# AWS

# Overview

EASM is capable of performing automated security assessments of AWS cloud environments by enumerating resources, identifying vulnerabilities, and generating actionable reports for security professionals.

# AWS resource discovery

The EASM module automatically discovers and catalogs AWS resources across all regions, providing comprehensive visibility into your cloud environment.

  • Supports a wide range of AWS services, including EC2, S3, IAM, RDS, Lambda, EKS, and many others
  • Collects detailed metadata for each resource, including configurations, access policies, and relationships
  • Identifies DNS configurations via Amazon Route 53

# Vulnerability detection and risk assessment

In addition to resource discovery, EASM executes a wide variety of security tests across your AWS environment, performing exhaustive configuration checks, permission audits, and exposure analyses to identify potential attack vectors and misconfigurations. It automatically prioritizes vulnerabilities based on severity and potential impact, enabling security teams to rapidly address critical issues such as publicly exposed S3 buckets and misconfigured access controls.

# Automatic remediation

As your cloud environment evolves, EASM dynamically updates its asset inventory to reflect newly discovered resources, configuration changes, and deletions. When vulnerabilities are remediated, their statuses are automatically updated within the module, providing your team with timely and accurate feedback.

These and future AWS-focused EASM capabilities can be enabled by following the integration steps below.

# IAM Role

EASM utilizes the AssumeRole API for AWS integrations. You must create an IAM role in your AWS account to grant EASM authorized access to your cloud environment.

# Role Creation

  1. Log in to your AWS console and navigate to the IAM page.
  2. Navigate to Access Management > Roles.
  3. Click "Create Role".
  4. Select "AWS Account" underneath "Trusted Entity Type".
  5. Select "Another AWS Account" and provide the ID 339712971568.
  6. Select "Require External ID" and provide a secure, randomly generated password.
    • Save this value, as you will need to provide it when adding the account in EASM
    • AWS stipulates that the ExternalId must match the regular expression `[\w+=,.@:\/-]*`
  7. Select "Next" to advance to the Add Permissions page.
  8. Search for the AWS-managed policy named SecurityAudit and select the checkbox next to it.
    • The SecurityAudit managed policy grants read-only access to many AWS services, enabling EASM to analyze configurations and resources.
  9. Select "Next" to proceed to the Name, Review, and Create page.
  10. Enter the name NetSPI-IAM-ExecutionRole for the role, then review the Trusted Entities section. The trust policy should look like the following:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "339712971568"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "[RANDOM PASSWORD]"
                }
            }
        }
    ]
}
```
  11. Ensure that the SecurityAudit policy appears in the permissions section, then select "Create role".
  12. Use the search bar to navigate to the newly created role and take note of the ARN.
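As an added example (not part of NetSPI's guide or product), the following Python script generates an External ID within the character set AWS permits and checks an IAM trust policy document against the requirements above: the only trusted principal is the EASM account, and sts:AssumeRole is gated on the sts:ExternalId condition. It goes slightly beyond the guide by also flagging a wildcard or foreign principal and a missing condition; the function names are my own.

```python
import re
import secrets
import string

EASM_ACCOUNT_ID = "339712971568"               # trusted principal from the guide
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*")  # character set AWS stipulates for ExternalId


def generate_external_id(length: int = 32) -> str:
    """Random ExternalId from a CSPRNG, using a subset of the allowed characters."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]


def check_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return findings for a trust policy; an empty list means it matches the guide."""
    findings = []
    assume = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not assume:
        findings.append("no Allow statement for sts:AssumeRole")
    allowed = {EASM_ACCOUNT_ID, f"arn:aws:iam::{EASM_ACCOUNT_ID}:root"}
    for stmt in assume:
        principal = stmt.get("Principal", {})
        for p in _as_list(principal.get("AWS") if isinstance(principal, dict) else principal):
            if p not in allowed:  # catches "*" and any account other than EASM's
                findings.append(f"unexpected principal {p!r} (expected only the EASM account)")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match the value registered in EASM")
        elif not ext or not EXTERNAL_ID_RE.fullmatch(ext):
            findings.append("sts:ExternalId contains characters AWS does not allow")
    return findings


def build_trust_policy(external_id: str) -> dict:
    """Trust policy in the shape shown in the guide, with the placeholder filled in."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EASM_ACCOUNT_ID},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}
```

Run `check_trust_policy` against the trust document returned by `aws iam get-role` once the role exists, passing the External ID you saved in step 6.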

# Add account to EASM

  1. Log into the NetSPI Platform.
  2. Expand the Assets dropdown in the navigation bar and select EASM Assets.
  3. Select the Add Asset button and navigate to the Cloud tab within the sidebar window.
  4. Expand the Cloud Provider dropdown and select Amazon Web Services (AWS).
  5. Provide a logical name for the account, the ARN of the IAM role you set up, and the sts:ExternalId you provided.
  6. Select Add. If the provided credentials are valid, the account will appear in the Cloud Account asset table.