AWS Provider Setup#

Installation#

Install the AWS CLI.

Authentication#

Configure the AWS CLI.

Configure Cloud Connector IAM#

We recommend deploying a StackSet, but alternative options are available.

Configuration#

The Censys Cloud Connector provider setup CLI will ask a series of questions that have opt-in defaults.

censys-cc config --provider aws

Note

Permissions required during provider setup are described in the Provider Setup Permissions Overview below.

Example AWS Provider Setup: Basic Usage#

Alternative AWS Configuration Options#

Manually create an IAM role and attach either the Least Privilege policy or the Recommended set of policies.

Supported Provider Configurations#

The Censys Cloud Connector officially supports the following IAM configurations:

IAM User in Parent, Assume Role in Children#

This is the recommended configuration if you are running the connector outside of ECS.

- provider: AWS
  account_number: '111111111111'
  access_key: example-access-key-1
  secret_key: example-secret-key-1
  regions:
  - us-east-1
  accounts:
  - account_number: '111111111112'
    role_name: example-role-2
  - account_number: '111111111113'
    role_name: example-role-3

IAM User in Parent, IAM Users in each Child#

- provider: AWS
  account_number: '111111111111'
  access_key: example-access-key-1
  secret_key: example-secret-key-1
  regions:
  - test-region
  accounts:
  - account_number: '111111111112'
    access_key: example-access-key-2
    secret_key: example-secret-key-2

ECS Role in Parent, Assume Role in Children#

This configuration can be used in conjunction with the AWS ECS deployment.

- provider: AWS
  account_number: '111111111111'
  role_name: example-role-1
  role_session_name: censys-cloud-connector
  regions:
  - test-region
  accounts:
  - account_number: '111111111112'
    role_name: example-role-2
    role_session_name: censys-cloud-connector

Provider Setup Permissions Overview#

The permissions used are dependent on the options chosen during setup.

Service         Action              Reason
STS             GetCallerIdentity   Used to find the primary account number
Organizations   ListAccounts        Allows finding accounts within an organization
CloudFormation  ListStackInstances  Allows finding accounts using a specific StackSet instance

Find Accounts Feature#

Add assets from all of your AWS accounts for the most up-to-date view of your cloud attack surface.

Find Accounts by Organizations#

Provider setup will use the Organizations List Accounts feature to find a list of accounts. You will then have the option to choose which accounts are saved into providers.yml.

Example 2#

Asset Deny List#

In certain situations it is desirable not to have assets sent to Censys. This can be accomplished by utilizing the cloud provider’s tagging feature. At this time, only AWS ENI and EC2 tags are supported.

Usage:

  • AWS supports ignore_tags at the provider and account levels in providers.yml.

  • Tags named censys-cloud-connector-ignore are ignored.
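The following is an added example, not code from the Censys Cloud Connector project, showing how the deny list above plays out against a set of EC2/ENI assets. It assumes that provider-level ignore_tags apply to every account under that provider, that account-level ignore_tags are added on top for that account, and that the built-in censys-cloud-connector-ignore tag always applies; the providers.yml fragment is written as a Python dict so the block runs without a YAML parser.

```python
from typing import Iterable

BUILTIN_IGNORE_TAG = "censys-cloud-connector-ignore"

# Constructed stand-in for one AWS entry in providers.yml.
PROVIDER_CONFIG = {
    "provider": "AWS",
    "account_number": "111111111111",
    "ignore_tags": ["do-not-scan"],
    "accounts": [
        {"account_number": "111111111112", "ignore_tags": ["staging-only"]},
        {"account_number": "111111111113"},
    ],
}


def effective_ignore_tags(config: dict, account_number: str) -> set[str]:
    """Tag names that mark an asset as ignored for this account.

    Assumed merge rule: built-in tag + provider-level tags + that account's tags.
    """
    tags = {BUILTIN_IGNORE_TAG, *config.get("ignore_tags", [])}
    for account in config.get("accounts", []):
        if account.get("account_number") == account_number:
            tags.update(account.get("ignore_tags", []))
    return tags


def is_ignored(asset_tags: Iterable[dict], ignore_tags: set[str]) -> bool:
    """True if any boto3-style {'Key': ..., 'Value': ...} tag matches an ignore tag."""
    return any(tag.get("Key") in ignore_tags for tag in asset_tags)


def filter_assets(assets: list[dict], config: dict) -> list[str]:
    """Return ids of the assets that would still be sent to Censys after the deny list."""
    kept = []
    for asset in assets:
        if not is_ignored(asset["tags"], effective_ignore_tags(config, asset["account"])):
            kept.append(asset["id"])
    return kept


# Constructed sample assets (EC2 instances and ENIs) spread across the three accounts.
SAMPLE_ASSETS = [
    {"id": "i-0a1b", "account": "111111111111", "tags": [{"Key": "Name", "Value": "web"}]},
    {"id": "eni-0c2d", "account": "111111111111", "tags": [{"Key": "do-not-scan", "Value": "true"}]},
    {"id": "eni-0e3f", "account": "111111111112", "tags": [{"Key": "staging-only", "Value": "1"}]},
    {"id": "i-0g4h", "account": "111111111113", "tags": [{"Key": "staging-only", "Value": "1"}]},
    {"id": "i-0i5j", "account": "111111111113", "tags": [{"Key": BUILTIN_IGNORE_TAG, "Value": ""}]},
]

if __name__ == "__main__":
    print(filter_assets(SAMPLE_ASSETS, PROVIDER_CONFIG))  # ['i-0a1b', 'i-0g4h']
```

Note that i-0g4h survives because staging-only is configured only for account 111111111112, not 111111111113; a tag meant to exclude assets everywhere belongs at the provider level.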