DivvyCloud

DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

Configuring AWS

Overview

Amazon Web Services (AWS) is one of the leading public cloud service providers, and DivvyCloud includes extensive support for it. You can add an AWS account to DivvyCloud using either Instance Assume Role or Secure Token Service (STS) Assume Role.

This page walks through the supported AWS services, how to configure your AWS account for connection with DivvyCloud, our recommended policies, and instructions on how to set up the IAM policy.

Once your AWS cloud account is properly configured, you can move on to AWS - EC2 or ECS Fargate - CFT for deployment instructions, or review our Product Architecture details.

As always, if you have questions — reach out to us at [email protected], or through any of the contact options shared on the Getting Support page.

Supported Services - AWS

DivvyCloud supports the following AWS services.

Access Analyzer
API Gateway
Athena
Aurora
Autoscaling
Certificate Manager
CloudFormation
CloudFront
CloudSearch
CloudTrail
CloudWatch
CodeBuild
Config
DirectConnect
DMS
DocumentDB
DynamoDB 
EBS
EC2
ECR
ECS
EFS
EKS
EMR (Elastic MapReduce)
Elastic Beanstalk
ElastiCache
Elasticsearch
ELB/ALB/NLB
Fargate
Firehose
FSx
Glacier
GuardDuty
IAM
Kinesis
KMS
Lambda
MQ
Neptune
Organizations
RDS
Redshift
Resource Group Tagging API
Route 53
Route53 Domains
S3
Sagemaker
Secrets Manager
SES
Shield
SNS
SQS
Transfer
Transit Gateway
Trusted Advisor
VPC
VPC Traffic Mirror Targets
WAF
WAF-Regional
WAFv2
Workspaces

Opt-In Regions for AWS

DivvyCloud includes support for four AWS regions with the "opt-in" classification. Bahrain (me-south-1), Hong Kong (ap-east-1), Cape Town (af-south-1), and Milan (eu-south-1) are all configured within AWS as "opt-in" regions and must be explicitly enabled in your account before they can be used.

The screenshot below provides an example of how to enable the region in the AWS console.

Enabling Opt-In Regions

Once a region is enabled, you will also need to update the STS session token compatibility setting so that DivvyCloud can communicate with that region.

To do this, visit the AWS console here and modify the Global Endpoint option so that the global endpoint (https://sts.amazonaws.com) issues the larger session tokens.

Modifying Global Endpoints


Note About Opt-In Regions

Without the change noted above, DivvyCloud will be unable to retrieve information from these regions even if they are enabled.

For customers who prefer to keep these regions disabled, there are no changes required. Contact [email protected] with any questions or concerns.

Opt-In Region Changes

A full list of AWS Regions can be found here.
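The note above combines two account-level settings: which opt-in regions are enabled, and whether the STS global endpoint issues the larger session tokens. The following is an added example (not DivvyCloud code) that reports readiness from the two structures boto3 returns for ec2.describe_regions(AllRegions=True) and iam.get_account_summary(); the sample data below is constructed so the script runs offline, and the OptInStatus and GlobalEndpointTokenVersion field names are taken from the AWS API rather than from this page.

```python
"""Opt-in region readiness check for a DivvyCloud-harvested AWS account.

Added example; not part of DivvyCloud. The two sample dicts are constructed
to mirror the shape of ec2.describe_regions(AllRegions=True) and
iam.get_account_summary() responses. Swap them for live boto3 calls.
"""

# The four opt-in regions the page lists.
OPT_IN_REGIONS = {
    "me-south-1": "Bahrain",
    "ap-east-1": "Hong Kong",
    "af-south-1": "Cape Town",
    "eu-south-1": "Milan",
}

# Constructed sample of ec2.describe_regions(AllRegions=True).
SAMPLE_REGIONS = {"Regions": [
    {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
    {"RegionName": "me-south-1", "OptInStatus": "opted-in"},
    {"RegionName": "ap-east-1", "OptInStatus": "not-opted-in"},
    {"RegionName": "af-south-1", "OptInStatus": "not-opted-in"},
    {"RegionName": "eu-south-1", "OptInStatus": "opted-in"},
]}

# Constructed sample of iam.get_account_summary(): version 1 tokens are the
# default and are not accepted by opt-in regions.
SAMPLE_SUMMARY = {"SummaryMap": {"GlobalEndpointTokenVersion": 1}}


def opt_in_readiness(describe_regions_out, account_summary_out):
    """Combine region opt-in status with the STS token version.

    ready   -> DivvyCloud can harvest every opt-in region that is enabled
               (either v2 tokens are on, or no opt-in region is enabled, in
               which case the page says no change is required).
    blocked -> enabled opt-in regions that harvesting cannot reach until the
               global endpoint is switched to version 2 tokens.
    """
    status = {r["RegionName"]: r["OptInStatus"]
              for r in describe_regions_out["Regions"]}
    enabled = sorted(r for r in OPT_IN_REGIONS if status.get(r) == "opted-in")
    disabled = sorted(r for r in OPT_IN_REGIONS if status.get(r) != "opted-in")
    token_version = account_summary_out["SummaryMap"].get("GlobalEndpointTokenVersion", 1)
    tokens_ok = token_version == 2
    return {
        "enabled": enabled,
        "disabled": disabled,
        "token_version": token_version,
        "ready": tokens_ok or not enabled,
        "blocked": [] if tokens_ok else enabled,
    }


if __name__ == "__main__":
    report = opt_in_readiness(SAMPLE_REGIONS, SAMPLE_SUMMARY)
    for key, value in report.items():
        print(f"{key:14} {value}")
```

When "blocked" is non-empty, the fix is the Global Endpoint change described above; the same setting can be changed from the CLI with aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token, and aws iam get-account-summary shows the current value.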

Prerequisite - IAM Policy

You will need to add an Identity and Access Management (IAM) Policy to your AWS accounts in order to provide DivvyCloud user-defined access to those accounts. We recommend using either a read-only policy (standard managed policy) or a power user policy.

  • The read-only policy will prevent DivvyCloud from taking actions against your AWS resources. If you would like to use DivvyCloud to manage your AWS resources directly or through the use of Bots, then use the power user policy.
  • If you are using AWS GovCloud, then you will want to use either the read-only or the power user policy specific to AWS GovCloud.


Policy Configuration

Finally, in addition to your read-only or power user policy, you will need the Instance Assume Role/STS policy shown below. Both connection methods (Instance Assume Role and STS Assume Role) rely on STS, so this policy is required in either case. This applies to both AWS and AWS GovCloud.

Our recommended policies, or links to the longer ones, are shown here:

AWS Standard & Power User Policies

For commercial (non-GovCloud) AWS accounts, the Standard User Policy is split into three parts because the combined permissions exceed AWS's size limit for a single managed policy.

  • You must create three separate policies, one for each part. There is no significance to how the permissions are divided between the parts other than ease of reading; IAM evaluates all attached policies together.

AWS Standard User (read-only) Policy - Part 1
AWS Standard User (read-only) Policy - Part 2
AWS Standard User (read-only) Policy - Part 3
AWS Power User Policy
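Because the three-part split above is only about the managed-policy size limit, the division can be automated. The following is an added example (not DivvyCloud tooling) that packs the statements of one large read-only policy into as few policy documents as fit under a size cap, splitting an over-long Action list where a single statement is itself too big. The default cap of 6,144 non-whitespace characters is my recollection of AWS's managed-policy limit and should be checked against current AWS documentation; the sample policy is constructed from real read-only API actions and is not one of the DivvyCloud policies linked above.

```python
"""Split an oversized IAM policy document into parts that fit AWS's size limit.

Added example, not DivvyCloud's tooling. MANAGED_POLICY_LIMIT is assumed
(AWS counts characters excluding whitespace); verify it against AWS docs.
"""
import json

MANAGED_POLICY_LIMIT = 6144  # assumed managed-policy limit, whitespace excluded

# Constructed sample: one statement with a long list of genuine read-only actions.
SAMPLE_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeVolumes",
            "ec2:DescribeVpcs", "ec2:DescribeSubnets", "iam:ListUsers", "iam:ListRoles",
            "iam:GetPolicy", "iam:ListPolicies", "rds:DescribeDBInstances",
            "rds:DescribeDBSnapshots", "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
            "s3:GetBucketAcl", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
            "kms:ListKeys", "kms:DescribeKey", "lambda:ListFunctions",
            "guardduty:ListDetectors",
        ],
        "Resource": "*",
    }],
}


def policy_size(doc):
    """Size the way AWS measures it: compact JSON with all whitespace removed."""
    compact = json.dumps(doc, separators=(",", ":"))
    return len("".join(compact.split()))


def _fits(statements, version, limit):
    return policy_size({"Version": version, "Statement": statements}) <= limit


def _explode(stmt, version, limit):
    """If a lone statement exceeds the limit, halve its Action list recursively.

    Splitting an Action list across statements with the same Effect/Resource
    does not change what is granted, so this is behaviour-preserving.
    """
    if _fits([stmt], version, limit):
        return [stmt]
    actions = stmt.get("Action")
    if not isinstance(actions, list) or len(actions) < 2:
        raise ValueError("statement cannot be split further; raise the limit or rewrite it")
    mid = len(actions) // 2
    out = []
    for chunk in (actions[:mid], actions[mid:]):
        out.extend(_explode({**stmt, "Action": chunk}, version, limit))
    return out


def split_policy(doc, limit=MANAGED_POLICY_LIMIT):
    """Greedily pack statements, in order, into policy documents under `limit`.

    Returns a list of complete policy documents, each pasteable into the
    IAM console's JSON editor as one managed policy.
    """
    version = doc.get("Version", "2012-10-17")
    statements = doc["Statement"]
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    exploded = []
    for stmt in statements:
        exploded.extend(_explode(stmt, version, limit))

    parts, current = [], []
    for stmt in exploded:
        if current and not _fits(current + [stmt], version, limit):
            parts.append({"Version": version, "Statement": current})
            current = []
        current.append(stmt)
    if current:
        parts.append({"Version": version, "Statement": current})
    return parts


if __name__ == "__main__":
    # A deliberately small cap forces the sample into several parts.
    for i, part in enumerate(split_policy(SAMPLE_READ_ONLY, limit=300), 1):
        print(f"--- part {i} ({policy_size(part)} chars) ---")
        print(json.dumps(part, indent=4))
```

Each emitted part keeps the original Version and preserves statement order, so the parts can be created as separate policies in the order printed and attached together, exactly as the three-part Standard User Policy is.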

AWS GovCloud Standard & Power User Policy

AWS GovCloud Standard User (read-only) Policy
AWS GovCloud Power User Policy

AWS Instance Assume Role/STS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Action": "sts:GetCallerIdentity",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
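A policy pasted from a ticket or a wiki can drift from the document above (a missing action, or a broader sts:* grant added "to be safe"). The following is an added example, not DivvyCloud code, that checks a candidate policy document against the two STS grants shown above: it confirms both actions are allowed, honours IAM's * and ? action wildcards, and flags patterns broader than the two explicit actions or an sts:AssumeRole grant on Resource "*" rather than the role-scoped ARN used above. The embedded copy of the policy is constructed sample input.

```python
"""Check an IAM policy document for the DivvyCloud Instance Assume Role/STS grants.

Added example; not part of DivvyCloud. Findings are advisory: an empty list
means the document grants what the page's STS policy grants and nothing
broader for those actions.
"""
import fnmatch

# The two grants from the page's policy, with the Resource scoping it uses.
REQUIRED_STS = {
    "sts:AssumeRole": "arn:aws:iam::*:role/*",
    "sts:GetCallerIdentity": "*",  # this action takes no resource, so "*" is expected
}

# Constructed sample input: a copy of the policy shown on the page.
PAGE_STS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/*"},
        {"Action": "sts:GetCallerIdentity", "Effect": "Allow", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def allow_grants(doc):
    """Map each Allow action pattern (lower-cased, as IAM matches them) to the
    set of Resource values it is granted on. Deny and NotAction statements are
    skipped: they cannot supply a required grant and need separate review."""
    grants = {}
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            grants.setdefault(pattern.lower(), set()).update(_as_list(stmt.get("Resource", "*")))
    return grants


def resources_for(grants, action):
    """Resources on which `action` is allowed, honouring * and ? wildcards."""
    matched = set()
    for pattern, resources in grants.items():
        if fnmatch.fnmatchcase(action.lower(), pattern):
            matched |= resources
    return matched


def check_sts_policy(doc):
    """Return a list of human-readable findings for the document."""
    findings = []
    grants = allow_grants(doc)
    for pattern in grants:
        if "*" in pattern or "?" in pattern:
            findings.append(f"over-broad action pattern {pattern!r}: grant the two STS actions explicitly")
    for action in REQUIRED_STS:
        resources = resources_for(grants, action)
        if not resources:
            findings.append(f"missing {action}")
        elif action == "sts:AssumeRole" and "*" in resources:
            findings.append('sts:AssumeRole allowed on Resource "*"; scope it to arn:aws:iam::*:role/*')
    return findings


if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_STS_POLICY),):
        print(name, "->", check_sts_policy(doc) or "OK")
```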

Setting Up Your AWS IAM Policy


Standard User Policy

If using the Standard User Policy, you will need to create three separate policies to accommodate the three parts of the policy. Follow the steps below for each policy.

  1. Log in to the AWS console and open the Identity & Access Management (IAM) service. You can find it by clicking Services at the top left of the console and then clicking the Identity & Access Management link under Security, Identity & Compliance.
  2. Select "Create policy".

Create Policy

  3. Select "JSON".

Select JSON

  4. Add Policy (Part 1 of 3)
  • Copy and paste your preferred policy into the Policy Document window.
  • Click "Review Policy".

Adding a Policy

  5. Review Policy (Part 2 of 3)
  • Name your policy something meaningful to you, e.g., DivvyCloud-PowerUser-Policy. (Note that the policy name cannot contain spaces.)
  • Add a policy description that makes it clear whether the policy is Read-only or Power User.

Review Your Policy

  6. Create Policy (Part 3 of 3)
  • Click "Create Policy".

Create Policy

  7. If you are adding the AWS Standard User policy, repeat steps 1-6 for each of its three parts. (The AWS Power User, AWS GovCloud Standard User, and AWS GovCloud Power User policies are each added as a single policy.)

  8. After adding your preferred user policy, repeat steps 1-6 once more to add the Instance Assume Role/STS policy. This step applies to every account, whichever user policy you chose.

After all of the policies referenced above have been added, you will have the policies needed to add an AWS account to DivvyCloud.

Additional AWS Configuration Options

Using Your Own SSL Cert with ELB

Customers interested in supplying their own certificate for ELB should refer to the following AWS documentation:

If you have questions about this configuration reach out to [email protected].

Other Helpful Pages

Once you have added your policies, navigate to the appropriate section depending on how you want to add an AWS cloud account to DivvyCloud.

Instance Assume Role (AWS)
Secure Token Service Assume Role (AWS)
Event Driven Harvesting (AWS)
Supported Calls (AWS)
