InsightCloudSec Docs

Welcome to the InsightCloudSec Docs!

InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

For questions reach out to us through [email protected].


Adding Additional AWS Accounts

After you've set up one AWS cloud account within InsightCloudSec, adding additional, individual cloud accounts is straightforward. The steps below describe how to add additional cloud accounts, but note that the approach differs depending on which authentication type you used when setting up the initial account: Instance or Secure Token Service (STS).

Note: This process is very different from adding an AWS organization to InsightCloudSec. Review AWS Cloud Setup (Organizations) for more information on this process. You can always migrate an existing cloud account to an organization later via the Clouds page in InsightCloudSec.

Adding Additional Instance-based Accounts

If you've already added one account to InsightCloudSec using the Instance Assume Role authentication method, then this section can be used to add additional accounts to InsightCloudSec using similar authentication credentials.

🚧

Prerequisites

Before continuing on to set up another cloud account within InsightCloudSec, the following value must be acquired:

  • Account ID for the AWS account that hosts InsightCloudSec

1. Login as an Admin to the AWS account you want to add to InsightCloudSec and access the Identity & Access Management (IAM) service.

  • This service can be found on the Services main page under Security, Identity, & Compliance. You can also enter "IAM" into the search bar.
  • Once at the IAM dashboard, click "Roles".

2. Click "Create role".

3. Select the trusted entity and use case for the role.

  • Select "Another AWS account" for the trusted entity.
  • Provide the Account ID for the AWS account that hosts InsightCloudSec.
  • Optionally, select the "Require external ID" checkbox and provide an external ID for additional security. This is strongly recommended.
  • Click "Next: Permissions".

❗️

External ID & Security

While the External ID field is optional and only relevant if you are adding a trusted AWS account, we strongly recommend including an external ID to ensure additional security for this account.

Trusted Entity - Account

4. Attach the IAM user policy you created during initial setup.

  • Type into the search bar or use the filter functionality to search for the policy you created.
  • Select the checkbox next to the policy to attach it to the role.
  • Click "Next: Tags".

Note: If you'd like to create a different IAM policy, review the available policies and follow these instructions to create a new policy within your AWS account.

5. Optionally, add tags to help identify, organize, or search for the role.

  • Provide a "Key" and optional "Value".
  • Click "Next: Review" when finished adding tags.

6. Review and create the role.

  • Name the role something meaningful to you. We recommend something like InsightCloudSec-MyAccount-Assume-Role. Note: you cannot have spaces in the role name.
  • Optionally, update the role description to help clarify what the role will be used for.
  • Confirm the correct policy is attached.
  • If everything looks good, click "Create role".

7. After successful creation of the role, search for it and click the name.

Search for a Role

8. Copy the Role ARN and save it for later use. You will use this Amazon Resource Name (ARN) to configure InsightCloudSec and connect to your AWS account.

Role ARN

9. Add the AWS account to InsightCloudSec.

  • Login to your InsightCloudSec platform and click "Clouds" in the left-hand navigation menu.
  • Click "Add Cloud" in the top right-hand corner.
  • Click "Amazon Web Services".
  • Click "Instance Assume Role".

Add Cloud

10. Provide account details.

  • Input a nickname for the cloud account. This name will only be surfaced in InsightCloudSec and can be used to differentiate between other cloud accounts.
  • Input the Role ARN for the role you created [above](#create-a-role-for-the-insightcloudsec-user).
  • Update the session name as desired. This name is only used for CloudTrail API audit purposes. We recommend InsightCloudSec (the default).
  • If you supplied an External ID in previous sections, provide that value.
  • Optionally, select a Harvesting Strategy for this account.

11. Click "Add Cloud".

Adding Additional STS-based Accounts

If you've already added one account to InsightCloudSec using the STS Assume Role authentication method, then this section can be used to add additional accounts to InsightCloudSec using similar authentication credentials.

🚧

Prerequisites

Before continuing on to set up another cloud account within InsightCloudSec, the following values must be acquired:

  • Account ID for the AWS account that contains the InsightCloudSec STS user. See initial STS setup instructions for details.
  • Username for the InsightCloudSec STS user.
  • Credentials for the InsightCloudSec STS user (API Key / Secret Key).

1. Login as an Admin to the AWS account you want to add to InsightCloudSec and access the Identity & Access Management (IAM) service.

  • This service can be found on the Services main page under Security, Identity, & Compliance. You can also enter "IAM" into the search bar.
  • Once at the IAM dashboard, click "Roles".

2. Click "Create role".

3. Select the trusted entity and use case for the role.

  • Select "Another AWS account" for the trusted entity.
  • Provide the Account ID for the AWS account that hosts InsightCloudSec.
  • Optionally, select the "Require external ID" checkbox and provide an external ID for additional security. This is strongly recommended.
  • Click "Next: Permissions".

❗️

External ID & Security

While the External ID field is optional and only relevant if you are adding a trusted AWS account, we strongly recommend including an external ID to ensure additional security for this account.

Trusted Entity - Account

4. Attach the IAM user policy you created during initial setup.

  • Type into the search bar or use the filter functionality to search for the policy you created.
  • Select the checkbox next to the policy to attach it to the role.
  • Click "Next: Tags".

Note: If you'd like to create a different IAM policy, review the available policies and follow these instructions to create a new policy within your AWS account.

5. Optionally, add tags to help identify, organize, or search for the role.

  • Provide a "Key" and optional "Value".
  • Click "Next: Review" when finished adding tags.

6. Review and create the role.

  • Name the role something meaningful to you. We recommend something like InsightCloudSec-MyAccount-Assume-Role. Note: you cannot have spaces in the role name.
  • Optionally, update the role description to help clarify what the role will be used for.
  • Confirm the correct policy is attached.
  • If everything looks good, click "Create role".

7. After successful creation of the role, search for it and click the name.

Search for a Role

8. Copy the Role ARN and save it for later use. You will use this Amazon Resource Name (ARN) to configure InsightCloudSec and connect to your AWS account.

Role ARN

9. Update the role's trust relationships.

  • Click "Trust Relationships".
  • Click "Edit trust relationship".
  • Replace "root" in the Principal AWS value with the username of the STS user, prefixed with user/. For example:
// Before
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123412341234:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "test-external-id"
        }
      }
    }
  ]
}

// After
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123412341234:user/InsightCloudSec-STS-User"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "test-external-id"
        }
      }
    }
  ]
}

10. Add the AWS account to InsightCloudSec.

  • Login to your InsightCloudSec platform and click "Clouds" in the left-hand navigation menu.
  • Click "Add Cloud" in the top right-hand corner.
  • Click "Amazon Web Services".
  • Click "STS Assume Role".

Add Cloud

11. Provide account details.

  • Input a nickname for the cloud account. This name will only be surfaced in InsightCloudSec and can be used to differentiate between other cloud accounts.
  • Input the API Key and Secret Key for the user you created during the initial STS setup.
  • Optionally, update the session duration as desired. We recommend leaving this as the default value.
  • Input the Role ARN for the role you created above.
  • Update the session name as desired. This name is only used for CloudTrail API audit purposes. We recommend InsightCloudSec.
  • If you supplied an External ID in previous sections, provide that value.
  • Optionally, select a Harvesting Strategy for this account.

12. Click "Add Cloud".
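Before entering a Role ARN in InsightCloudSec, the role's trust policy can be checked offline against what both procedures above call for: the expected principal (account root for Instance Assume Role, the narrowed `user/` principal from the trust-relationship step for STS Assume Role) and the recommended external ID condition. This is an added example, not Rapid7 code; `audit_trust_policy` and `as_list` are hypothetical names, and the sample policy is constructed from the "Before" document shown in step 9.

```python
import json

# Constructed sample: the "Before" trust policy shown in step 9 of the STS procedure.
BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123412341234:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "test-external-id"}},
    }],
})

def as_list(value):
    """IAM JSON allows a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, account_id, sts_user=None):
    """Return findings for a role trust policy (hypothetical helper, not a Rapid7 API).

    sts_user=None expects the Instance Assume Role form (account root principal);
    a username expects the STS form, narrowed to user/<name> as in step 9.
    """
    suffix = f"user/{sts_user}" if sts_user else "root"
    expected = f"arn:aws:iam::{account_id}:{suffix}"
    findings, matched = [], False
    statements = as_list(json.loads(policy_json).get("Statement"))
    for n, stmt in enumerate(statements):
        actions = as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        matched = True
        principal = stmt.get("Principal")
        # Principal is either {"AWS": ...} or a bare string such as "*".
        arns = as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if not arns:
            findings.append(f"statement {n}: no AWS principal")
        for arn in arns:
            if arn != expected:
                findings.append(f"statement {n}: principal {arn} is not {expected}")
        # The external ID is optional in the console but strongly recommended.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not as_list(string_equals.get("sts:ExternalId")):
            findings.append(f"statement {n}: no sts:ExternalId condition")
    if not matched:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings
```

An empty list means the policy matches the form the procedure describes; run against the "Before" document with an STS username, it reports the `root` principal that step 9 replaces.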

Updated 4 months ago
