1. Censys
  2. Censys Attack Surface Management
  3. Cloud Connectors
  4. Legacy Cloud Connectors

Other Articles In This Section

In this article:

AWS Cloud Connector - Cross-Account Rapid Deployment

  • Updated

Time Required: 30m

 

Add assets from all of your AWS accounts for the most up-to-date view of your cloud attack surface.

Ready to get started? Here’s what you need:

  • Your Censys ASM API key, located on the Integrations page of the app.

  • Sufficient privileges in your Primary AWS account to run a CloudFormation StackSet across all of your AWS accounts (e.g., admin).

  • Sufficient privileges in your Primary AWS account to run a CloudFormation StackSet to create roles, policies, and ECS services (e.g., admin).

Getting Started

Log in to your Primary AWS account and navigate to Cloud Formation.

1: Create a Role via CloudFormation StackSets

Use the Censys-provided template to create a role in all of your accounts for cross-account access.

  1. From the CloudFormation landing page, click StackSets.
  2. Click the Create StackSet button.
  3. In the Prerequisite section, select the "Template is ready" option.
  4. In the Specify template section, select "Amazon S3 URL" and paste this URL into the box:
https://censys-cloud-connector.s3.us-east-2.amazonaws.com/CensysRoleDeploy.json

Click Next.

mceclip1.png

1a: Specify StackSet details

On the second page:

  1. Give the StackSet a name, which can include uppercase and lowercase letters, numbers, and dashes.
  2. In the Parameters section, paste in your Primary AWS Account ID.

Click Next.

mceclip0.png

1b: Configure StackSet options

On the third page, nothing needs to be specified, as this stack will use all of the default options.

You can optionally tag this stack with tags according to your organization’s best practices.
Click Next.

mceclip2.png

 

1c: StackSet deployment options

On the fourth page, you'll specify the StackSet deployment options. Censys suggests deploying the StackSet to your organization to ensure that all AWS Accounts are accounted for.

  1. In the Deployment targets section, keep the default option of "Deploy to organization," or specify only certain organizational units.
  2. In the Specify regions section, add your preferred region.
    click Next.

mceclip3.png

mceclip5.png

1d: Review & Submit

On the review page, check all of the settings and confirm that you are aware that this stack will create a role with a custom name in order to run properly by checking the box next to the acknowledgment statement.

mceclip6.png

When this StackSet completes successfully, you'll have the required cross-account role set up to allow the Cloud Connector to read from all of your AWS accounts.

2: Create the Cloud Connector via CloudFormation Stack

The second step of operationalizing the Cloud Connector is to create the Fargate infrastructure.  Use the Censys-provided template to create the Fargate container and supporting infrastructure.

  1. From the CloudFormation landing page, click Stack.
  2. Click the Create stack button and choose the With new resources (standard) option.
  3. In the Prerequisite section, select the "Template is ready" option.
  4. In the Specify template section, select "Amazon S3 URL," then paste the URL into the box:
https://censys-cloud-connector.s3.us-east-2.amazonaws.com/CensysFargateDeploy.json

Click Next.

mceclip7.png

2a: Specify stack details

On the second page:

  1. Give the stack a name, which can include uppercase and lowercase letters, numbers, and dashes.
  2. In the Parameters section:
  • Paste in your Censys API key from the Integrations page of the Censys ASM app.
  • Set the number of hours the Cloud Connector should wait between runs by selecting a number from the dropdown menu under the "ExecutionFrequency" parameter.
  • Select your preferred Logging Level.
  • Enter the name you chose for your StackSet in step 1a.

Click Next.

mceclip8.png

2b: Configure stack options

On the third page, nothing needs to be specified, as this stack will use all of the default options.

You can optionally tag this stack with tags according to your organization’s best practices.

Click Next.

mceclip9.pngmceclip10.png

2c: Review & Create

On the review page, check all of the settings and confirm that you are aware that this stack will create a role with a custom name in order to run properly by checking the box next to the acknowledgment statement.

mceclip12.png

Then, click Create stack.

If this step fails, the template will roll back any changes to your account. Please screenshot or copy any errors and pass them along to support@censys.io.

Confirm Results in ASM App

Visit the Seeds page in the app to confirm you’re seeing seeds with labels that begin with AWS: [service-name] - XXXXX.

Note: It may take up to the value specified for "ExecutionFrequency" in step 2a for the Cloud Connector to run for the first time.

 

mceclip13.png

Please contact support@censys.io for questions, feature requests, or support.

Related articles

Comments

0 comments

Article is closed for comments.