AWS + JupiterOne Integration Benefits
- Visualize AWS cloud resources across several services in the JupiterOne graph.
- Map AWS users to employees in your JupiterOne account.
- Monitor visibility and governance of your AWS cloud environment by leveraging hundreds of out of the box queries.
- Monitor compliance against the AWS CIS Framework and other security benchmarks using the JupiterOne compliance app.
- Monitor AWS vulnerabilities and findings from multiple services within the alerts app.
- Monitor changes to your AWS cloud resources using multiple JupiterOne alert rule packs specific to AWS.
- Monitor several out of the box dashboards of your security across AWS services.
- Create automated workflows in JupiterOne alerts using SNS & SQS to remediate configuration gaps in AWS.
How it Works
- JupiterOne periodically fetches users and cloud resources from AWS to update the graph.
- Enable CloudTrail event delivery through EventBridge to capture additional details on supported entities. See the setup guide AWS CloudTrail Event Streaming.
- Enable configuration of AWS accounts through Organizations and ingest Organization specific data. See the setup guide AWS Organizations.
- Write JupiterOne queries to review and monitor updates to the graph, or leverage existing queries.
- Configure alerts to take action when the JupiterOne graph changes, or leverage existing alerts.
Information is ingested from all AWS regions that do not require additional contractual arrangements with AWS. Please submit a JupiterOne support request if you need to monitor additional regions.
Requirements
- JupiterOne provides a policy statement that defines the needed AWS permissions. An AWS IAM Role must be configured for JupiterOne that allows reading configuration details of supported resources. The Role must be configured to include an External ID provided by JupiterOne.
- You must have permission in JupiterOne to install new integrations.
Support
If you need help with this integration, please contact JupiterOne Support.
Integration Walkthrough
The integration instance configuration requires the customer's roleArn to
assume in order to read infrastructure information through AWS APIs. The role is
configured to require an externalId; this also must be maintained in the
instance configuration.
In AWS
- Detailed setup instructions and a pre-built CloudFormation Stack are provided in the application and maintained in the public JupiterOne AWS CloudFormation project on Github. Follow the steps under In JupiterOne to capture the auto-generated External ID specific to the integration instance.
In JupiterOne
- From the configuration Gear Icon, select Integrations.
- Scroll to the AWS integration tile and click it.
- Click the Add Configuration button and configure the following settings:
- Enter the Account Name by which you'd like to identify this AWS account in
JupiterOne. Ingested entities will have this value stored in
tag.AccountNamewhen Tag with Account Name is checked. - Enter a Description that will further assist your team when identifying the integration instance.
- Select a Polling Interval that you feel is sufficient for your monitoring
needs. You may leave this as
DISABLEDand manually execute the integration. - Enter the Role ARN of the IAM role to assume in order to authenticate with AWS.
- Click Create Configuration once all values are provided.
Permissions
The AWS integration requires security auditor permissions into the target AWS
account, as defined by a combination of the SecurityAudit IAM policy
managed by AWS, and a few additional List*, Get*, and Describe*
permissions missing from the AWS managed policy. The exact policy and permission
statements can be found in the public JupiterOne AWS CloudFormation project
on Github.
How to Uninstall
- From the configuration Gear Icon, select Integrations.
- Scroll to the AWS integration tile and click it.
- Identify and click the integration to delete.
- Click the trash can icon.
- Click the Remove button to delete the integration.
