Overview
JupiterOne provides a managed integration with Amazon Web Services. The integration connects directly to AWS APIs to obtain infrastructure metadata and analyze resource relationships. Customers authorize read-only, security audit access by establishing an IAM trust relationship that allows JupiterOne to assume a role in their account.
Information is ingested from all AWS regions that do not require additional contractual arrangements with AWS. Please submit a JupiterOne support request if you need to monitor additional regions.
Integration Instance Configuration
The integration is triggered by an event containing the information for a specific integration instance.
The integration instance configuration requires the customer's roleArn to
assume in order to read infrastructure information through AWS APIs. The role is
configured to require an externalId; this also must be maintained in the
instance configuration.
Detailed setup instructions and a pre-built CloudFormation Stack are provided in the application and maintained in the public JupiterOne AWS CloudFormation project on Github.
Permissions
The AWS integration requires security auditor permissions into the target AWS
account, as defined by a combination of the SecurityAudit IAM policy
managed by AWS, and a few additional List*, Get*, and Describe*
permissions missing from the AWS managed policy. The exact policy and permission
statements can be found in the public JupiterOne AWS CloudFormation project
on Github.
Entities
The following entity resources and their meta data (not actual contents) are ingested when the integration runs:
| AWS Service | AWS Entity Resource | _type : _class of the Entity |
|---|---|---|
| Account | n/a | aws_account : Account |
| ACM | ACM Certificate | aws_acm_certificate : Certificate |
| API Gateway | REST API | aws_api_gateway_rest_api : Gateway |
| Batch | Batch Compute Environment | aws_batch_compute_environment : Configuration |
| Batch Job | aws_batch_job : Process, Task |
|
| Batch Job Definition | aws_batch_job_definition : Configuration, Function |
|
| Batch Job Queue | aws_batch_job_queue : Queue |
|
| CloudFormation | Stack | aws_cloudformation_stack: Configuration |
| CloudFront | Distribution | aws_cloudfront_distribution: Gateway |
| CloudWatch | Event Rule | aws_cloudwatch_event_rule : Task |
| Metric Alarm | aws_cloudwatch_metric_alarm : Monitor |
|
| Log Group | aws_cloudwatch_log_group : Logs |
|
| Config | Config Rule | aws_config_rule : ControlPolicy |
| DynamoDB | DynamoDB Table | aws_dynamodb_table : DataStore, Database |
| EC2 | AMI Image | aws_ami : Image |
| EC2 Instance | aws_instance : Host |
|
| EC2 Key Pair | aws_key_pair : AccessKey |
|
| EBS Volume | aws_ebs_volume : DataStore, Disk |
|
| EBS Volume Snapshot | aws_ebs_snapshot : DataStore, Disk, Image |
|
| Elastic IP | aws_eip : IpAddress |
|
| Internet Gateway | aws_internet_gateway : Gateway |
|
| NAT Gateway | aws_nat_gateway : Gateway |
|
| Network ACL | aws_network_acl : Firewall |
|
| Network Interface | aws_eni : NetworkInterface |
|
| Route Table | aws_route_table : Configuration |
|
| Security Group | aws_security_group : Firewall |
|
| Subnet | aws_subnet : Network |
|
| VPC | aws_vpc : Network |
|
| VPN Gateway | aws_vpn_gateway : Gateway |
|
| AutoScaling | Auto Scaling Group | aws_autoscaling_group : Deployment, Group |
| ECR | ECR Container Repository | aws_ecr_repository : Repository |
| ECR Container Image | aws_ecr_image : Image |
|
| ECR Image Scan Finding | aws_ecr_image_scan_finding : Finding |
|
| ECS | ECS Cluster | aws_ecs_cluster : Cluster |
| ECS Container Instance | aws_ecs_container_instance : Host, Container |
|
| ECS Service | aws_ecs_service : Service |
|
