Skip to content

Amazon Web Services (AWS)

The AQtive Guard (AQG) Amazon Web Services (AWS) integration provides a comprehensive view of cryptographic assets and how they’re used in your AWS environment.

AQG connects to your AWS account in an agentless manner, using an IAM role that follows the least-privilege principle to scan and discover your cryptographic inventory.

Data ingestion overview

The AWS integration discovers and inventories a wide range of cryptographic assets, including:

  • Certificates from AWS Certificate Manager (ACM)
  • Keys from AWS Key Management Service (KMS)
  • Secrets from AWS Secrets Manager and AWS Systems Manager (SSM)
  • EC2 instances, Lambda functions, API Gateway endpoints, and other AWS resources that use these cryptographic assets

The AWS integration uses CloudTrail events to maintain the inventory of cryptographic assets, and to discover other AWS resources that use the cryptographic assets.

Info

We use EventBridge to forward CloudTrail events to AQtive Guard for processing. To prevent an infinite loop, we filter out any events where the source IP is apidestinations.events.amazonaws.com, as these are events generated by EventBridge forwarding activity.

Tags

The AWS integration will automatically ingest any user-defined tags applied to your resources in AWS as tags in AQtive Guard. AWS-generated tags are not ingested. Refer to the AWS tags documentation for more information.

AWS services and API permissions

The AWS integration uses specific API calls to discover and ingest cryptographic asset data from your AWS account. This section details the AWS services AQG interacts with and the corresponding APIs it calls.

AWS Security Token Service (STS)

AQG uses the STS service to assume roles within your AWS account.

  • sts:GetCallerIdentity

For more information, refer to the AWS STS documentation.

AWS Key Management Service (KMS)

AQG discovers cryptographic keys and their properties from the AWS KMS service.

  • kms:ListKeys
  • kms:ListAliases
  • kms:DescribeKey
  • kms:GetKeyPolicy
  • kms:GetKeyRotationStatus

For more information, refer to the AWS KMS documentation.

AWS Certificate Manager (ACM)

For certificate discovery, AQG interacts with the ACM service.

  • acm:GetCertificate
  • acm:ListCertificates
  • acm:DescribeCertificate

For more information, refer to the AWS ACM documentation.

AWS Secrets Manager

AQG uses the following APIs to discover and inventory secrets stored in AWS Secrets Manager.

  • secretsmanager:ListSecrets
  • secretsmanager:DescribeSecret

For more information, refer to the AWS Secrets Manager documentation.

AWS Systems Manager (SSM)

AQG discovers and inventories SSM Parameters, which are treated as secrets.

  • ssm:DescribeParameters
  • ssm:ListTagsForResource

For more information, refer to the AWS SSM documentation.

Set up the integration

To set up the AWS integration, you’ll need to:

  1. Download the CloudFormation Template from AQG.
  2. Run the CloudFormation Template in your AWS account and copy the generated IAM role’s Amazon Resource Name (ARN) from the CloudFormation output.
  3. Return to AQG to complete the integration setup.

The following sections provide details for completing these steps.

Download the CloudFormation Template from AQG

Complete the following steps to retrieve the CloudFormation template.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel, then Download CloudFormation template.

Run the CloudFormation template and configure IAM role in AWS

Complete the following steps to configure an IAM role in AWS.

  1. Log into the AWS console.
  2. From the AWS dashboard, search for and then select CloudFormation.
  3. Under Stacks in the left navigation pane, select Create stack.
  4. In the Prerequisite - Prepare template section, select Choose an existing template.
  5. In the Specify template section, select Upload a template file.
  6. Select Choose file, upload the template you downloaded from AQG, and select Next.
  7. At the bottom of the next page, check the box that states I acknowledge that AWS CloudFormation might create IAM resources with customized names and select Next.
  8. Select Submit at the bottom of the page.
  9. Once the stack is created, navigate to the stack’s Outputs tab and copy the Amazon Resource Name (ARN) of the created role.

Finish setup in AQG

Complete the following steps in AQG to finish the setup.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel.
  3. Enter the Amazon Resource Name (ARN) for the role you created in the AWS console.

  4. Select Submit.

    You’ll see a notification confirming that the configuration has succeeded.

Tip

You can start the ingestion right away by selecting Start now.

Use

Once the integration is configured, you can trigger an AWS data ingestion.

Start an ingestion

To start an ingestion:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.

  3. Select Start now.

    You’ll see a notification confirming that the ingestion has started.

During an ingestion, AQtive Guard automatically:

  • Crawls AWS regions to discover cryptographic assets.
  • Ingests data on certificates from AWS Certificate Manager (ACM), keys from AWS Key Management Service (KMS), and secrets from both AWS Secrets Manager and SSM Parameter Store.
  • Populates the Inventory with the identified objects, listed with a source of AWS.
  • Monitors CloudTrail for updates to maintain the inventory.

Edit a connected AWS account

To edit a connected AWS account:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.
  3. Select Edit to make any changes you need, then Submit.

Unlink the AWS integration only if your organization needs to reconfigure or stop data sharing with AWS.

To unlink the AWS configuration:

  1. Select Data sources from the main menu, then select Details in the AWS panel.
  2. Select Edit, then Unlink.
  3. Select Confirm and unlink Amazon Web Services.