Integrating with AWS

This section describes how securiCAD can be used to analyze your AWS environments. In short, securiCAD analyzes your AWS environment by collecting data from it, which is then used to perform attack simulations. To do this, you need to:

  1. Have the required IAM permissions in AWS
  2. Run the data collector
  3. Upload the collected data to securiCAD

❗️

In the instructions below, make sure that you are using the correct version of the securiCAD AWS Collector. If you are using securiCAD as a service hosted by Foreseeti, always use the latest version of the collector.

📘

For information on the latest AWS Collector versions, see our GitHub.

1. Required IAM Permissions

To collect the required data, you need access to an IAM role or IAM user with limited read access to the accounts you want to include.

  1. Create an IAM policy with the following permissions. You can restrict the policy further, as described in the callout below, if needed.

  2. Attach the IAM policy to an IAM user, role or group that you have access to. Go to the AWS documentation to read more about IAM roles and IAM users.

🚧

Restricting data collection
The securicad-aws-collector can only collect the data that the IAM policy allows it to read. Always follow Best practices for IAM policies when creating your policy and use the appropriate resource restrictions to limit the collected data.

  3. (Optional) Generate access keys for your IAM user. This is only needed if you run the collector with explicit access keys instead of a profile or an IAM role.
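Before attaching the policy from step 1, it is worth checking that it really is read-only and enumerates its actions explicitly, which is the "Restricting data collection" point above. The following is an added example, not code from securiCAD or the collector: a small linter for IAM policy documents that flags wildcard actions, non-read actions and NotAction/NotResource in Allow statements. The two policy documents embedded in it are constructed for illustration, and the actions they contain are placeholders, not the collector's actual permission list (take that from the securiCAD GitHub page referenced above).

```python
"""Check an IAM policy document for least privilege before attaching it to the
identity the securiCAD AWS Collector will use.

Added example, not part of securiCAD or the collector. The two policy documents
below are constructed for illustration; the actions in them are placeholders,
not the collector's actual permission list.
"""
import json
from typing import Any, Dict, List

# Action name prefixes that only read state. Anything else in an Allow statement
# is reported, because a data collector never needs to change anything.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a single string or a list in Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: Dict[str, Any]) -> List[str]:
    """Return findings for Allow statements that go beyond explicit read-only access.

    An empty list means every Allow statement enumerates read-only actions.
    Deny statements are skipped: they can only narrow what is granted.
    """
    findings: List[str] = []
    for index, statement in enumerate(_as_list(document.get("Statement"))):
        where = "Statement[%d]" % index
        if statement.get("Effect") != "Allow":
            continue
        # NotAction / NotResource grant everything *except* what is listed,
        # which is the opposite of an explicit allow-list.
        for key in ("NotAction", "NotResource"):
            if key in statement:
                findings.append("%s: %s grants everything not listed; enumerate the allowed actions instead" % (where, key))
        for action in _as_list(statement.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append("%s: wildcard action %r is not least privilege" % (where, action))
                continue
            _service, _, name = action.partition(":")
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append("%s: %r is not a read-only action" % (where, action))
    return findings


def lint_policy_text(text: str) -> List[str]:
    """Convenience wrapper for a policy document held as JSON text."""
    return lint_policy(json.loads(text))


# Constructed sample policies (placeholder actions). Resource "*" is kept in the
# read-only one because most Describe/List calls have no resource-level
# permissions; tighten Resource and add Conditions wherever the API supports it.
READ_ONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:GetBucketPolicy", "s3:ListAllMyBuckets"],
    "Resource": "*"
  }]
}"""

OVERLY_BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""


if __name__ == "__main__":
    for label, text in (("read-only", READ_ONLY_POLICY), ("overly broad", OVERLY_BROAD_POLICY)):
        problems = lint_policy_text(text)
        print("%s policy: %s" % (label, "OK" if not problems else "%d finding(s)" % len(problems)))
        for problem in problems:
            print("  -", problem)
```

Run it against the policy document you intend to attach (for example the file you pass to `aws iam create-policy --policy-document`); an empty result means the collector identity can only read. The linter does not check Resource or Condition, since which APIs support resource-level restriction is service-specific, so those still need a manual review against the IAM best-practices guidance linked above.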

2. Run the AWS data collector

The securiCAD AWS Collector collects environment information from the AWS APIs, and stores the result in a JSON file. To gain access to the AWS APIs, the securiCAD AWS Collector needs to be configured with the credentials of an IAM user or an IAM role with the permissions described above.

❗️

The latest version of the AWS Collector requires Python 3.8 or above. While older versions of Python might still allow you to install the securicad-aws-collector, the collected data will not be compatible with securiCAD.

Install the securicad-aws-collector with pip: pip install securicad-aws-collector

Below are a few examples of how to run the securiCAD AWS Collector. The script stores the collected data in a file named aws.json.

Use credentials of an IAM user and a region (note that keys passed as command-line arguments are visible in the shell history and in the process list of the host; prefer the profile option below on shared machines):

securicad-aws-collector --access-key ACCESS_KEY --secret-key SECRET_KEY --region REGION

Use a pre-configured profile from ~/.aws/credentials or ~/.aws/config:

securicad-aws-collector --profile securicad

👍

Find more examples and collector options on GitHub.

3. Upload the collected data to securiCAD

securiCAD Enterprise

The resulting JSON file can be uploaded directly in the securiCAD Enterprise GUI or by using the securiCAD Enterprise SDK.

Using the Enterprise SDK

We recommend using the securiCAD Enterprise SDK for generating AWS models and running simulations. It contains several helper functions and examples on how to get started with AWS.

securiCAD Vanguard

The resulting JSON file can be uploaded directly into securiCAD Vanguard by selecting the AWS CLI Script option. The generated access keys can also be entered directly in securiCAD Vanguard, which then runs the AWS collector script for you. Since this hands the keys to the hosted service, keep them scoped to the read-only policy described above and rotate them afterwards.

Vulnerability data

securiCAD Enterprise supports vulnerability data from third parties in combination with the AWS data. Typical sources are vulnerability scanners, static code analysis tools and dependency managers. Vulnerability data can be used to simulate the impact of known vulnerabilities in your AWS environment.

Vulnerability data can be added via the Generate model option in the GUI by selecting the aws-vul-parser or via the securiCAD Enterprise SDK.

The vulnerability data format is described on GitHub with example code for integrations and automation.

What’s Next

How to get started with your AWS data in securiCAD Enterprise