Connect to AWS for vulnerability detection and risk assessment

You can connect Security Command Center Enterprise tier to your AWS environment so that you can complete the following:

Review and remediate findings (which includes threats and vulnerabilities) from AWS
Create and manage a security posture for AWS
Identify potential attack paths from the public internet to your high-value AWS assets
Map compliance of AWS resources with various standards and benchmarks

Connecting Security Command Center to AWS creates a single place for your security operations team to manage and remediate threats and vulnerabilities across Google Cloud and AWS.

To let Security Command Center monitor your AWS organization, you must configure a connection using a Google Cloud service agent and an AWS account that has access to the resources that you want to monitor. Security Command Center uses this connection to periodically collect asset metadata across all the AWS accounts and regions that you define.

This document describes how to set up the connection with AWS. When you set up a connection, you configure the following:

A series of accounts in AWS that have direct access to the AWS resources that you want to monitor. In the Google Cloud console, these accounts are called collector accounts.
An account in AWS that has the appropriate policies and roles to allow authentication to collector accounts. In the Google Cloud console, this account is called the delegated account. Both the delegated account and the collector accounts must be in the same AWS organization.
A service agent in Google Cloud that connects to the delegated account for authentication.
A pipeline to collect asset data from AWS resources.

This connection doesn't apply to the SIEM capabilities of Security Command Center that let you ingest AWS logs for threat detection.

The following diagram shows this configuration. The tenant project is a project that is created automatically and contains your asset data collection pipeline instance.

AWS and Security Command Center configuration.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Activate Security Command Center Enterprise tier

Complete step 1 and step 2 of the setup guide to activate Security Command Center Enterprise tier.

Set up permissions

To get the permissions that you need to use the AWS connector, ask your administrator to grant you the Cloud Asset Owner (roles/cloudasset.owner) IAM role. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create AWS accounts

Ensure that you have created the following AWS resources:

An AWS IAM user with AWS IAM access for the delegate and collector AWS account consoles.
The AWS account ID for an AWS account that you can use as the delegated account. If you want Security Command Center to automatically discover AWS accounts to find resources, the delegated account must be attached to an AWS organization and be one of the following:
- An AWS management account.
- An AWS delegated administrator.
- An AWS account with a resource-based delegation policy that provides organization and list permissions. For an example policy, see Example: View organization, OUs, accounts, and policies.

Configure Security Command Center

In the Google Cloud console, go to the setup page.

Go to setup
Verify that you are viewing the organization that you activated Security Command Center Enterprise tier on.
Click Step 3: Set up Amazon Web Services (AWS) connector.
In Delegated account ID, enter the AWS account ID for the AWS account that you can use as the delegated account.
Optionally, review the advanced options.
Click Continue.
Complete one of the following:
- Download the CloudFormation templates for the delegated role and the collector role.
- If you configured the advanced options or need to change the default AWS role names (aws-delegated-role and aws-collector-role), select Use the AWS console. Copy the service agent ID, delegated role name, and the collector role name.
You can't change the role names after you create the connection.

Don't click Create. Instead, configure your AWS environment.

Configure your AWS environment

You can set up your AWS environment using one of the following methods:

Use the CloudFormation templates that you downloaded in Configure Security Command Center. For instructions, see Use CloudFormation templates to set up your AWS environment.
If you are using customized settings or role names, configure the AWS accounts manually. For instructions, see Configure AWS accounts manually.

Use CloudFormation templates to set up your AWS environment

If you downloaded CloudFormation templates, use these steps to set up your AWS environment.

Sign in to the AWS delegate account console. Make sure that you're signed in to the delegate account that is used to assume other collector AWS accounts.
Go to the AWS CloudFormation Template console.
Click Stacks > With new resources (standard).
Upload the delegated role template file and click Next.
Enter a stack name. If you changed the role name for the delegated role, update the parameters. Click Next.
As required by your organization, update the stack options and click Next.
Review the information and click Submit. Wait for the stack to be created. If an issue occurs, see Troubleshooting.