| ECS Task Definition | aws_ecs_task_definition : Function, Configuration |
|
| ECS Task | aws_ecs_task : Task, Process |
|
| EFS | EFS File System | aws_efs_file_system : DataStore |
| EFS Mount Target | aws_efs_mount_target : NetworkEndpoint |
|
| EKS | EKS Cluster | aws_eks_cluster : Cluster |
| ELB | Application Load Balancer | aws_alb : Gateway |
| Network Load Balancer | aws_nlb : Gateway |
|
| Classic Load Balancer | aws_elb : Gateway |
|
| Target Group | aws_lb_target_group : Group |
|
| ElastiCache | Cache Cluster (Memcached) | aws_elasticache_memcached_cluster : Database, DataStore, Cluster |
| Replication Group (Redis) | aws_elasticache_redis_cluster : Database, DataStore, Cluster |
|
| Node Group Member | aws_elasticache_cluster_node : Database, DataStore, Host |
|
| Elasticsearch | Elasticsearch Domain | aws_elasticsearch_domain : Database, DataStore, Cluster |
| GuardDuty | GuardDuty Detector | aws_guardduty_detector : Assessment, Scanner |
| GuardDuty Finding | aws_guardduty_finding : Finding |
|
| IAM | Account Password Policy | aws_iam_account_password_policy : PasswordPolicy |
| IAM User | aws_iam_user : User |
|
| IAM User Access Key | aws_iam_access_key : AccessKey |
|
| IAM User MFA Device | mfa_device : AccessKey |
|
| IAM Group | aws_iam_group : UserGroup |
|
| IAM Role | aws_iam_role : AccessRole |
|
| IAM User Policy | aws_iam_user_policy : AccessPolicy |
|
| IAM Group Policy | aws_iam_group_policy : AccessPolicy |
|
| IAM Role Policy | aws_iam_role_policy : AccessPolicy |
|
| IAM Managed Policy | aws_iam_policy : AccessPolicy |
|
| IAM SAML Provider | aws_iam_saml_provider : Service |
|
| Access Analyzer | Access Analyzer | aws_accessanalyzer_analyzer : Accessment, Scanner |
| Access Analyzer Finding | aws_accessanalyzer_finding : Finding |
|
| Inspector | Inspector Assessment Run | aws_inspector_assessment : Assessment |
| Inspector Finding | aws_inspector_finding : Finding |
|
| KMS | KMS Key | aws_kms_key : CryptoKey |
| Lambda | Lambda Function | aws_lambda_function : Function |
| RedShift | Redshift Cluster | aws_redshift_cluster : DataStore, Database, Cluster |
| RDS | RDS DB Cluster | aws_rds_cluster : DataStore, Database, Cluster |
| RDS DB Instance | aws_db_instance : DataStore, Database, Host |
|
| RDS DB Instance Snapshot | aws_db_snapshot : DataStore, Database, Image |
|
| RDS DB Cluster Snapshot | aws_db_cluster_snapshot : DataStore, Database, Image |
|
| Route53 | Route53 Domain | aws_route53_domain : Domain |
| Route53 Hosted Zone | aws_route53_zone : DomainZone |
|
| Route53 RecordSet | aws_route53_record : DomainRecord, |
|
| S3 | S3 Bucket | aws_s3_bucket : DataStore |
| S3 Bucket Policy | aws_s3_bucket_policy : AccessPolicy |
|
| SNS | SNS Subscription | aws_sns_subscription : Subscription |
| SNS Topic | aws_sns_topic : Channel |
|
| SQS | SQS Queue | aws_sqs_queue : Queue |
| Transfer | Transfer Server (SFTP) | aws_transfer_server : Host, Gateway |
| Transfer User (SFTP) | aws_transfer_user : User |
|
| WAF | Web ACL | aws_waf_web_acl : Firewall |
| WorkSpaces | Workspace | aws_workspace : Host |
| Bundle | aws_workspaces_bundle : Configuration |
Relationships
The following relationships are created/mapped:
Basic relationships within the integration instance account/resources
| Relationships |
|---|
aws_account (master) HAS aws_account (sub-account) |
aws_account HAS Service (e.g. aws_ec2, aws_iam, …) |
aws_acm HAS aws_acm_certificate |
aws_batch HAS aws_batch_compute_environment |
aws_batch HAS aws_batch_job_definition |
aws_batch HAS aws_batch_job_queue |
aws_batch_compute_environment USES aws_ecs_cluster |
aws_batch_compute_environment ASSIGNED|USES aws_iam_role |
aws_batch_job_queue HAS aws_batch_job |
aws_apigateway HAS aws_api_gateway_rest_api |
