Amazon Web Services

Community Platform

runZero integrates with Amazon Web Services (AWS) to provide better visibility across your cloud environment. This integration imports data from each applicable API to add detailed information to your asset inventory:

• AWS EC2 API
• AWS RDS API
• AWS ELBv1 API
• AWS ELBv2 API
• AWS Lambda API

Syncing with AWS allows you to quickly identify the number of EC2 instances, elastic load balancers, and relational database services you have running, as well as their region, account, and more.

This integration supports the import of all running EC2 instances, RDS instances, and active application, network, gateway, or classic load balancers. It can be configured to connect to a single AWS account or to all accounts in your organization and imports data across multiple regions.

Getting started

The following AWS resource types are supported:

• EC2 instances
• Elastic load balancers
• RDS instances
• Lambda instances

To set up the AWS integration, you’ll need to:

1. Configure AWS to allow API access through runZero.
2. Add the AWS credential to runZero, which includes the access key and secret key.
3. Choose whether to configure the integration as a scan probe or connector task.
4. Activate the AWS integration to sync your data with runZero.

Requirements

Before you can set up the AWS integration:

• Make sure you have access to the AWS console.
• Make sure you are using AWS Organizations if you want to connect to multiple accounts.

Step 1: Configure AWS to allow API access through runZero

To connect to a single AWS account:

1. Log into the AWS console.
2. Go to Identity and Access Management (IAM) > Users and select the user that will provide API access to runZero.
3. Click Add permissions > Attach existing policies directly. Search for and attach the following policies based on the services you would like to sync:
   • AmazonEC2ReadOnlyAccess to sync EC2 and ELB resources
   • AmazonRDSReadOnlyAccess to sync RDS instances
   • AWSLambda_ReadOnlyAccess to sync Lambda functions
4. From the user summary screen, open the Security credentials tab and click on Create access key.
5. Save the Access key ID and Secret access key.
6. If you intend to sync with AWS regions that are not enabled by default, change the region compatibility of the global STS endpoint to be compatible with All AWS Regions. To do this, in the AWS console navigate to IAM -> Account Settings -> Security Token Service (STS). Then change the Global Endpoint to be compatible with “All AWS Regions.”

To connect to all accounts in your organization:

1. Log into the AWS console.

2. For each account in your organization, create a role and assign the AmazonEC2ReadOnlyAccess, AmazonRDSReadOnlyAccess, and AWSLambda_ReadOnlyAccess policies. You can do this one at a time for each account or use StackSets to deploy the role if you have a large number of accounts:

   Option 1: Create a role using IAM

   1. Go to Identity and Access Management (IAM) > Roles and click Create role.
   2. Choose Another AWS Account for the type of trusted entity.
   3. For Account ID, enter the ID for your organization’s management account.
   4. Click Next: Permissions.
   5. Attach the AmazonEC2ReadOnlyAccess policy if you want to sync EC2 and ELB resources.
   6. Attach the AmazonRDSReadOnlyAccess policy if you want to sync RDS instances.
   7. Attach the AWSLambda_ReadOnlyAccess policy if you want to sync Lambda functions.
   8. Click Next: Tags and add tags optionally.
   9. Click Next: Review and provide a name for the role. (The role must be named the same for all accounts)
   10. Click Create role.

   Option 2: Create and deploy a role to multiple accounts using StackSets

   1. Create an IAM account for runZero to use for AWS access, such as arn:aws:iam:::user.
   2. While logged into your organization’s management account, go to CloudFormation > StackSets and click Create StackSet.
   3. Select Template is ready and upload a file with the JSON template for the stackset provided below. Replace <accountID> with the account ID where the role was created, <userName> with the name of the user you created, and <roleName> with the name of the role. Click next.
   4. Enter a name for the StackSet. Click next.
   5. Optionally set tags. Click next.
   6. Set the deployment options. Click next.
   7. Review and create the StackSet.

3. For your organization’s management account, create an inline policy to allow the STS AssumeRole action.

   1. Go to Identity and Access Management (IAM) > Users and select the user that will provide API access to runZero.
   2. Click Add inline policy.
   3. In the JSON tab, enter the inline policy text from below, replacing <rolename> with the role name.

4. If you intend to sync with AWS regions that are not enabled by default, change the region compatibility of the global STS endpoint in the management account to be compatible with All AWS Regions. To do this, in the AWS console for the management account navigate to IAM -> Account Settings -> Security Token Service (STS). Then change the Global Endpoint to be compatible with “All AWS Regions.”

