AWS Overview & Configuration

An Overview of InsightCloudSec Support for AWS Clouds

After installing InsightCloudSec, you're ready to start harvesting resources and detailed usage information from the various cloud service providers (CSPs) that InsightCloudSec supports. This documentation details configuring your Amazon Web Services (AWS) environment to "talk" with InsightCloudSec securely. Review the sections below to determine the best starting point for your environment.

What does InsightCloudSec support from AWS?

InsightCloudSec provides broad support for Amazon Web Services (AWS), one of the leading public cloud service providers. Review the full list of AWS-specific supported services on the AWS Support Reference page.

How do I start seeing my environment(s) in InsightCloudSec?

InsightCloudSec relies on a process called "harvesting" to pull data from various CSPs. You can harvest individual accounts or AWS Organizations using two different assume role authentication methods. Review the prerequisites in the "What do I need before getting started?" section below for information on harvesting your AWS data.

What do I do after my environment(s) is being harvested?

After at least one AWS account is harvested by InsightCloudSec, you're free to configure additional AWS services as necessary to enhance, optimize, or further secure your experience. Review AWS Additional Configuration for more information.

How can I optimize harvesting?

InsightCloudSec offers Event-Driven Harvesting for AWS, which requires additional configuration but optimizes harvesting by only pulling in new data when certain AWS CloudWatch Events occur. Review AWS Event-Driven Harvesting for more information.

What do I need before getting started?

You'll need to review and decide on the following before getting started with your first AWS Cloud setup:

1. The type of policy you'll be using to give InsightCloudSec access to your AWS services.

2. Whether you have any applicable additional configuration that must be completed, e.g., allowing InsightCloudSec through GuardDuty, enabling opt-in regions, etc.

3. Whether you want to add a single AWS account or an AWS organization to InsightCloudSec.

4. Whether your AWS environment uses Service Control Policies (SCPs). In more limited cases, an SCP that conflicts with an existing role/policy can also result in visibility issues (noted below).


Warnings with False Positives - Known AWS Service Control Policy Issue

When viewing details on the Clouds Listing page, InsightCloudSec may provide false positive "Warnings" around missing permissions. In some scenarios, the permissions are granted within a Service Control Policy (SCP) but are falsely reported as denied.

This scenario is the result of a known issue within AWS: if an Organization has an SCP with conditions based on global keys (e.g. aws:PrincipalArn), the IAM Policy Simulator results are not accurate because the simulator does not have context for the global keys.

If you have verified that your resources are being harvested as expected, you can safely disregard these warnings. If you're not sure or have remaining questions or concerns, contact us through the Customer Support Portal.
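
To check whether an SCP in your Organization matches the pattern described above, you can scan its policy document for conditions on global (`aws:`-prefixed) keys. The following is an added example, not part of InsightCloudSec or AWS tooling; the sample policy, its Sids and role names, and the function names are constructed for illustration.

```python
import json

# Constructed sample SCP (not from the page): one statement is conditioned on the
# global key aws:PrincipalArn, one on a service-specific key, one is unconditional.
SAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProtectAuditRole", "Effect": "Deny", "Action": "iam:*",
     "Resource": "arn:aws:iam::*:role/example-audit-role",
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/example-admin"}}},
    {"Sid": "LimitInstanceTypes", "Effect": "Deny", "Action": "ec2:RunInstances",
     "Resource": "*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": "t3.micro"}}},
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}
  ]
}
""")

def global_key_conditions(policy):
    """Return (sid, effect, operator, key) for each condition on an aws:* global key."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    hits = []
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                # Global condition keys use the "aws:" prefix; names are case-insensitive.
                if key.lower().startswith("aws:"):
                    hits.append((sid, stmt.get("Effect"), operator, key))
    return hits

def report(policy_name, policy):
    """Print one line per global-key condition and return the list of hits."""
    hits = global_key_conditions(policy)
    for sid, effect, operator, key in hits:
        print(f"{policy_name}: {sid} ({effect}) uses {operator} on {key}")
    if not hits:
        print(f"{policy_name}: no global-key conditions found")
    return hits

if __name__ == "__main__":
    report("constructed-sample-scp", SAMPLE_SCP)
```

Run it against the policy content returned by `aws organizations describe-policy` for each SCP attached to the account. A hit only tells you the warning may be a simulator false positive; confirming that resources are actually being harvested is still the deciding check.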