aws_api_gateway_rest_api TRIGGERS aws_lambda_function |
aws_cloudfront HAS aws_cloudfront_distribution |
aws_cloudfront_distribution CONNECTS aws_api_gateway_rest_api |
aws_cloudfront_distribution CONNECTS aws_s3_bucket |
aws_cloudfront_distribution TRIGGERS aws_lambda_function |
aws_cloudfront_distribution USES aws_acm_certificate |
aws_cloudtrail LOGS aws_s3_bucket |
aws_cloudtrail LOGS aws_cloudwatch_log_group |
aws_cloudwatch_event_rule TRIGGERS aws_lambda_function |
aws_config HAS aws_config_rule |
aws_config_rule EVALUATES aws_account |
aws_config_rule EVALUATES <AWS Resource> |
aws_dynamodb HAS aws_dynamodb_table |
aws_dynamodb_table USES aws_kms_key |
aws_ec2 HAS aws_instance |
aws_ec2 HAS aws_security_group |
aws_ec2 HAS aws_subnet |
aws_ec2 HAS aws_ebs_volume |
aws_ec2 HAS aws_network_acl |
aws_ec2 HAS aws_vpc |
aws_autoscaling_group HAS aws_instance |
aws_instance USES aws_ebs_volume |
aws_instance USES aws_eip |
aws_instance USES aws_eni |
aws_ebs_volume HAS aws_ebs_snapshot |
aws_ebs_volume USES aws_ebs_snapshot |
aws_ebs_volume USES aws_kms_key |
aws_security_group PROTECTS aws_instance |
aws_instance HAS aws_security_group |
aws_nat_gateway USES aws_eni or aws_eip |
aws_eni USES aws_eip |
aws_vpc CONTAINS aws_subnet |
aws_vpc HAS aws_nat_gateway |
aws_vpc HAS aws_internet_gateway |
aws_vpc HAS aws_vpn_gateway |
aws_vpc HAS aws_route_table |
aws_vpc LOGS aws_cloudwatch_log_group |
aws_vpc LOGS aws_s3_bucket |
aws_subnet HAS aws_instance |
aws_subnet USES aws_route_table |
aws_network_acl PROTECTS aws_subnet |
aws_ecr HAS aws_ecr_repository |
aws_ecr_repository HAS aws_ecr_image |
aws_ecr_image HAS aws_ecr_image_scan_finding |
aws_ecs HAS aws_ecs_cluster |
aws_ecs HAS aws_ecs_task_definition |
aws_ecs_cluster HAS aws_ecs_service |
aws_ecs_cluster HAS aws_ecs_container_instance |
aws_ecs_cluster RUNS aws_ecs_task |
aws_ecs_container_instance RUNS aws_ecs_task |
aws_ecs_task_definition ASSIGNED|USES aws_iam_role |
aws_ecs_task_definition DEFINES aws_ecs_service |
aws_ecs_task_definition DEFINES aws_ecs_task |
aws_ecs_service TRIGGERS aws_ecs_task |
aws_instance RUNS aws_ecs_container_instance |
aws_efs HAS aws_efs_file_system |
aws_efs_file_system HAS aws_efs_mount_point |
aws_efs_mount_point USES aws_eni |
aws_subnet HAS aws_efs_mount_point |
aws_security_group PROTECTS aws_efs_mount_point |
aws_eks HAS aws_eks_cluster |
aws_elasticloadbalancing HAS aws_alb or aws_nlb or aws_elb |
aws_elasticache_redis_cluster HAS aws_elasticache_cluster_node |
aws_security_group PROTECTS aws_elasticache_cluster_node |
aws_security_group PROTECTS aws_elasticsearch_domain |
aws_alb USES aws_acm_certificate |
aws_alb or aws_nlb or aws_elb CONNECTS aws_lb_target_group |
aws_lb_target_group HAS aws_instance or aws_lambda_function |
aws_lb_target_group HAS aws_eip or aws_eni |
aws_guardduty_detector IDENTIFIED aws_guardduty_finding |
aws_instance HAS aws_guardduty_finding |
aws_iam HAS aws_iam_managed_policy |
aws_iam HAS aws_iam_role |
aws_iam HAS aws_iam_role_policy |
aws_iam HAS aws_iam_user |
aws_iam HAS aws_iam_user_policy |
aws_iam HAS aws_iam_group |
aws_iam HAS aws_iam_group_policy |
aws_iam_group HAS aws_iam_group_policy |
aws_iam_group CONTAINS aws_iam_user |
aws_iam_group HAS aws_iam_managed_policy |
aws_iam_role HAS aws_iam_role_policy |
aws_iam_role HAS aws_iam_managed_policy |
aws_iam_user HAS aws_iam_managed_policy |
aws_iam_user HAS aws_iam_user_policy |
aws_accessanalyzer_analyzer IDENTIFIED aws_accessanalyzer_finding |
aws_inspector_assessment IDENTIFIED aws_inspector_finding |
aws_instance HAS aws_inspector_finding |
aws_lambda HAS aws_lambda_function |
aws_lambda_function HAS aws_iam_role |
aws_lambda_function HAS aws_vpc |
aws_redshift HAS aws_redshift_cluster |
aws_vpc HAS aws_redshift_cluster |