Data Model
Entities
The following entity resources and their meta data (not actual contents) are ingested when the integration runs:
| AWS Service | AWS Entity Resource | _type : _class of the Entity |
|---|---|---|
| Account | n/a | aws_account : Account |
| ACM | ACM Certificate | aws_acm_certificate : Certificate |
| API Gateway | REST API | aws_api_gateway_rest_api : Gateway |
| Batch | Batch Compute Environment | aws_batch_compute_environment : Configuration |
| Batch Job | aws_batch_job : Process, Task |
|
| Batch Job Definition | aws_batch_job_definition : Configuration, Function |
|
| Batch Job Queue | aws_batch_job_queue : Queue |
|
| CloudFormation | Stack | aws_cloudformation_stack: Configuration |
| CloudFront | Distribution | aws_cloudfront_distribution: Gateway |
| CloudWatch | Event Rule | aws_cloudwatch_event_rule : Task |
| Metric Alarm | aws_cloudwatch_metric_alarm : Monitor |
|
| Log Group | aws_cloudwatch_log_group : Logs |
|
| Config | Config Rule | aws_config_rule : ControlPolicy |
| DynamoDB | DynamoDB Table | aws_dynamodb_table : DataStore, Database |
| EC2 | AMI Image | aws_ami : Image |
| EC2 Instance | aws_instance : Host |
|
| EC2 Key Pair | aws_key_pair : AccessKey |
|
| EBS Volume | aws_ebs_volume : DataStore, Disk |
|
| EBS Volume Snapshot | aws_ebs_snapshot : DataStore, Disk, Image |
|
| Elastic IP | aws_eip : IpAddress |
|
| Internet Gateway | aws_internet_gateway : Gateway |
|
| NAT Gateway | aws_nat_gateway : Gateway |
|
| Network ACL | aws_network_acl : Firewall |
|
| Network Interface | aws_eni : NetworkInterface |
|
| Route Table | aws_route_table : Configuration |
|
| Security Group | aws_security_group : Firewall |
|
| Subnet | aws_subnet : Network |
|
| VPC | aws_vpc : Network |
|
| VPN Gateway | aws_vpn_gateway : Gateway |
|
| AutoScaling | Auto Scaling Group | aws_autoscaling_group : Deployment, Group |
| ECR | ECR Container Repository | aws_ecr_repository : Repository |
| ECR Container Image | aws_ecr_image : Image |
|
| ECR Image Scan Finding | aws_ecr_image_scan_finding : Finding |
|
| ECS | ECS Cluster | aws_ecs_cluster : Cluster |
| ECS Container Instance | aws_ecs_container_instance : Host, Container |
|
| ECS Service | aws_ecs_service : Service |
|
| ECS Task Definition | aws_ecs_task_definition : Function, Configuration |
|
| ECS Task | aws_ecs_task : Task, Process |
|
| EFS | EFS File System | aws_efs_file_system : DataStore |
| EFS Mount Target | aws_efs_mount_target : NetworkEndpoint |
|
| EKS | EKS Cluster | aws_eks_cluster : Cluster |
| ELB | Application Load Balancer | aws_alb : Gateway |
| Network Load Balancer | aws_nlb : Gateway |
|
| Classic Load Balancer | aws_elb : Gateway |
|
| Target Group | aws_lb_target_group : Group |
|
| ElastiCache | Cache Cluster (Memcached) | aws_elasticache_memcached_cluster : Database, DataStore, Cluster |
| Replication Group (Redis) | aws_elasticache_redis_cluster : Database, DataStore, Cluster |
|
| Node Group Member | aws_elasticache_cluster_node : Database, DataStore, Host |
|
| Elasticsearch | Elasticsearch Domain | aws_elasticsearch_domain : Database, DataStore, Cluster |
| GuardDuty | GuardDuty Detector | aws_guardduty_detector : Assessment, Scanner |
| GuardDuty Finding | aws_guardduty_finding : Finding |
|
| IAM | Account Password Policy | aws_iam_account_password_policy : PasswordPolicy |
| IAM User | aws_iam_user : User |
|
| IAM User Access Key | aws_iam_access_key : AccessKey |
