This section describes how securiCAD can be used to analyze your AWS environments. In short, securiCAD can analyze your AWS environment by collecting data from the environment which is then used to perform attack simulations. To do this, you need to:
- Have the required IAM permissions in AWS
- Run the data collector
- Upload the collected data to securiCAD
In the instructions below, make sure that you are using the correct version of the securiCAD AWS Collector. If you are using securiCAD as a service hosted by Foreseeti, always use the latest version of the collector.
For information on the latest AWS Collector versions, see our GitHub.
To collect the required data, you need access to an IAM role or IAM User with limited read access to the accounts you want to include.
Create an IAM policy with the following permissions. You can restrict the policy further according to the Callout below if needed.
Restricting data collection
securicad-aws-collectorwill only be able to collect the data that the IAM policy allows it to do. Always follow Best practices for IAM policies when creating your policy and use the appropriate resource restrictions to limit the collected data.
- (Optional) Generate access keys to your IAM user.
The securiCAD AWS Collector collects environment information from the AWS APIs, and stores the result in a JSON file. To gain access to the AWS APIs, the securiCAD AWS Collector needs to be configured with the credentials of an IAM user or an IAM role with the permissions described above.
The latest version of the AWS Collector requires Python 3.8 or above. While older versions of Python might still allow you to install the securicad-aws-collector, the collected data will not be compatible with securiCAD.
Install the securicad-aws-collector with pip:
pip install securicad-aws-collector
Below are a few examples of how to run the securiCAD AWS Collector. The script stores the collected data in a file named
Use credentials of an IAM user and a region:
securicad-aws-collector --access-key ACCESS_KEY --secret-key SECRET_KEY --region REGION
Use a pre-configured profile from ~/.aws/credentials or ~/.aws/config:
securicad-aws-collector --profile securicad
Find more examples and collector options on GitHub.
We recommend using the securiCAD Enterprise SDK for generating AWS models and running simulations. It contains several helper functions and examples on how to get started with AWS.
The resulting JSON file can be uploaded directly into securiCAD Vanguard by selecting the AWS CLI Script option. The generated access keys can also be used directly in securiCAD Vanguard and it will run the AWS collector script for you.
securiCAD Enterprise supports vulnerability data from third parties in combination with the AWS data. Typical examples are vulnerability scanners, static code analysis and dependency managers. Vulnerability data can be used to simulate the impact of known vulnerabilities in your AWS environment.
Vulnerability data can be added via the Generate model option in the GUI by selecting the
aws-vul-parser or via the securiCAD Enterprise SDK.
The vulnerability data format is described on GitHub with example code for integrations and automation.
Updated 5 months ago
How to get started with your AWS data in securiCAD Enterprise