AWS Integration

Integration guide for Resmo AWS Integration.

Resmo + AWS Integration Fundamentals

Resmo integrates with Amazon Web Services to ensure that your cloud environment is secure and compliant.

What does Resmo offer to Amazon Web Services users?

• Collect all your AWS assets in place (really!)

• Ability to query your AWS IAM roles, VPC security groups, Lambda functions, and 100+ other resources.

• Track changes across your entire AWS organization.

• Set up rule notifications based on AWS resource configurations and their changes.

• Use GitHub Best Practices packs to check your GitHub security and compliance posture.

How does the integration work?

Resmo has an AWS integration that you can install securely once you sign up for a Resmo account.

Our application uses API to make the initial polling and receive existing resources.

• API polling

• Webhook (Coming soon via CloudTrail!)

Available resources

Resmo AWS integration collects Autoscaling groups, IAM roles, DynamoDB tables, KMS keys, EC2 instances, and more.

See the full list:

Amazon Web ServicesResource Directory

Common queries and rules

• List SQS queues

• Detect EC2 instances with public IPs

• Identify Lambda functions with timeout/memory values

• Find S3 buckets with public read access

• See permissions of a specific IAM user

• Find DynamoDB Tables with KMS encryption disabled

• TBA

Integration Walkthrough

You have to create a customer-managed IAM Policy and IAM Role to let Resmo access your AWS resources. There are several options for creating policy and role; you can choose the best fitting option from the above list;

1. CloudFormation

2. Manually using AWS CLI

3. Manually using AWS Console

4. Terraform

How to install

The installation steps in this section present a general route you'll follow. To see the individual methods you can use to create the required IAM Policy and IAM Role for your Resmo AWS integration, navigate to each related heading below.

• Installation using CloudFormation

Watch a 2-min video to learn how to install the AWS integration using CloudFormation.

• Manual installation using AWS CLI
• Manual installation with AWS Console
• Manual installation with Terraform

Integration steps on Resmo

1. Login to Resmo and navigate to Integrations.

2. Select AWS and click the Add Integration button from the bottom right corner of the opening modal window.

3. To install the integration using CloudFormation, hit the Launch Stack button. Or you can install it manually by clicking the Connect Manually button.

If you are using AWS Organizations, please ensure you apply the template to the management (root) account and sub-accounts.

The following steps are for manual installation.

1. Enter your 12-digit AWS account ID into the Account ID field.

2. Then, enter a Role Name (a valid IAM Role in your AWS account, which Resmo can assume to fetch resources).

1. Next, paste your External ID into the related field. (This step is required for extra authentication.)

2. Select either Yes or No, depending on whether you will collect all the accounts under the organization. Note that the given role must be available in each account.

3. Hit the Create button, and your AWS integration is ready to roll.

Install Using CloudFormation

1. On your Resmo Integrations page, click Add Integration>AWS. You'll see the Create page for a new AWS integration. Then, click on the 'Need Help?' button next to the "Amazon Web Services Integration" title.

2. Hit the LaunchStack button to open the CloudFormation Quick create stack page.

If you are using AWS Organizations, please ensure;

to apply the CloudFormation template to the management (root) account or create required policies and roles at the management (root) account. Resmo will understand that the account is the management account and discover other accounts in the organization.

3. Create the stack by clicking Create Stack button.

4. After Stack completion, return to Resmo Integration Create Page, enter your AWS Account ID, and update Role Name and External ID if you update CloudFormation Stack parameters.

5. Create the integration.

Install to Organizational Management Account

After the above stack is completed in the management account of an organization, active accounts under the organization should be visible in the Not-Available Accounts section of select accounts.

In order to connect Resmo to those accounts as well, you can click on the launch stack button, and it should direct you to Create Stack-Set Page in AWS Console. You can copy and paste the stack-set required information, template url, external ID, etc., from Resmo.

In step 4, you can select automatic deployment enabled so that if a new account is added to the organization, a stack will be run, and resources in the new account will be visible seamlessly. After stack instances are completed for your accounts, accounts will be listed in the Available Accounts section of the Resmo integration, and resources in those accounts will be visible within a few minutes.

