Access Explorer - Configuration and Settings

An Overview of Access Explorer Configuration and Settings

This page assumes you have completed the set up required to launch Access Explorer. If you are looking for guidance on the first-time setup process, check out the Access Explorer - Setup page. This page includes details on each of the configuration options available for Access Explorer.

From the InsightCloudSec main navigation menu, select “Security → Access Explorer” to launch Access Explorer and locate the settings options.

[Image: Access Explorer Settings]

Explorer Application Settings

In the Explorer Application Settings you have access to settings for the following: Account Whitelist, Application Group Rules, Principal Ignore List, and Application Property Customization.

  • Clicking on any of those options on the left navigates to the selected section on the page.
[Image: Access Explorer Application Settings]

CMDB/EIAM Configuration

In the CMDB Configuration / EIAM Configuration sections you have access to settings for your CMDB and EIAM configurations respectively. You can test settings and make changes based on your organization’s requirements.

  • Clicking on either of these options navigates to the section on the page.
  • Making changes to the CMDB or EIAM file(s) will trigger a cache rebuild.
[Image: CMDB & EIAM Configurations]

Account Whitelisting

Account Whitelisting allows you to select the cloud accounts you would like to connect to Access Explorer. This can include some, or all, of the cloud accounts you have connected to your existing InsightCloudSec platform. Access Explorer will analyze any account you select.

  • For details on connecting a new Cloud account, check out our Cloud Account Setup documentation.

Modify Whitelisted Accounts

To revise the cloud accounts included in Access Explorer modify your selections from the drop-down list provided (this includes any AWS cloud accounts that are connected to your existing InsightCloudSec platform) and then click "Update Whitelisted Accounts."

  • Caching is scheduled to rebuild every 24 hours. If you want to rebuild the cache immediately to analyze any changes you've made, select the "IAM Data Last Updated" option from the top of the Access Explorer page and select "Rebuild Cache".
[Image: Rebuild the Cache]

Note: Cache Rebuild - Data Status

If a cache rebuild is in progress, the data you are exploring will be based on the previous cache build. Once the cache is rebuilt, the "IAM Data Last Updated" will reflect the updated time and clicking on any option within Access Explorer will display the newly imported data.

Configuring Application Groups

To inspect IAM resources in Access Explorer by application you will need to configure InsightCloudSec to understand your tagging and naming configurations. By understanding your tagging or naming schema, we can dynamically group resources into applications through Application Groups.

Application Groups are a collection of rules you define to create an application.

  • Application groups can contain multiple rules.
  • Access Explorer can support multiple applications (though only one at a time will display).

Why Explore by Application?

Many operational and security teams view cloud resources by resource names or resource IDs. This approach limits the visibility of relationships between the resources and organization. In most enterprises cloud resources are logically grouped together under a common purpose (an application, a service, a micro-service), and this is usually configured using a tagging or naming convention.

By allowing Access Explorer to understand your tagging and naming conventions, we can dynamically group resources to their corresponding applications. This configuration will enable you to explore the resources that are part of an application and the users that have access to the application’s resources.

Setting Up an Application Group

Refer to the steps below to configure an Application Group.

1. From your InsightCloudSec main navigation menu locate "Security --> Access Explorer" and click to open "Access Explorer."

2. On the top right of the page, click the gear (“Settings”).

[Image: New Application Group Setup]

3. Click “Add an Application Group Rule” to add a new Application name or tag pattern.

4. Give your application a name in "Application Group Name" and then select the appropriate "Group Rules" (either "Tags that have a key of..." or "Resource names that match the regex").

  • There are two ways that Application Groups can resolve applications: tagging and naming conventions. Regex is useful for scenarios where your organization does not have an established naming or tagging convention and/or when your organization may have resources that do not support tagging.
  • If resources in your environment are tagged with the key “App” and a value that names the application, you would add the rule "Tags that have a key of... - App," as shown below.
[Image: Adding an Application/Application Group]

5. Click “Add Another Rule” to add additional rules to your Application Group.

  • Repeat this step for any rules you want to include.

6. Click “Save Application Group” to create a new application.
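
As an added illustration (this is not product code, and the product's own rule-evaluation logic is not described on this page), the following Python resolves a constructed inventory into applications using the two rule types above: a "Tags that have a key of..." rule and a "Resource names that match the regex" rule. It assumes the application name is the tag's value for a tag rule and the first capture group for a regex rule, and that rules are applied in order with the first match winning. The resource IDs, names and tags are constructed sample data.

```python
import re

# Constructed sample inventory (not product data). "tags" is None for a
# resource type that does not support tagging, which is the case the
# regex rule exists for.
SAMPLE_RESOURCES = [
    {"id": "i-0a1", "name": "payments-api-prod-1", "tags": {"App": "payments"}},
    {"id": "i-0a2", "name": "payments-worker-2", "tags": {"App": "payments"}},
    {"id": "bucket-1", "name": "records-archive", "tags": {"App": "records"}},
    {"id": "legacy-1", "name": "app-billing-db", "tags": None},
    {"id": "i-0a9", "name": "scratch-box", "tags": {}},
]


def tag_rule(key):
    """'Tags that have a key of...' rule: the tag's value names the application."""
    def resolve(resource):
        return (resource.get("tags") or {}).get(key) or None
    return resolve


def name_regex_rule(pattern):
    """'Resource names that match the regex' rule. Assumption for this example:
    the first capture group names the application (the page does not state how
    the product derives the name from a regex match)."""
    compiled = re.compile(pattern)

    def resolve(resource):
        m = compiled.search(resource["name"])
        return m.group(1) if m else None
    return resolve


def resolve_applications(resources, rules):
    """Apply an Application Group's rules in order; the first rule that resolves
    a resource wins. Returns ({application: [resource ids]}, [unassigned ids])."""
    apps, unassigned = {}, []
    for resource in resources:
        app = next((a for a in (rule(resource) for rule in rules) if a), None)
        if app is None:
            unassigned.append(resource["id"])
        else:
            apps.setdefault(app, []).append(resource["id"])
    return apps, unassigned


def application_menu(apps, expected_apps):
    """Mirror the Applications list: every expected application is listed, but
    one that resolved zero resources is disabled (False)."""
    return {name: bool(apps.get(name)) for name in expected_apps}


if __name__ == "__main__":
    group = [tag_rule("App"), name_regex_rule(r"^app-([a-z]+)-")]
    apps, unassigned = resolve_applications(SAMPLE_RESOURCES, group)
    print(apps, unassigned)
    print(application_menu(apps, ["payments", "records", "billing", "inventory"]))
```

The resource whose tags are None stands in for a service that does not support tagging, which is exactly what the regex rule is meant to cover; a resource matching neither rule is reported as unassigned, and an expected application with no resources is shown disabled.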

Browsing Applications

Once you have created your applications (via Application Group), they will be visible on the main Access Explorer page under the Applications section. Applications with zero resources will display but be disabled.

  • Note: An Application Group can have multiple rules and you can have multiple application groups. However, only one Application Group can be active at a time for exploration. The Application Group can be selected from the “Application Group” widget at the top of the page.
[Image: Selecting an Application]

Principal Ignore List

The Principal Ignore List (optional) is available under the Explorer Application Settings. This setting allows you to optionally define principals you would like to exclude from analysis and cache building in Access Explorer.

Calculating the access between principals and resources can be time-consuming. When the InsightCloudSec IAM Governance module builds the cache, it examines the actions each principal can perform against every resource it can reach. For example, suppose the following admin-level users are provisioned in your AWS accounts:

  • SecOpsAdmin: 1,000 accessible Divvy-managed AWS resources per account, present in 1,000 accounts.
  • OperationsAdmin: 1,000 accessible Divvy-managed AWS resources per account, present in 100 accounts.

The number of principal-to-resource evaluations the cache build must perform in this example is:

  • SecOpsAdmin: 1,000 resources × 1,000 accounts = 1,000,000.
  • OperationsAdmin: 1,000 resources × 100 accounts = 100,000.

Since the user types in the example above are typically provisioned into accounts with automation, and are well known to security and operational staff, it may not make sense to iterate what they have access to every time the cache builds.

Adding an Ignore Principal Rule

From the Access Explorer landing page, click the gear ("Settings") in the top right corner, then click "Principal Ignore List".

  • You can view any existing rules and then test, edit, or delete those rules.
  • To add a new rule, click "+ Add Rule" and provide a name and regular expression, then optionally test the rule. When finished, click "Add to Principal Ignore List."

For example, the following regular expression ignores every IAM role named CloudAdmin in any AWS account (the [0-9]{12} portion matches any 12-digit account ID): arn:aws:iam::[0-9]{12}:role/CloudAdmin. If the pattern is applied as a partial match, it would also catch roles whose names merely begin with CloudAdmin (for example CloudAdminReadOnly); use the Test option to confirm the rule matches only the principals you intend, and anchor the pattern (for example with a trailing $) if it does not.

[Image: Adding to the Principal Ignore List]
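
The following added Python example (not part of the product) shows why the matching mode matters: it applies the CloudAdmin pattern from the text and an anchored variant to a constructed list of principal ARNs, once as a substring search and once requiring a full match. Whether the Principal Ignore List applies a pattern as a partial or full match is not stated on this page, so verify with the rule's Test option.

```python
import re

# Constructed principal ARNs (sample data, not from a real account).
SAMPLE_PRINCIPALS = [
    "arn:aws:iam::111111111111:role/CloudAdmin",
    "arn:aws:iam::222222222222:role/CloudAdmin",
    "arn:aws:iam::222222222222:role/CloudAdminReadOnly",
    "arn:aws:iam::333333333333:role/SecOpsAdmin",
    "arn:aws:iam::333333333333:user/alice",
]

# Rule name -> regular expression, as it would be entered in the Principal
# Ignore List. The first pattern is the one from the text; the second is anchored.
IGNORE_RULES = {
    "cloud-admin": r"arn:aws:iam::[0-9]{12}:role/CloudAdmin",
    "secops-admin": r"^arn:aws:iam::[0-9]{12}:role/SecOpsAdmin$",
}


def partition_principals(principals, rules, full_match=False):
    """Split principals into those kept for analysis and those ignored.

    full_match=False applies each pattern as a substring search; full_match=True
    requires the whole ARN to match. Returns (kept_arns, {ignored_arn: rule_name}).
    """
    compiled = {name: re.compile(pattern) for name, pattern in rules.items()}
    kept, ignored = [], {}
    for arn in principals:
        def matches(rx, arn=arn):
            return rx.fullmatch(arn) if full_match else rx.search(arn)
        hit = next((name for name, rx in compiled.items() if matches(rx)), None)
        if hit:
            ignored[arn] = hit
        else:
            kept.append(arn)
    return kept, ignored


if __name__ == "__main__":
    for mode in (False, True):
        kept, ignored = partition_principals(SAMPLE_PRINCIPALS, IGNORE_RULES, full_match=mode)
        print("full_match =", mode)
        print("  ignored:", ignored)
        print("  kept:   ", kept)
```

In substring mode the unanchored CloudAdmin pattern also swallows CloudAdminReadOnly, a less privileged role you probably do want analyzed; the anchored SecOpsAdmin pattern behaves the same in both modes.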

Application Property Customization

Application Property Customization (optional) is available under the Explorer Application Settings. It lets you define memorable, friendly display names for the fields imported from your CMDB file; these names can optionally be displayed in Access Explorer.

  • By default, the Display Name is the same as the name in the field exported in the CMDB file you provided.
[Image: Application Property Customization]

Configuring CMDB

Many enterprises maintain a Configuration Management Database (CMDB) that contains a lot of useful data, including information about applications. This information may include reporting structure details, information-classification requirements, compliance requirements, business units, etc.

Unfortunately, that information is often locked inside the CMDB and not available to other tools. By enabling the CMDB configuration for Access Explorer, that data is associated with applications and their associated resources. It allows you to view that data alongside the applications and resources in Access Explorer.

Some Examples of CMDB data in Access Explorer:

  • Finding principals that have access to applications that require HIPAA compliance
  • Finding S3 buckets that require PCI compliance, and who has access to those buckets
  • Finding users who can access PCI-compliant RDS instances owned by the “Machine Learning” organization

Configuring the CSV Import File

Access Explorer includes two options for importing your CMDB configuration. Both rely on a CMDB file in comma-separated value (CSV) format. The file requires two columns; all others are optional. The required columns are as follows:

  • APPLICATION NAME: an ID or short name of your application.
  • APPLICATION LABEL: human friendly version of your Application Name that will be displayed in Access Explorer.

Note: The above columns MUST be present somewhere in the CSV file (the order doesn’t matter), named exactly as listed above.

All other fields are optional and can be shown in the Access Explorer UI.

Example CMDB File

APPLICATION NAME,APPLICATION LABEL,DESCRIPTION,CROWN JEWEL,PORTFOLIO,COMPLIANCE
1245,Records Processing,Processes healthcare records.,TRUE,Health Care Management,HIPAA
RM,Records Management,Maintains healthcare records,TRUE,Health Care Management,HIPAA
Deployment Manager,Deployment Manager,Handles system deployments.,None,Devops Tooling,None
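
An added Python example (not the product's importer) that validates a CMDB CSV against the rules above: both required columns present under exactly those names, in any order; no duplicate columns; and no empty or duplicate application names. The sample file is constructed from the example above, with the required columns moved and a stray space added to one header to show that column order does not matter and that header whitespace is trimmed. The applications_where helper mirrors the compliance lookups listed under Configuring CMDB.

```python
import csv
import io

REQUIRED_COLUMNS = ("APPLICATION NAME", "APPLICATION LABEL")

# Constructed sample in the page's format. The required columns are deliberately
# not first, and " PORTFOLIO" carries a stray leading space.
SAMPLE_CMDB_CSV = """APPLICATION LABEL,APPLICATION NAME,DESCRIPTION,CROWN JEWEL, PORTFOLIO,COMPLIANCE
Records Processing,1245,Processes healthcare records.,TRUE,Health Care Management,HIPAA
Records Management,RM,Maintains healthcare records,TRUE,Health Care Management,HIPAA
Deployment Manager,Deployment Manager,Handles system deployments.,None,Devops Tooling,None
"""


class CmdbFormatError(ValueError):
    """Raised when the CSV cannot be used as an Access Explorer CMDB file."""


def load_cmdb(text):
    """Parse a CMDB CSV. Returns ({APPLICATION NAME: row dict}, [optional column names]).

    Checks: both required columns present (exact names, any order, whitespace
    trimmed), no duplicate headers, no empty or duplicate application names.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in headers]
    if missing:
        raise CmdbFormatError(f"missing required column(s): {missing}")
    duplicates = sorted({h for h in headers if headers.count(h) > 1})
    if duplicates:
        raise CmdbFormatError(f"duplicate column(s): {duplicates}")

    apps = {}
    for lineno, row in enumerate(reader, start=2):
        # Trim header and cell whitespace; drop overflow cells (DictReader keys them None).
        clean = {k.strip(): (v or "").strip() for k, v in row.items() if k is not None}
        name = clean["APPLICATION NAME"]
        if not name:
            raise CmdbFormatError(f"line {lineno}: empty APPLICATION NAME")
        if name in apps:
            raise CmdbFormatError(f"line {lineno}: duplicate APPLICATION NAME {name!r}")
        apps[name] = clean
    return apps, [h for h in headers if h not in REQUIRED_COLUMNS]


def is_valid_cmdb(text):
    """True if load_cmdb accepts the file, False otherwise."""
    try:
        load_cmdb(text)
        return True
    except (CmdbFormatError, csv.Error):
        return False


def applications_where(apps, column, value):
    """The page's use case: applications whose metadata column has a given value,
    e.g. every application whose COMPLIANCE field is HIPAA."""
    return sorted(name for name, row in apps.items() if row.get(column) == value)


if __name__ == "__main__":
    apps, optional = load_cmdb(SAMPLE_CMDB_CSV)
    print("optional columns:", optional)
    print("HIPAA applications:", applications_where(apps, "COMPLIANCE", "HIPAA"))
```

Running a check like this before uploading, or before pointing the S3 fetch at a new revision, matters because any change to the CMDB file triggers a cache rebuild; a malformed file costs a rebuild cycle before the problem shows.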

Configuring the CMDB Import

For Access Explorer to understand your applications and any metadata you may have regarding those applications, you will need to import your CMDB data.

You have two options for configuring the CMDB Import: You can upload the file directly or point to the file hosted in an S3 Bucket. Note that any changes to the CMDB file automatically trigger a cache rebuild.

Upload a CMDB File
Users can select and upload a file to share their CMDB data with Access Explorer.

Simply "Choose a File" and select "Upload" to upload your properly formatted CSV file.

Fetch CMDB File
Users can share the required CMDB file via S3 Bucket. This can be done with an existing S3 Bucket or a newly created one. Information on creating a new bucket can be found here.

Whether you are creating a new S3 Bucket or using an existing one, the Authentication Type you select during CMDB configuration must have access to the bucket.

Warning: S3 Bucket Permissions

Both the bucket policy and the identity policies associated with the Authentication Type must allow the required access. At a minimum, the policies must explicitly or implicitly allow s3:GetObject on the configuration file. Scope the grant to that object (or at most the bucket) rather than granting s3:* or a wildcard resource; Access Explorer only needs to read the file. If the bucket's objects are encrypted with a customer managed KMS key, the identity also needs kms:Decrypt on that key.

To add a CMDB configuration after your initial setup refer to the following steps:

1. Navigate to "Security --> Access Explorer" and click on "Access Explorer" to launch.

2. Click the gear ("Settings") in the top right to open the Settings page and navigate to "CMDB Configuration."

3. Under the CMDB Configuration section select the "Fetch CMDB File" option and complete the form with your desired options.

[Image: Add a CMDB file via S3]

  • CMDB File Location

    • Bucket Name - The AWS S3 Bucket name where your CSV file is located
    • File Name - Name of the CSV file inside of the S3 Bucket you have specified
  • CMDB File Authentication

    • Authentication Type - Select from Use Cloud Credentials, API Key, Assume Role, or STS Role
    • Note - The remaining fields vary with the Authentication Type you select, as outlined below.

Use Cloud Credentials
    • Cloud - Select the applicable cloud from the drop-down list.

API Key
    • API Key - The AWS access key ID of the IAM identity that is allowed to read the file.
    • Secret Key - The secret access key paired with that access key ID.

Assume Role
    • Cloud - Select the applicable cloud from the drop-down list.
    • Role Name - The Role ARN of the target AWS IAM role.
    • Session Name - A unique name that identifies the session. (In AWS this distinguishes sessions when IAM principals, federated identities, and applications assume the same IAM role.)
    • Minimum Role Duration - Minimum duration before the role is re-authenticated. In AWS the session duration defaults to 1 hour (the value is specified in seconds).
    • External ID (optional) - The external ID required by the target role's trust policy, if it has one.

STS Role
    • API Key - The AWS access key ID of the IAM identity that will call STS to assume the role.
    • Secret Key - The secret access key paired with that access key ID.
    • Session Name - As for Assume Role.
    • Minimum Role Duration - As for Assume Role.
    • External ID (optional) - As for Assume Role.

4. Select "Save CMDB Configuration Changes" once you have supplied your details.

  • Optionally you may select "Test Settings" to verify that your S3 Bucket can communicate with Access Explorer.

Configuring EIAM

Understanding the Challenges

A common scenario for enterprise users logging in to AWS is through SAML Federation with Active Directory. A user logs in to the AWS console by providing their Active Directory credentials and assuming a role that gives them access. Although the user does not directly authenticate to AWS with their credentials, the SAML Federation configuration with Active Directory is able to provide AWS with details on the roles the authenticated user can assume. The actions the federated user can perform are defined primarily by the policies of the role they are assuming and the policies of their associated resources.

Access Explorer can identify which resources a given principal (including a role a federated user assumes) can access. However, tracking access back to the federated user is time consuming: you have to look at the role, map that role back to the Active Directory (AD) group, and then verify group membership to determine that the federated user holds the privileges granted by the role.

The purpose of EIAM integration is to shorten this process. For example, suppose Active Directory contains a group named AWS_123456789101_Developer with a number of users in it. Given the proper Active Directory SAML configuration, each of those users can assume the IAM role with the ARN arn:aws:iam::123456789101:role/Developer.

When you configure Access Explorer to fetch your enterprise group/user information as well as how those groups are mapped to AWS Roles, Access Explorer allows you to browse access by the federated principal. Refer to the image below for a comparison.

[Image: AWS vs. InsightCloudSec IAM Comparison]

EIAM Configuration Data

Configuring the EIAM or enterprise identity data (EID) import is exactly the same as the CMDB import aside from the import data format. Note: Any changes to the EIAM file automatically trigger a cache rebuild.

For EID, Access Explorer uses a JSON data format. The JSON file is a list of every user you may want to explore in Access Explorer, along with the IAM roles each user can assume.

[
   {
       "displayName": "Catherine Laine",
       "name": "Aurélie Legendre",
       "uid": "43d00bfc-cf0a-43da-xx1234-4936427xxxxx",
       "assumableRoles": [
           "arn:aws:iam::123456789101:role/cherry_role_sns_allow",
           "arn:aws:iam::123456789101:role/redoak_role_s3_deny_list"
       ]
   },
   {
       "displayName": "Maryse Aubert",
       "name": "Raymond Tanguy",
       "uid": "19855a44-8993-4780-123a-c543141xxxxx",
       "assumableRoles": [
           "arn:aws:iam::123456789101:role/silvermaple_role_sns_allow",
           "arn:aws:iam::123456789101:role/redoak_role_s3_deny",
           "arn:aws:iam::123456789101:role/redoak_role_s3_allow"
       ]
   }
]
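
An added Python example (not the product's importer, and not the scripts the note below refers to) that validates an EIAM file against the structure above and performs the reverse lookup the EIAM integration exists for: given a role ARN, which federated users can assume it. It also maps an Active Directory group named per the AWS_<account id>_<role name> example earlier on this page to the role ARN it grants; that naming convention is taken from the page's example and is an assumption of this code, not a rule the product imposes. The sample users and uids are constructed.

```python
import json
import re

# Shape of an IAM role ARN: 12-digit account ID, then role/<path and name>.
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
REQUIRED_KEYS = ("displayName", "name", "uid", "assumableRoles")

# Constructed sample in the page's EIAM format (uids shortened; not real identities).
SAMPLE_EIAM_JSON = """[
  {"displayName": "Catherine Laine", "name": "Aurélie Legendre", "uid": "u-0001",
   "assumableRoles": ["arn:aws:iam::123456789101:role/cherry_role_sns_allow",
                      "arn:aws:iam::123456789101:role/redoak_role_s3_deny_list"]},
  {"displayName": "Maryse Aubert", "name": "Raymond Tanguy", "uid": "u-0002",
   "assumableRoles": ["arn:aws:iam::123456789101:role/silvermaple_role_sns_allow",
                      "arn:aws:iam::123456789101:role/redoak_role_s3_deny",
                      "arn:aws:iam::123456789101:role/redoak_role_s3_allow"]}
]"""


class EiamFormatError(ValueError):
    """Raised when the JSON cannot be used as an Access Explorer EIAM file."""


def load_eiam(text):
    """Parse and validate an EIAM file. Returns {uid: entry}.

    Checks: top level is a list; every entry has the four keys; uids are unique;
    assumableRoles is a list of well-formed IAM role ARNs.
    """
    data = json.loads(text)
    if not isinstance(data, list):
        raise EiamFormatError("top level must be a JSON list of users")
    users = {}
    for index, entry in enumerate(data):
        missing = [k for k in REQUIRED_KEYS if k not in entry]
        if missing:
            raise EiamFormatError(f"entry {index}: missing {missing}")
        if entry["uid"] in users:
            raise EiamFormatError(f"entry {index}: duplicate uid {entry['uid']!r}")
        if not isinstance(entry["assumableRoles"], list):
            raise EiamFormatError(f"entry {index}: assumableRoles must be a list")
        bad = [r for r in entry["assumableRoles"] if not ROLE_ARN.match(r)]
        if bad:
            raise EiamFormatError(f"entry {index}: malformed role ARN(s) {bad}")
        users[entry["uid"]] = entry
    return users


def is_valid_eiam(text):
    """True if load_eiam accepts the file, False otherwise."""
    try:
        load_eiam(text)
        return True
    except (EiamFormatError, ValueError, TypeError):
        return False


def who_can_assume(users, role_arn):
    """The reverse lookup the page describes: federated users who can assume a role."""
    return sorted(u["displayName"] for u in users.values() if role_arn in u["assumableRoles"])


# Assumed AD group naming convention, taken from the page's example only.
AD_GROUP = re.compile(r"^AWS_(\d{12})_([\w+=,.@-]+)$")


def group_to_role_arn(group_name):
    """Map AWS_<account id>_<role name> to the role ARN it grants; None otherwise."""
    m = AD_GROUP.match(group_name)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else None


if __name__ == "__main__":
    users = load_eiam(SAMPLE_EIAM_JSON)
    print(who_can_assume(users, "arn:aws:iam::123456789101:role/redoak_role_s3_allow"))
    print(group_to_role_arn("AWS_123456789101_Developer"))
```

A script that exports this file from Active Directory is the place to apply group_to_role_arn: walk each user's group memberships, keep the groups that follow your convention, and emit the resulting ARNs as that user's assumableRoles.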

Note: EIAM Import Script

We have created a script in Python and in PowerShell that can fetch the EIAM information from your Active Directory system. Note: These are just starting points and must be customized for your environment. These scripts are available through [email protected].

Steps to Configure EIAM

You have two options for configuring the EIAM Import: You can upload the file directly or point to the file that is hosted in an S3 Bucket.

Upload an EIAM File
Users can select and upload a file to share their EIAM data with Access Explorer.

Simply "Choose a File" and select "Upload" to provide your properly formatted JSON file.

Fetch EIAM File
Users can also share the EIAM file via S3 Bucket. This can be done with an existing S3 Bucket or a newly created one. Information on creating a new bucket can be found here.

Whether you are creating a new S3 Bucket or using an existing one, the Authentication Type you select during EIAM configuration must have access to the bucket.

Warning: S3 Bucket Permissions

Both the bucket policy and the identity policies associated with the Authentication Type must allow the required access. At a minimum, the policies must explicitly or implicitly allow s3:GetObject on the configuration file. Scope the grant to that object (or at most the bucket) rather than granting s3:* or a wildcard resource; Access Explorer only needs to read the file. If the bucket's objects are encrypted with a customer managed KMS key, the identity also needs kms:Decrypt on that key.
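
The S3 Bucket Permissions warnings for the CMDB fetch and for the EIAM fetch both come down to the same least-privilege grant. The following added Python example (not product code; the bucket, key, account ID, role name and external ID are constructed placeholders) builds the three policy documents involved: the identity policy for the credentials Access Explorer uses, the bucket policy for the case where the bucket lives in another account, and the trust policy for the role used with the Assume Role / STS Role options, carrying the External ID condition. It also includes a minimal evaluator that checks whether a policy covers s3:GetObject on exactly the configuration object, which is how to catch an over-broad grant such as s3:* on *.

```python
import json
import re


def object_arn(bucket, key):
    return f"arn:aws:s3:::{bucket}/{key}"


def identity_policy(bucket, key):
    """Identity policy for the IAM identity whose credentials Access Explorer uses
    (API Key, Assume Role or STS Role): s3:GetObject on the one configuration object."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadAccessExplorerConfigObject",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": object_arn(bucket, key),
        }],
    }


def bucket_policy(bucket, key, principal_arn):
    """Bucket policy granting the same principal the same single object; needed in
    addition to the identity policy when the bucket is in a different account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAccessExplorerConfigRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "s3:GetObject",
            "Resource": object_arn(bucket, key),
        }],
    }


def trust_policy(trusted_account_id, external_id):
    """Trust policy for the role named in the Assume Role / STS Role options: only
    the trusted account may assume it, and only when presenting the External ID
    entered in the form (the standard confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Actions are case-insensitive in IAM; resource ARNs are not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def grants_get_object(policy, resource_arn):
    """Minimal evaluator: True if an Allow statement covers s3:GetObject on the
    resource and no Deny statement does. Conditions are ignored, so this is a
    scoping check, not a full IAM simulation."""
    def as_list(v):
        return [v] if isinstance(v, str) else list(v)
    allowed = False
    for st in policy["Statement"]:
        if not any(_iam_match(a, "s3:GetObject", ignore_case=True) for a in as_list(st.get("Action", []))):
            continue
        if not any(_iam_match(r, resource_arn) for r in as_list(st.get("Resource", []))):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed bucket and key, not a real deployment.
    print(json.dumps(identity_policy("example-ics-config", "cmdb/applications.csv"), indent=2))
    print(json.dumps(trust_policy("123456789012", "example-external-id"), indent=2))
```

The evaluator deliberately ignores Conditions; use it to confirm that the Resource is the configuration object and nothing wider, then rely on the form's Test Settings button (or the IAM policy simulator) for the authoritative answer.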

To add an EIAM configuration after your initial setup refer to the following steps:

1. Navigate to "Security --> Access Explorer" and click on "Access Explorer" to launch.

2. Click the gear ("Settings") in the top right to open the Settings page and navigate to "EIAM Configuration."

3. Under the EIAM Configuration section, select the "Fetch EIAM File" option and complete the form with your desired options.

[Image: EIAM Fetch File from S3]

  • EIAM File Location

    • Bucket Name - The AWS S3 Bucket name where your JSON file is located
    • File Name - Name of the JSON file inside of the S3 Bucket you have specified
  • EIAM File Authentication

    • Authentication Type - Select from Use Cloud Credentials, API Key, Assume Role, or STS Role.
    • Note - The remaining fields vary with the Authentication Type you select, as outlined below.

Use Cloud Credentials
    • Cloud - Select the applicable cloud from the drop-down list.

API Key
    • API Key - The AWS access key ID of the IAM identity that is allowed to read the file.
    • Secret Key - The secret access key paired with that access key ID.

Assume Role
    • Cloud - Select the applicable cloud from the drop-down list.
    • Role Name - The Role ARN of the target AWS IAM role.
    • Session Name - A unique name that identifies the session. (In AWS this distinguishes sessions when IAM principals, federated identities, and applications assume the same IAM role.)
    • Minimum Role Duration - Minimum duration before the role is re-authenticated. In AWS the session duration defaults to 1 hour (the value is specified in seconds).
    • External ID (optional) - The external ID required by the target role's trust policy, if it has one.

STS Role
    • API Key - The AWS access key ID of the IAM identity that will call STS to assume the role.
    • Secret Key - The secret access key paired with that access key ID.
    • Session Name - As for Assume Role.
    • Minimum Role Duration - As for Assume Role.
    • External ID (optional) - As for Assume Role.

4. Select "Save EIAM Configuration Changes" once you have supplied your details.

  • Optionally you may select "Test Settings" to verify that your S3 Bucket can communicate with Access Explorer.

Cache Refresh

At any time after modifying your Access Explorer settings, you have the option to manually rebuild your cache.

Navigate to the IAM Data Last Updated section at the top of the Access Explorer page navigation. Click on the arrow to the right of the status and click "Rebuild Cache."

  • Cache builds are scheduled to rebuild every 24 hours.
  • Cache builds are automatically restarted if the CMDB or EIAM files are updated.
  • Cache build logs ("Debug Information" → "View Cache Build Logs") are retained for 45 days.
[Image: Rebuild the Cache]

Note: Cache Rebuild - Data Status

If a cache rebuild is in progress, the data you are exploring will be based on the previous cache build. Once the cache is rebuilt, the "IAM Data Last Updated" will reflect the updated time and clicking on any option within Access Explorer will display the newly imported data.

Updated about a month ago