If you choose to add AWS accounts individually (by disabling auto-discovery for accounts), you can also create separate stacks for each AWS account instead of creating a single stack set.
Using an AWS management account or any member account that's registered as a delegated administrator, click Stackset > Create StackSet.
Click Service-managed permissions.

Note: You can choose to use self-managed permissions, but then you must grant the permissions manually.
Upload the collector role template file. Click Next.
On the Specify StackSet details page, enter the stack set name and description. Verify and update the delegate account ID and role names. Click Next.
As required by your organization, configure your stack set options. Click Next.
On the Set deployment options page, complete the following:
1. Choose your deployment targets. You can deploy to the entire AWS organization or deploy to an organization unit that includes all the AWS accounts that you want to collect data from.
  
  Note: If you choose self-managed permissions, you can choose which AWS accounts you want to deploy to. The CloudFormation template doesn't support having a list of AWS accounts to include or exclude, as described in Custom configuration. If you want to create a list of AWS accounts to include or exclude, the stack set might create some stacks that are not required. You can ignore or remove those stacks.
2. Specify the AWS regions to create the roles and policies in. Because roles are global resources, you don't need to specify multiple regions.
3. Change other settings if needed, then click Next.
Review the changes and click Submit. If you receive an error, see Troubleshooting.
Deploy a separate stack to provision the collector role under the management account because an AWS CloudFormation stack set doesn't create stack instances under a management account. For more information, see DeploymentTargets.

To complete the integration process, see Complete the integration process.

Configure AWS accounts manually

If you can't use the CloudFormation templates (for example, you are using different role names or are customizing the integration), you can create the required AWS IAM policies and AWS IAM roles manually.

You must create AWS IAM policies and AWS IAM roles for the delegated account and the collector accounts.

Create the AWS IAM policy for the delegated role

To create an AWS IAM policy for the delegated role (a delegated policy), complete the following:

Sign in to the AWS delegate account console.
Click Policies > Create policy.

Click JSON and paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::*:role/COLLECTOR_ROLE_NAME",
          "Effect": "Allow"
      },
      {
          "Action": [
              "organizations:List*",
              "organizations:Describe*"
          ],
          "Resource": "*",
          "Effect": "Allow"
      }
  ]

}

Replace COLLECTOR_ROLE_NAME with the name of the collector role that you copied when configuring Security Command Center (the default is aws-collector-role).

Click Next.
In the Policy details section, enter a name and description for the policy.
Click Create policy.

Create an AWS IAM role for the trust relationship between AWS and Google Cloud

Create a delegated role that sets up a trusted relationship between AWS and Google Cloud. This role uses the delegated policy that was created in Create the AWS IAM policy for the delegated role.

Sign in to the AWS delegate account console as an AWS user that can create IAM roles and policies.
Click Roles > Create role.
For Trusted entity type, click Web Identity.
For Identity Provider, click Google.
For Audience, enter the service account ID that you copied when you configured Security Command Center. Click Next.
To grant the delegated role access to the collector roles, attach the permission policies to the role. Search for the delegated policy that was created in Create the AWS IAM policy for the delegated role and select it.
In the Role details section, enter the Delegated role name that you copied when you configured Security Command Center (the default name is aws-delegated-role).
Click Create role.

Create the AWS IAM policy for asset data collection

To create an AWS IAM policy for asset data collection (the collector policy), complete the following:

Sign in to the AWS collector account console.
Click Policies > Create policy.

