Amazon Web Services (AWS) resources
In the AWS context, an instance is a copy of an Amazon Machine Image (AMI) running as a virtual server in the AWS cloud. By enabling dynamic discovery of AWS instances, you can scan and report on these instances continually. Cloud assets are discovered by extracting data through the service provider's APIs; AWS API 6.5 is integrated with the solution. The resource scan collects data from AWS using valid credentials to authenticate to the AWS API.
If your Sectona installation is located outside the AWS network, the AWS API must recognize it as a trusted entity before allowing it to connect and discover AWS instances. To make this possible, create an IAM user in AWS with permissions that support discovery. When you create the IAM user, you also create an access key that Sectona uses to log on to the API. Learn about IAM Users and how to create them.
If your Sectona instance can authenticate to AWS directly, port 443 must be allowed from the Sectona web access server to AWS. If the Sectona web access server cannot authenticate to AWS directly, add proxy settings while configuring the AWS Resource Discovery Scan, and ensure the proxy server can communicate with AWS over port 443.
Requirement | Description |
---|---|
Connectivity/Ports | 443 |
Credential | When you create the IAM user, select the option to create an access key ID and secret access key. You need these credentials when setting up the discovery connection, and you have the option to download them; store them in a safe and secure location. Refer to Configuring Credentials for more details on adding keys for authenticating to AWS APIs. |
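The following Python script is an added pre-flight check for the discovery credential described above; it is not Sectona's code. It assumes boto3 is installed, that the IAM user has at least `ec2:DescribeInstances` (the exact permission set Sectona requires is an assumption here), and that the proxy URL, if any, is reachable from the server on port 443. The `SAMPLE_PAGES` data is constructed to mirror the shape of AWS `DescribeInstances` output.

```python
"""Pre-flight check for an AWS discovery credential (added example, not Sectona's code)."""
from typing import Dict, Iterable, List, Optional

# Constructed sample of paginated DescribeInstances output (trimmed to relevant fields).
SAMPLE_PAGES = [
    {"Reservations": [{"Instances": [
        {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.25", "Placement": {"AvailabilityZone": "eu-west-1a"},
         "Tags": [{"Key": "Name", "Value": "web-01"}, {"Key": "Owner", "Value": "infosec"}]},
        {"InstanceId": "i-0fedcba9876543210", "State": {"Name": "terminated"},
         "Placement": {"AvailabilityZone": "eu-west-1b"}, "Tags": []},
    ]}]},
]


def instances_from_pages(pages: Iterable[Dict], skip_terminated: bool = True) -> List[Dict]:
    """Flatten DescribeInstances pages into asset records suitable for an onboarding job.

    Name, Owner and availability zone are mapped to the asset name, owner and location
    fields; terminated instances are dropped by default so they are not onboarded.
    """
    assets = []
    for page in pages:
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                state = inst.get("State", {}).get("Name")
                if skip_terminated and state == "terminated":
                    continue
                tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
                assets.append({
                    "instance_id": inst["InstanceId"],
                    "name": tags.get("Name", inst["InstanceId"]),
                    "private_ip": inst.get("PrivateIpAddress"),
                    "location": inst.get("Placement", {}).get("AvailabilityZone"),
                    "owner": tags.get("Owner"),
                    "state": state,
                })
    return assets


def discover(access_key: str, secret_key: str, region: str, proxy: Optional[str] = None) -> List[Dict]:
    """Authenticate with the IAM access key over HTTPS (port 443), optionally via a proxy.

    Assumes boto3 is installed; the proxy value (e.g. "http://proxy.example:3128") is an assumption.
    """
    import boto3
    from botocore.config import Config
    cfg = Config(proxies={"https": proxy}) if proxy else Config()
    session = boto3.Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
    session.client("sts", config=cfg).get_caller_identity()  # fails fast on a bad or revoked key
    paginator = session.client("ec2", config=cfg).get_paginator("describe_instances")
    return instances_from_pages(paginator.paginate())
```

Run `discover` with the access key ID and secret from the vault to confirm that connectivity, the proxy and the key's permissions are all correct before saving the scan job.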
Adding an Amazon Web Service resource scan job
To add a discovery job, go to Manage → Discovery → AWS.
Select AWS and follow the recommended guidelines below:
Attributes | Description |
---|---|
Job details | |
Job Title | Enter a unique title for your scan job |
Account Name | Provide the username of an account with the permissions needed to discover other resources. This account must exist in the vault; its access key and secret key are taken from the vault |
Schedule Type | Select whether this job runs once or on a recurring schedule. For a recurring job, choose the days on which it must run. For example, to scan your network every second day at 5.00 p.m. starting 1st January 2018, set Recur every: 2 days |
Task Start | Select the date when the task begins |
Schedule Time | Choose "Any", or set a specific time at which the task may start and by which it must end |
Network Proxy | If the Sectona server cannot communicate with AWS directly, provide valid proxy details to allow communication between the Sectona server and AWS |
Action | |
Onboard assets | Set Onboard assets to 'No' to start the scan manually, with the option to add discovered assets to specific profiles. Select 'Yes' to add discovered assets automatically to existing groups and attributes. |
Asset description (optional) | The text added here is included in the description field of every asset |
Location (optional) | The location added here is included in the location field of every asset. You can configure the system management location here |
Criticality level (optional) | The criticality level added here is applied to every asset. This is important when structuring reports and notifications |
Tags (optional) | You can associate an asset with one or more tags of your choosing, such as Infosec, Banking Core Server, ATM Switches, etc. Refer to the Tags section for more information about adding context with tags. |
Checkout policy | The default policy is selected. To use a different policy, uncheck the default option and select a policy from the drop-down list. |
Rotation policy | The default policy is selected. To use a different policy, uncheck the default option and select a policy from the drop-down list. |
Reconciliation policy | The default policy is selected. To use a different policy, uncheck the default option and select a policy from the drop-down list. |
Config value 1 | The configuration value can be assigned here. |
Config value 2 | The configuration value can be assigned here. |
Config value 3 | The configuration value can be assigned here. |
Config value 4 | The configuration value can be assigned here. |
Exclude from Account Discovery | When ticked, the accounts on this asset are excluded from the account discovery job. |
Owner (optional) | If you keep owner information for all assets, include it here. |
Tick the Active checkbox and click the Save button to add the AWS discovery job to the system.
Click the Save + Run Now button to start the AWS discovery immediately.