How to Configure an AWS Data Source

This article provides detailed steps to set up an AWS data source for discovery.

Prerequisites

  1. To grant Hydden API access, create a user account in AWS IAM for your region, for example, https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users. Name the user account HyddenAPIAccess or similar.

  2. Create an Access Key, select OTHER as the use case, and press Next.

  3. Enter a description, for example Hydden Collector API Access.

  4. Select the create key button.

  5. Copy the Access Key (Hydden Client ID) and Secret Access Key (Hydden Client Secret) and save them in your vault; they are needed later, when you configure the collector credentials during data source setup. For example:

    • Client ID: CLIE3TXK37JNBTNIDVJ
    • Client Secret: cCLIEFDMW5cRVW/onkIajrBiMyI/IX5u8J3JAbqIDo15
  6. In AWS IAM, go to the Permissions tab for the user and assign a policy that grants the Hydden collector the permissions it needs. The following policy grants full list and read rights over IAM objects:

    {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "iam:GetPolicyVersion",
                 "iam:GetAccountPasswordPolicy",
                 "iam:ListRoleTags",
                 "iam:GetMFADevice",
                 "iam:ListServerCertificates",
                 "iam:GenerateServiceLastAccessedDetails",
                 "iam:ListServiceSpecificCredentials",
                 "iam:ListSigningCertificates",
                 "iam:ListVirtualMFADevices",
                 "iam:ListSSHPublicKeys",
                 "iam:SimulateCustomPolicy",
                 "iam:SimulatePrincipalPolicy",
                 "iam:GetAccountEmailAddress",
                 "iam:ListAttachedRolePolicies",
                 "iam:ListOpenIDConnectProviderTags",
                 "iam:ListSAMLProviderTags",
                 "iam:ListRolePolicies",
                 "iam:GetAccountAuthorizationDetails",
                 "iam:GetCredentialReport",
                 "iam:ListPolicies",
                 "iam:GetServerCertificate",
                 "iam:GetRole",
                 "iam:ListSAMLProviders",
                 "iam:GetPolicy",
                 "iam:GetAccessKeyLastUsed",
                 "iam:ListEntitiesForPolicy",
                 "iam:GetUserPolicy",
                 "iam:ListGroupsForUser",
                 "iam:GetAccountName",
                 "iam:GetGroupPolicy",
                 "iam:GetOpenIDConnectProvider",
                 "iam:ListSTSRegionalEndpointsStatus",
                 "iam:GetRolePolicy",
                 "iam:GetAccountSummary",
                 "iam:GenerateCredentialReport",
                 "iam:GetServiceLastAccessedDetailsWithEntities",
                 "iam:ListPoliciesGrantingServiceAccess",
                 "iam:ListInstanceProfileTags",
                 "iam:ListMFADevices",
                 "iam:GetServiceLastAccessedDetails",
                 "iam:GetGroup",
                 "iam:GetContextKeysForPrincipalPolicy",
                 "iam:GetOrganizationsAccessReport",
                 "iam:GetServiceLinkedRoleDeletionStatus",
                 "iam:ListInstanceProfilesForRole",
                 "iam:GenerateOrganizationsAccessReport",
                 "iam:GetCloudFrontPublicKey",
                 "iam:ListAttachedUserPolicies",
                 "iam:ListAttachedGroupPolicies",
                 "iam:ListPolicyTags",
                 "iam:GetSAMLProvider",
                 "iam:ListAccessKeys",
                 "iam:GetInstanceProfile",
                 "iam:ListGroupPolicies",
                 "iam:ListCloudFrontPublicKeys",
                 "iam:GetSSHPublicKey",
                 "iam:ListRoles",
                 "iam:ListUserPolicies",
                 "iam:ListInstanceProfiles",
                 "iam:GetContextKeysForCustomPolicy",
                 "iam:ListPolicyVersions",
                 "iam:ListOpenIDConnectProviders",
                 "iam:ListServerCertificateTags",
                 "iam:ListAccountAliases",
                 "iam:ListUsers",
                 "iam:GetUser",
                 "iam:ListGroups",
                 "iam:ListMFADeviceTags",
                 "iam:GetLoginProfile",
                 "iam:ListUserTags"
             ],
             "Resource": "*"
         }
     ]
    }
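
Before attaching the policy above, it is worth confirming that it really grants only list and read rights over IAM, as stated. The following Python script is an added example (not Hydden's or AWS's code): it parses a constructed excerpt of the policy, treats Get, List, Generate and Simulate as the read-only verb set (an assumption of this example), and reports any allowed action that is a wildcard, targets another service, or would let the collector modify IAM.

```python
import json

# Constructed excerpt of the article's collector policy; "iam:CreateAccessKey"
# is added deliberately so the check has a mutating action to flag.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:ListUsers",
        "iam:GenerateCredentialReport",
        "iam:SimulatePrincipalPolicy",
        "iam:CreateAccessKey"
      ],
      "Resource": "*"
    }
  ]
}
"""

# IAM action verbs that only read or report; any other verb is treated as mutating.
READ_ONLY_VERBS = ("Get", "List", "Generate", "Simulate")


def find_non_read_only_actions(policy_text):
    """Return allowed actions that are wildcards, non-IAM, or not read-only verbs."""
    policy = json.loads(policy_text)
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":  # Deny statements grant nothing
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a single string
            actions = [actions]
        for action in actions:
            service, _, verb = action.partition(":")
            # Flag wildcards such as "iam:*" or "*", other services, and verbs
            # like Create/Put/Delete/Attach that would let the collector change IAM.
            if "*" in action or service != "iam" or not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


if __name__ == "__main__":
    print(find_non_read_only_actions(POLICY_JSON))  # ['iam:CreateAccessKey']
```

Running it over the full policy from step 6 should return an empty list; anything else means the policy has drifted beyond read-only access.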

AWS Collector

AWS credentials are required to configure an AWS Data Source.

  1. To access the data sources page, navigate to Configuration > Discover and select Data Sources.

    [Image: Data Sources page]

  2. To add a new data source, click + Add Data Source.

  3. Set the Data Source field to AWS.

  4. For Name enter an easy-to-identify name, especially if several data sources for the same service are to be created.

  5. For an AWS Data Source specify:

    1. Regions: Specify the AWS region(s) you would like to collect from, for example, us-east-1 and/or eu-west-1. The list should cover every region you have deployed to in AWS; the available regions can be viewed in the AWS console.
    2. Presets: same as for all the other collectors.
    3. Schedule: same as for all the other collectors.
  6. Add the Cloud Credential for your AWS instance:

    1. For Name enter an easy-to-identify name.
    2. Enter the Access Key (Hydden Client ID) and Secret Access Key (Hydden Client Secret) as previously saved to your vault.
    3. Click Add.
  7. Under Site specify the site matching your client registration site.

  8. Under the Select Account Mapping Rule Set drop-down, select from the following options:

    • Default Rules Only
    • Add All Rules
    • Add All Default Rules
    • Add All Custom Rules
    • Manual Selection: Rules need to be selected from a drop-down menu.

    Any rules added can be removed by clicking the x on the rule name label.

    NOTE: Rules need to be set to enabled on the rule add/edit modal to work in your tenant, refer to Account Mapping.

  9. To enable account mapping or identity creation, select the Enable Automatic Account Mapping and Enable Automatic Identity Creation checkboxes respectively. Both options can be enabled at the same time.

  10. In the Automatic Mapping Rules (Match Account to Identity using) field, rules are either populated automatically based on your selection in the Select Account Mapping Rule Set step, or you add them manually from the drop-down menu. Any rules added can be removed by clicking the x on the rule name label.

  11. From the Automatic Identity Creation Rules (Create New Identity when) drop-down, select the rules you want to use in your environment. Custom rules are listed first. Any rules added can be removed by clicking the x on the rule name label.

  12. Click Add to save the data source. You can also run the data collection manually via the Run Now button.

At this point, you can run a collection from the Data Sources page. Shortly afterwards, your AWS users will be listed on the Identity Posture dashboard, in Global Search, and in the Search Library.