|
| IAM User MFA Device | mfa_device : AccessKey |
|
| IAM Group | aws_iam_group : UserGroup |
|
| IAM Role | aws_iam_role : AccessRole |
|
| IAM User Policy | aws_iam_user_policy : AccessPolicy |
|
| IAM Group Policy | aws_iam_group_policy : AccessPolicy |
|
| IAM Role Policy | aws_iam_role_policy : AccessPolicy |
|
| IAM Managed Policy | aws_iam_policy : AccessPolicy |
|
| IAM SAML Provider | aws_iam_saml_provider : Service |
|
| Access Analyzer | Access Analyzer | aws_accessanalyzer_analyzer : Accessment, Scanner |
| Access Analyzer Finding | aws_accessanalyzer_finding : Finding |
|
| Inspector | Inspector Assessment Run | aws_inspector_assessment : Assessment |
| Inspector Finding | aws_inspector_finding : Finding |
|
| KMS | KMS Key | aws_kms_key : CryptoKey |
| Lambda | Lambda Function | aws_lambda_function : Function |
| RedShift | Redshift Cluster | aws_redshift_cluster : DataStore, Database, Cluster |
| RDS | RDS DB Cluster | aws_rds_cluster : DataStore, Database, Cluster |
| RDS DB Instance | aws_db_instance : DataStore, Database, Host |
|
| RDS DB Instance Snapshot | aws_db_snapshot : DataStore, Database, Image |
|
| RDS DB Cluster Snapshot | aws_db_cluster_snapshot : DataStore, Database, Image |
|
| Route53 | Route53 Domain | aws_route53_domain : Domain |
| Route53 Hosted Zone | aws_route53_zone : DomainZone |
|
| Route53 RecordSet | aws_route53_record : DomainRecord, |
|
| S3 | S3 Bucket | aws_s3_bucket : DataStore |
| S3 Bucket Policy | aws_s3_bucket_policy : AccessPolicy |
|
| SNS | SNS Subscription | aws_sns_subscription : Subscription |
| SNS Topic | aws_sns_topic : Channel |
|
| SQS | SQS Queue | aws_sqs_queue : Queue |
| Transfer | Transfer Server (SFTP) | aws_transfer_server : Host, Gateway |
| Transfer User (SFTP) | aws_transfer_user : User |
|
| WAF | Web ACL | aws_waf_web_acl : Firewall |
| WorkSpaces | Workspace | aws_workspace : Host |
| Bundle | aws_workspaces_bundle : Configuration |
Relationships
The following relationships are created/mapped:
Basic relationships within the integration instance account/resources
| Relationships |
|---|
aws_account (master) HAS aws_account (sub-account) |
aws_account HAS Service (e.g. aws_ec2, aws_iam, …) |
aws_acm HAS aws_acm_certificate |
aws_batch HAS aws_batch_compute_environment |
aws_batch HAS aws_batch_job_definition |
aws_batch HAS aws_batch_job_queue |
aws_batch_compute_environment USES aws_ecs_cluster |
aws_batch_compute_environment ASSIGNED|USES aws_iam_role |
aws_batch_job_queue HAS aws_batch_job |
aws_apigateway HAS aws_api_gateway_rest_api |
aws_api_gateway_rest_api TRIGGERS aws_lambda_function |
aws_cloudfront HAS aws_cloudfront_distribution |
aws_cloudfront_distribution CONNECTS aws_api_gateway_rest_api |
aws_cloudfront_distribution CONNECTS aws_s3_bucket |
aws_cloudfront_distribution TRIGGERS aws_lambda_function |
aws_cloudfront_distribution USES aws_acm_certificate |
aws_cloudtrail LOGS aws_s3_bucket |
aws_cloudtrail LOGS aws_cloudwatch_log_group |
aws_cloudwatch_event_rule TRIGGERS aws_lambda_function |
aws_config HAS aws_config_rule |
aws_config_rule EVALUATES aws_account |
aws_config_rule EVALUATES <AWS Resource> |
aws_dynamodb HAS aws_dynamodb_table |
aws_dynamodb_table USES aws_kms_key |
aws_ec2 HAS aws_instance |
aws_ec2 HAS aws_security_group |
aws_ec2 HAS aws_subnet |
aws_ec2 HAS aws_ebs_volume |
aws_ec2 HAS aws_network_acl |
aws_ec2 HAS aws_vpc |
aws_autoscaling_group HAS aws_instance |
