AWP for AWS Environments

When you enable AWP, it creates a cross-account stack on your AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. account. The cross-account stack deploys in your account these primary resources:

The data that the AWP scanner sends to CloudGuard are only CVEs and paths of the secrets.

All resources that AWP creates in your account have the Owner : CG.AWP tag.

Onboarding AWS Environments

To enable AWP on your AWS environment:

  1. In the CloudGuard portal, navigate to Assets > Environments.

  2. Click Enable AWP for your AWS environment.

  3. Follow the instructions on the wizard page that opens.

    1. Select the scan mode: SaaS or In-Account. For more details, see AWS SaaS Mode.

    2. Click Create a Cross-Account Stack. The prompt suggests you sign in to your AWS account, and then it redirects you to the CloudFormation page. You can see a CFT stack that grants CloudGuard a cross-account role and installs special resources in your AWS account. For more details about the permissions, see Resources and Permissions for SaaS Mode or Resources and Permissions for In-Account Mode.

    3. In AWS, select the option I acknowledge that AWSCloudFormation might create IAM resources with custom names.

    4. Click Create stack. CloudFormation starts to create the stack. After you create the stack, additional permissions are granted to CloudGuard.

    Important - Make sure you do not change the mode (SaaS/In-Account) during the onboarding. For successful onboarding, you must use the same mode that you selected before the stack creation.

  4. In the CloudGuard wizard, click Next. CloudGuard completes the process to enable AWP scanning.

AWS SaaS Mode

In the SaaS mode, AWP creates the snapshots of your EC2Closed Amazon EC2 - A web service for launching and managing Linux/UNIX and Windows Server instances in Amazon data centers. volumes and scans the snapshots on a virtual machine located on the CloudGuard's own AWS account. With this mode, you do not pay for the scans, and CloudGuard fully manages all the required resources.

Scanning Encrypted Volumes in SaaS Mode

For security reasons, AWP does not have access to encrypted volumes in your EC2 instance and cannot scan them. It happens because CloudGuard does not require access to the encryption keys and never obtains them from you as this would compromise your data.

To scan the encrypted volumes securely, CloudGuard re-encrypts the volume data with its own multi-Region key. It installs the key as part of the AWP cross-account stack. Likewise, it installs a proxy utility Lambda function as part of the cross-account stack. With its cross-account role, this Lambda function manages all procedures of the snapshots' creation and re-encryption on remote requests (invocations) from the AWP backend.

This limits access to your account keys only to the proxy Lambda, where you have full visibility and control.

AWS In-Account Mode

With the In-Account mode, AWP scans data locally, so everything stays in your AWS account. The only data sent to CloudGuard are the AWP scanner findings. With this mode, you can keep all your data private, however, the volumes scanning entails additional costs.

Scanning Workflow

To prepare your instance for AWP scanning:

  1. With the Cross-account role, AWP gathers information about your instance volumes.

  2. With the Cross-account role, AWP remotely invokes the proxy utility Lambda with a request to create snapshots from the instance volumes.

    In the case of encrypted snapshots, AWP sends one more request to Lambda to re-encrypt the snapshots with the CloudGuard multi-Region key.

    Note - The key resources are regional. Sometimes the instance is in a region where the multi-Region key does not have a replica yet. In such a case, AWP creates a replica of the key in the relevant region, with its Cross-account role.

  3. When all instance volumes have their equivalent snapshots created

    • For SaaS mode - a scanner machine launches at the AWP engine with the snapshots attached to it and performs the scanning.

    • For In-Account mode - AWP launches an EC2 instance on the customer account and performs the scanning. This instance runs in the same region as the original EC2, in a custom VPC that AWP creates for this task.

      • The scanner outbound traffic is restricted by a security group rule that limits access exclusively to S3 IP addresses.

      • No inbound rules are configured.

      To ensure that network traffic remains within the AWS backbone, the VPC utilizes an S3 endpoint.

      Note - Make sure that your account does not reach the VPC quota (by default, 5 VPCs for each region) before you enable AWP.

    The AWP scanner has access to the snapshots' data because they are encrypted with AWP's own multi-Region key.

  4. When the scan is complete, AWP sends a request to Lambda to delete the snapshots created for the scan.

Resources and Permissions for SaaS Mode

To enable AWP scanning on the snapshots of your EC2 instances, you have to let the stack install several resources and grant certain permissions to CloudGuard to access assets in your accounts. These permissions are additional to those granted to CloudGuard in the account onboarding process. See below for the details of these resources and required permissions.

The cross-account role for CloudGuard to obtain the required information on your instances and control the proxy Lambda.

