Amazon Web Services (AWS)

The AQtive Guard (AQG) Amazon Web Services (AWS) integration provides a comprehensive view of cryptographic assets and how they’re used in your AWS environment.

AQG connects to your AWS account in an agentless manner, using an IAM role that follows the least-privilege principle to scan and discover your cryptographic inventory.

Data ingestion overview

The AWS integration discovers and inventories a wide range of cryptographic assets, including:

  • Certificates from AWS Certificate Manager (ACM)
  • Keys from AWS Key Management Service (KMS)
  • Secrets from AWS Secrets Manager and AWS Systems Manager (SSM)
  • EC2 instances, Lambda functions, API Gateway endpoints, and other AWS resources that use these cryptographic assets

The AWS integration uses CloudTrail events to maintain the inventory of cryptographic assets, and to discover other AWS resources that use the cryptographic assets.

Info

We use EventBridge to forward CloudTrail events to AQtive Guard for processing. To prevent an infinite loop, we filter out any events whose source IP address field is apidestinations.events.amazonaws.com, as these are generated by EventBridge's own forwarding activity.
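A small model of the loop-prevention filter described above, added here as an example (it is not AQtive Guard's actual rule). It assumes the filter is expressed as an EventBridge event pattern using the documented anything-but content filter; the sample events are constructed.

```python
"""Model of the loop-prevention filter (added example, not AQG's rule). It
assumes the filter is an EventBridge event pattern using the documented
'anything-but' content filter. For service-initiated calls, CloudTrail's
sourceIPAddress field carries a service hostname rather than an IP address."""

# Assumed pattern: forward CloudTrail API-call events, except those that
# EventBridge's own forwarding generated (which would otherwise loop forever).
LOOP_SAFE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "sourceIPAddress": [{"anything-but": ["apidestinations.events.amazonaws.com"]}]
    },
}

def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every pattern key must exist in
    the event, nested dicts recurse, a list of scalars means 'equals any', and
    [{"anything-but": [...]}] means 'equals none'. Other filters not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected[0], dict):          # content filter
            if actual in expected[0]["anything-but"]:
                return False
        elif actual not in expected:
            return False
    return True

def forwarded_events(events, pattern=LOOP_SAFE_PATTERN):
    """eventName of each event the rule would send on to the API destination."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]

# Constructed sample events (shape follows CloudTrail-via-EventBridge, trimmed).
SAMPLE_EVENTS = [
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.kms",
     "detail": {"eventName": "CreateKey", "sourceIPAddress": "203.0.113.10"}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.secretsmanager",
     "detail": {"eventName": "GetSecretValue",
                "sourceIPAddress": "apidestinations.events.amazonaws.com"}},
    {"detail-type": "Scheduled Event", "source": "aws.events", "detail": {}},
]
```

Only the genuine CreateKey event is forwarded; the event produced by the forwarding itself is dropped by the anything-but filter, and the non-CloudTrail event never matches the detail-type.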

Tags

The AWS integration will automatically ingest any user-defined tags applied to your resources in AWS as tags in AQtive Guard. AWS-generated tags are not ingested. Refer to the AWS tags documentation for more information.

AWS services and API permissions

The AWS integration uses specific API calls to discover and ingest cryptographic asset data from your AWS account. This section details the AWS services AQG interacts with and the corresponding APIs it calls.

AWS Security Token Service (STS)

AQG uses the STS service to assume roles within your AWS account.

  • sts:GetCallerIdentity

For more information, refer to the AWS STS documentation.

AWS Key Management Service (KMS)

AQG discovers cryptographic keys and their properties from the AWS KMS service.

  • kms:ListKeys
  • kms:ListAliases
  • kms:DescribeKey
  • kms:GetKeyPolicy
  • kms:GetKeyRotationStatus

For more information, refer to the AWS KMS documentation.

AWS Certificate Manager (ACM)

For certificate discovery, AQG interacts with the ACM service.

  • acm:GetCertificate
  • acm:ListCertificates
  • acm:DescribeCertificate

For more information, refer to the AWS ACM documentation.

AWS Secrets Manager

AQG uses the following APIs to discover and inventory secrets stored in AWS Secrets Manager.

  • secretsmanager:ListSecrets
  • secretsmanager:DescribeSecret

For more information, refer to the AWS Secrets Manager documentation.

AWS Systems Manager (SSM)

AQG discovers and inventories SSM Parameters, which are treated as secrets.

  • ssm:DescribeParameters
  • ssm:ListTagsForResource

For more information, refer to the AWS SSM documentation.
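The action list above is small enough to audit mechanically. The following added example (not AQG's code; the action set is transcribed from this page and the policy document is constructed) checks an IAM policy document for actions the integration does not need and for documented actions it lacks.

```python
"""Offline check of an IAM policy against the actions this page documents.
Added example, not AQG code: the action set is transcribed from the page, the
policy below is constructed. Deny, NotAction and Condition are ignored."""
import fnmatch

# Every documented action is a list/describe call; none returns private key
# material or secret values, so the role never needs kms:Decrypt,
# secretsmanager:GetSecretValue or ssm:GetParameter(s).
AQG_DOCUMENTED_ACTIONS = {
    "sts:GetCallerIdentity",
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey",
    "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
    "acm:GetCertificate", "acm:ListCertificates", "acm:DescribeCertificate",
    "secretsmanager:ListSecrets", "secretsmanager:DescribeSecret",
    "ssm:DescribeParameters", "ssm:ListTagsForResource",
}

def allowed_actions(policy):
    """Actions named in Allow statements; Statement and Action may be scalars."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            action = stmt.get("Action", [])
            granted.update([action] if isinstance(action, str) else action)
    return granted

def missing_grants(policy, documented=AQG_DOCUMENTED_ACTIONS):
    """Documented actions no Allow entry covers (the scan would fail on them).
    IAM matches actions case-insensitively with '*' and '?' wildcards."""
    granted = [g.lower() for g in allowed_actions(policy)]
    return sorted(a for a in documented
                  if not any(fnmatch.fnmatchcase(a.lower(), g) for g in granted))

def excess_grants(policy, documented=AQG_DOCUMENTED_ACTIONS):
    """Allow entries beyond the documented set. Wildcards are always flagged:
    offline, 'ssm:Get*' cannot be shown to match only documented actions."""
    documented_lc = {a.lower() for a in documented}
    return sorted(g for g in allowed_actions(policy)
                  if "*" in g or "?" in g or g.lower() not in documented_lc)

# Constructed sample: one documented action dropped, two grants too broad.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": sorted(AQG_DOCUMENTED_ACTIONS - {"acm:GetCertificate"})},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["kms:Decrypt", "ssm:GetParameter*"]},
]}
```

For the sample, missing_grants reports acm:GetCertificate and excess_grants reports kms:Decrypt and ssm:GetParameter*, the two entries that would let the role read secret material it has no need for.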

Before you begin

To set up the AWS integration, you’ll need the CloudFormation Template from AQG.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel, then Download CloudFormation template. You’ll need it to complete the integration.

Choose your deployment method

Depending on your organization’s needs, choose one of the following three methods to run the template in your AWS account.

  • Single region setup - Use this method if you only need to monitor a single AWS region.
  • Manual multi-region setup - Use this method if you want to monitor multiple regions without setting up additional IAM roles for orchestration.
  • AWS StackSets - Use this method if you want to monitor multiple regions using CloudFormation’s StackSets to deploy stacks into multiple regions simultaneously.

Refer to the linked sections for details.

Single region setup

Use this method if you only need to monitor a single AWS region.

  1. Log in to the AWS console.
  2. From the AWS dashboard, search for and then select CloudFormation.
  3. Select Stacks in the left navigation pane, then select Create stack:

    • If this is your first stack, select the orange Create stack button.
    • If you have existing stacks, select the Create stack button in the top-right corner and select With new resources (standard) from the dropdown.
  4. In the Prerequisite - Prepare template section, verify Choose an existing template is selected.

  5. In the Specify template section, select Upload a template file.
  6. Select Choose file, upload the template you downloaded from AQG, and select Next.
  7. On the Specify stack details page:

    • Enter a Stack name.
    • Enter your AQGAPIKeyParameter. If you don’t have a key, you can browse to the URL listed directly under this field in the AWS console to generate the required API token in AQtive Guard. The token should have at least Uploader permissions. Refer to Create an API token for instructions.

      Then select Next. Refer to the AWS stacks documentation for more information.

  8. At the bottom of the next page, check the box I acknowledge that AWS CloudFormation might create IAM resources with customized names and select Next.

  9. Select Submit.
  10. Once the stack is created, navigate to the stack’s Outputs tab and copy the Amazon Resource Name (ARN) of the created IAM role named AQtiveGuardReadOnlyAccessRole.

Manual multi-region setup

Use this method if you want to monitor multiple regions without setting up additional IAM roles for orchestration.

  1. Complete the steps for the Single region setup in your first region (for example, us-east-1).
  2. Once the first stack is finished, switch your AWS console to a different region (for example, us-west-2).
  3. Repeat the process for creating stacks using the same template.
  4. Continue this process for every region you wish to monitor.

Note

You only need to copy the Amazon Resource Name (ARN) from your primary region stack to finish the setup in AQG.

AWS StackSets

This approach involves using CloudFormation’s StackSets to deploy stacks into multiple regions simultaneously.

Configure IAM Roles for StackSets

Before uploading the template, you’ll need to first configure two specific IAM roles:

Admin role

The Admin role allows the CloudFormation service to manage your StackSets.

  1. Log in to the IAM Console.
  2. Select Roles, then Create role.
  3. For Trusted entity type, select Custom trust policy and paste the following:
    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "cloudformation.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
  4. Select Next.
  5. Select the AWS managed policy AWSCloudFormationFullAccess, then select Next.
  6. Add a Role name and any required Tags, then select Create role.
  7. Locate your newly created role in the IAM Roles list and select its name to view the details.
  8. In the Permission policies section, select the Add permissions dropdown and select Create inline policy.
  9. Select the JSON tab and paste the following:
    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudformation:*StackSet*",
                    "iam:PassRole",
                    "sts:AssumeRole"
                ],
                "Resource": "*"
            }
        ]
    }
    
  10. Name the policy (for example, StackSetAdminInlinePolicy), then select Create policy.

Execution role

CloudFormation assumes the Execution role in each target region to create the stacks there.

  1. In the IAM Console, select Roles, then Create role.
  2. For Trusted entity type, select Custom trust policy and paste the following, replacing <ADMIN ROLE ARN> with the ARN of the Admin role you created in the previous section:
    JSON
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<ADMIN ROLE ARN>"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
  3. Select Next.
  4. Select the AWS managed policy AdministratorAccess.
  5. Name the role AWSCloudFormationStackSetExecutionRole and select Create role.

StackSet deployment process and configuration

  1. Log in to the AWS console and navigate to CloudFormation.
  2. Select StackSets, then Create stack set.
  3. Select the desired Admin and Execution roles.
  4. Upload the cloudformation-template.json file that you downloaded previously.

  5. On the Specify stack details page:

    • Enter a Stack name.
    • Enter your AQGAPIKeyParameter. If you don’t have a key, you can browse to the URL listed directly under this field in the AWS console to generate the required API token in AQtive Guard. The token should have at least Uploader permissions. Refer to Create an API token for instructions.
    • Select your central hub region from the PrimaryRegion dropdown.

      Then select Next. Refer to the AWS stacks documentation for more information.

  6. Under Execution configuration, select whichever option better suits your environment.

  7. Check the box I acknowledge that AWS CloudFormation might create IAM resources with customized names and select Next.
  8. In the Add stacks to stack set section, verify that Deploy new stacks is selected.
  9. In the Accounts area, verify that Deploy stacks in accounts is selected and add the Account number.

    You can find your 12-digit account number by selecting your account name in the top-right corner of the AWS Console, or by looking at your role’s ARN. In the ARN, it’s the numeric segment (for example, arn:aws:iam::123456789012:role/...).

  10. In the Specify regions area, select all regions you wish to monitor. You must pick at least the same region you selected earlier as the PrimaryRegion.

  11. Configure any Deployment options you want to be active. We recommend setting your Failure tolerance to 0. This will catch any errors immediately.
  12. Select Submit.

Finish setup in AQG

Complete the following steps in AQG to finish the setup.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel.
  3. Enter the Amazon Resource Name (ARN) for the role you created in the AWS console (if using StackSets, use the ARN from your primary Region stack).
  4. Select Submit.

    You’ll see a notification confirming that the configuration has succeeded.

Tip

You can start the ingestion right away by selecting Start now.

Use

Once the integration is configured, you can trigger an AWS data ingestion.

Start an ingestion

To start an ingestion:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.
  3. Select Start now.

    You’ll see a notification confirming that the ingestion has started.

During an ingestion, AQtive Guard automatically:

  • Crawls AWS regions to discover cryptographic assets.
  • Ingests data on certificates from AWS Certificate Manager (ACM), keys from AWS Key Management Service (KMS), and secrets from both AWS Secrets Manager and SSM Parameter Store.
  • Populates the Inventory with the identified objects, listed with a source of AWS.
  • Monitors CloudTrail for updates to maintain the inventory.

Edit a connected AWS account

To edit a connected AWS account:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.
  3. Select Edit to make any changes you need, then Submit.

Unlink the AWS integration only if your organization needs to reconfigure or stop data sharing with AWS.

To unlink the AWS configuration:

  1. Select Data sources from the main menu, then select Details in the AWS panel.
  2. Select Edit, then Unlink.
  3. Select Confirm and unlink Amazon Web Services.

Troubleshooting

If your events aren’t reaching their destination, follow the troubleshooting steps in the section below that corresponds to your deployment method.

AQtive Guard CloudFormation template

If you used the AQtive Guard CloudFormation template, the following specific naming conventions and configurations are required for the integration to succeed.

Verify EventBridge rule

To verify that the EventBridge rule is set up correctly:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate the rule named AQtiveGuardFilteredEventsRule.
  4. Ensure that the Status column shows Enabled (with CloudTrail read-only Management events).

Verify rule target

To verify that the rule target is set up correctly in AWS:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate the rule named AQtiveGuardFilteredEventsRule and select it.
  4. On the Rule details page, select the Targets tab.
  5. Look for the API destination named AQGAWSDestinationApiRoute and select it.
  6. Under the API destination details, ensure that the status is Active.

Check connection authorization

To verify that your connection is authorized:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Connections in the menu on the left.
  3. Locate the connection named AQGAWSConnectionKey and select it.
  4. Under the Connection details, ensure that the status is Authorized.

If the status is Deauthorized, you’ll need to re-authenticate the connection.

Note

Connections can become deauthorized for several reasons, such as credential expiration or manual revocation. For a full list of scenarios, refer to the AWS documentation.

If your rule is enabled, your destination is active, and your connection is authorized but events are still not flowing, please contact us through our support portal.

AWS StackSets troubleshooting

Because StackSet outcomes vary based on your specific deployment preferences (such as failure tolerance and region order), progress should be monitored directly through the AWS Console. You can track the real-time status of each region and account under the Operations and Stack instances tabs.

  • Primary region check: Ensure the region you designated as PrimaryRegion in the parameters was actually selected in the Regions deployment step. If the primary region stack fails, regional forwarders will have no destination.
  • Stack instances: Check the Stack instances tab in your StackSet. If an individual region shows OUTDATED or FAILED, drill down into that specific stack’s events to see the error.
  • Permissions check: Verify that your Administration role has an inline policy allowing it to sts:AssumeRole the Execution role.

Custom setup

If you manually configured your EventBridge resources, verify the status and configuration of your custom components.

Verify rule state

To verify that your custom rule is set up correctly:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate your custom rule.
  4. Ensure that your rule is Enabled. A disabled rule will not process any incoming event patterns.

Verify rule target

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Rules in the menu on the left.
  3. Under Event pattern rules, locate your custom rule and select it.
  4. On the Rule details page, select the Targets tab.
  5. Look for your custom API destination and select it.
  6. Under the API destination details, ensure that the status is Active.

Check connection authorization

To verify that your connection is authorized:

  1. Log in to your AWS console.
  2. Navigate to Amazon EventBridge, then select Connections in the menu on the left.
  3. Locate your manually created connection attached to your custom rule and select it.
  4. Under the Connection details, ensure that the status is Authorized.

If the status is Deauthorized, you’ll need to re-authenticate the connection.

Note

Connections can become deauthorized for several reasons, such as credential expiration or manual revocation. For a full list of scenarios, refer to the AWS documentation.

Re-authenticate the connection

If your connection status is Deauthorized, follow these steps to restore the integration.

  1. From the Connection Details, select Edit to edit the connection.
  2. In the Configure authorization section, select API key.
  3. In the API key name field, enter X-API-Key.
  4. In the Value field, enter your AQG API token. For details on retrieving or generating an AQG token, refer to Create an API token.
  5. Select Update and confirm that the Connection details page now shows a status of Authorized.

If your rule is enabled, your destination is active, and your connection is authorized but events are still not flowing, please contact us through our support portal.