Manually Install Using AWS CLI

1. Create a policy with the name ResmoDataCollection

aws iam create-policy --policy-name ResmoDataCollection --policy-document file://policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "account:Get*",
        "account:List*",
        "backup:Describe*",
        "backup:Get*",
        "backup:List*",
        "codebuild:ListSourceCredentials",
        "cognito-identity:DescribeIdentityPool",
        "ec2:GetDefaultCreditSpecification",
        "ec2:GetEbsDefaultKmsKeyId",
        "ec2:GetEbsEncryptionByDefault",
        "eks:DescribeAddon",
        "eks:DescribeAddonVersions",
        "eks:DescribeIdentityProviderConfig",
        "eks:ListAddons",
        "eks:ListIdentityProviderConfigs",
        "elasticfilesystem:DescribeAccessPoints",
        "glue:GetTables",
        "iam:GenerateCredentialReport",
        "kinesisvideo:ListStreams",
        "network-firewall:DescribeFirewall",
        "network-firewall:DescribeFirewallPolicy",
        "network-firewall:DescribeResourcePolicy",
        "network-firewall:DescribeRuleGroup",
        "network-firewall:ListFirewallPolicies",
        "network-firewall:ListFirewalls",
        "network-firewall:ListRuleGroups",
        "ses:GetConfigurationSet",
        "ses:GetEmailIdentity",
        "ses:GetIdentityNotificationAttributes",
        "ses:ListConfigurationSets",
        "ses:ListEmailIdentities",
        "sns:GetSubscriptionAttributes",
        "ssm:GetInventory",
        "ssm:GetPatchBaseline",
        "support:DescribeCases",
        "support:DescribeSeverityLevels",
        "tag:GetComplianceSummary",
        "waf-regional:GetRule",
        "waf-regional:GetRuleGroup",
        "waf-regional:ListRuleGroups",
        "waf-regional:ListRules",
        "waf:GetRule",
        "waf:GetRuleGroup",
        "waf:ListRuleGroups",
        "waf:ListRules"
      ]
    }
  ]
}

2. Create a role with the name resmo-data-collect Note: Update <EXTERNAL_ID> with a proper secret of your choice, or you can use what Resmo has generated for you in Create Integration Page

aws iam create-role --role-name resmo-data-collect --assume-role-policy-document file://assume-role-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::512995177166:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<EXTERNAL_ID>"
                }
            }
        }
    ]
}

​You can use the Resmo-generated External ID or the secret of your choice.

3. Attach policies to the role resmo-data-collect aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/SecurityAudit --role-name resmo-data-collect

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSSOReadOnly --role-name resmo-data-collect

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess --role-name resmo-data-collect

aws iam attach-role-policy --policy-arn arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:policy/ResmoDataCollection --role-name resmo-data-collect

4. After completing all steps, return to Resmo Integration Create Page, set your AWS Account ID, and update Role Name if you create the role with a different name. Set External ID the same as what you have set on assume-role-policy.json.

Manually Using AWS Console

1. Create a policy with the name ResmoDataCollection and following document.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Resource": "*",
         "Action": [
           "account:Get*",
           "account:List*",
           "backup:Describe*",
           "backup:Get*",
           "backup:List*",
           "codebuild:ListSourceCredentials",
           "cognito-identity:DescribeIdentityPool",
           "ec2:GetDefaultCreditSpecification",
           "ec2:GetEbsDefaultKmsKeyId",
           "ec2:GetEbsEncryptionByDefault",
           "eks:DescribeAddon",
           "eks:DescribeAddonVersions",
           "eks:DescribeIdentityProviderConfig",
           "eks:ListAddons",
           "eks:ListIdentityProviderConfigs",
           "elasticfilesystem:DescribeAccessPoints",
           "glue:GetTables",
           "iam:GenerateCredentialReport",
           "kinesisvideo:ListStreams",
           "network-firewall:DescribeFirewall",
           "network-firewall:DescribeFirewallPolicy",
           "network-firewall:DescribeResourcePolicy",
           "network-firewall:DescribeRuleGroup",
           "network-firewall:ListFirewallPolicies",
           "network-firewall:ListFirewalls",
           "network-firewall:ListRuleGroups",
           "ses:GetConfigurationSet",
           "ses:GetEmailIdentity",
           "ses:GetIdentityNotificationAttributes",
           "ses:ListConfigurationSets",
           "ses:ListEmailIdentities",
           "sns:GetSubscriptionAttributes",
           "ssm:GetInventory",
           "ssm:GetPatchBaseline",
           "support:DescribeCases",
           "support:DescribeSeverityLevels",
           "tag:GetComplianceSummary",
           "waf-regional:GetRule",
           "waf-regional:GetRuleGroup",
           "waf-regional:ListRuleGroups",
           "waf-regional:ListRules",
           "waf:GetRule",
           "waf:GetRuleGroup",
           "waf:ListRuleGroups",
           "waf:ListRules"
         ]
       }
     ]
   }

2. Create a role with the name resmo-data-collect and attach the following policies to the role.

   1. SecurityAudit

   2. AWSSSOReadOnly

   3. AmazonOpenSearchServiceReadOnlyAccess

   4. ResmoDataCollection(Newly created customer-managed Policy)

3. Set Trust Policy of resmo-data-collect role with the following policy. Update <EXTERNAL_ID> with a proper secret of your choice or use Resmo Generated External ID.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::512995177166:root"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "sts:ExternalId": "<EXTERNAL_ID>"
                   }
               }
           }
       ]
   }

4. After the steps are completed, return to Resmo Integration Create Page, set your AWS Account ID, and update Role Name if you create the role with a different name. Set External ID the same as what you have set on Trust Policy of resmo-data-collect.

