How to Configure an AWS Data Source

This article provides detailed steps to set up an AWS data source for discovery.

Prerequisites

  1. To grant the Hydden collector API access, create a user account in AWS IAM for your region, for example, https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/users. Name the user account HyddenAPIAccess or similar.

  2. Create an Access Key for the user. For the use case, select Other, then press Next.

  3. Enter a description, for example Hydden Collector API Access.

  4. Select the create key button.

  5. Copy the Access Key (the Hydden Client ID) and the Secret Access Key (the Hydden Client Secret) and save them in your vault. You will need them later, when configuring the collector credentials during data source setup, for example:

    • ClientID: CLIE3TXK37JNBTNIDVJ
    • Client Secret: cCLIEFDMW5cRVW/onkIajrBiMyI/IX5u8J3JAbqIDo15
  6. In AWS IAM, open the Permissions tab for the user and attach a policy that grants the Hydden collector the permissions it needs. The following policy grants full list and read rights over IAM objects:

    {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "VisualEditor0",
             "Effect": "Allow",
             "Action": [
                 "iam:GetPolicyVersion",
                 "iam:GetAccountPasswordPolicy",
                 "iam:ListRoleTags",
                 "iam:GetMFADevice",
                 "iam:ListServerCertificates",
                 "iam:GenerateServiceLastAccessedDetails",
                 "iam:ListServiceSpecificCredentials",
                 "iam:ListSigningCertificates",
                 "iam:ListVirtualMFADevices",
                 "iam:ListSSHPublicKeys",
                 "iam:SimulateCustomPolicy",
                 "iam:SimulatePrincipalPolicy",
                 "iam:GetAccountEmailAddress",
                 "iam:ListAttachedRolePolicies",
                 "iam:ListOpenIDConnectProviderTags",
                 "iam:ListSAMLProviderTags",
                 "iam:ListRolePolicies",
                 "iam:GetAccountAuthorizationDetails",
                 "iam:GetCredentialReport",
                 "iam:ListPolicies",
                 "iam:GetServerCertificate",
                 "iam:GetRole",
                 "iam:ListSAMLProviders",
                 "iam:GetPolicy",
                 "iam:GetAccessKeyLastUsed",
                 "iam:ListEntitiesForPolicy",
                 "iam:GetUserPolicy",
                 "iam:ListGroupsForUser",
                 "iam:GetAccountName",
                 "iam:GetGroupPolicy",
                 "iam:GetOpenIDConnectProvider",
                 "iam:ListSTSRegionalEndpointsStatus",
                 "iam:GetRolePolicy",
                 "iam:GetAccountSummary",
                 "iam:GenerateCredentialReport",
                 "iam:GetServiceLastAccessedDetailsWithEntities",
                 "iam:ListPoliciesGrantingServiceAccess",
                 "iam:ListInstanceProfileTags",
                 "iam:ListMFADevices",
                 "iam:GetServiceLastAccessedDetails",
                 "iam:GetGroup",
                 "iam:GetContextKeysForPrincipalPolicy",
                 "iam:GetOrganizationsAccessReport",
                 "iam:GetServiceLinkedRoleDeletionStatus",
                 "iam:ListInstanceProfilesForRole",
                 "iam:GenerateOrganizationsAccessReport",
                 "iam:GetCloudFrontPublicKey",
                 "iam:ListAttachedUserPolicies",
                 "iam:ListAttachedGroupPolicies",
                 "iam:ListPolicyTags",
                 "iam:GetSAMLProvider",
                 "iam:ListAccessKeys",
                 "iam:GetInstanceProfile",
                 "iam:ListGroupPolicies",
                 "iam:ListCloudFrontPublicKeys",
                 "iam:GetSSHPublicKey",
                 "iam:ListRoles",
                 "iam:ListUserPolicies",
                 "iam:ListInstanceProfiles",
                 "iam:GetContextKeysForCustomPolicy",
                 "iam:ListPolicyVersions",
                 "iam:ListOpenIDConnectProviders",
                 "iam:ListServerCertificateTags",
                 "iam:ListAccountAliases",
                 "iam:ListUsers",
                 "iam:GetUser",
                 "iam:ListGroups",
                 "iam:ListMFADeviceTags",
                 "iam:GetLoginProfile",
                 "iam:ListUserTags"
             ],
             "Resource": "*"
         }
     ]
    }
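As an added check that is not part of the Hydden documentation, the following Python lints an IAM policy document before you attach it to the collector user: it confirms that every Allow action is a read or list action on IAM, the shape of the policy above, and flags write verbs, wildcard actions and non-IAM services. The two embedded policy documents are constructed samples, a subset of the policy above and a deliberately over-broad variant.

```python
import json

# Verb prefixes that only read or enumerate IAM state. These are exactly the
# prefixes used by the collector policy in the Prerequisites section.
READ_ONLY_PREFIXES = ("Get", "List", "Generate", "Simulate")


def lint_policy(policy_doc: str) -> list[str]:
    """Return one finding per Allow action broader than read-only IAM access."""
    policy = json.loads(policy_doc)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action": "iam:ListUsers" is valid too
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
                continue
            service, _, verb = action.partition(":")
            if service != "iam":
                findings.append(f"non-IAM action {action!r}")
            elif not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"write action {action!r}")
    return findings


# Constructed subset of the page's collector policy: read/list actions only.
COLLECTOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
                   "Action": ["iam:ListUsers", "iam:GetUser", "iam:ListAccessKeys",
                              "iam:GetCredentialReport", "iam:SimulatePrincipalPolicy"]}],
})

# Constructed over-broad variant that must not be attached to a collector user.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["iam:ListUsers", "iam:CreateAccessKey", "s3:*", "sts:AssumeRole"]}],
})

if __name__ == "__main__":
    for name, doc in (("collector", COLLECTOR_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, lint_policy(doc) or "OK: read-only IAM access only")
```

Run it against the full policy above (saved to a file and passed to lint_policy) before attaching it, and again whenever the policy is edited.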

AWS Collector

AWS credentials are required to configure an AWS Data Source.

  1. To access the data sources page, navigate to Configuration > Discover and select Data Sources.

    [Image: Data Sources page]

  2. To add a new data source, click + Add Data Source.

  3. Set the Data Source field to AWS.

  4. For Name enter an easy-to-identify name, especially if several data sources for the same service are to be created.

  5. For an AWS Data Source specify:

    1. Regions: specify the AWS region(s) you want to collect from, for example, us-east-1 and/or eu-west-1. The list should cover every region you have deployed to in AWS; the available regions can be viewed on the AWS configuration website.
    2. Presets: the same as for all other collectors.
    3. Schedule: the same as for all other collectors.
  6. Add the Cloud Credential for your AWS instance:

    1. For Name enter an easy-to-identify name.
    2. Enter the Access Key (Hydden Client ID) and Secret Access Key (Hydden Client Secret) as previously saved to your vault.
    3. Click Add.
  7. Under Site, specify the site that matches your client registration site.

  8. For Identity Mode, select Account.

  9. On the Add Data Source modal, click Add to save the newly created data source.

At this point you can run a collection from the Data Sources page. Shortly afterwards, your AWS users will appear on the Identity Posture dashboard, in Global Search and in the Search Library.