After installing InsightCloudSec, you're ready to start harvesting resources and detailed usage information from the various cloud service providers (CSPs) that InsightCloudSec supports. This documentation details configuring your Amazon Web Services (AWS) environment to "talk" with InsightCloudSec securely. Review the sections below to determine the best starting point for your environment.
AWS is one of the leading public cloud service providers, and InsightCloudSec provides broad support for it. Review the full list of AWS-specific supported services on the AWS Support Reference page.
InsightCloudSec relies on a process called "harvesting" to pull data from the various CSPs. You can harvest individual AWS accounts or entire AWS Organizations using one of two assume-role authentication methods. Review the prerequisites in the "What do I need before getting started" section below before harvesting your AWS data.
After at least one AWS account is harvested by InsightCloudSec, you're free to configure additional AWS services as necessary to enhance, optimize, or further secure your experience. Review AWS Additional Configuration for more information.
InsightCloudSec offers Event-Driven Harvesting for AWS, which requires additional configuration but optimizes harvesting by only pulling in new data when certain AWS CloudWatch Events occur. Review AWS Event-Driven Harvesting for more information.
You'll need to review and decide on the following before getting started with your first AWS Cloud setup:
1. The type of policy you'll use to give InsightCloudSec access to your AWS services.
2. Whether any additional configuration applies to your environment and must be completed first, e.g., allowing InsightCloudSec through GuardDuty, enabling opt-in regions, etc.
3. Whether your AWS environment uses Service Control Policies (SCPs). In a smaller number of cases, an SCP that conflicts with an existing role or policy can also cause visibility issues (see the known issue noted below).
Warnings with False Positives - Known AWS Service Control Policy Issue
When viewing details on the Clouds Listing page, InsightCloudSec may report false-positive "Warnings" about missing permissions. In some scenarios the permissions are in fact granted, but a Service Control Policy (SCP) causes them to be falsely reported as denied.
This is the result of a known issue within AWS: if an Organization has an SCP whose conditions are based on global condition keys (e.g. aws:PrincipalArn), the IAM Policy Simulator results are not accurate because the simulator does not have context for those global keys.
If you have verified that your resources are being harvested as expected you can safely disregard these warnings. If you're not sure or otherwise have remaining questions or concerns, contact us at [email protected].
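To decide whether your Organization is exposed to this known issue, it helps to list which SCP statements condition on global keys at all. The following script is an added example, not part of this page or Rapid7's own tooling: it parses an SCP document and reports every statement whose Condition block references an `aws:` global condition key (aws:PrincipalArn is the key the issue calls out; flagging the whole `aws:` namespace is a conservative assumption so each such statement can be reviewed). The sample SCP embedded in it is constructed for illustration and does not describe any real organization.

```python
import json
import sys
from typing import Any, Dict, List

# Condition keys in the "aws:" namespace are AWS global condition keys.
# aws:PrincipalArn is the key the known issue calls out; this check flags
# every global key (a conservative assumption) so each hit can be reviewed.
GLOBAL_KEY_PREFIX = "aws:"


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows either a single object or a list in most positions."""
    return value if isinstance(value, list) else [value]


def find_global_key_conditions(scp_document: str) -> List[Dict[str, Any]]:
    """Return the statements of an SCP whose Condition block references at
    least one global (aws:*) condition key, together with the keys found."""
    policy = json.loads(scp_document)
    findings: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement", [])):
        condition = stmt.get("Condition") or {}
        hits = set()
        # Condition is {operator: {key: value(s)}}; the operator name
        # ("StringEquals", "ForAnyValue:ArnLike", ...) does not matter here.
        for clauses in condition.values():
            for key in clauses:
                # IAM condition key names are case-insensitive.
                if key.lower().startswith(GLOBAL_KEY_PREFIX):
                    hits.add(key)
        if hits:
            findings.append({
                "Sid": stmt.get("Sid", "<no Sid>"),
                "Effect": stmt.get("Effect"),
                "Keys": sorted(hits),
            })
    return findings


# Constructed sample SCP (not from any real organization): one statement
# conditions on aws:PrincipalArn, one on another global key, and one only on
# a service-specific key, which the simulator issue does not involve.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyUnlessApprovedRole",
            "Effect": "Deny",
            "Action": ["ec2:*", "s3:*"],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/ApprovedHarvestRole"]}
            },
        },
        {
            "Sid": "DenyUnapprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}},
        },
        {
            "Sid": "DenyPublicAcls",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "public-read"}},
        },
    ],
})


if __name__ == "__main__":
    # Pass a file containing an SCP document as the first argument,
    # otherwise the constructed sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            document = fh.read()
    else:
        document = SAMPLE_SCP
    for finding in find_global_key_conditions(document):
        print(f'{finding["Sid"]} ({finding["Effect"]}): {", ".join(finding["Keys"])}')
```

Run against the sample it reports `DenyUnlessApprovedRole` (aws:PrincipalArn) and `DenyUnapprovedRegions` (aws:RequestedRegion) but not `DenyPublicAcls`, whose condition uses only a service-specific key. To check a real SCP, export its content first, e.g. `aws organizations describe-policy --policy-id <your-policy-id> --query Policy.Content --output text > scp.json`, then run the script with `scp.json` as its argument. Any flagged Deny statement is a candidate cause of the false-positive warnings described above, so verify harvesting of the affected resources directly rather than relying on the simulator result.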