aws_instance USES aws_ebs_volume |
aws_instance USES aws_eip |
aws_instance USES aws_eni |
aws_ebs_volume HAS aws_ebs_snapshot |
aws_ebs_volume USES aws_ebs_snapshot |
aws_ebs_volume USES aws_kms_key |
aws_security_group PROTECTS aws_instance |
aws_instance HAS aws_security_group |
aws_nat_gateway USES aws_eni or aws_eip |
aws_eni USES aws_eip |
aws_vpc CONTAINS aws_subnet |
aws_vpc HAS aws_nat_gateway |
aws_vpc HAS aws_internet_gateway |
aws_vpc HAS aws_vpn_gateway |
aws_vpc HAS aws_route_table |
aws_vpc LOGS aws_cloudwatch_log_group |
aws_vpc LOGS aws_s3_bucket |
aws_subnet HAS aws_instance |
aws_subnet USES aws_route_table |
aws_network_acl PROTECTS aws_subnet |
aws_ecr HAS aws_ecr_repository |
aws_ecr_repository HAS aws_ecr_image |
aws_ecr_image HAS aws_ecr_image_scan_finding |
aws_ecs HAS aws_ecs_cluster |
aws_ecs HAS aws_ecs_task_definition |
aws_ecs_cluster HAS aws_ecs_service |
aws_ecs_cluster HAS aws_ecs_container_instance |
aws_ecs_cluster RUNS aws_ecs_task |
aws_ecs_container_instance RUNS aws_ecs_task |
aws_ecs_task_definition ASSIGNED|USES aws_iam_role |
aws_ecs_task_definition DEFINES aws_ecs_service |
aws_ecs_task_definition DEFINES aws_ecs_task |
aws_ecs_service TRIGGERS aws_ecs_task |
aws_instance RUNS aws_ecs_container_instance |
aws_efs HAS aws_efs_file_system |
aws_efs_file_system HAS aws_efs_mount_point |
aws_efs_mount_point USES aws_eni |
aws_subnet HAS aws_efs_mount_point |
aws_security_group PROTECTS aws_efs_mount_point |
aws_eks HAS aws_eks_cluster |
aws_elasticloadbalancing HAS aws_alb or aws_nlb or aws_elb |
aws_elasticache_redis_cluster HAS aws_elasticache_cluster_node |
aws_security_group PROTECTS aws_elasticache_cluster_node |
aws_security_group PROTECTS aws_elasticsearch_domain |
aws_alb USES aws_acm_certificate |
aws_alb or aws_nlb CONNECTS aws_lb_target_group |
aws_elb CONNECTS aws_instance |
aws_lb_target_group HAS aws_instance or aws_lambda_function |
aws_lb_target_group HAS aws_eip or aws_eni |
aws_guardduty_detector IDENTIFIED aws_guardduty_finding |
aws_instance HAS aws_guardduty_finding |
aws_iam HAS aws_iam_policy |
aws_iam HAS aws_iam_role |
aws_iam HAS aws_iam_role_policy |
aws_iam HAS aws_iam_user |
aws_iam HAS aws_iam_user_policy |
aws_iam HAS aws_iam_group |
aws_iam HAS aws_iam_group_policy |
aws_iam_group HAS aws_iam_group_policy |
aws_iam_group CONTAINS aws_iam_user |
aws_iam_group HAS aws_iam_policy |
aws_iam_role HAS aws_iam_role_policy |
aws_iam_role HAS aws_iam_policy |
aws_iam_user HAS aws_iam_policy |
aws_iam_user HAS aws_iam_user_policy |
aws_accessanalyzer_analyzer IDENTIFIED aws_accessanalyzer_finding |
aws_inspector_assessment IDENTIFIED aws_inspector_finding |
aws_instance HAS aws_inspector_finding |
aws_lambda HAS aws_lambda_function |
aws_lambda_function HAS aws_iam_role |
aws_lambda_function HAS aws_vpc |
aws_redshift HAS aws_redshift_cluster |
aws_vpc HAS aws_redshift_cluster |
aws_rds HAS aws_rds_cluster |
aws_rds HAS aws_db_instance |
aws_rds_cluster CONTAINS aws_db_instance |
aws_rds_cluster USES aws_kms_key |
aws_rds_cluster CONTAINS aws_db_cluster_snapshot |
aws_db_instance CONTAINS aws_db_snapshot |
aws_route53 HAS aws_route53_domain |
aws_route53 HAS aws_route53_zone |
aws_route53_zone HAS aws_route53_record |
aws_db_instance USES aws_kms_key |
aws_s3 HAS aws_s3_bucket |
aws_s3_bucket USES aws_kms_key |
aws_s3_bucket HAS aws_s3_bucket_policy |
aws_sns_topic HAS aws_sns_subscription |