Role Policy

Actions

Resource

Use

ec2:DescribeInstances

ec2:DescribeSnapshots

ec2:DescribeRegions

ec2:DescribeVolumes

*

 Allows AWP to get information about client's snapshots and volumes

lambda:InvokeFunction

lambda:GetFunction

lambda:GetLayerVersion

lambda:TagResource

lambda:ListTags

lambda:UntagResource

lambda:UpdateFunctionCode

lambda:UpdateFunctionConfiguration

CloudGuard proxy utility Lambda ARNClosed Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

Allows the AWP engine access to remotely invoke the proxy utility Lambda that prepares the snapshots for scanning

cloudformation:DescribeStacks

AWP CloudFormation template ARN

Allows to the AWP engine to get the template output

This policy is attached to CloudGuardAWPCrossAccountRole as well. It allows AWP to create replicas of its multi-Region key in other regions that have client instances.

This policy is installed only in SaaS mode.

Actions

Resource

Use

kms:DescribeKey

kms:ReplicateKey

kms:PutKeyPolicy

kms:CancelKeyDeletion

kms:TagResource

kms:ScheduleKeyDeletion

CloudGuardAWPKey

Allows CloudGuard to replicate the installed key to other regions

kms:CreateKey

*

Allows CloudGuard to replicate the installed key to other regions

A proxy Lambda function controlled by the AWP engine to perform snapshot operations such as create, copy (re-encrypt), and delete during the scan preparation and cleanup, as well as to launch AWP scanner instances and clean up all running scanners on deletion of the AWP stack.

This role is attached to CloudGuardAWPSnapshotsUtilsFunction that allows snapshot operations to create snapshots from the client's instance volumes.

Role Policy

Actions

Resource

Use

ec2:CreateTags

ec2:CopySnapshot

ec2:CreateSnapshot

ec2:CreateSnapshots

ec2:DescribeSnapshots

ec2:DeleteSnapshot

*

 Allows the proxy utility Lambda to create snapshots from your volumes and re-encrypt them if necessary

ec2:DescribeRegions

*

Allows the proxy utility Lambda to describe enabled regions

logs:CreateLogStream

logs:PutLogEvents

CloudGuard proxy utility Lambda ARN

 Logging permissions for the proxy utility Lambda

This policy is attached to CloudGuardAWPSnapshotsUtilsFunction as well, and, in the SaaS mode, it allows the snapshot re-encryption with the AWP key.

Actions

Resource

Use

ec2:ModifySnapshotAttribute

* Allows the proxy Lambda to attach AWP snapshots from the client side to the AWP scanner

kms:Encrypt

kms:ReEncrypt*

CloudGuardAWPKey

Allows the proxy Lambda to use the installed key for re-encryption

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey*

kms:CreateGrant

*

Permissions to use the clients' own key during the re-encryption process

kms:ScheduleKeyDeletion

Only AWP tagged resources

Allow the proxy Lambda to delete all AWP replica keys

A multi-Region key that re-encrypts AWP’s snapshots created from your encrypted volumes to allow scanning of the encrypted data.

This resource is installed only in SaaS mode.

Key Policy

Actions

Principal

Use

kms:*

arn:aws:iam::${AWS::AccountId}:root

Enables the IAM user permissions for the CloudGuard key

kms:ReplicateKey

kms:Create*

kms:Describe*

kms:Enable*

kms:List*

kms:Put*

kms:Update*

kms:Revoke*

kms:Disable*

kms:Get*

kms:Delete*

kms:ScheduleKeyDeletion

kms:CancelKeyDeletion

arn:aws:iam::${AWS::AccountId}:root

Allows the CloudGuard key administration for the user

kms:DescribeKey

kms:Encrypt

kms:Decrypt

kms:ReEncrypt*

kms:GenerateDataKey*

kms:PutKeyPolicy

kms:ScheduleKeyDeletion

kms:CancelKeyDeletion

arn:aws:iam::${CloudguardAccountId}:root

Allows CloudGuard to use the key for re-encryption

kms:CreateGrant

kms:ListGrants

kms:RevokeGrant

arn:aws:iam::${CloudguardAccountId}:root

Allows CloudGuard to attach re-encrypted volumes to the CloudGuard scanners

Log group resource for the proxy Lambda logging.

A key alias for the CloudGuard multi-Region key that allows CloudGuard to address all its regional replicas with the same name.

This resource is installed only in SaaS mode.

Resources and Permissions for In-Account Mode

To enable AWP scanning on the snapshots of your EC2 instances, you have to let the stack install several resources and grant certain permissions to CloudGuard to access assets in your accounts. These permissions are additional to those granted to CloudGuard in the account onboarding process. See below for the details of these resources and required permissions.

The cross-account role for CloudGuard to obtain the required information on your instances and control the proxy Lambda.

