AWS

Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like AWS.

AWS is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally.

AWS Resource Discovery

To perform auto discovery of your AWS resources for your service catalog, configure8 utilizes a an Identity and Access Management (IAM) role that delegates read-only permission for the configure8 discovery workers to read the AWS service metadata. That metadata is then recorded within your configure8 catalog for service mapping and drift detection. Each discovery worker runs in its own isolated container to ensure there is no cross pollination of resources for an organization.

For your convenience, configure8 has built an AWS CloudFormation template to assist you in creating the proper IAM role.

Connecting multiple AWS Accounts

If you have multiple AWS accounts in your organization AWS Stack Sets can provide a scalable solution to deploy our CloudFormation templates to all the accounts.

configure8 can help you to batch add the credentials to the system once you have created the IAM roles.

Creating an AWS Credential

To connect your AWS account to configure8, perform the following steps.

Start by launching the configure8 discovery AWS CloudFormation template in your account to create the delegated read-only permissions for the discovery workers.

Launch the template in the AWS Console

Once the CloudFormation template is successfully deployed. Navigate to the Outputs tab of the deployed template and copy the Value of the discoveryRoleArn. This Amazon Resource Name (ARN) is used in the following steps to configure your AWS credential in configure8.

To create an AWS credential, navigate to the Credentials page by clicking on the "lock" icon on the menu bar.

Next, select the Add Credential button.

From the Add Credential pop-up, select AWS from the list of available providers.

Next, enter a Name for the new credential so you can recognize it and paste the discoveryRoleArn value, the Amazon Resource Name (ARN), created when you deployed the AWS CloudFormation template in your AWS account.

Turn on switcher in case you would like also to fetch AWS Security Hub Findings. Learn more about it here or read this to understand how configure8 handles this integration.

In case when Security Hub is not enabled or this ARN doesn't have proper permissions from AWS side, you will be notified by next message:

Select Save to create your AWS credential in configure8. The configure8 app will automatically validate the credentials to make sure they work. If they do not, the credentials will not be saved and you will be prompted to fix them.

Activating STS

If you receive an error saying STS is not activated in this region for account: xxxxxx, your administrator needs to enable STS for that region. To activate AWS STS:

1. Sign in as a root user or an IAM user with permissions to perform IAM administration tasks.

2. Open the IAM console and in the navigation pane choose Account settings.

3. If necessary, expand Security Token Service (STS), find the Region that you want to activate, and then choose Activate or Deactivate. For Regions that must be enabled, we activate STS automatically when you enable the Region. After you enable a Region, AWS STS is always active for the Region and you cannot deactivate it. To learn how to enable a Region, see Managing AWS Regions in the AWS General Reference.

You can read more on Amazon's documentation site here.

Scheduling a discovery

configure8 can auto discover the Cloud resources within your AWS account on an ad-hoc basis or by leveraging our scheduling engine to scan for new resources on a 24/48 hour interval.

To create a discovery job for your AWS account, start by navigating to the Credentials page by navigating to the Settings (gear) icon on the left hand side navigation.

Find the credentials you would like to schedule for auto discovery, select the ellipse button to display the context menu and select the View option.

From the pop-up under the Discovery section, you can schedule an on-going auto discovery of your resources by toggling on the Auto Discovery switch if not enabled, then choosing a frequency from the Schedule dropdown and selecting Save.

From the pop-up under the Manual Discovery section, you can also run an ad-hoc discovery simply by clicking Run Now.

Update Auto Discovery Role

As configure8 continue to expand the supported AWS services, the existing cross account access role for the auto discovery engine needs updated to reflect the new requested permissions required to read your used AWS service metadata.

To update the auto discovery role created in the Create an AWS Credential section above, perform the following:

1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation

2. Select the region where you initially deployed the Auto Discovery CloudFormation template

3. In the AWS CloudFormation console, from the list of stacks, select the running stack that you want to update. If you used the default name for the template, it would be c8-discovery-job-worker

4. In the stack details pane, choose Update.

5. Select Replace current template and specify the location of the updated template in the Specify template section.

6. Choose Amazon S3 URL. Paste the URL for the template https://configure8-resources.s3.us-east-2.amazonaws.com/cloudformation/configure8-discovery-autodeploy.yaml, and then choose Next.

7. On the Specify stack details page, choose Next.

8. On the Configure stack options page, select Next.

9. Review the stack information and any changes that you submitted. Select I acknowledge that this template may create IAM resources to specify that you want to use IAM resources in the template.

10. When you are satisfied with your changes, choose Update stack. CloudFormation displays the stack details page for your stack, with the Events pane selected. Your stack now has a status of UPDATE_IN_PROGRESS. After CloudFormation has successfully finished updating the stack, it sets the stack status to UPDATE_COMPLETE.

