# AWS
EASM supports AWS integrations to expand the functionality of various EASM capabilities. EASM can identify a range of exposures and cloud security vulnerabilities including:
- Public domain and IP address exposures across multiple AWS services
- S3 buckets with excessively permissive Access Control Lists (ACL)
- S3 buckets with excessively permissive policies
These and future AWS-focused EASM capabilities can be enabled by following the integration steps below.
# IAM Role
EASM integrates into AWS by using the AssumeRole API. To enable that, you must create an IAM role in your account that grants NetSPI's EASM AWS account permission to assume that role.
# Role Creation
1. Log in to your AWS console and navigate to the IAM page.
2. Navigate to Access Management > Roles.
3. Click "Create Role".
4. Select "AWS Account" underneath "Trusted Entity Type".
5. Select "Another AWS Account" and provide the ID `339712971568`. Select "Require External ID" and provide a secure, randomly generated password.
    - Save this value, as you will need to provide it when adding the account in EASM.
    - AWS stipulates that the ExternalId must match the regular expression `[\w+=,.@:\/-]*`.
6. Select "Next" to advance to the Add Permissions page.
7. Open a new tab in IAM and go to the "Policies" page. Select "Create Policy".
8. In the newly opened browser window, paste the following JSON template. Note that some of the permissions in this template reflect future resources EASM plans to track and may not currently be available in EASM.

    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAddresses",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpcEndpointServices",
                    "appsync:ListDomainNames",
                    "appsync:ListGraphqlApis",
                    "cloudfront:ListDistributions",
                    "eks:ListClusters",
                    "elasticbeanstalk:DescribeEnvironments",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "es:ListDomainNames",
                    "kafka:DescribeCluster",
                    "kafka:ListClusters",
                    "lightsail:GetInstances",
                    "lightsail:GetLoadBalancers",
                    "organizations:ListAccounts",
                    "rds:DescribeDBClusterEndpoints",
                    "rds:DescribeDBClusters",
                    "rds:DescribeDBInstances",
                    "rds:DescribeDBProxies",
                    "rds:DescribeDBProxyEndpoints",
                    "redshift:DescribeClusters",
                    "route53:ListHostedZones",
                    "route53:ListResourceRecordSets",
                    "route53:ListTagsForResource",
                    "route53domains:ListDomains",
                    "route53domains:GetDomainDetail",
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketPolicy",
                    "s3:GetBucketAcl"
                ],
                "Resource": "*"
            }
        ]
    }
    ```

9. Select "Next", then provide a name for the policy. Select "Create Policy".
10. Return to the role creation window, refresh the list of policies, and select the checkbox for the newly created policy. Select "Next".
11. Enter a name for the role, then review the Trusted Entities section. The trust policy should look like this:

    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                    "AWS": "arn:aws:iam::339712971568:root"
                },
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "[RANDOM_PASSWORD]"
                    }
                }
            }
        ]
    }
    ```

12. Ensure that the newly created policy appears in the permissions section, then select "Create Role". Note the role ARN.
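The `sts:ExternalId` condition in the trust policy is what keeps this cross-account setup safe: without it, anyone who could persuade NetSPI's account to assume roles on their behalf could reach yours (the confused-deputy problem). The script below is an added example, not NetSPI's or AWS's code. It generates an ExternalId that satisfies AWS's character constraint, builds the trust policy document from the steps above with the NetSPI account ID, and reviews both a trust policy and a permissions policy for the properties you would want to confirm before selecting "Create Role". The function names, the "read-only means Describe/List/Get" rule, and the sample policy under `__main__` are my own assumptions; the account ID, the ExternalId regex and the policy layout come from the page.

```python
"""Added example (not NetSPI's or AWS's code): build and review the
cross-account trust policy for the EASM IAM role described above."""
import json
import re
import secrets

# Account ID of NetSPI's EASM AWS account, as given on the page.
NETSPI_ACCOUNT_ID = "339712971568"
# Character constraint AWS places on sts:ExternalId (regex from the page).
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:\/-]*$")
# API-name prefixes treated as read-only in the permissions review (assumption).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def is_valid_external_id(value: str) -> bool:
    """True if the value is non-empty and uses only the characters AWS allows."""
    return bool(value) and EXTERNAL_ID_RE.fullmatch(value) is not None


def generate_external_id(n_bytes: int = 32) -> str:
    """Random ExternalId; token_urlsafe emits [A-Za-z0-9_-], a subset of the allowed set."""
    return secrets.token_urlsafe(n_bytes)


def build_trust_policy(external_id: str, trusted_account: str = NETSPI_ACCOUNT_ID) -> dict:
    """Trust policy matching the page: only the trusted account may call
    sts:AssumeRole, and only when it presents the agreed ExternalId."""
    if not is_valid_external_id(external_id):
        raise ValueError("ExternalId violates AWS's allowed character set")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy: dict) -> list:
    """Review a trust policy; an empty list means it has the properties we want."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or "*" in _as_list(principal.get("AWS")):
            findings.append("AssumeRole is allowed for any AWS principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
        elif ext == "[RANDOM_PASSWORD]":
            findings.append("ExternalId placeholder from the template was never replaced")
        elif len(ext) < 16:
            findings.append("ExternalId is shorter than 16 characters")
    return findings


def non_read_only_actions(policy: dict) -> list:
    """Actions in a permissions policy that are not Describe/List/Get calls."""
    bad = []
    for stmt in policy.get("Statement", []):
        for action in _as_list(stmt.get("Action")):
            _, _, api = action.partition(":")
            if not api.startswith(READ_ONLY_PREFIXES):
                bad.append(action)
    return bad


if __name__ == "__main__":
    ext_id = generate_external_id()
    print("ExternalId (store it; EASM asks for it when adding the account):", ext_id)
    print(json.dumps(build_trust_policy(ext_id), indent=2))
    # Constructed permissions policy with one write action slipped in.
    sample = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Action": ["s3:ListAllMyBuckets", "s3:GetBucketAcl", "s3:PutBucketAcl"],
              "Resource": "*"}]}
    print("Non-read-only actions:", non_read_only_actions(sample))
```

If you prefer the CLI to the console, the printed trust policy can be saved to a file and passed to `aws iam create-role --assume-role-policy-document file://trust.json`, with the permissions policy created by `aws iam create-policy` and attached by `aws iam attach-role-policy`. Running `non_read_only_actions` over the permissions template from the steps above returns an empty list, since every action it grants is a Describe, List or Get call.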
# Add account to EASM
- Log in to the NetSPI Platform.
- Select or hover over EASM in the left navigation and select Assets to display the Assets page.
- Select Cloud Account from the Assets list on the left side of the page, then select the Add Cloud Account button.
- Provide a logical name for the account, the ARN of the IAM role that you set up, and the `sts:ExternalId` you provided.
- Select Add.