Role Policy

Actions

Resource

Use

ec2:DescribeInstances

ec2:DescribeSnapshots

ec2:DescribeRegions

ec2:DescribeVolumes

*

 Allows AWP to get information about client's snapshots and volumes

lambda:InvokeFunction

lambda:GetFunction

lambda:GetLayerVersion

lambda:TagResource

lambda:ListTags

lambda:UntagResource

lambda:UpdateFunctionCode

lambda:UpdateFunctionConfiguration

CloudGuard proxy utility Lambda ARN

Allows the AWP engine access to remotely invoke the proxy utility Lambda that prepares the snapshots for scanning

cloudformation:DescribeStacks

AWP CloudFormation template ARN

Allows to the AWP engine to get the template output

This policy is attached to CloudGuardAWPCrossAccountRole as well. It allows AWP engine to create its own security groups to be attached to the AWP scanner that runs on the client side.

This policy is installed only in In-Account mode.

Actions

Principal

Use

ec2:CreateSecurityGroup

ec2:DescribeManagedPrefixLists

ec2:DescribeSecurityGroups

ec2:DescribeSecurityGroupRules

ec2:RevokeSecurityGroupEgress

ec2:AuthorizeSecurityGroupEgress

ec2:CreateTags

*

Allows AWP to create and configure security groups for the AWP scanners to use

ec2:DeleteSecurityGroup

AWP-created security groups

Allows AWP to delete AWP-tagged security groups

A proxy Lambda function controlled by the AWP engine to perform snapshot operations such as create, copy (re-encrypt), and delete during the scan preparation and cleanup, as well as to launch AWP scanner instances and clean up all running scanners on deletion of the AWP stack.

This role is attached to CloudGuardAWPSnapshotsUtilsFunction that allows snapshot operations to create snapshots from the client's instance volumes.

Role Policy

Actions

Resource

Use

ec2:CreateTags

ec2:CopySnapshot

ec2:CreateSnapshot

ec2:CreateSnapshots

ec2:DescribeSnapshots

ec2:DeleteSnapshot

*

 Allows the proxy utility Lambda to create snapshots from your volumes and re-encrypt them if necessary

ec2:DescribeRegions

*

Allows the proxy utility Lambda to describe enabled regions

logs:CreateLogStream

logs:PutLogEvents

CloudGuard proxy utility Lambda ARN

 Logging permissions for the proxy utility Lambda

This policy is attached to CloudGuardAWPSnapshotsUtilsFunction as well. With In-Account mode, it allows the proxy Lambda to launch AWP scanner instances on the client side.

Actions

Principal

Use

ec2:RunInstances

*

Allows the proxy Lambda to run new instances on the client's account

ec2:TerminateInstances

ec2:DeleteVolume

Only AWP tagged instances

Allows the proxy Lambda to terminate and delete AWP scanners

iam:CreateServiceLinkedRole

arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot

Allows the proxy Lambda to run Spot Instances on the client's account

kms:Decrypt

kms:DescribeKey

kms:GenerateDataKey*

kms:CreateGrant

*

Allows the proxy Lambda to access client keys to scan encrypted volumes

ec2:CreateVpc

ec2:CreateSubnet

ec2:CreateInternetGateway

ec2:DescribeInstances

ec2:DescribeVolumes

ec2:DescribeVpcs

ec2:DescribeSubnets

ec2:DescribeRouteTables

ec2:DescribeSecurityGroups

ec2:DescribeInternetGateways

ec2:DescribeSecurityGroupRules

ec2:ModifySubnetAttribute

*

Allows the proxy Lambda to create and describe all needed configuration for the scanner custom VPC

ec2:CreateRoute

ec2:AssociateRouteTable

ec2:AttachInternetGateway

ec2:DetachInternetGateway

ec2:DeleteVpc

ec2:DeleteSubnet

ec2:DeleteVolume

ec2:DeleteInternetGateway

ec2:RevokeSecurityGroupEgress

ec2:RevokeSecurityGroupIngress

ec2:AuthorizeSecurityGroupEgress

Only AWP tagged resources

Allows the proxy Lambda to detach and delete all AWP scanners related configuration

Log group resource for the proxy Lambda logging.

Actions

If you need to deliberately skip scanning an instance, set a tag for the instance on the AWS console.

To set a tag for the AWP scanner to ignore an EC2 instance:

  1. In the AWS console, navigate to EC2 > Instances and select your instance.

  2. On the Tags tab, click Manage tags.

  3. In the Manage tags window, click Add tag and add a new tag with the key CG_AWP_SKIP_SCAN.

When you disable AWP for your environment, you must delete the CloudFormation stack created on your account. This process removes the stack created with the CloudFormation Template.

To disable AWP:

  1. Sign in to your AWS account.

  2. Delete the AWP CloudFormation stack.

  3. Use an API call to remove AWP from your environment. For more information, see Delete Agentless Account.

You cannot instantly switch the AWP mode from SaaS to In-Account and in reverse. For this, you must offboard AWP and then onboard it again with another mode.

To change the AWP mode:

  1. Remove AWP from your AWS account.

  2. Onboard AWP on the account with another mode.

More Links