You can connect Security Command Center Enterprise tier to your Amazon Web Services (AWS) environment so that you can do the following:
- Detect and remediate software vulnerabilities and misconfigurations in your AWS environment
- Create and manage a security posture for AWS
- Identify potential attack paths from the public internet to your high-value AWS assets
- Map compliance of AWS resources with various standards and benchmarks
Connecting Security Command Center to AWS creates a single place for your security operations team to manage and remediate threats and vulnerabilities across Google Cloud and AWS.
To let Security Command Center monitor your AWS organization, you must configure a connection using a Google Cloud service agent and an AWS account that has access to the resources that you want to monitor. Security Command Center uses this connection to periodically collect data across all the AWS accounts and regions that you define.
You can create one AWS connection for each Google Cloud organization. The connector uses API calls to collect AWS asset data. These API calls may incur AWS charges.
This document describes how to set up the connection with AWS. When you set up a connection, you configure the following:
- A series of accounts in AWS that have direct access to the AWS resources that you want to monitor. In the Google Cloud console, these accounts are called collector accounts.
- An account in AWS that has the appropriate policies and roles to allow authentication to collector accounts. In the Google Cloud console, this account is called the delegated account. Both the delegated account and the collector accounts must be in the same AWS organization.
- A service agent in Google Cloud that connects to the delegated account for authentication.
- A pipeline to collect asset data from AWS resources.
- (Optional) Permissions for Sensitive Data Protection to profile your AWS content.
This connection doesn't apply to the SIEM capabilities of Security Command Center that let you ingest AWS logs for threat detection.
The following diagram shows this configuration. The tenant project is a project that is created automatically and contains your asset data collection pipeline instance.
Before you begin
Complete these tasks before you complete the remaining tasks on this page.
Activate Security Command Center Enterprise tier
Complete step 1 and step 2 of the setup guide to activate Security Command Center Enterprise tier.
Set up permissions
To get the permissions that you need to use the AWS connector, ask your administrator to grant you the Cloud Asset Owner (roles/cloudasset.owner) IAM role.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create AWS accounts
Ensure that you have created the following AWS resources:
- An AWS IAM user with AWS IAM access for the delegate and collector AWS account consoles.
- The AWS account ID for an AWS account that you can use as the delegated account. If you want Security Command Center to automatically discover AWS accounts to find resources, the delegated account must be attached to an AWS organization and be one of the following:
  - An AWS account with a resource-based delegation policy that provides organization and list permissions. For an example policy, see Example: View organization, OUs, accounts, and policies.
Configure the AWS connector
In the Google Cloud console, go to the Setup guide page of Security Command Center.
Select the organization that you activated Security Command Center Enterprise tier on. The Setup guide page opens.
Click Step 3: Set up Amazon Web Services (AWS) integration. The Connectors page opens.
Select Add connector > Amazon Web Services. The Configure connector page opens.
In Delegated account ID, enter the AWS account ID for the AWS account that you can use as the delegated account.
To let Sensitive Data Protection profile your AWS data, keep Grant permissions for Sensitive Data Protection discovery selected. This option adds AWS IAM permissions in the CloudFormation template for the collector role. Note that the list includes s3:GetObject and s3:GetObjectVersion, so the Sensitive Data Protection role can read object contents, not only bucket configuration; clear the checkbox if that is not acceptable for the accounts you are connecting.
AWS IAM permissions granted by this option:
- s3:GetBucketLocation
- s3:ListAllMyBuckets
- s3:GetBucketPolicyStatus
- s3:ListBucket
- s3:GetObject
- s3:GetObjectVersion
- s3:GetBucketPublicAccessBlock
- s3:GetBucketOwnershipControls
- s3:GetBucketTagging
- iam:ListAttachedRolePolicies
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:ListRolePolicies
- iam:GetRolePolicy
- ce:GetCostAndUsage
- dynamodb:DescribeTableReplicaAutoScaling
- identitystore:ListGroupMemberships
- identitystore:ListGroups
- identitystore:ListUsers
- lambda:GetFunction
- lambda:GetFunctionConcurrency
- logs:ListTagsForResource
- s3express:CreateSession
- s3express:GetBucketPolicy
- s3express:ListAllMyDirectoryBuckets
- wafv2:GetIPSet
Optionally, review and edit the Advanced options. See Customize the AWS connector configuration for information about additional options.
Click Continue. The Connect to AWS page opens.
Complete one of the following:
- Download and review the CloudFormation templates for the delegated role and the collector role.
- If you configured the advanced options or need to change the default AWS role names (aws-delegated-role, aws-collector-role, and aws-sensitive-data-protection-role), select Configure AWS accounts manually. Copy the service agent ID, delegated role name, collector role name, and the Sensitive Data Protection collector role name.
You can't change the role names after you create the connection.
Don't click Create. Instead, configure your AWS environment.
Configure your AWS environment
You can set up your AWS environment using one of the following methods:
- Use the CloudFormation templates that you downloaded in Configure Security Command Center. For instructions, see Use CloudFormation templates to set up your AWS environment.
- If you are using customized settings or role names, configure the AWS accounts manually. For instructions, see Configure AWS accounts manually.
Use CloudFormation templates to set up your AWS environment
If you downloaded CloudFormation templates, use these steps to set up your AWS environment.
- Sign in to the AWS delegate account console. Make sure that you're signed in to the delegate account that is used to assume other collector AWS accounts (that is, either an AWS management account or any member account that's registered as a delegated administrator).
- Go to the AWS CloudFormation Template console.
Create a stack that provisions the delegate role:
- On the Stacks page, click Create stack > With new resources (standard).
- When specifying a template, upload the delegated role template file.
- When specifying the stack details, enter a stack name.
- If you changed the role name for the delegated role, collector role, or Sensitive Data Protection role, update the parameters accordingly. The parameters that you enter must match the ones that are listed in the Connect to AWS page in the Google Cloud console.
- As required by your organization, update the stack options.
- On the Review and create page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Submit to create the stack.
- Wait for the stack to be created. If an issue occurs, see Troubleshooting. For more information, see Creating a stack on the AWS CloudFormation console in the AWS documentation.
Create a stack set that provisions collector roles:
- On the StackSets page, click Create StackSet.
- Click Service-managed permissions.
- When specifying a template, upload the collector role template file.
- When specifying the StackSet details, enter a stack set name and description.
- Enter the delegate account ID.
- If you changed the role name for the delegated role, collector role, or Sensitive Data Protection role, update the parameters accordingly. The parameters that you enter must match the ones that are listed in the Connect to AWS page in the Google Cloud console.
- As required by your organization, configure your stack set options.
- When specifying the deployment options, choose your deployment targets. You can deploy to the entire AWS organization or deploy to an organization unit (OU) that includes all the AWS accounts that you want to collect data from.
- Specify the AWS region to create the roles and policies in. Because IAM roles are global resources, specify a single region; a second stack instance in another region would try to create the same role name again and fail (see Resources already exist under Troubleshooting).
- Change other settings if needed.
- Review the changes and click Submit to create the stack set. If you receive an error, see Troubleshooting. For more information, see Create a stack set with service-managed permissions in the AWS documentation.
If you need to collect data from the management account, then sign in to the management account and deploy a separate stack to provision the collector roles. When specifying the template, upload the collector role template file.
This step is needed because AWS CloudFormation stack sets don't create stack instances in management accounts. For more information, see DeploymentTargets in the AWS documentation.
To complete the integration process, see Complete the integration process.
Configure AWS accounts manually
If you can't use the CloudFormation templates (for example, you are using different role names or are customizing the integration), you can create the required AWS IAM policies and AWS IAM roles manually.
You must create AWS IAM policies and AWS IAM roles for the delegated account and the collector accounts.
Create the AWS IAM policy for the delegated role
To create an AWS IAM policy for the delegated role (a delegated policy), complete the following:
Sign in to the AWS delegate account console.
Click Policies > Create policy.
Click JSON and paste one of the following, depending on whether you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center.
Grant permissions for Sensitive Data Protection discovery: cleared
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/COLLECTOR_ROLE_NAME",
      "Effect": "Allow"
    },
    {
      "Action": [
        "organizations:List*",
        "organizations:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Replace COLLECTOR_ROLE_NAME with the name of the collector role that you copied when configuring Security Command Center (the default is aws-collector-role).
Grant permissions for Sensitive Data Protection discovery: selected
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::*:role/COLLECTOR_ROLE_NAME",
        "arn:aws:iam::*:role/SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "organizations:List*",
        "organizations:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Replace the following:
- COLLECTOR_ROLE_NAME: the name of the configuration data collector role that you copied when configuring Security Command Center (the default is aws-collector-role)
- SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME: the name of the Sensitive Data Protection collector role that you copied when configuring Security Command Center (the default is aws-sensitive-data-protection-role)
Click Next.
In the Policy details section, enter a name and description for the policy.
Click Create policy.
Create an AWS IAM role for the trust relationship between AWS and Google Cloud
Create a delegated role that sets up a trusted relationship between AWS and Google Cloud. This role uses the delegated policy that was created in Create the AWS IAM policy for the delegated role.
Sign in to the AWS delegate account console as an AWS user that can create IAM roles and policies.
Click Roles > Create role.
For Trusted entity type, click Web Identity.
For Identity Provider, click Google.
For Audience, enter the service agent ID that you copied when you configured Security Command Center. Click Next.
To grant the delegated role access to the collector roles, attach the permission policies to the role. Search for the delegated policy that was created in Create the AWS IAM policy for the delegated role and select it.
In the Role details section, enter the Delegated role name that you copied when you configured Security Command Center (the default name is aws-delegated-role).
Click Create role.
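The console steps above (Trusted entity type Web Identity, provider Google, Audience set to the service agent ID) produce a trust policy whose only guard against some other Google identity assuming the delegated role is the audience condition. The following added example is not code from the page or from Google's templates: it renders that trust policy the way I expect the console to generate it (compare it with the role's Trust relationships tab) and checks any trust policy for a missing or wrong audience, which is the first thing to look at if the connector test later reports AWS_FAILED_TO_ASSUME_DELEGATED_ROLE. The service agent ID is a placeholder.

```python
import json

# Placeholder, not a real value: use the service agent ID copied from the
# Connect to AWS page in the Google Cloud console.
SERVICE_AGENT_ID = "123456789012345678901"

GOOGLE_PROVIDER = "accounts.google.com"


def delegated_trust_policy(service_agent_id: str) -> dict:
    """Trust policy for Trusted entity type = Web Identity, Identity provider =
    Google, Audience = service agent ID (my rendering of what the console builds)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": GOOGLE_PROVIDER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{GOOGLE_PROVIDER}:aud": service_agent_id}},
        }],
    }


def _as_list(value):
    """IAM allows Action, Principal.Federated and condition values as string or list."""
    return [value] if isinstance(value, str) else list(value or [])


def audience_problems(trust_policy: dict, expected_audience: str) -> list:
    """Findings for Allow statements that let Google-federated identities assume
    the role without pinning the audience to the expected service agent ID."""
    findings = []
    for i, st in enumerate(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if GOOGLE_PROVIDER not in federated:
            continue  # not a Google federation statement; out of scope here
        equals = st.get("Condition", {}).get("StringEquals", {})
        auds = _as_list(equals.get(f"{GOOGLE_PROVIDER}:aud"))
        if not auds:
            findings.append(f"statement {i}: no {GOOGLE_PROVIDER}:aud condition; "
                            "any Google identity could assume this role")
        elif set(auds) != {expected_audience}:
            findings.append(f"statement {i}: audience {auds} is not the service agent ID")
    return findings


if __name__ == "__main__":
    policy = delegated_trust_policy(SERVICE_AGENT_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", audience_problems(policy, SERVICE_AGENT_ID))
```

Feed audience_problems the AssumeRolePolicyDocument exported from the account (for example from the role's Trust relationships tab) rather than the rendered default, so that what you check is what AWS actually evaluates.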
Create the AWS IAM policy for asset configuration data collection
To create an AWS IAM policy for asset configuration data collection (a collector policy), complete the following:
Sign in to the AWS collector account console.
Click Policies > Create policy.
Click JSON and paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ce:GetCostAndUsage",
        "dynamodb:DescribeTableReplicaAutoScaling",
        "identitystore:ListGroupMemberships",
        "identitystore:ListGroups",
        "identitystore:ListUsers",
        "lambda:GetFunction",
        "lambda:GetFunctionConcurrency",
        "logs:ListTagsForResource",
        "s3express:GetBucketPolicy",
        "s3express:ListAllMyDirectoryBuckets",
        "wafv2:GetIPSet"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/usageplans",
        "arn:aws:apigateway:*::/usageplans/*/keys",
        "arn:aws:apigateway:*::/vpclinks/*"
      ]
    }
  ]
}
Click Next.
In the Policy details section, enter a name and description for the policy.
Click Create policy.
Repeat these steps for each collector account.
Create the AWS IAM role for asset configuration data collection in each account
Create the collector role that lets Security Command Center get asset configuration data from AWS. This role uses the collector policy that was created in Create the AWS IAM policy for asset configuration data collection.
Sign in to the AWS collector account console as a user who can create IAM roles for the collector accounts.
Click Roles > Create role.
For Trusted entity type, click Custom trust policy.
In the Custom trust policy section, paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DELEGATE_ACCOUNT_ID:role/DELEGATE_ACCOUNT_ROLE"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Replace the following:
- DELEGATE_ACCOUNT_ID: the AWS account ID for the delegate account
- DELEGATE_ACCOUNT_ROLE: the Delegated role name that you copied when you configured Security Command Center
To grant this collector role access to your AWS asset configuration data, attach the permission policies to the role. Search for the custom collector policy that was created in Create the AWS IAM policy for asset configuration data collection, and select it.
Search and select the following managed policies:
- arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
- arn:aws:iam::aws:policy/SecurityAudit
In the Role details section, enter the name of the configuration data collector role that you copied when you configured Security Command Center.
Click Create role.
Repeat these steps for each collector account.
If you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center, then proceed to the next section.
If you didn't enable the Grant permissions for Sensitive Data Protection discovery checkbox, then complete the integration process.
Create the AWS IAM policy for Sensitive Data Protection
Complete these steps if you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center.
To create an AWS IAM policy for Sensitive Data Protection (a collector policy), complete the following:
Sign in to the AWS collector account console.
Click Policies > Create policy.
Click JSON and paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:GetBucketPolicyStatus",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketOwnershipControls",
        "s3:GetBucketTagging"
      ],
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "ce:GetCostAndUsage",
        "dynamodb:DescribeTableReplicaAutoScaling",
        "identitystore:ListGroupMemberships",
        "identitystore:ListGroups",
        "identitystore:ListUsers",
        "lambda:GetFunction",
        "lambda:GetFunctionConcurrency",
        "logs:ListTagsForResource",
        "s3express:GetBucketPolicy",
        "s3express:ListAllMyDirectoryBuckets",
        "wafv2:GetIPSet"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3express:CreateSession"
      ],
      "Resource": ["arn:aws:s3express:*:*:bucket/*"]
    }
  ]
}
Click Next.
In the Policy details section, enter a name and description for the policy.
Click Create policy.
Repeat these steps for each collector account.
Create the AWS IAM role for Sensitive Data Protection in each account
Complete these steps if you selected the Grant permissions for Sensitive Data Protection discovery checkbox in Configure Security Command Center.
Create the collector role that lets Sensitive Data Protection profile the contents of your AWS resources. This role uses the collector policy that was created in Create the AWS IAM policy for Sensitive Data Protection.
Sign in to the AWS collector account console as a user who can create IAM roles for collector accounts.
Click Roles > Create role.
For Trusted entity type, click Custom trust policy.
In the Custom trust policy section, paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DELEGATE_ACCOUNT_ID:role/DELEGATE_ACCOUNT_ROLE"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Replace the following:
- DELEGATE_ACCOUNT_ID: the AWS account ID for the delegate account
- DELEGATE_ACCOUNT_ROLE: the Delegated role name that you copied when you configured Security Command Center
To grant this collector role access to the contents of your AWS resources, attach the permission policies to the role. Search for the custom collector policy that was created in Create the AWS IAM policy for Sensitive Data Protection, and select it.
In the Role details section, enter the name of the role for Sensitive Data Protection that you copied when you configured Security Command Center.
Click Create role.
Repeat these steps for each collector account.
To complete the integration process, see Complete the integration process.
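Walking the manual steps above by hand across many collector accounts is where a mismatched role name or the wrong delegate account ID creeps in, and the connector test only reports it afterwards as AWS_FAILED_TO_ASSUME_COLLECTOR_ROLE. The following added example is my own code, not the page's or Google's: it parameterises the page's delegated permissions policy and collector trust policy, cross-checks them the way the assume-role chain actually works (the delegated policy allows sts:AssumeRole on each collector role, and each collector role trusts exactly the delegated role ARN), and scans the page's Sensitive Data Protection action list for anything beyond Get/List/Describe, which is what a least-privilege reviewer asks about first. The account ID is a placeholder.

```python
import json

# Placeholders, not real values: use the delegated account ID and the role
# names copied from the Connect to AWS page.
DELEGATE_ACCOUNT_ID = "111111111111"
DELEGATED_ROLE = "aws-delegated-role"
COLLECTOR_ROLE = "aws-collector-role"
SDP_ROLE = "aws-sensitive-data-protection-role"

# Every action in the page's Sensitive Data Protection collector policy.
SDP_ACTIONS = [
    "s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:GetBucketPolicyStatus",
    "s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion",
    "s3:GetBucketPublicAccessBlock", "s3:GetBucketOwnershipControls",
    "s3:GetBucketTagging", "iam:ListAttachedRolePolicies", "iam:GetPolicy",
    "iam:GetPolicyVersion", "iam:ListRolePolicies", "iam:GetRolePolicy",
    "ce:GetCostAndUsage", "dynamodb:DescribeTableReplicaAutoScaling",
    "identitystore:ListGroupMemberships", "identitystore:ListGroups",
    "identitystore:ListUsers", "lambda:GetFunction",
    "lambda:GetFunctionConcurrency", "logs:ListTagsForResource",
    "s3express:GetBucketPolicy", "s3express:ListAllMyDirectoryBuckets",
    "wafv2:GetIPSet", "s3express:CreateSession",
]


def _as_list(value):
    """IAM allows Action, Resource and Principal.AWS as a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def delegated_policy(collector_roles):
    """The page's delegated permissions policy with the role names filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Action": "sts:AssumeRole",
         "Resource": [f"arn:aws:iam::*:role/{r}" for r in collector_roles],
         "Effect": "Allow"},
        {"Action": ["organizations:List*", "organizations:Describe*"],
         "Resource": "*", "Effect": "Allow"},
    ]}


def collector_trust_policy(delegate_account_id, delegated_role):
    """The page's collector trust policy with the placeholders filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{delegate_account_id}:role/{delegated_role}"},
         "Action": "sts:AssumeRole"},
    ]}


def _granted(policy, action, field):
    """Resources (field="Resource") or AWS principals (field="Principal") of
    the Allow statements that grant `action`."""
    found = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or action not in _as_list(st.get("Action")):
            continue
        node = st.get(field)
        if field == "Principal":
            node = node.get("AWS") if isinstance(node, dict) else node
        found.update(_as_list(node))
    return found


def check_chain(delegated_pol, delegate_account_id, delegated_role, collector_trusts):
    """Cross-check one account's collector roles against the delegated role.

    collector_trusts maps a collector role name to its trust policy. An empty
    result means the delegated role may assume every collector role and each
    collector role trusts nothing but the delegated role. Only the ARN shapes
    used on the page are matched; IAM wildcards inside a role name are not expanded.
    """
    findings = []
    delegated_arn = f"arn:aws:iam::{delegate_account_id}:role/{delegated_role}"
    reachable = _granted(delegated_pol, "sts:AssumeRole", "Resource")
    if "*" in reachable:
        findings.append("delegated policy allows sts:AssumeRole on any role; restrict Resource to the collector role names")
    for name, trust in collector_trusts.items():
        if not any(r == "*" or r.endswith(f":role/{name}") for r in reachable):
            findings.append(f"delegated policy does not allow sts:AssumeRole on role {name}")
        principals = _granted(trust, "sts:AssumeRole", "Principal")
        if delegated_arn not in principals:
            findings.append(f"role {name} does not trust {delegated_arn}")
        for extra in sorted(principals - {delegated_arn}):
            findings.append(f"role {name} also trusts {extra}; only the delegated role should be trusted")
    return findings


def non_read_actions(actions):
    """Actions whose verb is not Get/List/Describe: the ones a least-privilege
    review has to justify individually."""
    read = ("get", "list", "describe")
    return sorted(a for a in actions if not a.split(":", 1)[-1].lower().startswith(read))


def object_read_actions(actions):
    """Actions that read object contents rather than bucket configuration."""
    return sorted(a for a in actions if a.startswith("s3:GetObject"))


if __name__ == "__main__":
    trust = collector_trust_policy(DELEGATE_ACCOUNT_ID, DELEGATED_ROLE)
    policy = delegated_policy([COLLECTOR_ROLE, SDP_ROLE])
    print(json.dumps(policy, indent=2))
    print("findings:", check_chain(policy, DELEGATE_ACCOUNT_ID, DELEGATED_ROLE,
                                   {COLLECTOR_ROLE: trust, SDP_ROLE: trust}))
    print("non-read actions:", non_read_actions(SDP_ACTIONS))
    print("object reads:", object_read_actions(SDP_ACTIONS))
```

Run check_chain against the policies pulled from each collector account (for example the AssumeRolePolicyDocument that `aws iam get-role` returns) rather than the rendered defaults, so that drift between accounts is what gets caught; the rendering functions only keep the expected shape in one place. On the page's own Sensitive Data Protection policy the scan singles out s3express:CreateSession (a session-credential call for directory buckets, not a read) and flags s3:GetObject and s3:GetObjectVersion as content reads, which is the pair to mention when asking the account owner for approval.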
Complete the integration process
In the Google Cloud console, on the Test connector page, click Test connector to verify that Security Command Center can connect to your AWS environment. If the connection is successful, the test determined that the delegated role has all the required permissions to assume the collector roles. If the connection isn't successful, see Troubleshooting errors when testing the connection.
Click Create.
Customize the AWS connector configuration
This section describes some of the ways that you can customize the connection between Security Command Center and AWS. These options are available in the Advanced options (optional) section of the Add Amazon Web Services connector page in the Google Cloud console.
By default, Security Command Center automatically discovers your AWS accounts across all AWS regions. The connection uses the default global endpoint for the AWS Security Token Service and the default queries per second (QPS) for the AWS service that you're monitoring. These advanced options let you customize the defaults.
Option | Description |
---|---|
Add AWS connector accounts | Select Add accounts automatically (recommended) to let Security Command Center discover the AWS accounts automatically, or select Add accounts individually and provide a list of AWS accounts that Security Command Center can use to find resources. |
Exclude AWS connector accounts | If you selected Add accounts automatically under Add AWS connector accounts, provide a list of AWS accounts that Security Command Center should not use to find resources. |
Select regions to collect data | Select one or more AWS regions for Security Command Center to collect data from. Leave the AWS regions field empty to collect data from all regions. |
Maximum queries per second (QPS) for AWS services | You can lower the QPS that Security Command Center uses for an AWS service. Set the override to a value that is less than the default value for that service and greater than or equal to 1. The default value is the maximum value. A lower QPS slows collection and Security Command Center might encounter issues fetching data, so change it only to mitigate request throttling in your AWS environment (see Throttling limitations in AWS). |
Endpoint for AWS Security Token Service | You can specify a specific endpoint for the AWS Security Token Service (for example, https://sts.us-east-2.amazonaws.com). Leave the AWS Security Token Service field empty to use the default global endpoint (https://sts.amazonaws.com). |
Grant sensitive data discovery permissions to an existing AWS connector
To perform sensitive data discovery on your AWS content, you need an AWS connector that has the required AWS IAM permissions.
This section describes how to grant those permissions to an existing AWS connector. The steps that you need to take depend on whether you configured your AWS environment using CloudFormation templates or manually.
Update an existing connector using CloudFormation templates
If you set up your AWS environment using CloudFormation templates, then follow these steps to grant sensitive data discovery permissions for your existing AWS connector.
In the Google Cloud console, go to the Setup guide page of Security Command Center.
Select the organization that you activated Security Command Center Enterprise tier on. The Setup guide page opens.
Click Step 3: Set up Amazon Web Services (AWS) integration. The Connectors page opens.
For the AWS connector, click More > Edit.
In the Review data types section, select Grant permissions for Sensitive Data Protection discovery.
Click Continue. The Connect to AWS page opens.
Click Download delegated role template. The template is downloaded to your computer.
Click Download collector role template. The template is downloaded to your computer.
Click Continue. The Test connector page opens. Don't test the connector yet.
In the CloudFormation console, update the stack template for the delegated role:
- Sign in to the AWS delegate account console. Make sure that you're signed in to the delegate account that is used to assume other collector AWS accounts.
- Go to the AWS CloudFormation console.
Replace the stack template for the delegated role with the updated delegated role template that you downloaded.
For more information, see Update a stack's template (console) in the AWS documentation.
Update the stack set for the collector role:
- Using an AWS management account or any member account that's registered as a delegated administrator, go to the AWS CloudFormation console.
Replace the stack set template for the collector role with the updated collector role template that you downloaded.
For more information, see Update your stack set using the AWS CloudFormation console in the AWS documentation.
If you need to collect data from the management account, then sign in to the management account and replace the template in the collector stack with the updated collector role template that you downloaded.
This step is needed because AWS CloudFormation stack sets don't create stack instances in management accounts. For more information, see DeploymentTargets in the AWS documentation.
In the Google Cloud console, on the Test connector page, click Test connector. If the connection is successful, the test determined that the delegated role has all the required permissions to assume the collector roles. If the connection isn't successful, see Troubleshooting errors when testing the connection.
Click Save.
Update an existing connector manually
If you configured your AWS accounts manually when you created the AWS connector, then follow these steps to grant sensitive data discovery permissions for your existing AWS connector.
In the Google Cloud console, go to the Setup guide page of Security Command Center.
Select the organization that you activated Security Command Center Enterprise tier on. The Setup guide page opens.
Click Step 3: Set up Amazon Web Services (AWS) integration. The Connectors page opens.
For the AWS connector, click More > Edit.
In the Review data types section, select Grant permissions for Sensitive Data Protection discovery.
Click Continue. The Connect to AWS page opens.
Click Configure AWS accounts manually (recommended if you use advanced settings or customized role names).
Copy the values of the following fields:
- Delegated role name
- Collector role name
- Sensitive Data Protection collector role name
Click Continue. The Test connector page opens. Don't test the connector yet.
In the AWS delegate account console, update the AWS IAM policy for the delegated role to use the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::*:role/COLLECTOR_ROLE_NAME",
        "arn:aws:iam::*:role/SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "organizations:List*",
        "organizations:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Replace the following:
- COLLECTOR_ROLE_NAME: the name of the configuration data collector role that you copied (the default is aws-collector-role)
- SCAN_SENSITIVE_DATA_COLLECTOR_ROLE_NAME: the name of the Sensitive Data Protection collector role that you copied (the default is aws-sensitive-data-protection-role)
For more information, see Editing customer managed policies (console) in the AWS documentation.
For each collector account, perform these procedures:
- Create the AWS IAM policy for Sensitive Data Protection
- Create the AWS IAM role for Sensitive Data Protection in each account
In the Google Cloud console, on the Test connector page, click Test connector. If the connection is successful, the test determined that the delegated role has all the required permissions to assume the collector roles. If the connection isn't successful, see Troubleshooting errors when testing the connection.
Click Save.
Troubleshooting
This section includes some common issues that you might encounter when you are integrating Security Command Center with AWS.
Resources already exist
This error occurs in the AWS environment when you try to create the AWS IAM policies and AWS IAM roles. This issue occurs when the role already exists in your AWS account and you are trying to create it again.
To resolve this issue, complete the following:
- Check whether the role or policy that you are creating already exists and satisfies the requirements listed in this guide.
- If necessary, change the role name to avoid conflicts.
Invalid principal in policy
This error can occur in the AWS environment when you are creating the collector roles but the delegated role doesn't exist yet: the Principal in each collector role's trust policy is the delegated role's ARN, and AWS rejects a trust policy that names a role that doesn't exist.
To resolve this issue, complete the steps in Create the AWS IAM policy for the delegated role and Create an AWS IAM role for the trust relationship between AWS and Google Cloud, and wait until the delegated role is created before continuing.
Throttling limitations in AWS
AWS throttles API requests for each AWS account on a per-account or per-region basis. To ensure that these limits are not exceeded when Security Command Center collects asset configuration data from AWS, Security Command Center collects the data at a fixed maximum QPS for each AWS service, as described in the API documentation for the AWS service.
If you experience request throttling in your AWS environment because of the QPS consumed, you can mitigate the issue by completing the following:
In the AWS connector settings page, set a custom QPS for the AWS service that is experiencing request throttling issues.
Restrict the permissions of the AWS collector role so that the data from that specific service isn't collected anymore. This mitigation technique prevents attack path simulations from working correctly for AWS.
Revoking all permissions in AWS stops the data collector process immediately. Deleting the AWS connector doesn't immediately stop the data collector process but it won't start again after it finishes.
Troubleshooting errors when testing the connection
These errors can occur when you test the connection between Security Command Center and AWS.
AWS_FAILED_TO_ASSUME_DELEGATED_ROLE
The connection is invalid because the Google Cloud service agent can't assume the delegated role.
To resolve this issue, consider the following:
Verify that the delegated role exists. To create it, see Create an AWS IAM role for the trust relationship between AWS and Google Cloud.
The trust policy of the delegated role doesn't let the service agent assume it. The trusted entity must be the Google web identity provider with the service agent ID as the audience; without that trust relationship, the service agent can't assume the role. To verify it, see Create an AWS IAM role for the trust relationship between AWS and Google Cloud.
AWS_FAILED_TO_LIST_ACCOUNTS
The connection is invalid because auto-discovery is enabled and the delegated role can't list all AWS accounts in the organization.
This issue indicates that the delegated role is missing the policy that allows the organizations:ListAccounts action (the delegated policy on this page grants it through organizations:List*). To resolve this issue, verify the delegated policy; see Create the AWS IAM policy for the delegated role. Also confirm that the delegated account is the management account or a member account with a delegation policy that grants organization list permissions, as described in Create AWS accounts.
AWS_INVALID_COLLECTOR_ACCOUNTS
The connection is invalid because there are invalid collector accounts. The error message includes more information about the possible causes, which include the following:
AWS_FAILED_TO_ASSUME_COLLECTOR_ROLE
The collector account is invalid because the delegated role cannot assume the collector role in the collector account.
To resolve this issue, consider the following:
Verify that the collector role exists.
- To create the collector role for asset configuration data, see Create the AWS IAM role for asset configuration data collection in each account.
- To create the collector role for Sensitive Data Protection, see Create the AWS IAM role for Sensitive Data Protection in each account.
The policy to allow the delegated role to assume the collector role is missing. To verify that the policy exists, see Create the AWS IAM policy for the delegated role.
AWS_COLLECTOR_ROLE_POLICY_MISSING_REQUIRED_PERMISSION
The connection is invalid because the collector policy is missing some of the required permission settings.
To resolve this issue, consider the following causes:
Some of the required AWS managed policies (ViewOnlyAccess and SecurityAudit) might not be attached to the collector role for asset configuration data. To verify that both are attached, see Create the AWS IAM role for asset configuration data collection in each account.
One of the following issues with a collector policy might be present:
- The collector policy might not exist.
- The collector policy isn't attached to the collector role.
- The collector policy doesn't include all the required permissions.
To resolve issues with a collector policy, see the following:
- Create the AWS IAM policy for asset configuration data collection
- Create the AWS IAM policy for Sensitive Data Protection
What's next
- If you are setting up Security Command Center Enterprise for the first time, continue with step 4 of the setup guide in the console.
- Review and remediate vulnerability findings from AWS.
- Create and manage a security posture for AWS.
- Create attack path simulations for AWS resources.
- Map compliance of AWS resources with various standards and benchmarks.