Integrating with AWS

This section describes how securiCAD can be used to analyze your AWS environments. In short, securiCAD can analyze your AWS environment by collecting data from the environment which is then used to perform attack simulations.

IAM Permissions

To collect the required data, you need access to an IAM role or IAM User with read access to the accounts you want to analyze.

  1. Create an IAM policy with at least the following permissions. These permissions give limited read access to the supported AWS services.

  2. Attach the IAM policy to an IAM user, role or group that you have access to. Go to the AWS documentation to read more about IAM roles and IAM users.

  3. (Optional) Generate access keys to your IAM user.
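The policy attached in step 1 should grant read access only. The following Python check is an added example, not part of securiCAD's tooling: it parses an IAM policy document and reports every allowed action that is not a Describe/List/Get call, uses a wildcard, or is granted through NotAction, so that an over-broad policy is caught before it is attached. The sample policy is constructed for illustration and is not the permission list securiCAD requires; the Describe/List/Get rule is an assumption about what counts as read-only and treats a data-reading call such as s3:GetObject as read access.

```python
import json
import re

# Constructed sample policy: two read-only-style statements plus one
# over-broad statement. It is NOT securiCAD's own policy; the real
# permission list comes from the securiCAD documentation.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyExample",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups",
                "iam:ListRoles",
                "iam:GetPolicy",
            ],
            "Resource": "*",
        },
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Action": ["ec2:*", "iam:PassRole"],
            "Resource": "*",
        },
    ],
})

# Assumption: an action whose verb starts with Describe, List or Get is read-only.
READ_ONLY_VERB = re.compile(r"^(Describe|List|Get)[A-Za-z0-9]*$")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_non_read_actions(policy_json: str) -> list:
    """Return (Sid, action) pairs for every Allow action that is not a
    Describe/List/Get call, contains a wildcard, or is granted via NotAction.
    An empty list means the policy is read-only as far as action names show."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions
            findings.append((sid, "NotAction:" + json.dumps(stmt["NotAction"])))
        for action in _as_list(stmt.get("Action")):
            if "*" in action or ":" not in action:
                findings.append((sid, action))  # wildcard or malformed action
                continue
            _service, verb = action.split(":", 1)
            if not READ_ONLY_VERB.match(verb):
                findings.append((sid, action))
    return findings


def is_read_only(policy_json: str) -> bool:
    """True when no allowed action falls outside the read-only rule."""
    return not find_non_read_actions(policy_json)


if __name__ == "__main__":
    for sid, action in find_non_read_actions(SAMPLE_POLICY):
        print(f"statement {sid}: {action} is not a read-only action")
```

Run the check against the policy document before attaching it in step 2; any finding means a statement grants more than read access and should be tightened.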

Generating the AWS data

The securiCAD AWS Collector collects environment information from the AWS APIs and stores the result in a JSON file. To gain access to the AWS APIs, the securiCAD AWS Collector needs to be configured with the credentials of an IAM user or an IAM role with the permissions described above.

Install the securicad-aws-collector with pip:

pip install securicad-aws-collector

Below are a few examples of how to run the securiCAD AWS Collector. The script stores the collected data in a file named aws.json. Find more examples and options here.

Use credentials of an IAM user and a region:

securicad-aws-collector --access-key ACCESS_KEY --secret-key SECRET_KEY --region REGION

Use a pre-configured profile from ~/.aws/credentials or ~/.aws/config:

securicad-aws-collector --profile securicad

securiCAD Enterprise

The resulting JSON file can be uploaded directly into securiCAD Enterprise, or uploaded by using the securiCAD Enterprise SDK.

securiCAD Vanguard

The resulting JSON file can be uploaded directly into securiCAD Vanguard by selecting the AWS CLI Script option.

The generated access keys can also be used directly in securiCAD Vanguard, in which case it runs the AWS collector script for you.