Update AWS settings for vulnerability management

After you connect Security Command Center to Amazon Web Services (AWS) for vulnerability management, you can modify your AWS connection settings, with the exception of the names of the delegated role and the collector role. If you need to change the role names, you must delete your AWS connector and set up a new connection.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Set up permissions

To get the permissions that you need to use the AWS connector, ask your administrator to grant you the Cloud Asset Owner (roles/cloudasset.owner) IAM role. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create AWS accounts

Ensure that you have created the following AWS resources:

Modify an existing AWS connection for vulnerability detection and risk assessment

Modify an existing AWS connection when your AWS environment configuration changes, for example, when you want to monitor different AWS regions or change the list of AWS accounts that Security Command Center uses.

  1. In the Google Cloud console, go to the Security Command Center page.

  2. Select the organization that you activated Security Command Center Enterprise on.

  3. Click Settings.

  4. Click the Connectors tab.

  5. Click the Edit option beside the connection that you want to update.

  6. In the Edit Amazon Web Services connector page, make your changes. The following table describes the options.

    Option: Specify which AWS accounts to use
    Description: You can let Security Command Center discover the AWS accounts automatically, or you can provide a list of AWS accounts that Security Command Center can use to find resources.

    Option: Specify which AWS accounts to exclude
    Description: If you let Security Command Center automatically discover accounts, you can provide a list of AWS accounts that Security Command Center cannot use to find resources.

    Option: Specify which AWS regions to monitor
    Description: You can select one or more AWS regions for Security Command Center to monitor. Leave the AWS regions field empty to monitor all regions.

    Option: Override the default queries per second (QPS) for AWS services
    Description: You can change the QPS to control the quota limit for Security Command Center. Set the override to a value that is less than the default value for that service and greater than or equal to 1. The default value is the maximum value. If you do change the QPS, Security Command Center might encounter issues fetching data. Therefore, we don't recommend changing this value.

    Option: Change the endpoint for AWS Security Token Service
    Description: You can specify a specific endpoint for the AWS Security Token Service (for example, https://sts.us-east-2.amazonaws.com). Leave the AWS Security Token Service (AWS STS) (optional) field empty to use the default global endpoint (https://sts.amazonaws.com).
  7. If you changed the delegated account ID or the list of AWS accounts to include or exclude, you must update your AWS environment. A change to the delegated account ID requires that you set up your AWS configuration again. A change to the list of AWS accounts requires that you add or remove collector roles. Removing AWS accounts from the exclude list because you want to include them requires you to add the collector roles to those accounts. Complete the following:

    1. Click Continue.

    2. In the Create connection with AWS page, complete one of the following:

  8. If you added an AWS account to the list of AWS accounts to exclude, we recommend that you remove the collector role from the account.

  9. Click Test connector to verify that Security Command Center can connect to your AWS environment. If the connection is successful, the Google Cloud service agent can assume the delegated role and the delegated role has all the required permissions to assume the collector role. If the connection isn't successful, see Troubleshooting errors when testing the connection.

  10. Click Save.
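As an added example that is not part of this page or of the Security Command Center product, the following Bash script uses the AWS CLI to check, from the AWS side, the second half of the role chain that the Test connector step relies on: that the delegated role can assume the collector role in every included account, and can no longer assume it in accounts you excluded and cleaned up. It assumes that credentials for the delegated role are already present in the environment, and that the collector role name, the account IDs and the STS endpoint are placeholders you replace with your own values.

```bash
#!/usr/bin/env bash
# Added example: verify the delegated-role -> collector-role chain with the AWS CLI.
# Assumes the shell already holds delegated-role credentials (AWS_ACCESS_KEY_ID etc.).
set -u

# Placeholders: use the global endpoint or the regional one configured in the connector,
# and the collector role name you chose when setting up the connection.
STS_ENDPOINT="${STS_ENDPOINT:-https://sts.amazonaws.com}"
COLLECTOR_ROLE_NAME="${COLLECTOR_ROLE_NAME:-YOUR-COLLECTOR-ROLE}"

# Try to assume the collector role in one account; prints "ok" or "fail".
check_collector_role() {
  local account_id="$1"
  local arn="arn:aws:iam::${account_id}:role/${COLLECTOR_ROLE_NAME}"
  if aws sts assume-role --role-arn "$arn" --role-session-name scc-connector-check \
       --endpoint-url "$STS_ENDPOINT" --duration-seconds 900 >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Included accounts must be assumable; excluded accounts should not be, because the
# page recommends removing the collector role from them. Returns 0 when every account
# is in the expected state, 1 otherwise (details go to stderr).
audit_accounts() {
  local include_list="$1" exclude_list="$2" rc=0 acct result
  for acct in $include_list; do
    result=$(check_collector_role "$acct")
    [ "$result" = ok ] || { echo "include $acct: collector role not assumable" >&2; rc=1; }
  done
  for acct in $exclude_list; do
    result=$(check_collector_role "$acct")
    [ "$result" = fail ] || { echo "exclude $acct: collector role still assumable" >&2; rc=1; }
  done
  return $rc
}

# Usage: ./audit.sh "111111111111 222222222222" "333333333333"
if [ $# -ge 1 ]; then
  audit_accounts "$1" "${2:-}"
fi
```

Run it with the delegated-role credentials exported, before clicking Test connector, to separate AWS-side permission problems from Google Cloud-side ones.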

What's next