AWS Provider Setup#
Installation#
Install the AWS CLI.
Authentication#
Configure the AWS CLI.
Configure Cloud Connector IAM#
We recommend deploying a StackSet, but alternative options are available.
Configuration#
The Censys Cloud Connector provider setup CLI will ask a series of questions that have opt-in defaults.
censys-cc config --provider aws
Note
Permissions required during provider setup are described in the Provider Setup Permissions Overview below.
Example AWS Provider Setup: Basic Usage#
Alternative AWS Configuration Options#
Manually create an IAM role and attach either the Least Privilege policy or the Recommended set of policies.
Supported Provider Configurations#
The Censys Cloud Connector officially supports the following IAM configurations:
IAM User in Parent, Assume Role in Children#
This is the recommended configuration if you are running the connector outside of ECS.
```yaml
- provider: AWS
  account_number: '111111111111'
  access_key: example-access-key-1
  secret_key: example-secret-key-1
  regions:
    - us-east-1
  accounts:
    - account_number: '111111111112'
      role_name: example-role-2
    - account_number: '111111111113'
      role_name: example-role-3
```
IAM User in Parent, IAM Users in Each Child#
```yaml
- provider: AWS
  account_number: '111111111111'
  access_key: example-access-key-1
  secret_key: example-secret-key-1
  regions:
    - test-region
  accounts:
    - account_number: '111111111112'
      access_key: example-access-key-2
      secret_key: example-secret-key-2
```
ECS Role in Parent, Assume Role in Children#
This configuration can be used in conjunction with the AWS ECS deployment.
```yaml
- provider: AWS
  account_number: '111111111111'
  role_name: example-role-1
  role_session_name: censys-cloud-connector
  regions:
    - test-region
  accounts:
    - account_number: '111111111112'
      role_name: example-role-2
      role_session_name: censys-cloud-connector
```
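The three layouts above share one schema: every entry carries a 12-digit `account_number` written as a quoted string (unquoted, YAML turns it into an integer and drops leading zeros), and each account authenticates with exactly one of `role_name` (optionally with `role_session_name`) or an `access_key`/`secret_key` pair. The script below is an added example for checking a parsed providers.yml against those rules before running the connector; it is not part of the Censys Cloud Connector code base, and the rule set is this example's reading of the layouts shown on this page rather than an official validator. The good configuration is the Python form of the ECS layout above; the bad one is constructed to trip each check.

```python
"""Sanity-check providers.yml AWS entries for the Censys Cloud Connector.

Added example, not the connector's own code. Feed it the result of
yaml.safe_load(open("providers.yml")) in real use; here the configs are
inlined so the script runs offline.
"""
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")

# Python form of the 'ECS Role in Parent, Assume Role in Children' YAML above.
GOOD_CONFIG = {
    "provider": "AWS",
    "account_number": "111111111111",
    "role_name": "example-role-1",
    "role_session_name": "censys-cloud-connector",
    "regions": ["test-region"],
    "accounts": [
        {"account_number": "111111111112", "role_name": "example-role-2",
         "role_session_name": "censys-cloud-connector"},
    ],
}

# Constructed to fail: unquoted parent account number (parsed as int), parent
# mixing both credential forms, a duplicate child, and a child missing secret_key.
BAD_CONFIG = {
    "provider": "AWS",
    "account_number": 111111111111,
    "access_key": "example-access-key-1",
    "secret_key": "example-secret-key-1",
    "role_name": "example-role-1",
    "regions": ["us-east-1"],
    "accounts": [
        {"account_number": "000011111112", "role_name": "example-role-2"},
        {"account_number": "000011111112", "role_name": "example-role-2"},
        {"account_number": "111111111113", "access_key": "example-access-key-3"},
    ],
}


def credential_kind(entry):
    """'role' for role_name only, 'keys' for access_key+secret_key only, else None."""
    has_role = "role_name" in entry
    has_any_key = "access_key" in entry or "secret_key" in entry
    has_both_keys = "access_key" in entry and "secret_key" in entry
    if has_role and not has_any_key:
        return "role"
    if has_both_keys and not has_role:
        return "keys"
    return None


def check_entry(entry, where, problems):
    """Checks shared by the parent entry and each child account."""
    num = entry.get("account_number")
    if not (isinstance(num, str) and ACCOUNT_RE.match(num)):
        problems.append(f"{where}: account_number {num!r} must be a quoted 12-digit string")
    if credential_kind(entry) is None:
        problems.append(f"{where}: needs role_name or access_key+secret_key (not both)")
    if "role_session_name" in entry and "role_name" not in entry:
        problems.append(f"{where}: role_session_name has no effect without role_name")
    return num


def validate_provider(provider):
    """Return a list of problems; an empty list means the entry looks usable."""
    problems = []
    if provider.get("provider") != "AWS":
        problems.append("provider must be 'AWS'")
    parent = check_entry(provider, "parent", problems)
    if not provider.get("regions"):
        problems.append("regions must list at least one region")
    seen = {parent}
    for i, acct in enumerate(provider.get("accounts", [])):
        num = check_entry(acct, f"accounts[{i}]", problems)
        if num in seen:
            problems.append(f"accounts[{i}]: account {num} listed more than once")
        seen.add(num)
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_provider(cfg) or "ok")
```

The duplicate check uses the account number as seen in the file, so an unquoted number that YAML parsed as an integer is reported on its own line rather than silently matching its quoted twin.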
Provider Setup Permissions Overview#
The permissions used are dependent on the options chosen during setup.
Service | Action | Reason
---|---|---
STS | `sts:GetCallerIdentity` | Used to find the primary account number
Organizations | `organizations:ListAccounts` | Allows finding accounts within an organization
CloudFormation | `cloudformation:ListStackInstances` | Allows finding accounts using a specific StackSet instance
Find Accounts Feature#
Add assets from all of your AWS accounts for the most up-to-date view of your cloud attack surface.
Find Accounts by StackSet (recommended)#
Censys provides a CloudFormation StackSet template that creates the CensysCloudConnectorRole in each account it is deployed to. The StackSet also serves as a way to list your organization's account numbers through the CloudFormation Stack Instance API: every account that received a stack instance has the role.
Example 1#
Find Accounts by Organizations#
Provider setup will use the Organizations List Accounts feature to find a list of accounts. You will then have the option to choose which accounts are saved into providers.yml.
Example 2#
Asset Deny List#
In certain situations it is desirable not to have assets sent to Censys. This can be accomplished by utilizing the cloud provider’s tagging feature. At this time, only AWS ENI and EC2 tags are supported.
Usage: AWS supports `ignore_tags` at the provider and account levels in providers.yml. Assets carrying a tag named `censys-cloud-connector-ignore` are ignored.
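The deny list is a key match on the asset's tags: an EC2 instance or ENI is dropped if any of its tag keys is `censys-cloud-connector-ignore` or appears in `ignore_tags`. The following is an added example of that filter, not the connector's own implementation. It assumes, and the page does not state this, that account-level `ignore_tags` extend the provider-level list rather than replace it, and that the built-in tag always applies. The providers.yml entry and the assets are constructed, with tags in the `Tags: [{Key, Value}]` shape boto3 returns from `ec2.describe_instances` and `ec2.describe_network_interfaces`.

```python
"""Apply the Censys Cloud Connector asset deny list to EC2 instances and ENIs.

Added example, not the connector's code. Assumes account-level ignore_tags
add to the provider-level list (an assumption, not documented above).
"""

DEFAULT_IGNORE_TAG = "censys-cloud-connector-ignore"

# Constructed providers.yml entry, already parsed to Python. Equivalent YAML:
#   - provider: AWS
#     account_number: '111111111111'
#     ignore_tags:
#       - do-not-scan
#     accounts:
#       - account_number: '111111111112'
#         role_name: example-role-2
#         ignore_tags:
#           - ephemeral
PROVIDER = {
    "account_number": "111111111111",
    "ignore_tags": ["do-not-scan"],
    "accounts": [
        {"account_number": "111111111112", "role_name": "example-role-2",
         "ignore_tags": ["ephemeral"]},
    ],
}

# Constructed assets per account. Only the tag key matters; values are ignored.
ASSETS = {
    "111111111111": [
        {"id": "i-0aaa", "Tags": [{"Key": "Name", "Value": "web-1"}]},
        {"id": "i-0bbb", "Tags": [{"Key": DEFAULT_IGNORE_TAG, "Value": "true"}]},
        {"id": "eni-0ccc", "Tags": [{"Key": "do-not-scan", "Value": ""}]},
        {"id": "eni-0ddd", "Tags": [{"Key": "ephemeral", "Value": "yes"}]},   # child-only tag
    ],
    "111111111112": [
        {"id": "i-0eee", "Tags": [{"Key": "ephemeral", "Value": "yes"}]},
        {"id": "i-0fff", "Tags": []},
        {"id": "eni-0ggg", "Tags": [{"Key": "Do-Not-Scan", "Value": ""}]},    # keys are case-sensitive
    ],
}


def ignore_tags_for(provider, account_number):
    """Built-in tag plus provider-level plus the matching account's own list."""
    tags = {DEFAULT_IGNORE_TAG, *provider.get("ignore_tags", [])}
    for acct in provider.get("accounts", []):
        if acct.get("account_number") == account_number:
            tags.update(acct.get("ignore_tags", []))
    return tags


def is_denied(asset, ignore_tags):
    """True if any tag *key* on the asset is in the deny set; the value is not consulted."""
    return any(tag.get("Key") in ignore_tags for tag in asset.get("Tags", []))


def assets_to_send(provider, assets_by_account):
    """IDs that would be sent to Censys, per account, after applying the deny list."""
    kept = {}
    for account, assets in assets_by_account.items():
        ignore = ignore_tags_for(provider, account)
        kept[account] = [a["id"] for a in assets if not is_denied(a, ignore)]
    return kept


if __name__ == "__main__":
    for account, ids in assets_to_send(PROVIDER, ASSETS).items():
        print(account, ids)
```

Note that `eni-0ddd` in the parent account survives even though it carries `ephemeral`: that tag is only denied in the child that lists it. AWS tag keys are case-sensitive, so `Do-Not-Scan` does not match `do-not-scan` either; keep the spelling in `ignore_tags` identical to the one your tagging policy enforces.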