In the AWS context, an instance is a copy of an Amazon Machine Image (AMI) running as a virtual server in the AWS cloud. By enabling dynamic discovery of AWS instances, you can scan and report on these instances continually. Cloud assets are discovered through the service provider's APIs, which the scan queries to extract data. AWS API 6.5 is integrated with the solution. The resource scan collects data from AWS using valid credentials to authenticate to the AWS API.

If your Sectona installation is located outside the AWS network, the AWS API must recognize it as a trusted entity before it is allowed to connect and discover AWS instances. To make this possible, create an IAM user in AWS with permissions that support discovery. When you create the IAM user, you also create an access key that Sectona uses to sign in to the API. Learn about IAM Users and how to create them.

If your Sectona instance can authenticate to AWS directly, port 443 must be allowed from the Sectona web access server to AWS. If the Sectona web access server cannot reach AWS directly, add proxy settings when configuring the AWS Resource Discovery Scan, and ensure the proxy server can communicate with AWS over port 443.

Requirement / Description

Connectivity/Ports (Sectona → AWS Console): 443

Credential: When you create an IAM user, make sure to select the option to create an access key ID and secret access key. You will need these credentials when setting up the discovery connection. You will have the option to download these credentials; store them in a safe and secure location. Refer to Configuring Credentials for more details on adding keys for authenticating to AWS APIs.
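The requirements above leave two practical questions open: what the discovery user's permissions should look like, and what the API actually returns once the access key and (optional) proxy are in place. The following Python script is an added example, not Sectona's own code or the product's API. It assumes that instance discovery needs only the read-only ec2:DescribeInstances and ec2:DescribeRegions actions, that the access key ID and secret are supplied through the standard AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables (which boto3 reads by default), and that a site without direct AWS reachability supplies an HTTPS proxy URL on port 443; the proxy_url parameter and the sample response are constructed for illustration.

```python
"""Least-privilege AWS discovery: a read-only IAM policy for the discovery
user, a guard that checks it stays read-only, and a reader for EC2
DescribeInstances output.

Added example (not Sectona's own code). Assumptions: discovery needs only
ec2:DescribeInstances and ec2:DescribeRegions, keys are read from the
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables, and an
optional HTTPS proxy is reached over port 443.
"""
import json

# Assumed minimal policy for an IAM user dedicated to instance discovery:
# only Describe calls, no write actions, no IAM actions.
DISCOVERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"],
            "Resource": "*",
        }
    ],
}


def policy_is_read_only(policy):
    """Return True if every allowed action is a Describe/List/Get call.

    Run this before attaching a policy to the discovery user, so that a
    copy-pasted "ec2:*" never ends up on a credential that sits in a vault
    and is used unattended on a schedule.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _, _, verb = action.partition(":")
            if not verb.startswith(("Describe", "List", "Get")):
                return False
    return True


def instances_from_response(response, region):
    """Flatten one DescribeInstances page into inventory records.

    DescribeInstances groups instances under Reservations; the Name tag is
    optional, and a stopped instance has no private IP, so the state is
    kept next to the address for whoever decides what to onboard.
    """
    records = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            records.append({
                "instance_id": inst["InstanceId"],
                "name": tags.get("Name", ""),
                "state": inst["State"]["Name"],
                "private_ip": inst.get("PrivateIpAddress"),
                "region": region,
            })
    return records


def discover_instances(region, proxy_url=None):
    """Call the AWS API with the vaulted access key and return records.

    boto3 is imported here, not at module level, so the parsing above stays
    testable offline. proxy_url (assumed, e.g. https://proxy.example:443)
    covers sites whose server cannot reach AWS directly.
    """
    import boto3                      # real library, imported only when used
    from botocore.config import Config

    cfg = Config(proxies={"https": proxy_url}) if proxy_url else Config()
    ec2 = boto3.client("ec2", region_name=region, config=cfg)
    records = []
    for page in ec2.get_paginator("describe_instances").paginate():
        records.extend(instances_from_response(page, region))
    return records


# Constructed sample page, shaped like a real DescribeInstances response.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "State": {"Name": "running"},
             "PrivateIpAddress": "10.0.1.25",
             "Tags": [{"Key": "Name", "Value": "app-server-1"}]},
            {"InstanceId": "i-0fedcba9876543210",
             "State": {"Name": "stopped"},
             "Tags": []},
        ]}
    ]
}

if __name__ == "__main__":
    print(json.dumps(DISCOVERY_POLICY, indent=2))
    print("read-only policy:", policy_is_read_only(DISCOVERY_POLICY))
    for rec in instances_from_response(SAMPLE_RESPONSE, "us-east-1"):
        print(rec)
```

The policy check is deliberately strict (anything that is not a Describe, List or Get verb fails it): the discovery credential is long-lived, stored in the vault and exercised on a schedule, so it is the one key on which an over-broad grant would be most costly. If a discovery job returns nothing, confirm outbound 443 (directly or via the proxy) before touching the policy.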

Adding an Amazon Web Service resource scan job

To add a new discovery job, go to Manage → Asset Discovery.

Select AWS in +New Asset Discovery Job and follow the guidelines below.

Attributes / Description

Job details

Job Title: Enter a unique title for your scan job.

Account Name: Provide the username of an account that has the permissions needed to discover other resources. This must be a valid user in the vault; the access key and secret key are taken from the vault.

Schedule Type: Select whether this job should run once or on a recurring schedule. If you select a recurring job, you can choose the days on which it must be executed.

For example, to schedule a job every second day at 5.00 p.m. from 1st January 2018 to scan your network, include the following details:

  Recur every: 2 days
  Task Start: 01 Jan 2018
  Schedule Start Time: 4:30 pm to 5:15 pm

Task Start: Select the date on which the task begins.

Schedule Time: Either choose "Any" or set a specific window with the time at which the task may start and the time by which it must end.

Network Proxy: If the Sectona server cannot communicate with AWS directly, provide valid proxy details to allow communication between the Sectona server and AWS.

Action

Onboard assets: To start the scan manually and assign the discovered assets to profiles yourself, set Onboard asset to 'No'. To add the discovered assets automatically to the existing group with the attributes below, select 'Yes'.

Asset description (optional): The text added here is included in the description field of every discovered asset.

Location (optional): The location added here is included in the location field of every discovered asset. You can configure the system management location here.

Criticality level (optional): The criticality added here is set on every discovered asset. This is important when structuring reports and notifications.

Tags (optional): You can associate an asset with one or more tags, such as Infosec, Banking Core Server, ATM Switches, etc. Refer to section Tags for more information about adding context with tags.

Checkout policy: The default policy is selected. To use a different policy, untick the default option and select a policy from the drop-down list.

Rotation policy: The default policy is selected. To use a different policy, untick the default option and select a policy from the drop-down list.

Reconciliation policy: The default policy is selected. To use a different policy, untick the default option and select a policy from the drop-down list.

Config value 1, Config value 2, Config value 3, Config value 4: A configuration value can be assigned in each of these fields.

Exclude from Account Discovery: When ticked, the accounts on this asset are excluded from the account discovery job.

Owner (optional): If you have owner information for the assets, enter it here.

Tick the Active checkbox and click on the Save button to add the AWS discovery job in the system.

Click the Save + Run Now button to save the job and start the AWS discovery immediately.