5. From the user summary screen, open the Security credentials tab and click on Create access key.

6. Save the Access key ID and Secret access key.

7. From the user summary screen, open the Permissions tab and click Add permissions. Attach the AWSOrganizationsReadOnlyAccess policy.

8. (Optional) Attach the AmazonEC2ReadOnlyAccess policy to your organization’s management account if it has EC2 or ELB instances you would like to sync.

9. (Optional) Attach the AmazonRDSReadOnlyAccess policy to your organization’s management account if it has RDS instances you would like to sync.

10. (Optional) Attach the AWSLambda_ReadOnlyAccess policy to your organization’s management account if it has Lambda functions you would like to sync.

StackSet template

{
  "Resources": {
    "IAMrunZeroRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::<accountID>:user/<userName>"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/AmazonEC2ReadOnlyAccess"
              ]
            ]
          },
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/AmazonRDSReadOnlyAccess"
              ]
            ]
          },
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/AWSLambda_ReadOnlyAccess"
              ]
            ]
          }
        ],
        "RoleName": "<roleName>"
      }
    }
  }
}

Inline policy template

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/<rolename>"
    }
  ]
}

Step 2: Add the AWS credential to runZero

1. Go to the Credentials page in runZero and click Add Credential.
2. Provide a name for the credential, like AWS EC2.
3. Choose AWS Access & Secret from the list of credential types.
4. Provide the following information:
   • AWS access key - Access key ID obtained from User > Security credentials > Create access key.
   • AWS secret access key - Secret access key obtained from User > Security credentials > Create access key.
   • AWS role - Assumed role used to connect to other accounts in your organization. It should be named the same across accounts.
   • Select the region(s) that you want to sync.
5. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per organization basis.
6. Save the credential. You’re now ready to set up and activate the connection to bring in data from AWS.

Step 3: Choose how to configure the AWS integration

The AWS integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.

Step 4: Set up and activate the AWS integration to sync data

After you add your AWS credential, you’ll need to set up a connector task or scan probe to sync your data.

Step 4a: Configure the AWS integration as a connector task

A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new AWS-only assets are created.

1. Activate a connection to AWS. You can access all available third-party connections from the integrations page, your inventory, or the tasks page.
2. Choose the credential you added earlier. If you don’t see the credential listed, make sure the credential has access to the organization you are currently in.
3. Enter a name for the task, like AWS sync.
4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
5. Under Task configuration:
   • Choose the site you want to add your assets to. All newly discovered assets will be stored in this site. You can also choose to Automatically create a new site per VPC or Automatically create a new site per account, and runZero will take care of creating the sites for newly discovered assets or accounts.
   • Choose whether to automatically delete stale AWS assets. If you check this option, runZero will automatically delete AWS assets previously seen in AWS that were not found in the most recent sync.
   • Choose whether to include AWS assets that are not currently running. If you check this option, runZero will import AWS asset data for assets that are not in a running state.
6. Under Service options, select the services you would like to sync data from. You must choose at least one.
7. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the Exclude unknown assets toggle to Yes. By default, the integration will include assets that have not been scanned by runZero.
8. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4b: Configure the AWS integration as a scan probe

1. Create a new scan task or select a future or recurring scan task from your Tasks page.
2. Add or update the scan parameters based on any additional requirements.
3. On the Probes and SNMP tab, choose which additional probes to include, set the AWS toggle to Yes, and change any of the default options if needed.
4. On the Credentials tab, set the AWS toggle for the credential you wish to use to Yes.
5. Click Initialize scan to save the scan task and have it run immediately or at the scheduled time.

Step 5: View AWS assets

After a successful sync, you can go to your inventory to view your AWS assets. These assets will have an AWS icon listed in the Source column.

To filter by AWS assets, consider running the following queries:

• View all AWS assets:

   source:aws
  

• View all AWS EC2 instances:

  source:aws AND has:"@aws.ec2.instanceID"
  

• View all AWS Elastic Load Balancers:

  source:aws AND (has:"@aws.elb.loadBalancerArn" OR has:"@aws.elb.loadBalancerName")
  

Click into each asset to see its individual attributes. runZero will show you the attributes returned by the AWS APIs.

Troubleshooting

If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

Why is the Amazon Web Services integration unable to connect?

1. Are you getting any data from the AWS integration?
   • Make sure to query the inventory rather than look at the task details to review all the data available from this integration.
   • In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero console.
2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the intergration, it may not work correctly. Please review this documentation and follow the steps exactly.
3. If the AWS integration is unable to connect be sure to check the task log for errors. Some common errors include:
   • 500 - server error, unable to connect to the endpoint
   • 404 - hitting an unknown endpoint on the server
   • 403 - not authorized, likely a credential issue