#AWS

The NetSPI Platform's CAASM module has a broad integration with Amazon Web Services (AWS).

#Supported asset types

The AWS integration provides the NetSPI Platform visibility into the following asset types:

Networks
Systems
IPV4 addresses
Cloud resources: IAM User, IAM Role, Cloud Account, S3, Lambda, RDS, ALB, NLB, WAF

#Endpoints used

The following endpoints are used in this AWS integration.

#EC2 (Elastic Compute Cloud)


describe_regions
describe_subnets
describe_images
describe_instances
describe_iam_instance_profile_associations

#ECS (Elastic Container Service)


list_clusters
describe_clusters
list_services
describe_services
list_task_definitions
describe_task_definition

#ELB (Elastic Load Balancer)

describe_load_balancers

#IAM (Identity and Access Management)


list_users
list_roles
list_groups
list_policies
list_mfa_devices
list_user_policies
list_role_policies
list_groups_for_user
list_attached_user_policies
list_attached_role_policies
get_role_policy
get_user_policy
get_group_policy
get_policy_version
get_instance_profile

#Lambda

list_functions

#RDS (Relational Database Service)

describe_db_instances

#S3 (Simple Storage Service)

list_bucketshead_bucket

#Security Hub

list_finding_aggregatorsget_finding_aggregatorget_findings

#WAF (Web Application Firewall)

list_web_acls

#Workspaces

describe_workspace_bundles

#Supported AWS services

This AWS integration supports the following AWS services.

Requirements

At least one of these products must be properly licensed in order for the integration to work.

EC2
S3
VPC
IAM
Lambda
RDS
WAF
ELB
ECS
Workspaces
Security Hub

Similar to the other NetSPI Platform integrations, the AWS integration is read-only and does not perform actions to configure systems or otherwise change anything about your AWS environment.

#Required permissions

This integration requires:

An AWS trust relationship between the NetSPI Platform and your AWS environment
A new role in your AWS environment

See Step one: AWS policy configuration, item 3, below, for the full list of permissions that this integration requires.

#Configuration steps

Use the section below for configuring AWS to integrate with the NetSPI Platform.

#AWS system configuration

The AWS system configuration consist of two steps: AWS policy configuration and AWS role configuration.

#Step one: AWS policy configuration

Navigate to https://console.aws.amazon.com/iam and log in as an administrative user.
In the navigation pane, navigate to Access Management -> Policies and select the Create Policy button in the upper right.

Copy the following policy into the JSON tab and select the Next: Tags button at the bottom of the page.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "iam:GenerateServiceLastAccessedDetails",
                "iam:Get*",
                "iam:List*",
                 "iam:GenerateCredentialReport",
                 "ecs:Describe*",
                "eks:Describe*",
                "eks:List*",
                "ecs:List*",
                "ec2:Get*",
                "es:List*",
                "elasticloadbalancing:Describe*",
                "ssm:Get*",
                "ssm:List*",
                "ssm:Describe*",
                "rds:List*",
                "rds:Describe*",
                "s3:List*",
                "s3:Get*",
                "cloudtrail:Get*",
                "cloudtrail:List*",
                "cloudtrail:Describe*",
                "cloudfront:List*",
                "cloudfront:Get*",
                "Workspaces:Describe*",
                "Workspaces:List*",
                "Lambda:Get*",
                "Lambda:List*",
                "apigateway:Get*",
                "route53:Get*",
                "route53:List*",
                "organizations:Describe*",
                "organizations:List*",
                "securityhub:Get*",
                "securityhub:List*",
                "securityhub:Describe*",
                "waf:GetWebACL",
                "waf:ListWebACLs",
                "waf-regional:GetWebACL",
                "waf-regional:GetWebACLForResource",
                "waf-regional:ListWebACLs",
                "wafv2:GetWebACL*",
                "wafv2:GetWebACLForResource",
                "wafv2:ListWebACLs"
            ],
            "Resource": "*"
        }
    ]
}

Adding a tag is optional and may be skipped if desired. Select the Next: Review button at the bottom of the page.
Name the policy netspi-read-access (or a similar, easily identifiable name) and select the Create policy button at the bottom of the page.

#Step two: AWS role configuration

In the IAM navigation pane, select Access management -> Roles and select the Create role button in the upper right.
Select the radio button associated with the AWS account entity type.
Select the Another AWS account radio button and paste the NetSPI Platform AWS account ID to create the trust relationship: 899138803732
Under options, select the Require external ID checkbox and specify a random value for the external ID.
Note
Please ensure you make a note of the random external ID you generate for step 4 above, as you will need this value when configuring the AWS integration in the NetSPI Platform.
Select the Next button and choose the custom policy you created in the Step one: AWS policy configuration instructions above.
Select the Next button and name the role "NetspiReadOnly". When finished, select the Create role button in the lower right.
Navigate back to the list of IAM roles, locate the "NetspiReadOnly" role you just created above, and select it.
On the role summary page, copy the role ARN by selecting the copy icon as illustrated above.

#NetSPI Platform CAASM configuration

Use the steps below to configure the AWS Integration in the NetSPI Platform.

Log into the NetSPI Platform as a Client Admin user.
Navigate to Settings -> CAASM Integrations to display the Integrations page.
Select the Integration Library tab -> Integration Categories / Cloud -> AWS.
This brings the AWS integration card into focus.
Note
You can also locate the integration card by:
- Scrolling down the page on the Integration Library tab
- Filter the integration options displayed by selecting any of the other left navigation choices besides Integration Categories, e.g., by Modules or Integration Scopes (cloud or on premise)
- Enter the integration name in the Search integration bar
Select the Add button on the AWS card to display the AWS integration configuration page.
Select and enter values for the following fields.
1. Select the integration type from the Integration drop-down list. In this case, AWS, which is already selected by default.
2. Select the integration scope from the Scope drop-down list. The AWS integration can only run on a cloud scope, which was configured by NetSPI and Cloud displays as the default value.
3. Enter an integration name and description in the Integration Name and Description fields.
4. Select the Enabled slider button to display as either on (blue) or off (light gray).
5. Paste the ARN copied from Step 8 of the Step two: AWS role configuration above into the Role ID field.
6. Enter or copy/paste the random External ID generated in Step 4 of the Step two: AWS role configuration above to the External ID field.
7. If additional ARN's need to be added, select the Add button to display additional Role ID and External ID fields.
Select Create to create the integration. The new integration now displays on the Applied Integrations tab with its statuses: current and last run, last run time, and status (enabled/disabled).
AWS Docs Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html