account authentication, you’ll need to create an IAM user in your primary account, and create a role for that user to assume in each secondary account.
Step 1: Create Role
Log into the (secondary) AWS account you would like to access via an assumed role.
Navigate to IAM Provisioning.

Click the Roles item from the left menu.
On the Roles page, click the Create role button.

Step 2: Select Entity to Assume Role
On page one, select the trusted entity that will assume the role you’re creating. Click the tile that says, "Another AWS User." In the search bar, type "SecurityAudit," and check the box next to the policy that appears in the results.
You can optionally require an external ID. The cloud connector supports the use of an external ID, but it is not required as there is no third party access.
Then, click Next.

Warning: Do not select the checkbox next to Require MFA.
Step 3: Set Role Permissions
On page two, set the permissions of the role. In the search bar, type "SecurityAudit," and check the box next to the policy that appears in the results. Then, click Next.

Step 4: Tag Role
On page three, add tags to the role according to your organization’s best practices. Then, click Next.

Step 5: Name Role
On page four, give your role a name and an optional description and review your selections. Then, click Create role.

On the list page, a success banner will confirm that the role has been created.

Repeat steps 1-5 for each secondary account you’d like to monitor.
Important: The name of the role MUST be exactly the same in every account.
Give a User the Ability to Assume the New Role(s)
Now that the audit role is available in your accounts, you’ll create a user in the primary AWS account which will access the other accounts by assuming the new role.
Step 6: Log In and Add (Cross-Account) User
Log into the AWS account whose user will access your other accounts.
Navigate to IAM Provisioning.

Click the Users item from the left menu.
On the Users page, click the Add User button.

Step 7: Set Cross-Account User Details
On page one of the Add User flow, give the user a name (e.g., censys_asm_cloud_connector) and check the box next to Programmatic Access. Then, click Next.

Step 8: Set Cross-Account User Permissions
On page two, set the permissions of the user. Click the tile that says, "Attach existing policies directly."
Then, click the grey button directly below the tiles called Create policy.
Step 9: Create Policy for Cross-Account Role Assumption
On the Create policy page that opens in a new tab, expand the "Service" options, then search for and select "STS."

In the "Actions" section, expand "Write" and select the check box next to Assume Role.

In the "Resources" section, leave the "Specific" radio button selected and click the Add ARN linked text in the "role" subsection.

In the modal that pops up, change the "Account" selection to any by typing an asterisk (*) in the text input or by selecting the check box next to Any.
Copy the name of the role you created in your other AWS accounts (Step 5: Name Role of the Role Creation process) into the text input for Role name with path.
Then, click Add.

Then, click Review Policy.
On the Review page, give your policy a name (e.g., assume_censys_asm_role) and an optional description.

Then, click Create policy.
On the policies list page, a success banner will confirm that the policy has been created.

Close this tab and return to the Add User page.
Step 10: Attach New Policy to User
Back on page two, with the "Attach existing policies directly" tile selected, type the name of your newly created policy, and check the box next to it in the results list.
Then, click Next.

Step 11: Add Tags to User
On page three, add tags to the user according to your organization’s best practices. Then, click Next.

Step 12: Create User and Save Credentials
On page four, review your selections. Then, click Create user.

On the confirmation page, download or copy the credentials.

Now that you have a cross-account user with the appropriate permissions, you are ready to add the AWS account numbers and user credentials to the config file (aws_cc_config.yml).
Create Config File
Copy the file named aws_cc_config.yml.example and rename it aws_cc_config.yml. Open aws_cc_config.yml with an editor and replace the example values with values corresponding to your AWS accounts.
Example YAML for Accounts Accessed via a User
For each account number that Censys will access directly via a user, the access key and secret will need to be provided, along with a list of the regions where your services are running.
accounts:
  - account_number: 444XXXXXXXXX
    aws_access_key: AKIAU3JWEKXXXXXXXXXX
    aws_secret_access_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
    regions:
      - us-west-1
Example YAML for Accounts Accessed via a Role
If one account will access other accounts via an assumed role, the access key and secret for the primary account will need to be provided, along with the name of the role to assume in other accounts. For the other accounts, only the account number and regions where your services are running are needed.
primary_aws_access_id: AKIAU3JWEKXXXXXXXXXX
primary_aws_access_secret_id: XXXXXXXXXXXXXXXXXXXXXXXXX
role_to_assume: role_name
accounts:
  - account_number: 444XXXXXXXXX
    regions:
      - us-west-1
Other Optional Fields You Can Specify for Each Account
- session_duration: The number of seconds the cloud connector is given in each account to connect to your services and collect public-facing identifiers. The default is 3600.
- role_session_name: The session name that will show up in CloudTrail logs. The default is censys_cloud_connector.
- external_id: An additional ID that the user in the primary account can supply when accessing roles in secondary accounts. This field is necessary if you chose to require it during role set-up and must match the string you specified.
Note: The cloud connector is much more efficient if you define the regions where your services are running; however, the script will still work if you leave the regions list empty or remove it.
After listing each account and the required information, save changes and close the file.
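Before handing the file to the connector, it is worth checking that every secondary account entry would actually produce a valid STS AssumeRole call (12-digit account id, session_duration inside the STS limits, matching role name, external ID only where the role demands it). The script below is an added example, not part of the Censys connector; it assumes the YAML has already been loaded into a dict, and SAMPLE_CONFIG is a constructed stand-in for that dict with fake key material.

```python
"""Pre-flight checks for a cross-account aws_cc_config.yml (added example, not part of
the Censys connector). Assumes the YAML is already loaded into a dict via yaml.safe_load."""
import re
# Constructed sample in the "Accounts Accessed via a Role" layout; key material is fake.
SAMPLE_CONFIG = {
    "primary_aws_access_id": "AKIAEXAMPLEEXAMPLE01",
    "primary_aws_access_secret_id": "EXAMPLE-SECRET-NOT-REAL",
    "role_to_assume": "censys_asm_audit_role",
    "accounts": [
        {"account_number": "444455556666", "regions": ["us-west-1"], "external_id": "constructed-id"},
        {"account_number": "7777", "regions": [], "session_duration": 60},  # two mistakes
    ],
}

def validate_config(cfg):
    """Return problems STS would reject, found before any network call is made."""
    problems = []
    for acct in cfg.get("accounts", []):
        num = str(acct.get("account_number", ""))
        if not re.fullmatch(r"\d{12}", num):
            problems.append(f"account_number {num!r} is not a 12-digit AWS account id")
        dur = acct.get("session_duration", 3600)
        # STS accepts 900..43200 s, further capped by the role's MaxSessionDuration (1 h by default).
        if not 900 <= dur <= 43200:
            problems.append(f"{num}: session_duration {dur} outside 900..43200")
    return problems

def assume_role_params(cfg, acct):
    """Build the sts.assume_role() keyword arguments for one secondary account."""
    params = {
        "RoleArn": f"arn:aws:iam::{acct['account_number']}:role/{cfg['role_to_assume']}",
        "RoleSessionName": acct.get("role_session_name", "censys_cloud_connector"),
        "DurationSeconds": acct.get("session_duration", 3600),
    }
    if acct.get("external_id"):  # only when the role's trust policy requires one
        params["ExternalId"] = acct["external_id"]
    return params

def check_live(cfg):
    """Attempt every assumption for real with boto3 (needs network and valid credentials)."""
    import boto3  # imported here so the static checks work without boto3 installed
    sts = boto3.client("sts", aws_access_key_id=cfg["primary_aws_access_id"],
                       aws_secret_access_key=cfg["primary_aws_access_secret_id"])
    for acct in cfg["accounts"]:
        try:
            arn = sts.assume_role(**assume_role_params(cfg, acct))["AssumedRoleUser"]["Arn"]
            print("OK  ", arn)
        except Exception as exc:  # AccessDenied usually means a role-name or trust-policy mismatch
            print("FAIL", acct["account_number"], exc)
```

Run validate_config() first and fix anything it reports; check_live() then shows, per account, whether the primary user's credentials and the identically named role line up before the connector ever runs.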
Now you’re ready for Set Up the Censys ASM Cloud Connector for AWS!