AWP for AWS Environments
When you enable AWP, it creates a cross-account CloudFormation stack in your AWS account. The stack deploys these primary resources in your account:
- Cross-account IAM role
- Proxy utility Lambda function
- Multi-Region KMS key (SaaS mode only)
The only data that the AWP scanner sends to CloudGuard are the CVE findings and the file paths at which secrets were found.
All resources that AWP creates in your account carry the tag Owner : CG.AWP.
Onboarding AWS Environments
To enable AWP on your AWS environment:
- In the CloudGuard portal, navigate to Assets > Environments.
- Click Enable AWP for your AWS environment.
- Follow the instructions on the wizard page that opens.
- Select the scan mode: SaaS or In-Account. For more details, see AWS SaaS Mode and AWS In-Account Mode.
- Click Create a Cross-Account Stack. The prompt asks you to sign in to your AWS account and then redirects you to the CloudFormation console, where a CFT stack is prepared that grants CloudGuard a cross-account role and installs the AWP resources in your AWS account. Review the template before you create the stack; for details about the permissions it grants, see Resources and Permissions for SaaS Mode or Resources and Permissions for In-Account Mode.
- In AWS, select the option I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Create stack. CloudFormation starts to create the stack. When the stack is created, the additional permissions are granted to CloudGuard.
Important - Do not change the mode (SaaS/In-Account) during onboarding. For successful onboarding, you must use the same mode that you selected before the stack creation.
- In the CloudGuard wizard, click Next. CloudGuard completes the process to enable AWP scanning.
AWS SaaS Mode
In SaaS mode, AWP creates snapshots of your EC2 volumes and scans the snapshots on a virtual machine in CloudGuard's own AWS account. With this mode, you do not pay for the scans, and CloudGuard fully manages all the required resources.
Scanning Encrypted Volumes in SaaS Mode
For security reasons, the AWP backend has no access to the encrypted volumes of your EC2 instances and cannot scan them directly: CloudGuard does not require your encryption keys and never obtains them from you, as that would compromise your data.
To scan encrypted volumes securely, CloudGuard re-encrypts the snapshot data under its own multi-Region KMS key, which the AWP cross-account stack installs in your account. The stack also installs a proxy utility Lambda function. The AWP backend invokes this Lambda function remotely through the cross-account role, and the Lambda function, under its own execution role, creates the snapshots and re-encrypts them.
Use of your own keys is therefore limited to the proxy Lambda, which runs in your account, where you have full visibility and control over it (its configuration, its role and its log group).
AWS In-Account Mode
With In-Account mode, AWP scans the data locally, so everything stays in your AWS account. The only data sent to CloudGuard are the AWP scanner findings. This mode keeps all your data private; however, because the scanner instance runs in your account, the volume scanning incurs additional costs there.
Scanning Workflow
To prepare your instance for AWP scanning:
- With the cross-account role, AWP gathers information about your instance volumes.
- With the cross-account role, AWP remotely invokes the proxy utility Lambda with a request to create snapshots of the instance volumes.
  - For encrypted volumes (SaaS mode): AWP sends one more request to the Lambda to re-encrypt the snapshots with the CloudGuard multi-Region key.
    Note - KMS key resources are regional. If the instance is in a region where the multi-Region key has no replica yet, AWP first creates a replica of the key in that region with its cross-account role.
- When all instance volumes have their snapshots:
  - For SaaS mode - a scanner machine launches in the AWP engine with the snapshots attached to it and performs the scan.
  - For In-Account mode - AWP launches an EC2 instance in your account and performs the scan. This instance runs in the same region as the original EC2 instance, in a custom VPC that AWP creates for this task.
    - The scanner's outbound traffic is restricted by a security group rule that limits access exclusively to S3 IP addresses.
    - No inbound rules are configured.
    To keep network traffic on the AWS backbone, the VPC uses an S3 endpoint.
    Note - Make sure that your account has not reached the VPC quota (by default, 5 VPCs per region) before you enable AWP.
  - For encrypted snapshots (SaaS mode): the AWP scanner can read the snapshot data because it is encrypted with AWP's own multi-Region key.
- When the scan is complete, AWP sends a request to the Lambda to delete the snapshots created for the scan.
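The In-Account branch above states three verifiable network properties for the scanner: no inbound rules, egress limited to S3 addresses, and an S3 endpoint in the scanner VPC. The following added example (not CloudGuard's code) checks a security group and a VPC-endpoint listing against those properties, plus the Owner : CG.AWP tag the page says every AWP resource carries. The records are constructed in the shape of `aws ec2 describe-security-groups` and `describe-vpc-endpoints` output; the resource IDs, the prefix-list ID and the stand-in S3 CIDRs are assumptions (real S3 ranges come from AWS's ip-ranges.json, service "S3", or from the region's managed S3 prefix list).

```python
"""Check the network posture described for an In-Account AWP scanner.

Added example for this page, not CloudGuard's code. All records below are
constructed; IDs and the stand-in S3 CIDRs are assumptions.
"""
import ipaddress
from typing import Iterable, List

REGION = "eu-west-1"
S3_PREFIX_LIST_ID = "pl-0123456789abcdef0"  # assumption: the region's com.amazonaws.<region>.s3 prefix list
S3_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]  # stand-ins (TEST-NET ranges), not real S3 ranges

SCANNER_SG = {
    "GroupId": "sg-0aaa1111bbbb2222c", "VpcId": "vpc-0123abcd",
    "Tags": [{"Key": "Owner", "Value": "CG.AWP"}],
    "IpPermissions": [],  # no inbound rules
    "IpPermissionsEgress": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [],
        "PrefixListIds": [{"PrefixListId": S3_PREFIX_LIST_ID}],
    }],
}
VPC_ENDPOINTS = [{
    "VpcId": "vpc-0123abcd", "VpcEndpointType": "Gateway",
    "ServiceName": f"com.amazonaws.{REGION}.s3", "State": "available",
}]


def _within_s3(cidr: str, s3_cidrs: Iterable[str]) -> bool:
    """True if cidr lies entirely inside one of the S3 ranges of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(s3) for s3 in map(ipaddress.ip_network, s3_cidrs)
               if s3.version == net.version)


def check_scanner_network(sg: dict, endpoints: list, region: str,
                          s3_prefix_list_id: str, s3_cidrs: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the posture matches the description."""
    findings: List[str] = []
    gid = sg["GroupId"]
    if {"Key": "Owner", "Value": "CG.AWP"} not in sg.get("Tags", []):
        findings.append(f"{gid}: missing Owner : CG.AWP tag")
    if sg.get("IpPermissions"):
        findings.append(f"{gid}: {len(sg['IpPermissions'])} inbound rule(s) present, expected none")
    for rule in sg.get("IpPermissionsEgress", []):
        # Egress must reference only S3: the S3 prefix list or CIDRs inside S3 ranges.
        if rule.get("UserIdGroupPairs"):
            findings.append(f"{gid}: egress to other security groups is not S3-only")
        for r in rule.get("IpRanges", []):
            if not _within_s3(r["CidrIp"], s3_cidrs):
                findings.append(f"{gid}: egress to non-S3 range {r['CidrIp']}")
        for r in rule.get("Ipv6Ranges", []):
            if not _within_s3(r["CidrIpv6"], s3_cidrs):
                findings.append(f"{gid}: egress to non-S3 range {r['CidrIpv6']}")
        for p in rule.get("PrefixListIds", []):
            if p["PrefixListId"] != s3_prefix_list_id:
                findings.append(f"{gid}: egress to unexpected prefix list {p['PrefixListId']}")
    # The VPC needs an available S3 gateway endpoint so the upload stays on the AWS backbone.
    s3_service = f"com.amazonaws.{region}.s3"
    if not any(e["VpcId"] == sg["VpcId"] and e["VpcEndpointType"] == "Gateway"
               and e["ServiceName"] == s3_service and e["State"] == "available"
               for e in endpoints):
        findings.append(f"{sg['VpcId']}: no available S3 gateway endpoint ({s3_service})")
    return findings


if __name__ == "__main__":
    result = check_scanner_network(SCANNER_SG, VPC_ENDPOINTS, REGION, S3_PREFIX_LIST_ID, S3_CIDRS)
    print(result or "scanner network posture matches the documented description")
```

Feed it the JSON of the security groups and endpoints tagged Owner : CG.AWP in the scanner's region after the first scan; any finding means the deployed posture differs from what this page describes and is worth raising with CloudGuard.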
Resources and Permissions for SaaS Mode
To enable AWP scanning on the snapshots of your EC2 instances, you have to let the stack install several resources and grant certain permissions to CloudGuard to access assets in your account. These permissions are additional to those granted to CloudGuard during account onboarding. Review the template against the details below before you create the stack.
CloudGuardAWPCrossAccountRole - the cross-account role that CloudGuard assumes to obtain the required information on your instances and to control the proxy Lambda.

| Actions | Resource | Use |
|---|---|---|
| | `*` | Allows AWP to get information about the client's snapshots and volumes |
| | CloudGuard proxy utility Lambda ARN | Allows the AWP engine to remotely invoke the proxy utility Lambda that prepares the snapshots for scanning |
| | AWP CloudFormation template ARN | Allows the AWP engine to get the template outputs |
The following policy is also attached to CloudGuardAWPCrossAccountRole. It allows AWP to create replicas of its multi-Region key in other regions that contain client instances. This policy is installed only in SaaS mode.

| Actions | Resource | Use |
|---|---|---|
| | CloudGuardAWPKey | Allows CloudGuard to replicate the installed key to other regions |
| | `*` | Allows CloudGuard to replicate the installed key to other regions |
CloudGuardAWPSnapshotsUtilsFunction - a proxy Lambda function controlled by the AWP engine that performs snapshot operations (create, copy/re-encrypt, delete) during scan preparation and cleanup, launches AWP scanner instances, and cleans up all running scanners when the AWP stack is deleted.
The following policy is attached to the Lambda's execution role and allows the snapshot operations needed to create snapshots from the client's instance volumes.

| Actions | Resource | Use |
|---|---|---|
| | `*` | Allows the proxy utility Lambda to create snapshots from your volumes and re-encrypt them if necessary |
| | `*` | Allows the proxy utility Lambda to describe enabled regions |
| | CloudGuard proxy utility Lambda ARN | Logging permissions for the proxy utility Lambda |
The following policy is attached to CloudGuardAWPSnapshotsUtilsFunction as well; in SaaS mode, it allows the snapshot re-encryption with the AWP key.

| Actions | Resource | Use |
|---|---|---|
| | `*` | Allows the proxy Lambda to attach AWP snapshots from the client side to the AWP scanner |
| | CloudGuardAWPKey | Allows the proxy Lambda to use the installed key for re-encryption |
| | `*` | Permissions to use the client's own key during the re-encryption process |
| | Only AWP-tagged resources | Allows the proxy Lambda to delete all AWP replica keys |
CloudGuardAWPKey - a multi-Region KMS key under which AWP re-encrypts the snapshots created from your encrypted volumes, so that the encrypted data can be scanned. This resource is installed only in SaaS mode. Its key policy grants:

| Actions | Principal | Use |
|---|---|---|
| | arn:aws:iam::${AWS::AccountId}:root | Enables IAM user permissions for the CloudGuard key in your account |
| | arn:aws:iam::${AWS::AccountId}:root | Allows administration of the CloudGuard key by your account |
| | arn:aws:iam::${CloudguardAccountId}:root | Allows CloudGuard to use the key for re-encryption |
| | arn:aws:iam::${CloudguardAccountId}:root | Allows CloudGuard to attach re-encrypted volumes to the CloudGuard scanners |
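The key-policy table above lists which principal each statement is for but not the actions, so the point to verify in the template is the split it implies: your account root keeps administration of the key, while the CloudGuard account gets only usage (for the re-encryption described under Scanning Encrypted Volumes in SaaS Mode) and grant creation (so EC2 can attach the re-encrypted volumes). The following is an added review helper, not CloudGuard's code. SAMPLE_KEY_POLICY is constructed: it mirrors the four documented statements, but its action lists are the usual AWS shapes for those statement types and are an assumption, not the text of the AWP template; the account IDs are placeholders.

```python
"""Review a KMS key policy from a vendor CloudFormation template before deploying it.

Added example for this page, not CloudGuard's code. SAMPLE_KEY_POLICY is
constructed; its action lists and account IDs are assumptions.
"""
import copy
import fnmatch
from typing import Dict, List, Set, Tuple

LOCAL_ACCOUNT = "111111111111"   # assumption: the onboarded account (${AWS::AccountId})
VENDOR_ACCOUNT = "222222222222"  # assumption: the CloudGuard account (${CloudguardAccountId})

SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",   # table row 1
         "Principal": {"AWS": f"arn:aws:iam::{LOCAL_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowKeyAdministration", "Effect": "Allow",     # table row 2
         "Principal": {"AWS": f"arn:aws:iam::{LOCAL_ACCOUNT}:root"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "AllowVendorUse", "Effect": "Allow",             # table row 3
         "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "AllowVendorGrants", "Effect": "Allow",          # table row 4
         "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

# "admin" changes or destroys the key itself; "use" encrypts/decrypts under it;
# "grant" lets an AWS service (here EC2) use the key on the caller's behalf.
ACTION_CLASSES = {
    "admin": ("kms:Put*", "kms:Delete*", "kms:Disable*", "kms:Enable*", "kms:Update*",
              "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:ReplicateKey",
              "kms:TagResource", "kms:UntagResource", "kms:CreateAlias", "kms:ImportKeyMaterial"),
    "use": ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"),
    "grant": ("kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def classify(action: str) -> Set[str]:
    """Classes an action string falls into. Matching runs both ways so a wildcard on
    either side ("kms:*" in the policy, "kms:ReEncrypt*" in a class) is handled."""
    return {cls for cls, patterns in ACTION_CLASSES.items()
            if any(fnmatch.fnmatchcase(action, p) or fnmatch.fnmatchcase(p, action) for p in patterns)}


def principal_accounts(principal) -> Set[str]:
    """Account IDs behind a Principal element; "*" marks an anonymous principal."""
    if principal == "*":
        return {"*"}
    # arn:aws:iam::123456789012:root -> the account ID is the fifth colon-separated field
    return {"*" if arn == "*" else arn.split(":")[4] for arn in _as_list(principal.get("AWS", []))}


def review_key_policy(policy: dict, local_account: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return (capability classes per account, findings). Findings are raised only for
    accounts other than local_account: administration, grants without the
    kms:GrantIsForAWSResource condition, and anonymous access."""
    caps: Dict[str, Set[str]] = {}
    findings: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        classes = set().union(*(classify(a) for a in _as_list(stmt["Action"])))
        grant_cond = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        sid = stmt.get("Sid", "<no Sid>")
        for account in principal_accounts(stmt["Principal"]):
            caps.setdefault(account, set()).update(classes)
            if account == local_account:
                continue
            if account == "*":
                findings.append(f"{sid}: anonymous principal")
            if "admin" in classes:
                findings.append(f"{sid}: external account {account} gets key-administration actions")
            if "grant" in classes and str(grant_cond).lower() != "true":
                findings.append(f"{sid}: external account {account} may create grants without kms:GrantIsForAWSResource")
    return caps, findings


def variant(policy: dict, sid: str, **changes) -> dict:
    """Deep copy of policy with statement `sid` altered; a value of None removes that key."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        if stmt.get("Sid") == sid:
            for key, value in changes.items():
                if value is None:
                    stmt.pop(key, None)
                else:
                    stmt[key] = value
    return out


if __name__ == "__main__":
    caps, findings = review_key_policy(SAMPLE_KEY_POLICY, LOCAL_ACCOUNT)
    print("vendor capabilities:", sorted(caps[VENDOR_ACCOUNT]), "| findings:", findings)
    _, findings = review_key_policy(variant(SAMPLE_KEY_POLICY, "AllowVendorUse", Action="kms:*"), LOCAL_ACCOUNT)
    print("over-privileged variant findings:", findings)
```

Run it against the KeyPolicy of the AWS::KMS::Key resource in the template you are about to create: the expected result for the documented design is that the CloudGuard account ends up with exactly the "use" and "grant" classes and no findings, while your own account root retains "admin".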
A log group for the proxy Lambda's logs.
A key alias for the CloudGuard multi-Region key, which lets CloudGuard address all of its regional replicas by the same name. This resource is installed only in SaaS mode.
Resources and Permissions for In-Account Mode
To enable AWP scanning on the snapshots of your EC2 instances, you have to let the stack install several resources and grant certain permissions to CloudGuard to access assets in your account. These permissions are additional to those granted to CloudGuard during account onboarding. Review the template against the details below before you create the stack.
CloudGuardAWPCrossAccountRole - the cross-account role that CloudGuard assumes to obtain the required information on your instances and to control the proxy Lambda.

| Actions | Resource | Use |
|---|---|---|
| | `*` | Allows AWP to get information about the client's snapshots and volumes |
| | CloudGuard proxy utility Lambda ARN | Allows the AWP engine to remotely invoke the proxy utility Lambda that prepares the snapshots for scanning |
| | AWP CloudFormation template ARN | Allows the AWP engine to get the template outputs |
The following policy is also attached to CloudGuardAWPCrossAccountRole. It allows the AWP engine to create its own security groups to attach to the AWP scanner that runs in your account. This policy is installed only in In-Account mode.

| Actions | Resource | Use |
|---|---|---|
| | `*` | Allows AWP to create and configure security groups for the AWP scanners to use |
| | AWP-created security groups | Allows AWP to delete AWP-tagged security groups |
CloudGuardAWPSnapshotsUtilsFunction - a proxy Lambda function controlled by the AWP engine that performs snapshot operations (create, copy/re-encrypt, delete) during scan preparation and cleanup, launches AWP scanner instances, and cleans up all running scanners when the AWP stack is deleted.
The following policy is attached to the Lambda's execution role and allows the snapshot operations needed to create snapshots from the client's instance volumes.

| Actions | Resource | Use |
|---|---|---|
| | `*` | Allows the proxy utility Lambda to create snapshots from your volumes and re-encrypt them if necessary |
| | `*` | Allows the proxy utility Lambda to describe enabled regions |
| | CloudGuard proxy utility Lambda ARN | Logging permissions for the proxy utility Lambda |
The following policy is attached to CloudGuardAWPSnapshotsUtilsFunction as well. In In-Account mode, it allows the proxy Lambda to launch AWP scanner instances in your account.

| Actions | Resource | Use |
|---|---|---|
| | `*` | Allows the proxy Lambda to run new instances in the client's account |
| | Only AWP-tagged instances | Allows the proxy Lambda to terminate and delete AWP scanners |
| | arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot | Allows the proxy Lambda to run Spot Instances in the client's account |
| | `*` | Allows the proxy Lambda to use the client's keys to scan encrypted volumes |
| | `*` | Allows the proxy Lambda to create and describe all configuration needed for the scanner's custom VPC |
| | Only AWP-tagged resources | Allows the proxy Lambda to detach and delete all configuration related to the AWP scanners |
A log group for the proxy Lambda's logs.
Actions
If you need to deliberately skip scanning an instance, set a tag on the instance in the AWS console. Because the opt-out is only a tag, any principal allowed to tag the instance can exclude it from scanning, so review such exclusions as you would any other control exception.
To tag an EC2 instance so that the AWP scanner ignores it:
- In the AWS console, navigate to EC2 > Instances and select your instance.
- On the Tags tab, click Manage tags.
- In the Manage tags window, click Add tag and add a new tag with the key CG_AWP_SKIP_SCAN.
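An instance tagged CG_AWP_SKIP_SCAN drops out of AWP's coverage, so an inventory of the exclusions and of who created them is worth keeping. The following added example (not CloudGuard's code) lists the excluded instances from `describe-instances` output and extracts the CreateTags/DeleteTags events that added or removed the tag from CloudTrail records. The records are constructed in the shape of that output and of EC2 CloudTrail events; the instance IDs, principal ARNs and timestamps are assumptions. The page specifies only the tag key, so the example treats any value as opting out.

```python
"""Audit use of the CG_AWP_SKIP_SCAN opt-out tag.

Added example for this page, not CloudGuard's code. The records below are
constructed; instance IDs, ARNs and times are assumptions.
"""
from typing import Dict, List

SKIP_TAG = "CG_AWP_SKIP_SCAN"

# Shape of `aws ec2 describe-instances` output (constructed).
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "env", "Value": "prod"}]},
    {"InstanceId": "i-0aaa000000000002", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "build-agent"}, {"Key": SKIP_TAG, "Value": ""}]},
    {"InstanceId": "i-0aaa000000000003", "State": {"Name": "stopped"},
     "Tags": [{"Key": "Name", "Value": "db-1"}, {"Key": "env", "Value": "prod"},
              {"Key": SKIP_TAG, "Value": "true"}]},
]}]}

# Shape of EC2 CreateTags/DeleteTags CloudTrail events (constructed).
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2024-05-01T09:12:33Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateTags",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"},
     "requestParameters": {"resourcesSet": {"items": [{"resourceId": "i-0aaa000000000003"}]},
                           "tagSet": {"items": [{"key": SKIP_TAG, "value": "true"}]}}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateTags",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"},
     "requestParameters": {"resourcesSet": {"items": [{"resourceId": "i-0aaa000000000001"}]},
                           "tagSet": {"items": [{"key": "env", "value": "prod"}]}}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DeleteTags",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"resourcesSet": {"items": [{"resourceId": "i-0aaa000000000002"}]},
                           "tagSet": {"items": [{"key": SKIP_TAG}]}}},
]


def tags_of(instance: dict) -> Dict[str, str]:
    return {t["Key"]: t.get("Value", "") for t in instance.get("Tags", [])}


def skipped_instances(describe_output: dict) -> List[dict]:
    """Instances AWP will skip. The presence of the KEY opts out, whatever the value."""
    skipped = []
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            tags = tags_of(inst)
            if SKIP_TAG in tags:
                skipped.append({"InstanceId": inst["InstanceId"], "Name": tags.get("Name", ""),
                                "env": tags.get("env", ""), "State": inst["State"]["Name"]})
    return skipped


def skip_tag_changes(events: List[dict]) -> List[dict]:
    """CloudTrail CreateTags/DeleteTags events touching the opt-out tag: who, what, when."""
    changes = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") not in ("CreateTags", "DeleteTags"):
            continue
        params = ev.get("requestParameters", {})
        keys = {t.get("key") for t in params.get("tagSet", {}).get("items", [])}
        if SKIP_TAG not in keys:
            continue
        for res in params.get("resourcesSet", {}).get("items", []):
            changes.append({"time": ev["eventTime"], "actor": ev["userIdentity"]["arn"],
                            "resource": res["resourceId"],
                            "action": "opted out" if ev["eventName"] == "CreateTags" else "opted back in"})
    return changes


if __name__ == "__main__":
    for item in skipped_instances(DESCRIBE_INSTANCES):
        print("excluded:", item)
    for change in skip_tag_changes(CLOUDTRAIL_EVENTS):
        print("change:  ", change)
```

Pair the two lists: an excluded instance in a production environment with no matching, approved CreateTags event is the case to investigate.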
When you disable AWP for your environment, you must delete the CloudFormation stack that was created in your account. This removes the resources that the CloudFormation template created.
To disable AWP:
- Sign in to your AWS account.
- Delete the AWP CloudFormation stack.
- Use an API call to remove AWP from your environment. For more information, see Delete Agentless Account.
You cannot switch the AWP mode directly from SaaS to In-Account or the reverse. To change the mode, you must offboard AWP and then onboard it again with the other mode.
To change the AWP mode:
- Remove AWP from your AWS account.
- Onboard AWP on the account with the other mode.