# AWS

## Overview

EASM can perform automated security assessments of AWS cloud environments by enumerating resources,
identifying vulnerabilities, and generating actionable reports for security professionals.

### AWS resource discovery

The EASM module automatically discovers and catalogs AWS resources across all regions,
providing comprehensive visibility into your cloud environment.

- Supports a wide range of AWS services, including EC2, S3, IAM, RDS, Lambda, EKS, and many others
- Collects detailed metadata for each resource, including configurations, access policies, and relationships
- Identifies DNS configurations via Amazon Route 53

### Vulnerability detection and risk assessment

In addition to resource discovery, EASM executes a wide variety of security tests across your AWS environment,
performing exhaustive configuration checks, permission audits, and exposure analyses to identify potential
attack vectors and misconfigurations. It automatically prioritizes vulnerabilities based on severity and potential
impact, enabling security teams to rapidly address critical issues such as publicly exposed S3 buckets and
misconfigured access controls.

### Automatic remediation

As your cloud environment evolves, EASM dynamically updates its asset inventory to reflect newly discovered resources,
configuration changes, and deletions. When vulnerabilities are remediated, their statuses are automatically updated within
the module, providing your team with timely and accurate feedback.

These and future AWS-focused EASM capabilities can be enabled by following the integration steps below.

## IAM Role

EASM utilizes the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API
for AWS integrations. You must create an IAM role in your AWS account to grant EASM authorized access to
your cloud environment.

### Role Creation

1. Log in to your AWS console and navigate to the IAM page.
2. Navigate to Access Management > Roles.
3. Click "Create Role".
4. Select "AWS Account" underneath "Trusted Entity Type".
5. Select "Another AWS Account" and provide the ID `339712971568`.
6. Select "Require External ID" and provide a secure, randomly generated password.
   - Save this, as you will need to provide it when adding the account in EASM
   - AWS stipulates the ExternalId must match the regular expression `[\w+=,.@:\/-]*`
7. Select "Next" to advance to the Add Permissions page.
8. Search for the AWS-managed policy named `SecurityAudit` and select the checkbox next to it.
   - The `SecurityAudit` managed policy grants read-only access to many AWS services, enabling EASM to analyze
     configurations and resources.
9. Select "Next" to proceed to the Name, Review, and Create page.
10. Enter the name `NetSPI-IAM-ExecutionRole` for the role, then review the Trusted Entities section. The trust
policy should look like the following:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "339712971568"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "[RANDOM PASSWORD]"
                }
            }
        }
    ]
}
```

11. Ensure that the `SecurityAudit` policy appears in the permissions section, then select "Create role".
12. Use the search bar to navigate to the newly created role and take note of the ARN.
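Before adding the account in EASM, it is worth confirming that the trust policy you created matches the shape shown above: a single `Allow` statement for `sts:AssumeRole`, a principal limited to the `339712971568` account (the console normalizes a bare account ID to `arn:aws:iam::339712971568:root`), and a `sts:ExternalId` condition that is non-empty, is no longer the placeholder, and satisfies the AWS character constraint quoted in step 6. The script below is an added example, not part of the EASM documentation or product; it generates an ExternalId that meets that constraint and checks a trust policy document (the sample policies it builds are constructed for the check, and the `build_trust_policy` and `check_trust_policy` helpers are this example's own).

```python
"""Generate an ExternalId and validate an IAM role trust policy for a third-party AssumeRole integration.

Added example, not part of the EASM documentation. It assumes the trust policy is a JSON
document in the shape shown on the page; the account ID is the one given there, and the
sample policies built below are constructed inputs for exercising the checker.
"""
import json
import re
import secrets
from typing import List, Optional

# Character constraint AWS stipulates for sts:ExternalId (quoted on the page).
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:\/-]*")
# Trusted account ID from the page; the console stores it as the :root ARN form.
EXPECTED_ACCOUNT = "339712971568"
PLACEHOLDER = "[RANDOM PASSWORD]"  # the placeholder value shown in the page's sample policy


def generate_external_id(nbytes: int = 32) -> str:
    """Return a random ExternalId that satisfies the AWS constraint.
    token_urlsafe emits only [A-Za-z0-9_-], all of which the pattern permits."""
    ext = secrets.token_urlsafe(nbytes)
    assert EXTERNAL_ID_RE.fullmatch(ext)
    return ext


def build_trust_policy(principal: str, external_id: Optional[str]) -> str:
    """Constructed sample trust policy in the page's shape (hypothetical helper for testing)."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=4)


def check_trust_policy(policy_json: str, expected_account: str = EXPECTED_ACCOUNT) -> List[str]:
    """Return findings for a trust policy; an empty list means it matches the expected shape."""
    findings: List[str] = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allow)}")
    allowed_principals = {expected_account, f"arn:aws:iam::{expected_account}:root"}
    for stmt in allow:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRole"]:
            findings.append(f"unexpected actions: {actions}")
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principal, str):
            aws_principal = [aws_principal]
        if not aws_principal:
            findings.append("no AWS principal specified")
        for p in aws_principal:
            if p not in allowed_principals:  # catches "*" and any other account
                findings.append(f"principal not restricted to account {expected_account}: {p}")
        ext_ids = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_ids is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
            continue
        if isinstance(ext_ids, str):
            ext_ids = [ext_ids]
        for ext in ext_ids:
            if not ext or ext == PLACEHOLDER:
                findings.append("ExternalId is empty or still the placeholder")
            elif not EXTERNAL_ID_RE.fullmatch(ext):
                findings.append("ExternalId contains characters AWS does not permit")
    return findings


if __name__ == "__main__":
    ext_id = generate_external_id()
    print("generated ExternalId:", ext_id)
    good = build_trust_policy(EXPECTED_ACCOUNT, ext_id)
    print("good policy findings:", check_trust_policy(good))
    # Constructed weak policy: any principal, no ExternalId condition.
    print("weak policy findings:", check_trust_policy(build_trust_policy("*", None)))
```

To check the role you actually created, paste its trust policy from the console into a file and call `check_trust_policy(open("trust.json").read())`; anything other than an empty list means the role is broader than the integration needs or is missing the ExternalId that prevents another tenant from asking EASM to assume your role.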

