
    Attack Surface Analyzer for Amazon Web Services

    With the Attack Surface Analyzer, you can identify misconfigurations in your AWS cloud directory and enhance cloud security.

    Listed below are the services tracked by the Attack Surface Analyzer for AWS cloud directory:

    • Amazon EC2
    • Amazon VPC
    • AWS IAM
    • Amazon S3
    • Amazon RDS
    • Amazon DynamoDB
    • AWS Lambda
    • AWS Elastic Beanstalk
    • AWS CloudTrail
    • Amazon EFS
    • AWS KMS
    • Amazon SNS
    • Amazon SQS
    • Amazon EC2 Auto Scaling
    • AWS Elastic Load Balancing
    • AWS Elastic Load Balancing V2
    • Amazon CloudFront
    • Amazon CloudWatch
    • Amazon CloudWatch Logs
    • Amazon ElastiCache
    • Amazon MemoryDB for Redis
    • Amazon DocumentDB
    • AWS CodeBuild
    • Amazon Config Service
    • Amazon Route 53
    • AWS WAF
    • AWS WAF Regional
    • AWS WAF V2

    Prerequisites

    For the Attack Surface Analyzer to function seamlessly, the ADAudit Plus server should have a working internet connection. Additionally, the outbound HTTPS port 443 needs to be opened on the ADAudit Plus server to communicate with AWS cloud directory.

    Before configuring your AWS cloud directory for attack surface analysis in ADAudit Plus, you will need to:

    • Create a user and attach appropriate permissions through an IAM policy.
    • Retrieve the account ID, access key, and secret access key.

    There are two ways to create the user and attach appropriate permissions through an IAM policy:

    1. Using AWS CloudFormation
    2. Using the AWS IAM console

    Create a user and attach the IAM policy using AWS CloudFormation

    1. Sign in to the AWS Management console and go to CloudFormation.
    2. From the navigation bar on the top, click the region list to the left of your account information, and select the region where you want to create the stack.
    3. Click Create stack and select With new resources (standard) from the drop-down.
    4. On the Create stack page, on the Specify template panel under Template source, choose Upload a template file.
    5. Download this template file.
    6. Click Choose file, browse to the file that you just downloaded, select it, and click Open.
    7. Once the file is uploaded, click Next.
    8. Enter a suitable Stack name. On the Parameters panel, you can choose to change the name of the policy and the user. Select false under UseExistingUser and click Next.
    9. On the Configure stack options page, retain the default settings and click Next.
    10. On the Review and create page, review your settings, check the Acknowledgement check box, and then click Submit.
    11. Once the stack is created, select the Resources tab and click the user you just created. You will be redirected to the IAM console. Proceed with the steps under Retrieve the access key and secret access key.

    Create a user and attach the IAM policy using the AWS IAM console

    In this method, you need to create a policy in the IAM console first, and then create a user and attach the policy.

    Create a policy in the IAM Console

    1. Sign in to the AWS Management console and open the IAM console.
    2. From the IAM dashboard, select Policies, and then click Create policy.
    3. On the Policy Editor page, select JSON mode, copy and paste the permission statement from this file, and click Next.
    4. Enter a suitable name and description for this policy, review the permissions required by the service, and then click Create policy.
    5. You will be redirected to the IAM policies page on completion.
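    Whether the policy arrives through the CloudFormation template or is pasted into the IAM policy editor, the review step is where least privilege is enforced: an analyzer that only reads configuration should hold only Describe/List/Get permissions. The following script is an added example, not ADAudit Plus code, and the policy document it audits is a constructed sample standing in for the vendor-supplied permission statement, which is not reproduced on this page. It flags every Allow action that is not read-only so that such entries can be questioned before the policy is created.

```python
import json
from typing import List

# Constructed sample policy (not the vendor's file): two statements that a
# least-privilege review should reject have been included on purpose.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "iam:List*", "iam:Get*", "s3:GetBucketPolicy",
                    "cloudtrail:DescribeTrails", "kms:ListKeys"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:sqs:*:*:*"},
    ],
})

# Assumed convention: these verb prefixes denote configuration reads. Note that
# Get* is a heuristic (s3:GetObject reads data, not just configuration).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def is_read_only(action: str) -> bool:
    """Return True when an IAM action string is a Describe*/List*/Get* call."""
    if action == "*" or ":" not in action:
        return False  # bare wildcard or malformed entry: never read-only
    _, verb = action.split(":", 1)
    return verb.startswith(READ_ONLY_PREFIXES)


def audit_policy(document: str) -> List[str]:
    """Return one finding per Allow action that is not read-only."""
    findings: List[str] = []
    statements = json.loads(document)["Statement"]
    if isinstance(statements, dict):  # a single statement may be unlisted
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a string or a list
            actions = [actions]
        for action in actions:
            if not is_read_only(action):
                findings.append(f"statement {index}: non-read-only action "
                                f"{action!r} on {stmt.get('Resource')}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

    Run against the sample, the script reports the s3:PutBucketPolicy grant and the wildcard action on SQS; an empty result means every granted action is a read.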

    Create a user and attach the policy

    1. In the IAM console, select Users from the navigation menu, and then click Create user.
    2. Enter a suitable User name for the new user, and click Next.
    3. On the Set permissions page, select Attach policies directly.
    4. Browse and select the policy that you just created and click Next.
    5. Review your choices and click Create user.

    Retrieve the access key and secret access key

    1. In the IAM console, click Users from the navigation menu, and select the user that you created.
    2. Click the Security credentials tab, and on the Access keys panel, click Create access key.
    3. Select Other as your use case, and click Next.
    4. Set a suitable description tag value if required, and click Create access key.
    5. Once the key is created, you can view the user's Access key and the Secret access key. Copy them to your clipboard as you will need them when configuring the AWS cloud directory in ADAudit Plus.
    6. From the navigation bar on the top, click the drop-down next to your account information, copy the Account ID, and then click Done.

    Configure the AWS cloud directory in ADAudit Plus

    1. Log in to your ADAudit Plus web console.
    2. Navigate to the Cloud Directory tab > Attack Surface Analyzer > Configuration > Cloud Directory.
    3. Click +Add Cloud Directory in the top-right.
    4. Select AWS Cloud from the Add Cloud Directory popup.
    5. Enter a suitable Display Name and enter the account ID, access key, and secret access key that you copied earlier in the Account Number, Access Key ID, and Secret Access Key fields respectively.
    6. Select the Audit Log check box if you want to fetch and monitor all the operations performed in your AWS cloud directory, and then click Next.
    7. Review your settings and click Finish.
