
Amazon Web Services (AWS)

The AQtive Guard (AQG) Amazon Web Services (AWS) integration provides a comprehensive view of cryptographic assets and how they’re used in your AWS environment.

AQG connects to your AWS account in an agentless manner, using an IAM role that follows the least-privilege principle to scan and discover your cryptographic inventory.

Data ingestion overview

The AWS integration discovers and inventories a wide range of cryptographic assets, including:

  • Certificates from AWS Certificate Manager (ACM)
  • Keys from AWS Key Management Service (KMS)

AWS services and API permissions

The AWS integration uses specific API calls to discover and ingest cryptographic asset data from your AWS account. This section details the AWS services AQG interacts with and the corresponding APIs it calls.

AWS Security Token Service (STS)

AQG uses the STS service to assume roles within your AWS account.

  • sts:GetCallerIdentity

For more information, refer to the AWS STS documentation.

AWS Key Management Service (KMS)

AQG discovers cryptographic keys and their properties from the AWS KMS service.

  • kms:ListKeys
  • kms:ListAliases
  • kms:DescribeKey
  • kms:GetKeyPolicy
  • kms:GetKeyRotationStatus

For more information, refer to the AWS KMS documentation.

AWS Certificate Manager (ACM)

For certificate discovery, AQG interacts with the ACM service.

  • acm:GetCertificate
  • acm:ListCertificates
  • acm:DescribeCertificate

For more information, refer to the AWS ACM documentation.
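The permissions above are the whole read-only surface the integration role needs, so a practitioner will usually want to confirm that the deployed role grants exactly those actions and nothing broader, and that the role's trust relationship is not open to arbitrary principals. The script below is an added example, not AQtive Guard's code and not the contents of its CloudFormation template: it compares an IAM identity policy document against the action list on this page and inspects a trust policy. The sample policy documents, the account id 111111111111 and the sts:ExternalId condition are constructed assumptions for the illustration; this page does not state how the AQG template scopes the trust relationship.

```python
import fnmatch
import json

# Actions listed on this page for the integration role, per service.
REQUIRED_ACTIONS = frozenset({
    "sts:GetCallerIdentity",
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey",
    "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
    "acm:GetCertificate", "acm:ListCertificates", "acm:DescribeCertificate",
})

# Constructed sample identity policy (not the vendor's template): the ACM
# statement is exact, the KMS statement over-grants with a wildcard, and
# sts:GetCallerIdentity is missing, so every check has something to report.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["acm:ListCertificates", "acm:DescribeCertificate",
                "acm:GetCertificate"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}
  ]
}""")

# Constructed sample trust policy. 111111111111 is a placeholder for the
# account that assumes the role; the ExternalId condition is an assumption
# about how cross-account roles are commonly scoped, not a statement of
# what the AQG template does.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}


def _as_list(value):
    """IAM allows Action/Principal fields to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy):
    """Collect the Action patterns from every Allow statement in the policy."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def check_least_privilege(policy, required=REQUIRED_ACTIONS):
    """Compare a policy's Allow actions with the required read-only set.

    IAM action names are case-insensitive and may contain '*' wildcards,
    so matching is done case-folded with fnmatch. Returns a dict:
      missing     - required actions no Allow pattern covers
      wildcards   - patterns containing '*' (broader than the listed calls)
      exact_extra - literal actions granted that this page does not list
    """
    patterns = allowed_action_patterns(policy)
    required_lc = {a.lower() for a in required}
    missing = sorted(
        a for a in required
        if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)
    )
    wildcards = sorted(p for p in patterns if "*" in p)
    exact_extra = sorted(
        p for p in patterns if "*" not in p and p.lower() not in required_lc
    )
    return {"missing": missing, "wildcards": wildcards, "exact_extra": exact_extra}


def trust_policy_issues(trust_policy, expected_account_id):
    """Flag AssumeRole trust statements that are open to any principal,
    that trust a principal outside the expected account, or that carry
    no sts:ExternalId condition."""
    issues = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            issues.append("principal is '*'")
        elif not aws or not all(expected_account_id in p for p in aws):
            issues.append("principal outside expected account")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            issues.append("no sts:ExternalId condition")
    return issues


if __name__ == "__main__":
    print(json.dumps(check_least_privilege(SAMPLE_POLICY), indent=2))
    print(trust_policy_issues(SAMPLE_TRUST_POLICY, "111111111111"))
```

To run this against a real role, feed it the `PolicyDocument` returned by `aws iam get-role-policy` (or the attached managed policy's current version) and the `AssumeRolePolicyDocument` returned by `aws iam get-role`. A non-empty `wildcards` list is the finding to act on first, since a pattern such as `kms:*` grants far more than the five KMS read calls the integration needs.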

Set up the integration

To set up the AWS integration, you’ll need to:

  1. Download the CloudFormation template from AQG.
  2. Run the CloudFormation template in your AWS account and copy the generated IAM role’s Amazon Resource Name (ARN) from the CloudFormation stack output.
  3. Return to AQG to complete the integration.

The following sections provide details for completing these steps.

Download the CloudFormation Template from AQG

Complete the following steps to retrieve the CloudFormation template.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel, then Download CloudFormation template.

Run the CloudFormation template and configure IAM role in AWS

Complete the following steps to configure an IAM role in AWS.

  1. Log in to the AWS console.
  2. From the AWS dashboard, search for and then select CloudFormation.
  3. Under Stacks in the left navigation pane, select Create stack.
  4. In the Prerequisite - Prepare template section, select Choose an existing template.
  5. In the Specify template section, select Upload a template file.
  6. Select Choose file, upload the template you downloaded from AQG, and select Next.
  7. At the bottom of the next page, check the box that states I acknowledge that AWS CloudFormation might create IAM resources with customised names and select Next.
  8. Select Submit at the bottom of the page.
  9. Once the stack is created, navigate to the stack’s Outputs tab and copy the Amazon Resource Name (ARN) of the created role.

Finish setup in AQG

Complete the following steps in AQG to finish the setup.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS panel.
  3. Enter the Amazon Resource Name (ARN) for the role you created in the AWS console.
  4. Select Submit.

    You’ll see a notification confirming that the configuration has succeeded.

Tip

You can start the ingestion right away by selecting Start now.

Use

Once the integration is configured, you can trigger an AWS data ingestion.

Start an ingestion

To start an ingestion:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.
  3. Select Start now.

    You’ll see a notification confirming that the ingestion has started.

During an ingestion, AQtive Guard automatically:

  • Crawls AWS regions to discover cryptographic assets.
  • Ingests data on certificates from AWS Certificate Manager (ACM), keys from AWS Key Management Service (KMS), and secrets from both AWS Secrets Manager and SSM Parameter Store.
  • Populates the Inventory tab with the discovered objects.

Edit a connected AWS account

To edit a connected AWS account:

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Details in the AWS panel.
  3. Select Edit to make any changes you need, then Submit.

Unlink the AWS integration only if your organization needs to reconfigure or stop data sharing with AWS.

To unlink the AWS configuration:

  1. Select Data sources from the main menu, then select Details in the AWS panel.
  2. Select Edit, then Unlink.
  3. Select Confirm and unlink Amazon Web Services.