Configuring AWS

Overview

Amazon Web Services (AWS) is one of the leading public cloud service providers, and DivvyCloud includes extensive support for it. You can add an AWS account to DivvyCloud using either Instance Assume Role or Secure Token Service (STS) Assume Role.

This page walks through the supported AWS services, how to configure your AWS account for connection with DivvyCloud, our recommended IAM policies, and instructions on how to set up the IAM policy.

Once your AWS cloud account is properly configured, you can move on to AWS - EC2 or ECS Fargate - CFT for deployment instructions, or review our Product Architecture details.

As always, if you have questions — reach out to us at [email protected], or through any of the contact options shared on the Getting Support page.

Supported Services - AWS


AWS Supported Services & Regions

In general, DivvyCloud supports the AWS resources listed below in every region where AWS offers them. In some cases a resource or service is not available in a particular region, typically because of restrictions tied to the region itself or imposed by AWS to comply with regional policies. We recommend referring to the AWS documentation for those specific regions for official details.

(For example, refer to the table of AWS services in China here.)

Also note that DivvyCloud now recognizes the EC2 Serial Console as part of general EC2 service support.

If you have other questions related to AWS, regions, or specific services and their support contact us through [email protected].

Access Analyzer
API Gateway
API Gateway Domain
API Gateway Key
API Gateway Stage
AppSync API
Athena Workgroup
Autoscaling Group
Backup Vault
Cloud Account
CloudFormation Templates
CloudFront
CloudSearch Cluster
CloudTrail
CloudWatch Alarm
CloudWatch Log Group
CloudWatch Logs Destination
CloudWatch Rule
CloudWatch Event Bridge Event Bus
CodeBuild Project
Cognito User Pool
Consolidated Bill
Container
Container Image (ECR)
Container Instance (EKS)
Container Registry (ECR)
Container Task (ECS/Fargate)
DataSync Task
Dedicated Instance
DirectConnect
Directory Service
DMS Replication Instance
DynamoDB 
DynamoDB Accelerator (DAX)
EBS Snapshot
EBS Volume
EC2 Instance
EFS/FSx
EKS/ECS/Fargate cluster
Elastic Beanstalk Application
Elastic Beanstalk Environment
Elastic IP
Elastic MapReduce (EMR)
Elastic Network Interface (ENI)
Elastic Transcoder Pipeline
ElastiCache
ElastiCache Snapshot
Elasticsearch
Firehose
Flow Log (VPC)
Glacier
Glue Data Catalog
Glue Security Configuration
GuardDuty
GuardDuty Detector
IAM Access Analyzer
IAM Group
IAM Policy (Customer Managed)
IAM Role
IAM User
IAM User Access Key
IAM/ACM SSL Certificate
Internet Gateway
Kendra Index
Kinesis
Kinesis Video Stream
KMS
Lambda
Launch Configurations
Lightsail
Load Balancer (ELB/ALB/NLB/Gateway)
Managed Airflow Environment
Managed Prefix List
MQ
MSK Instance
NACL/Security Group
NACL/Security Group Rules
NAT Gateway (VPC)
NFS/SMB File Gateway Share
Outpost
RDS Aurora, Neptune, DocumentDB
RDS Database Aurora, Neptune, DocumentDB
RDS Database Proxy
RDS Event Subscription
RDS Snapshot
Redshift
Redshift Snapshot
Region
Reserved Instance
Resource Limit
Route
Route Table
Route 53 DNS Zone
Route 53 Domain
Route 53 Resolver Configuration
S3 Access Point
S3 Bucket
Sagemaker Notebook
SAML Identity Provider
Secret
Serverless Application Repository
Service Control Policy
SFTP Server
Shield
Simple Email Service (SES)
Simple Queue Service (SQS)
Site-to-Site VPN (VPC)
SNS Subscription
SNS Topic
SSH Key Pair
Systems Manager (SSM) Parameter Store (Parameter)
Systems Manager (SSM) Document
Task Definition (ECS)
Transit Gateway
Trusted Advisor
Virtual Private Gateway
VPC
VPC Endpoint Service
VPC Endpoint/PrivateLink
VPC Peer
VPC Subnet
VPC Traffic Mirror Target
Web Application Firewall (WAF)
Workspace Instances

Opt-In Regions for AWS

DivvyCloud supports the four AWS regions that carry the "opt-in" classification: Bahrain (me-south-1), Hong Kong (ap-east-1), Cape Town (af-south-1), and Milan (eu-south-1). AWS configures these as "opt-in" regions, so they must be explicitly enabled in the account before they can be used.

The screenshot below provides an example of how to enable the region in the AWS console.

Enabling Opt-In Regions

Once enabled, you will also need to update the STS token compatibility to allow DivvyCloud to communicate with these regions.


Session Tokens

These tokens need to be enabled in the AWS account where your DivvyCloud instance is deployed.

To do this, visit the STS settings in the AWS console (linked here) and change the Global endpoint option so that the global endpoint (https://sts.amazonaws.com) issues the larger session tokens that are valid in all regions, including opt-in regions.

Modifying Global Endpoints


Note About Opt-In Regions

Without the change noted above, DivvyCloud will be unable to retrieve information from these regions even if they are enabled.

For customers who prefer to keep these regions disabled, there are no changes required. Contact [email protected] with any questions or concerns.

Opt-In Region Changes

A full list of AWS Regions can be found here.
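The two opt-in requirements above (the region must be enabled, and the STS global endpoint must issue the larger tokens) can be checked before an account is added to DivvyCloud. The following is an added example, not DivvyCloud's code: it reads the JSON that `aws ec2 describe-regions --all-regions` and `aws iam get-account-summary` return and reports what still needs to change. The sample documents embedded in it are constructed for the example; the region list is the one given on this page.

```python
"""Pre-flight check for the opt-in region requirements described above (added
example, not DivvyCloud's code). It answers two questions for an account:

  1. which of the four opt-in regions are not yet enabled, and
  2. whether the STS global endpoint issues the larger (version 2) session
     tokens that are valid in all regions, opt-in regions included.

The inputs are the JSON documents returned by two AWS CLI calls:
    aws ec2 describe-regions --all-regions
    aws iam get-account-summary
The sample documents below are constructed for this example.
"""
import json

OPT_IN_REGIONS = {
    "me-south-1": "Bahrain",
    "ap-east-1": "Hong Kong",
    "af-south-1": "Cape Town",
    "eu-south-1": "Milan",
}

# Constructed sample of `aws ec2 describe-regions --all-regions` output.
SAMPLE_DESCRIBE_REGIONS = json.dumps({"Regions": [
    {"Endpoint": "ec2.us-east-1.amazonaws.com", "RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
    {"Endpoint": "ec2.af-south-1.amazonaws.com", "RegionName": "af-south-1", "OptInStatus": "opted-in"},
    {"Endpoint": "ec2.me-south-1.amazonaws.com", "RegionName": "me-south-1", "OptInStatus": "not-opted-in"},
    {"Endpoint": "ec2.ap-east-1.amazonaws.com", "RegionName": "ap-east-1", "OptInStatus": "not-opted-in"},
    {"Endpoint": "ec2.eu-south-1.amazonaws.com", "RegionName": "eu-south-1", "OptInStatus": "opted-in"},
]})

# Constructed samples of `aws iam get-account-summary` output, before and after
# switching the global endpoint to version 2 tokens.
SAMPLE_ACCOUNT_SUMMARY_V1 = json.dumps({"SummaryMap": {"Users": 12, "GlobalEndpointTokenVersion": 1}})
SAMPLE_ACCOUNT_SUMMARY_V2 = json.dumps({"SummaryMap": {"Users": 12, "GlobalEndpointTokenVersion": 2}})


def region_opt_in_status(describe_regions_json):
    """Map region name -> OptInStatus ('opt-in-not-required', 'opted-in' or 'not-opted-in')."""
    doc = json.loads(describe_regions_json)
    return {r["RegionName"]: r["OptInStatus"] for r in doc["Regions"]}


def regions_to_enable(describe_regions_json, wanted=OPT_IN_REGIONS):
    """Sorted list of the wanted opt-in regions that are not yet 'opted-in'.
    A region missing from the output entirely is treated as not enabled."""
    status = region_opt_in_status(describe_regions_json)
    return sorted(name for name in wanted if status.get(name) != "opted-in")


def global_endpoint_tokens_ok(account_summary_json):
    """True when GlobalEndpointTokenVersion is 2, i.e. https://sts.amazonaws.com
    issues tokens that opt-in regions accept."""
    summary = json.loads(account_summary_json)["SummaryMap"]
    return int(summary.get("GlobalEndpointTokenVersion", 1)) == 2


def readiness_report(describe_regions_json, account_summary_json):
    """Combine both checks into one dict an operator can act on before adding the account."""
    missing = regions_to_enable(describe_regions_json)
    tokens_ok = global_endpoint_tokens_ok(account_summary_json)
    return {
        "regions_to_enable": missing,
        "global_endpoint_tokens_ok": tokens_ok,
        "ready": not missing and tokens_ok,
    }


if __name__ == "__main__":
    report = readiness_report(SAMPLE_DESCRIBE_REGIONS, SAMPLE_ACCOUNT_SUMMARY_V1)
    for name in report["regions_to_enable"]:
        print(f"{OPT_IN_REGIONS[name]} ({name}) is not enabled: aws account enable-region --region-name {name}")
    if not report["global_endpoint_tokens_ok"]:
        print("global endpoint still issues v1 tokens: "
              "aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token")
    print("ready for DivvyCloud opt-in harvesting:", report["ready"])
```

Run it against real output by piping the two CLI results into the functions instead of the constructed samples. The printed remediation commands are the CLI equivalents of the console steps above; the check treats an account as ready only when every listed region is `opted-in` and the token version is 2, because either condition alone still leaves those regions unharvestable.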

Prerequisite - IAM Policy

You will need to add an Identity and Access Management (IAM) Policy to your AWS accounts in order to provide DivvyCloud user-defined access to those accounts. We recommend using either a read-only policy (standard managed policy) or a power user policy.

  • The read-only policy will prevent DivvyCloud from taking actions against your AWS resources. If you would like to use DivvyCloud to manage your AWS resources directly or through the use of Bots, then use the power user policy.
  • If you are using AWS GovCloud, then you will want to use either the read-only or the power user policy specific to AWS GovCloud.


Policy Configuration

In addition to your read-only or power user policy, you will also need the Instance Assume Role/STS policy shown below; both connection methods (Instance Assume Role and STS Assume Role) use STS. This applies to both AWS and AWS GovCloud.

Our recommended policies, or links to the longer policies, are shown here:

AWS Standard & Power User Policies

For commercial (non-GovCloud) AWS accounts, the fully enumerated Standard User Policy is split into three parts because its permissions exceed AWS's maximum policy size.

AWS Standard User (read-only) Policy - Option 1:
This option uses AWS's managed ReadOnlyAccess policy. While that policy does not enumerate every permission DivvyCloud uses, AWS updates it continuously for new services, which makes it easier to attach and maintain. DivvyCloud additionally requires the small supplemental policy shown here. Its Allow statement adds the few read permissions the managed policy lacks, and its explicit Deny on s3:GetObject* overrides the object-read permission that ReadOnlyAccess grants, so DivvyCloud can inventory buckets without reading their contents:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AwsReadOnlyMissingPermissions",
            "Action": [
                "airflow:GetEnvironment",
                "airflow:ListEnvironments",
                "lightsail:GetContainerServices",
                "pricing:GetProducts",
                "support:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AwsReadOnlyDenyPermissions",
            "Action": [
                "s3:GetObject*"
            ],
            "Effect": "Deny",
            "Resource": "*"
        }
    ]
}

AWS Standard User (read-only) Policy - Option 2:
This option enumerates every permission in the policy and must be manually updated with each new AWS service that DivvyCloud supports. New required permissions can be found in the product's release notes.

  • You must create three separate policies, one for each part. There is no significance to how the policy permissions are separated except ease of reading.

AWS Standard User (read-only) Policy - Part 1
AWS Standard User (read-only) Policy - Part 2
AWS Standard User (read-only) Policy - Part 3

AWS Power User Policy:
AWS Power User Policy

AWS GovCloud Standard & Power User Policy

AWS GovCloud Standard User (read-only) Policy
AWS GovCloud Power User Policy

AWS Instance Assume Role/STS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/*"
        },
        {
            "Action": "sts:GetCallerIdentity",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}


AWS GovCloud

For GovCloud, update arn:aws:iam::*:role/* to arn:aws-us-gov:iam::*:role/* in the policy above.

Setting Up Your AWS IAM Policy

AWS Managed Standard User (read-only) with DivvyCloud Supplemental Policy

Note: To set up the fully enumerated Standard User read-only policy, or any Power User or GovCloud policy, use the instructions under AWS Standard & Power User Policies.

  1. Log in to the AWS console and open the Identity & Access Management (IAM) service. It is listed on the Services main page under Security, Identity & Compliance; you can also enter 'IAM' in the search bar.

  2. Enter "ReadOnlyAccess" in the search bar and scroll down to select this AWS managed policy.

  3. Under 'Policy Actions', select 'Attach policy'.
  4. Create the DivvyCloud add-on for this policy: return to the main IAM screen, select Policies, then select "Create Policy".
  5. Select JSON.
  6. Add the 'DivvyCloud Supplement to AWS ReadOnly Policy':
  • Copy and paste the supplemental policy (Option 1, above) into the Policy Document window.
  • Click "Review Policy".
  7. Review the policy:
  • Name your policy something meaningful to you, e.g., DivvyCloud-Supplement-for-Managed-ReadOnly-Policy. (Note: you cannot have spaces in the policy name.)
  • Add a policy description that makes it clear that the policy is read-only.
  • Select 'Review Policy'.
  • If everything looks OK, select 'Create Policy'.
  8. Be sure to add the Instance Assume Role/STS Policy, described below.

AWS Standard & Power User Policies


Standard User (read-only) Policy

If using the Standard User (read-only) Policy, you will need to create three separate policies to accommodate the three parts of the policy. Follow the steps below for each policy.

  1. Log in to the AWS console and open the Identity & Access Management (IAM) service. It is listed on the Services main page under Security, Identity & Compliance; you can also enter 'IAM' in the search bar.

  2. Select "Create policy".

Create Policy

  3. Select "JSON".

Select JSON

  4. Add Policy (Part 1 of 3)
  • Copy and paste your preferred policy into the Policy Document window.
  • Click "Review Policy".

Adding a Policy

  5. Review Policy (Part 2 of 3)
  • Name your policy something meaningful to you, e.g., DivvyCloud-PowerUser-Policy. (Note: you cannot have spaces in the policy name.)
  • Add a policy description that makes it clear whether the policy is read-only or Power User.

Review Your Policy

  6. Create Policy (Part 3 of 3)
  • Click on "Create Policy".

Create Policy

  7. If you are using the fully enumerated AWS Standard User (read-only) policy, repeat steps 1-6 above for Part 2 and Part 3 of the read-only policy. (The AWS Power User, AWS GovCloud Standard User, and AWS GovCloud Power User policies can each be added as a single policy.)

Add the Instance Assume Role/STS Policy

After adding your preferred user policy, you also need to repeat steps 1-6 (from AWS Standard & Power User Policies) to add the Instance Assume Role/STS Policy.

Once all of the policies referenced above have been added, you have the correct policies in place to use when installing an AWS account.

Service Control Policies - Implementation & Known Issues

Within AWS, a Service Control Policy (SCP) is a type of policy used to manage permissions at the organization level. Per AWS, "SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization's access control guidelines."

  • Read more from AWS here on using SCPs.

Many organizations implement SCPs for security purposes while still granting the permissions DivvyCloud needs for full visibility into their AWS accounts.

It is important to note that many SCPs, once implemented, block permissions DivvyCloud requires to operate, even when those permissions have been explicitly granted via roles and policies.

  • If this scenario applies to your environment, you will need to revise your SCP so that it permits the required DivvyCloud permissions.
  • This is normal SCP behavior: SCPs are organization-wide policies, and AWS evaluates them as a ceiling that other types of permissions cannot exceed.
  • You can review our AWS Standard & Power User Policies for the required permissions; otherwise refer to the AWS documentation on SCPs.
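Two of the points on this page are evaluation-order rules rather than console steps: the supplemental policy's explicit Deny on s3:GetObject* wins over the managed ReadOnlyAccess Allow, and an SCP caps what any identity policy in the account can grant. The block below is an added example, not DivvyCloud's code, that models both rules on the supplemental and STS policies copied from this page. The ReadOnlyAccess stand-in and the two SCPs are constructed approximations (the real managed policy enumerates hundreds of services), and conditions, NotAction and resource-level matching are deliberately out of scope. The `to_govcloud` helper applies the partition rewrite described in the GovCloud note above.

```python
"""Toy policy evaluator for the IAM policies on this page (added example, not
DivvyCloud's code). It models two evaluation rules that decide whether the
policies above actually work:

  * an explicit Deny overrides any Allow: this is why the supplemental policy
    denies s3:GetObject* while AWS's ReadOnlyAccess allows s3:Get* (resource
    inventory without reading object contents);
  * a Service Control Policy is an upper bound: an action must be allowed by
    the SCP *and* by the identity policy, so an SCP that omits a service blocks
    it even though the role's policy allows it.

Conditions, NotAction and resource-level matching are out of scope here.
"""
import fnmatch
import json

# Policies copied from this page.
SUPPLEMENTAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AwsReadOnlyMissingPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["airflow:GetEnvironment", "airflow:ListEnvironments",
                    "lightsail:GetContainerServices", "pricing:GetProducts", "support:*"]},
        {"Sid": "AwsReadOnlyDenyPermissions", "Effect": "Deny", "Resource": "*",
         "Action": ["s3:GetObject*"]},
    ],
}
STS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/*"},
        {"Action": "sts:GetCallerIdentity", "Effect": "Allow", "Resource": "*"},
    ],
}

# Constructed stand-in for AWS's managed ReadOnlyAccess policy: the real one
# enumerates hundreds of services; these few are enough to show the behaviour.
READONLY_ACCESS_APPROX = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "s3:Get*", "s3:List*", "iam:Get*", "iam:List*"]}],
}

# Constructed SCPs: an organization that only allows a handful of services,
# and the default FullAWSAccess shape that allows everything.
SCP_RESTRICTED = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                 "Action": ["ec2:*", "s3:*", "iam:*", "sts:*", "support:*"]}]}
SCP_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Literal actions from the two policies on this page (wildcards such as support:* are not expanded).
REQUIRED_ACTIONS = ["airflow:GetEnvironment", "airflow:ListEnvironments",
                    "lightsail:GetContainerServices", "pricing:GetProducts",
                    "sts:AssumeRole", "sts:GetCallerIdentity"]


def _actions(statement):
    """IAM allows Action to be a string or a list; normalise to a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else action


def _matches(pattern, action):
    """IAM action names are matched case-insensitively with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one action across policies
    evaluated together: any explicit Deny wins, no matching statement is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective(identity_policies, action, scps=None):
    """SCP layer first (it caps every principal in the account), then the identity policies."""
    if scps is not None:
        scp_result = evaluate(scps, action)
        if scp_result != "Allow":
            return scp_result + " (SCP)"
    return evaluate(identity_policies, action)


def blocked_by_scp(scps, required=REQUIRED_ACTIONS):
    """List the required actions an SCP blocks regardless of what the role's policies grant."""
    return [a for a in required if evaluate(scps, a) != "Allow"]


def to_govcloud(policy):
    """Rewrite commercial-partition ARNs to GovCloud, as the GovCloud note on this page instructs."""
    return json.loads(json.dumps(policy).replace("arn:aws:", "arn:aws-us-gov:"))


if __name__ == "__main__":
    identity = [READONLY_ACCESS_APPROX, SUPPLEMENTAL_POLICY, STS_POLICY]
    for action in ["s3:ListBucket", "s3:GetObject", "airflow:GetEnvironment", "sts:AssumeRole"]:
        print(f"{action:24} identity={effective(identity, action):13} "
              f"restricted SCP={effective(identity, action, [SCP_RESTRICTED])}")
    print("required actions blocked by restricted SCP:", blocked_by_scp([SCP_RESTRICTED]))
```

`blocked_by_scp` is the part worth reusing: feed it your organization's real SCP statements and it lists which of the page's required actions the SCP would stop before the role's policy is ever consulted, which is exactly the revision the bullets above ask for. Note that a permissive result here says nothing about conditions such as aws:PrincipalArn, which this toy evaluator ignores.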

Another item to note: in more limited cases, an SCP that conflicts with an existing role or policy can also cause visibility issues (noted below).


Warnings with False Positives - Known AWS Service Control Policy Issue

When viewing details on the Clouds Listing page, DivvyCloud may report false positive "Warnings" about missing permissions. In some scenarios the permissions are granted within a Service Control Policy (SCP) but are falsely reported as denied.

This is the result of a known issue within AWS: if an organization has an SCP with conditions based on global condition keys (e.g., aws:PrincipalArn), the IAM Policy Simulator results are not accurate, because the simulator does not have the context needed to evaluate those keys.

If you have verified that your resources are being harvested as expected, you can safely disregard these warnings. If you are not sure, or have remaining questions or concerns, contact us at [email protected].

Additional AWS Configuration Options

Using Your Own SSL Cert with ELB

Customers interested in supplying their own certificate for ELB should refer to the following AWS documentation:

If you have questions about this configuration reach out to [email protected].



Other Helpful Pages

Once you have added your policies, navigate to the correct section depending on how you want to add an AWS cloud account to DivvyCloud.

Instance Assume Role (AWS)
Secure Token Service Assume Role (AWS)
Event Driven Harvesting (AWS)
Supported Calls (AWS)