Click JSON and paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "ce:GetCostAndUsage",
              "dynamodb:DescribeTableReplicaAutoScaling",
              "identitystore:ListGroupMemberships",
              "identitystore:ListGroups",
              "identitystore:ListUsers",
              "lambda:GetFunction",
              "lambda:GetFunctionConcurrency",
              "logs:ListTagsForResource",
              "s3express:GetBucketPolicy",
              "s3express:ListAllMyDirectoryBuckets",
              "wafv2:GetIPSet"
          ],
          "Resource": [
              "*"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "apigateway:GET"
          ],
          "Resource": [
              "arn:aws:apigateway:*::/usageplans",
              "arn:aws:apigateway:*::/usageplans/*/keys",
              "arn:aws:apigateway:*::/vpclinks/*"
          ]
      }
  ]

}

Click Next.
In the Policy details section, enter a name and description for the policy.
Click Create policy.
Repeat these steps for each collector account.

Create the AWS IAM role for data collection in each account

Create the collector role that lets Security Command Center get asset data from AWS. This role uses the collector policy that was created in Create the AWS IAM policy for asset data collection.

Sign in to the AWS collector account console as a user who can create IAM roles for the collector accounts.
Click Roles > Create role.
For Trusted entity type, click Custom trust policy.
In the Custom trust policy section, paste the following:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DELEGATE_ACCOUNT_ID:role/DELEGATE_ACCOUNT_ROLE"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Replace the following:
- DELEGATE_ACCOUNT_ID: the AWS account ID for the delegate account
- DELEGATE_ACCOUNT_ROLE: the Delegated role name that you copied when you configured Security Command Center.
To grant the collector role access to your AWS asset configuration data, attach the permission policies to the role. Search for the custom collector policy that was created in Create the AWS IAM policy for asset data collection, and select it.
Search and select the following managed policies:
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
- arn:aws:iam::aws:policy/SecurityAudit
In the Role details section, enter the Collector role name that you copied when you configured Security Command Center.
Click Create role.
Repeat these steps for each collector account.

To complete the integration process, see Complete the integration process.

Complete the integration process

In Google Cloud console, go to the Add Amazon Web Services connector page.

Go to Amazon Web Services connector
Click Test connector to verify that Security Command Center can connect to your AWS environment. If the connection is successful, the Google Cloud service agent can assume the delegated and the delegated role has all the required permissions to assume the collector role. If the connection isn't successful, see Troubleshooting errors when testing the connection.
Click Create.

Custom configuration

This section describes some of the ways that you can customize the connection between Security Command Center and AWS. These options are available in the Advanced options (optional) section of the Add Amazon Web Services connector page in the Google Cloud console.

By default, Security Command Center automatically discovers your AWS accounts across all AWS regions. The connection uses the default global endpoint for the AWS Security Token Service and the default queries per second (QPS) for the AWS service that you're monitoring. These advanced options let you customize the defaults.

Option	Description
Specify which AWS accounts to use	You can let Security Command Center discover the AWS accounts automatically, or you can provide a list of AWS accounts that Security Command Center can use to find resources.
Specify which AWS accounts to exclude	If you let Security Command Center automatically discover accounts, you can provide a list of AWS accounts that Security Command Center cannot use to find resources.
Specify which AWS regions to monitor	You can select one or more AWS regions for Security Command Center to monitor. Leave the AWS regions field empty to monitor all regions.
Override the default queries per second (QPS) for AWS services	You can change the QPS to control the quota limit for Security Command Center. Set the override to a value that is less than the default value for that service, and greater than or equal to `1`. The default value is the maximum value. If you do change the QPS, Security Command Center might encounter issues fetching data. Therefore, we don't recommend changing this value.
Change the endpoint for AWS Security Token Service	You can specify a specific endpoint for the AWS Security Token Service (for example, `https://sts.us-east-2.amazonaws.com`). Leave the AWS Security Token Service (AWS STS) (optional) field empty to use the default global endpoint (`https://sts.amazonaws.com`).

Troubleshooting

This section includes some common issues that you might encounter when you are integrating Security Command Center with AWS.

Resources already exist

This error occurs in the AWS environment when you try to create the AWS IAM policies and AWS IAM roles. This issue occurs when the role already exists in your AWS account and you are trying to create it again.