aws_transfer_server HAS aws_transfer_user |
aws_s3_bucket ALLOWS aws_transfer_user |
aws_iam_role ASSIGNED aws_transfer_server |
aws_iam_role ASSIGNED aws_transfer_user |
aws_waf HAS aws_waf_web_acl |
aws_waf_web_acl PROTECTS aws_cloudfront_distribution |
aws_workspace USES aws_workspaces_bundle |
aws_subnet HAS aws_workspace |
Mapped Relationships - connections to broader entity resources
| Relationships |
|---|
aws_iam_user IS Person See Note 1 |
aws_route53_record CONNECTS Host or Gateway |
Domain HAS aws_route53_zone See Note 2 |
aws_vpc CONNECTS aws_vpc (VPC Peering Connections) |
This is mapped automatically only when the IAM user has an
Emailtag, or theusernameof the IAM User is an email that matches that of aPersonentity in the graph.Domainentities include domains registered on AWS Route53 (i.e.aws_route53_domain) and those registered outside of AWS and added into JupiterOne separately (e.g. a domain registered on GoDaddy).
Advanced mappings
The AWS integration performs analysis of security group rules, IAM policies, and assume role trust policies to determine the following mapping:
| Relationships |
|---|
aws_iam_role TRUSTS aws_iam_user or aws_<service> (within the same account) |
aws_iam_role TRUSTS aws_iam_role or aws_iam_user or aws_account (cross-account) |
aws_iam_policy ALLOWS <Resource> See notes below |
This creates permission relationships from an IAM policy -- including
both managed policies (i.e. aws_iam_policy) and inline polices (i.e.
aws_iam_user_policy, aws_iam_group_policy and aws_iam_role_policy) -- to
other AWS entities based on the actions and resources specified by the policy
document.
TIP Use AccessPolicy class in a query to easily include all types of IAM policies.
TIP The actions property on the permissions relationships/edges are normalized to
all lowercase and stored in normalizedActions property. Use this property for case
insensitive querying of IAM permissions.
ProTips and Best Practices
Tag your resources with the following tags:
ClassificationOwnerPIIorPHIorPCI(booleanto indicate data type)
Use email address as the
usernamefor your IAM Users, or tag them withEmailtag, so that they can be automatically mapped to aPerson(i.e.employee) entity.Configure tagging as part of your integration configuration (in JupiterOne), under Advanced Options, to tag the
AccountNameandProductionflag, if applicable.
Configure your integration name to be the same as your AWS account alias.
Multi-region Support
Multi-region support is built-in to the integration to ensure maximum visibility, especially to discover resources in an unauthorized region.
Supported Regions
Americas:
ca-central-1Montrealus-east-1N. Virginiaus-east-2Ohious-west-1N. Californiaus-west-2Oregonsa-east-1São Paulo
Europe:
eu-central-1Frankfurteu-north-1Stockholmeu-west-1Irelandeu-west-2Londoneu-west-3Paris
Asia Pacific:
ap-northeast-1Tokyoap-northeast-2Seoulap-south-1Mumbaiap-southeast-1Singaporeap-southeast-2Sydney
Unsupported Regions
All AWS regions are supported except for the following:
China Regions:
cn-north-1Beijingcn-northwest-1Ningxia
Customers who wish to use the China Regions are required to sign up for a separate set of account credentials unique to China services.
GovCloud:
us-gov-east-1us-gov-west-1
We do not run in the cloud of government yet.
Other:
ap-northeast-3Osaka-Localme-south-1Bahrain (Middle East)
Separate subscription or access token/client needed for these regions.