    If the stack update fails, CloudFormation; automatically rolls back changes, and sets the stack status to UPDATE_ROLLBACK_COMPLETE.

Resource Permissions

The configure8 CloudFormation template provisions a discovery role with read-only permissions to the following services:

• AWS Certificate Manager

• AWS App Mesh

• AWS AppSync

• Amazon Athena

• Auto Scaling

• AWS CloudFormation

• Amazon CloudFront

• Amazon CloudWatch

• Amazon DynamoDB

• Amazon EC2

• Amazon ECS

• Amazon EKS

• Amazon EMR

• Amazon ElasticCache

• Amazon OpenSearch Service

• Amazon Kinesis

• Amazon S3

• Amazon S3 Glacier

• AWS Health

• Amazon MSK

• AWS Lambda

• Amazon MQ

• Amazon QLDB

• Amazon RDS

• Amazon Redshift

• Amazon Route53

• Amazon SageMaker

• Savings Plan

• AWS Security Hub

• Amazon SES

• Amazon SQS

• Amazon SNS

• Amazon Timestream

• AWS Trusted Advisor

• IAM Account Aliases

Kubernetes (EKS)

configure8 now supports deep discovery of EKS Pods and Containers. EKS Kubernetes resources are not a part of regular AWS Resources and require their own authentication.

To connect each cluster and discover pods, configure8 needs to extend the clusters configuration by adding the configure8 discovery role arn:aws:iam::{accountId}:role/c8-discovery-role to the Kubernetes ConfigMap for each of your clusters (be sure to substitute your account id in for {accountID}!).

To connect your EKS Clusters to configure8, each cluster admin should perform the following steps:

Execute the following command:

$ kubectl edit -n kube-system configmaps aws-auth

Add the following lines to the mapRoles section:

- groups:
  - c8-read-only-access-group
  rolearn: arn:aws:iam::{accountId}:role/c8-discovery-role
  username: system:node:{{SessionName}}

In order to get read-only access on a Kubernetes cluster in AWS, configure8 needs to use the following k8s RBAC configuration file c8-read-access.yaml.

Apply this configuration with the following command:

$ kubectl apply -f c8-read-access.yaml

Configure8 uses a direct connection to your k8 cluster, so your cluster needs to be reachable by configure8’s servers. The minimum required cluster configurations are:

endpointPublicAccess :true
publicAccessCidrs
- 3.134.237.30/32
- 18.190.3.63/32
- 3.131.181.75/32
- 3.210.168.212/32
- 50.19.64.133/32
- 52.2.58.185/32

AWS Cost Data Configuration

To configure AWS cost data to be ingested to configure8, follow this steps:

General AWS services costs

1. Create a cloud formation stack with the following content (here) within the us-east-1 region. It will create resources with AWS::CUR::ReportDefinition and an S3 bucket in your account.

Kubernetes cluster costs

1. To bring in costs from Kubernetes, you should apply the following configuration to your EKS cluster (here)

2. Additionally, if you don't already have opencost installed, you will need to install it (it will include Prometheus) to the EKS cluster. The instructions can be found here: https://www.opencost.io/docs/install.

Once these tasks are completed, the data will start to appear in your resource catalog, typically in 12-24 hours. Read more about our to use our Collaborative Cost Management approach.

Configuring AWS Security Hub plugin for your Services

Adding a AWS Security Hub plug-in to your service overview page. To add a AWS security Hub plug-in to your service, start by selecting a service from your catalog Services listing.

1. On the service detail page, you'll find an "Add Plugin" button. Click on it to proceed.

In the Plugins dialog that appears, you'll see a list of available plugins. Locate the "AWS Security Hub" plugin and click the "Add" button next to it.

After adding the plugin, you'll be prompted to provide a title for the selected plugin. You can either modify the title as needed or use the default one.

• The AWS Security Hub plugin doesn't require specific credentials. It leverages all AWS credentials that have Security Hub discovery enabled and resources related to the selected service. To view the list of related resources, go to the Service -> Environments tab. There, you will find a list of environments and their associated resources.

• Based on the findings from all resources related to this specific service, the plugin will display statistics of findings.

1. The plugin presents statistics for all resources related to the service, grouped by severity. You can also apply filters based on the types of findings.

2. To view the details of specific severity findings, simply click on the desired severity level. This action will open the global AWS Security Hub: Findings page with a predefined filter, allowing you to explore the findings related to the selected severity.

By following these steps, you can easily configure the AWS Security Hub plugin for your service, gain insights into the security posture of your resources, and efficiently manage potential security issues.