To resolve this issue, complete the following:

Check whether the role or policy that you are creating already exists and satisfies the requirements listed in this guide.
If necessary, change the role name to avoid conflicts.

Invalid principal in policy

This error can occur in the AWS environment when you are creating the collector roles, but the delegate role doesn't exist yet.

To resolve this issue, complete the steps in Create the AWS IAM policy for the delegated role and wait until the delegate role is created before continuing.

Throttling limitations in AWS

AWS throttles API requests for each AWS account on a per-account or per-region basis. To ensure that these limits are not exceeded when Security Command Center collects asset metadata from AWS, Security Command Center collects the data at a fixed maximum QPS for each AWS service, as described in the API documentation for the AWS service.

If you experience request throttling in your AWS environment because of the QPS consumed, you can mitigate the issue by completing the following:

In the AWS connector settings page, set a custom QPS for the AWS service that is experiencing request throttling issues.
Restrict the permissions of the AWS collector role so that the data from that specific service isn't collected anymore. This mitigation technique prevents attack path simulations from working correctly for AWS.

Revoking all permissions in AWS stops the data collector process immediately. Deleting the AWS connector doesn't immediately stop the data collector process but it won't start again after it finishes.

Troubleshooting errors when testing the connection

These errors can occur when you test the connection between Security Command Center and AWS.

AWS_FAILED_TO_ASSUME_DELEGATED_ROLE

The connection is invalid because the Google Cloud service agent can't assume the delegated role.

To resolve this issue, consider the following:

Verify that the delegated role exists. To create it, see Create an AWS IAM role for the trust relationship between AWS and Google Cloud.
The inline policy of the delegated role is missing. Without it, the service agent can't assume the role. To verify that the inline policy exists, see Create an AWS IAM role for the trust relationship between AWS and Google Cloud.

AWS_FAILED_TO_LIST_ACCOUNTS

The connection is invalid because auto-discovery is enabled and the delegated role can't get all AWS accounts in the organizations.

This issue indicates that the policy to allow the organizations:ListAccounts action on the delegated role is missing on certain resources. To resolve this issue, verify which resources are missing. To verify the settings for the delegated policy, see Create the AWS IAM policy for the delegated role.

AWS_INVALID_COLLECTOR_ACCOUNTS

The connection is invalid because there are invalid Collector accounts. The error message includes more information about the possible causes, which include the following:

AWS_FAILED_TO_ASSUME_COLLECTOR_ROLE
AWS_COLLECTOR_ROLE_POLICY_MISSING_REQUIRED_PERMISSION

AWS_FAILED_TO_ASSUME_COLLECTOR_ROLE

The collector account is invalid because the delegated role cannot assume the collector role in the collector account.

To resolve this issue, consider the following:

Verify that the collector role exists. To create it, see Create the AWS IAM role for data collection in each account.
The policy to allow the delegated role to assume the collector role is missing. To verify that the policy exists, see Create the AWS IAM policy for the delegated role.

AWS_COLLECTOR_ROLE_POLICY_MISSING_REQUIRED_PERMISSION

The connection is invalid because the collector policy is missing some of the required permission settings.

To resolve this issue, consider the following causes:

Some of the required AWS managed policies might not be attached to the collector role. To verify that all policies are attached, see step 6 in Create the AWS IAM role for data collection in each account.
The collector policy might not exist. To create it, see Create the AWS IAM policy for asset data collection.
The collector policy isn't attached to the collector role. To verify that it's attached, see Create the AWS IAM policy for asset data collection.
The collector policy doesn't include all the required permissions. For the list of required permissions, Create the AWS IAM policy for asset data collection.

What's next

Continue with step 4 of the setup guide in the console.
Review and remediate vulnerability findings from AWS.
Create and manage a security posture for AWS.
Create attack path simulations for AWS resources.
Map compliance of AWS resources with various standards and benchmarks.