Set up an AWS integration | Fluid Attacks Help

Set up an AWS integration

This page provides a comprehensive guide to setting up the necessary AWS resources for security testing with Fluid Attacks' cloud security posture management (CSPM) module and adding new credentials to clone your repository.

AWS setup on Fluid Attacks' platform

To begin, navigate to your group's Scope section on Fluid Attacks' platform to add a CSPM environment. (If you need a refresher on how to reach this point, refer to Find the option for cloud integrations.)

Upon selecting AWS in Cloud name, you encounter two key elements:

  1. Your unique external ID is displayed. This identifier is crucial for setting up the IAM role, so keep it handy.
  2. You are prompted to provide the Amazon Resource Name (ARN) of the AWS IAM role that Fluid Attacks' scanner will use to access and check your cloud resources.

(Image: Set up CSPM for AWS environment on the Fluid Attacks platform)

Follow the steps presented further in this document and then go back to the platform to fill out the remaining fields.

Create an IAM role

To enable the Fluid Attacks scanner to access your AWS resources, you need to set up an IAM role. Once this role is created, its ARN is all you need to start using CSPM.

Before you begin:
  1. Obtain the external ID generated for your organization by Fluid Attacks. (Refer to the previous section for instructions).
  2. Ensure you have an AWS user account with the necessary permissions to create IAM roles and attach policies to them.

Advice on multiple AWS accounts
If your organization has multiple AWS accounts, you can create this role in each account and provide the corresponding ARN when adding credentials or environments.

There are two ways to set up the role:

Manual configuration from AWS management console

Here is how you create the IAM role on the AWS user interface:

  1. Log in to the AWS Management Console and use the search bar to find the IAM service.

    (Image: Find IAM service in AWS Management Console)

  2. In the IAM dashboard, select Roles from the left sidebar menu.

    (Image: Find Roles in the IAM dashboard)

  3. Click the Create role button.

    (Image: Create role in IAM)

  4. In the Trusted entity type section, select Custom trust policy.

    (Image: Create Custom trust policy for Fluid Attacks in IAM)

  5. In the code editor below Custom trust policy, paste the following policy, replacing <YOUR-EXTERNAL-ID> with the external ID provided by Fluid Attacks.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "FluidAttacksAccess",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ArnEquals": {
              "aws:PrincipalArn": "arn:aws:iam::205810638802:role/prod_integrates"
            },
            "StringEquals": {
              "sts:ExternalId": "<YOUR-EXTERNAL-ID>"
            }
          }
        }
      ]
    }

    Here is an explanation of this trust policy:

    • The Principal field is set to *, which by itself would allow any AWS account to assume this role; the Condition block below restricts who can actually do so.
    • The sts:AssumeRole action allows other entities to assume this role.
    • The aws:PrincipalArn condition ensures that, although the principal is open to anyone, the role can only be assumed by Fluid Attacks' production role.
    • Finally, the sts:ExternalId is a shared secret between Fluid Attacks and you and is used to verify that the request to assume the role comes from Fluid Attacks.

  6. After clicking Next, choose the permissions for the role. The ReadOnlyAccess permission (recommended) grants read-only access to all AWS resources.

    (Image: Select IAM role permissions for Fluid Attacks)

    For more granular control, create a custom policy with read-only permissions for specific resources. Here is the list of actions used by the CSPM module to run the checks over your AWS infrastructure:

    apigateway:GET(GetMethod)
    apigateway:GET(GetResources)
    apigateway:GET(GetRestApis)
    autoscaling:DescribeAutoScalingInstances
    cloudfront:GetDistribution
    cloudfront:GetDistributionConfig
    cloudfront:ListDistributions
    cloudtrail:DescribeTrails
    cloudtrail:GetTrailStatus
    cloudtrail:ListTrails
    cognito-idp:GetUserPoolMfaConfig
    dynamodb:DescribeContinuousBackups
    dynamodb:DescribeTable
    dynamodb:ListTables
    ec2:DescribeFlowLogs
    ec2:DescribeImages
    ec2:DescribeInstanceAttribute
    ec2:DescribeInstances
    ec2:DescribeKeyPairs
    ec2:DescribeLaunchTemplateVersions
    ec2:DescribeNetworkAcls
    ec2:DescribeNetworkInterfaces
    ec2:DescribeRegions
    ec2:DescribeSecurityGroups
    ec2:DescribeSnapshots
    ec2:DescribeVolumes
    ec2:DescribeVpcEndpoints
    ec2:DescribeVpcs
    eks:DescribeCluster
    eks:ListClusters
    elasticache:DescribeCacheClusters
    elasticloadbalancing:DescribeListeners
    elasticloadbalancing:DescribeLoadBalancerAttributes
    elasticloadbalancing:DescribeLoadBalancers
    elasticloadbalancing:DescribeSSLPolicies
    elasticloadbalancing:DescribeTags
    iam:GenerateCredentialReport
    iam:GetAccountPasswordPolicy
    iam:GetAccountSummary
    iam:GetCredentialReport
    iam:GetInstanceProfile
    iam:GetLoginProfile
    iam:GetPolicy
    iam:GetPolicyVersion
    iam:GetRolePolicy
    iam:GetUser
    iam:ListAccessKeys
    iam:ListAttachedRolePolicies
    iam:ListAttachedUserPolicies
    iam:ListGroupPolicies
    iam:ListGroups
    iam:ListMFADevices
    iam:ListRolePolicies
    iam:ListRoles
    iam:ListSSHPublicKeys
    iam:ListUserPolicies
    iam:ListUsers
    kms:DescribeKey
    kms:GetKeyPolicy
    kms:GetKeyRotationStatus
    kms:ListAliases
    kms:ListKeyPolicies
    kms:ListKeys
    rds:DescribeDBClusters
    rds:DescribeDBInstances
    rds:DescribeDBSnapshotAttributes
    rds:DescribeDBSnapshots
    redshift:DescribeClusterParameters
    redshift:DescribeLoggingStatus
    s3:GetBucketAcl
    s3:GetBucketLogging
    s3:GetBucketPolicy
    s3:GetBucketVersioning
    s3:GetBucketPublicAccessBlock
    s3:ListAllMyBuckets
    secretsmanager:DescribeSecret
    secretsmanager:ListSecrets
    sns:GetTopicAttributes
    sns:ListTopics
    sqs:GetQueueAttributes
    sqs:ListQueues
    sts:GetCallerIdentity

    If you are cloning a CodeCommit repository, include the corresponding permission. Here is an example of a user-managed policy for CodeCommit repository access following the principle of least privilege:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "LeastPrivilegeCodeCommit",
          "Effect": "Allow",
          "Action": ["codecommit:Get*", "codecommit:GitPull"],
          "Resource": ["<REPO'S ARN>"]
        }
      ]
    }

    Note on permissions for CodeCommit repos: For each resource, create similar statements. Using the read-only AWS managed policies for each resource is recommended.

  7. In the summary, name the role (e.g., "CSPM") and add an optional description.

    (Image: Name the IAM role for Fluid Attacks)

  8. Once the setup is complete, locate the new role in the list of IAM roles.

    (Image: Find IAM role for Fluid Attacks CSPM)

  9. Click on the role to view its details, including the ARN, which you need to provide on the Fluid Attacks platform.

    (Image: Get AWS role ARN for Fluid Attacks CSPM)
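
Before pasting a trust policy (whether into the IAM console or the CloudFormation template), it is worth checking that the two conditions the explanation above relies on are actually present. The following Python check is an added example, not part of the Fluid Attacks documentation: it parses the policy JSON and flags an Allow statement for sts:AssumeRole whose Principal * is not pinned to the production role ARN shown on this page, a missing sts:ExternalId condition, or the placeholder <YOUR-EXTERNAL-ID> left in place. It only recognises the ArnEquals and StringEquals condition keys used on this page, and the sample policies and external ID value are constructed.

```python
import json

# Fluid Attacks' production role, as given in the trust policy on this page.
FLUID_ATTACKS_PRINCIPAL = "arn:aws:iam::205810638802:role/prod_integrates"
PLACEHOLDER_EXTERNAL_ID = "<YOUR-EXTERNAL-ID>"


def _as_list(value):
    # IAM accepts either a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json: str) -> list:
    """Return one finding per weakness in the Allow statements that grant
    sts:AssumeRole; an empty list means every such statement is pinned to
    Fluid Attacks' role and carries a real (non-placeholder) external ID."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        who = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        cond = stmt.get("Condition", {})
        pinned = _as_list(cond.get("ArnEquals", {}).get("aws:PrincipalArn", []))
        external_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if "*" in who and FLUID_ATTACKS_PRINCIPAL not in pinned:
            findings.append(f"{sid}: Principal '*' is not pinned to Fluid Attacks' role via aws:PrincipalArn")
        if external_id is None:
            findings.append(f"{sid}: no sts:ExternalId condition (confused-deputy protection missing)")
        elif external_id == PLACEHOLDER_EXTERNAL_ID:
            findings.append(f"{sid}: sts:ExternalId is still the placeholder from the docs")
    return findings


# Constructed sample: the page's trust policy with a made-up external ID filled in.
GOOD_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "FluidAttacksAccess", "Effect": "Allow",
  "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
  "Condition": {
    "ArnEquals": {"aws:PrincipalArn": "arn:aws:iam::205810638802:role/prod_integrates"},
    "StringEquals": {"sts:ExternalId": "example-external-id-1234"}}}]}"""

# Constructed sample of the usual mistake: the Condition block was dropped,
# so any AWS account could assume the role.
WEAK_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "Open", "Effect": "Allow",
  "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}"""
```

Running check_trust_policy on the file you are about to paste should return an empty list; anything else names the statement and what is missing.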


Use AWS CloudFormation templates

This section outlines how to deploy the necessary resources for the Fluid Attacks CSPM module using AWS CloudFormation.

  1. Create a new file with a .yaml extension (e.g., cspm-role.yaml) and paste the following snippet into it.

    Resources:
      CSPMRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "sts:AssumeRole"
                Principal:
                  AWS:
                    - "*"
                Condition:
                  ArnEquals:
                    aws:PrincipalArn: "arn:aws:iam::205810638802:role/prod_integrates"
                  StringEquals:
                    sts:ExternalId: "<YOUR-EXTERNAL-ID>"
          Description: Role to enable Fluid Attacks CSPM module
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/ReadOnlyAccess
          RoleName: CSPM

  2. Replace <YOUR-EXTERNAL-ID> in the code snippet with the actual external ID provided by Fluid Attacks, then save the file.

  3. Deploy this template using either the AWS CLI or the AWS Management Console.

Using the AWS CLI

To be able to deploy the template using the CLI, you first need to install the AWS CLI and then configure the security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) to authenticate as a user with permissions to read and write CloudFormation and IAM resources. Please refer to the official documentation to see the configuration specifications.

Once that setup is done, do the following:

  1. Execute the following command:

    aws cloudformation deploy --template-file <path/to/template> --stack-name <stack-name> --capabilities CAPABILITY_NAMED_IAM

  2. Once all the resources are deployed, retrieve the ARN of the role with the following command:

    aws iam get-role --role-name "CSPM"

You then receive a JSON response with details about the role, including the ARN.


Using the AWS management console

To deploy the template using the AWS Management Console:

  1. Log into a user account authorized to perform read and write operations for CloudFormation and IAM resources.

  2. Use the search bar to locate and access the CloudFormation service.

    (Image: Find AWS CloudFormation for Fluid Attacks CSPM)

  3. In the CloudFormation dashboard, select Stacks from the left sidebar menu, then click Create stack and select With new resources (standard).

    (Image: Create stack on CloudFormation for Fluid Attacks CSPM)

  4. You begin with the Create stack step. Under Prerequisite - Prepare template, select Template is ready. Under Specify template, select Upload a template file and choose the YAML file you created.

    (Image: Upload CloudFormation template for Fluid Attacks CSPM)

  5. In the Specify stack details step, you are prompted to set the name of the stack to create (e.g., "CSPM").

    (Image: Name CloudFormation stack for Fluid Attacks CSPM)

  6. In the Configure stack options step, you do not need to make any changes.

  7. In the Review step, scroll down to Capabilities and mark the checkbox to give CloudFormation the required permissions to create IAM resources.

    (Image: Set CloudFormation stack capabilities for Fluid Attacks CSPM)

  8. After successful deployment, access the stack from the CloudFormation dashboard and navigate to the Resources tab.

    (Image: See CloudFormation stack resources for Fluid Attacks CSPM)

  9. Click on the physical ID to access the IAM dashboard.

    (Image: Open stack on AWS IAM for Fluid Attacks CSPM)

  10. In IAM, obtain the role's ARN.

    (Image: View IAM role ARN created on CloudFormation for Fluid Attacks CSPM)


Troubleshooting

If you encounter issues while adding your AWS environment to the Fluid Attacks platform, verify the following:

  • The role you created has the required permission ReadOnlyAccess or a custom policy with equivalent permissions.
  • You specified the external ID assigned to your repository in the role's trust policy.