aws_rds HAS aws_rds_cluster |
aws_rds HAS aws_db_instance |
aws_rds_cluster CONTAINS aws_db_instance |
aws_rds_cluster USES aws_kms_key |
aws_rds_cluster CONTAINS aws_db_cluster_snapshot |
aws_db_instance CONTAINS aws_db_snapshot |
aws_route53 HAS aws_route53_domain |
aws_route53 HAS aws_route53_zone |
aws_route53_zone HAS aws_route53_record |
aws_db_instance USES aws_kms_key |
aws_s3 HAS aws_s3_bucket |
aws_s3_bucket USES aws_kms_key |
aws_s3_bucket HAS aws_s3_bucket_policy |
aws_sns_topic HAS aws_sns_subscription |
aws_transfer_server HAS aws_transfer_user |
aws_s3_bucket ALLOWS aws_transfer_user |
aws_iam_role ASSIGNED aws_transfer_server |
aws_iam_role ASSIGNED aws_transfer_user |
aws_waf HAS aws_waf_web_acl |
aws_waf_web_acl PROTECTS aws_cloudfront_distribution |
aws_workspace USES aws_workspaces_bundle |
aws_subnet HAS aws_workspace |
Mapped Relationships - connections to broader entity resources
| Relationships |
|---|
aws_iam_user IS Person See Note 1 |
aws_route53_record CONNECTS Host or Gateway |
Domain HAS aws_route53_zone See Note 2 |
aws_vpc CONNECTS aws_vpc (VPC Peering Connections) |
**Note 1: This is mapped automatically only when the IAM user has an Email
tag, or the username of the IAM User is an email that matches that of a Person
entity in the graph.
**Note 2: Domain entities include domains registered on AWS Route53 (i.e.
aws_route53_domain) and those registered outside of AWS and added into
JupiterOne separately (e.g. a domain registered on GoDaddy).
Advanced mappings
The AWS integration performs analysis of security group rules, IAM policies, and assume role trust policies to determine the following mapping:
| Relationships |
|---|
aws_iam_role TRUSTS aws_iam_user or aws_<service> (within the same account) |
aws_iam_role TRUSTS aws_iam_role or aws_iam_user or aws_account (cross-account) |
aws_iam_policy ALLOWS <Resource> See Note 3 |
**Note 3: This creates permission relationships from an IAM policy (including
both managed policies and inline polices -- i.e. aws_iam_user_policy,
aws_iam_group_policy and aws_iam_role_policy) -- to other AWS entities based
on the actions and resources specified by the policy document.
ProTips and Best Practices
Tag your resources with the following tags:
ClassificationOwnerPIIorPHIorPCI(booleanto indicate data type)
Use email address as the
usernamefor your IAM Users, or tag them withEmailtag, so that they can be automatically mapped to aPerson(i.e.employee) entity.Configure tagging as part of your integration configuration (in JupiterOne), under Advanced Options, to tag the
AccountNameandProductionflag, if applicable.
Configure your integration name to be the same as your AWS account alias.
Multi-region Support
Multi-region support is built-in to the integration to ensure maximum visibility, especially to discover resources in an unauthorized region.
Supported Regions
Americas:
ca-central-1Montrealus-east-1N. Virginiaus-east-2Ohious-west-1N. Californiaus-west-2Oregonsa-east-1São Paulo
Europe:
eu-central-1Frankfurteu-north-1Stockholmeu-west-1Irelandeu-west-2Londoneu-west-3Paris
Asia Pacific:
ap-northeast-1Tokyoap-northeast-2Seoulap-south-1Mumbaiap-southeast-1Singaporeap-southeast-2Sydney
Unsupported Regions
All AWS regions are supported except for the following:
China Regions:
cn-north-1Beijingcn-northwest-1Ningxia
Customers who wish to use the China Regions are required to sign up for a separate set of account credentials unique to China services.
GovCloud:
us-gov-east-1us-gov-west-1
We do not run in the cloud of government yet.
Other:
ap-northeast-3Osaka-Localme-south-1Bahrain (Middle East)
Separate subscription or access token/client needed for these regions.
Comments
0 comments
Please sign in to leave a comment.