Manually Using Terraform Script

1. Copy the following Terraform script. Update <EXTERNAL_ID> with a proper secret of your choice or use Resmo Generated External ID.

   terraform {
     required_providers {
       aws = {
         source = "hashicorp/aws"
         version = "4.29.0"
       }
     }
   }
   
   resource "aws_iam_policy" "resmo_data_collection_policy" {
     description = "Resmo Data Collection policy for additional rights"
     name        = "ResmoDataCollection"
     path        = "/"
   
     policy = <<POLICY
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Resource": "*",
         "Action": [
           "account:Get*",
           "account:List*",
           "backup:Describe*",
           "backup:Get*",
           "backup:List*",
           "codebuild:ListSourceCredentials",
           "cognito-identity:DescribeIdentityPool",
           "ec2:GetDefaultCreditSpecification",
           "ec2:GetEbsDefaultKmsKeyId",
           "ec2:GetEbsEncryptionByDefault",
           "eks:DescribeAddon",
           "eks:DescribeAddonVersions",
           "eks:DescribeIdentityProviderConfig",
           "eks:ListAddons",
           "eks:ListIdentityProviderConfigs",
           "elasticfilesystem:DescribeAccessPoints",
           "glue:GetTables",
           "iam:GenerateCredentialReport",
           "kinesisvideo:ListStreams",
           "network-firewall:DescribeFirewall",
           "network-firewall:DescribeFirewallPolicy",
           "network-firewall:DescribeResourcePolicy",
           "network-firewall:DescribeRuleGroup",
           "network-firewall:ListFirewallPolicies",
           "network-firewall:ListFirewalls",
           "network-firewall:ListRuleGroups",
           "ses:GetConfigurationSet",
           "ses:GetEmailIdentity",
           "ses:GetIdentityNotificationAttributes",
           "ses:ListConfigurationSets",
           "ses:ListEmailIdentities",
           "sns:GetSubscriptionAttributes",
           "ssm:GetInventory",
           "ssm:GetPatchBaseline",
           "support:DescribeCases",
           "support:DescribeSeverityLevels",
           "tag:GetComplianceSummary",
           "waf-regional:GetRule",
           "waf-regional:GetRuleGroup",
           "waf-regional:ListRuleGroups",
           "waf-regional:ListRules",
           "waf:GetRule",
           "waf:GetRuleGroup",
           "waf:ListRuleGroups",
           "waf:ListRules"
         ]
       }
     ]
   }
   POLICY
   }
   
   resource "aws_iam_role" "resmo_data_collect_role" {
     assume_role_policy = <<POLICY
   {
     "Statement": [
       {
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "<EXTERNAL_ID>"
           }
         },
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::512995177166:root"
         }
       }
     ],
     "Version": "2012-10-17"
   }
   POLICY
     max_session_duration = "3600"
     name                 = "resmo-data-collect"
     path                 = "/"
   }
   
   resource "aws_iam_role_policy_attachment" "role_custom_policy_attach" {
     role       = aws_iam_role.resmo_data_collect_role.name
     policy_arn = aws_iam_policy.resmo_data_collection_policy.arn
   }
   resource "aws_iam_role_policy_attachment" "role_sso_policy_attach" {
     role       = aws_iam_role.resmo_data_collect_role.name
     policy_arn = "arn:aws:iam::aws:policy/AWSSSOReadOnly"
   }
   resource "aws_iam_role_policy_attachment" "role_opensearch_policy_attach" {
     role       = aws_iam_role.resmo_data_collect_role.name
     policy_arn = "arn:aws:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess"
   }
   resource "aws_iam_role_policy_attachment" "role_security_audit_policy_attach" {
     role       = aws_iam_role.resmo_data_collect_role.name
     policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
   }

2. Run the following commands

   terraform plan --out="resmo-data-colletion-role"
   terraform apply "resmo-data-colletion-role"

How to uninstall

• Login to your Resmo account.

• Navigate to the Integrations page and click your AWS integration.

• Click the Delete button to uninstall or Disable to stop polling AWS resources temporarily.

See the following methods to complete the uninstallation process.

1. Uninstall Resmo through CloudFormation

Delete CloudFormation Stack, and this will delete resources that the stack has created.

Uninstall Organizational Integration

If StackSet is not used to connect other accounts in the organization, you can just delete the CloudFormation stack, and that is all. Otherwise, the order of clean-up should be as follows:

1. Delete CloudFormation Stacks from StackSet in the organization management account; you can inspect their deletion from the Stack Instances tab of the StackSet. AWS will not allow the removal of StackSets if they contain Stack instances.

2. Delete CloudFormation StackSet in the organization management account.

3. Delete CloudFormation Stack (initially run to connect the management account to Resmo) in the organization management account.

2. Manually delete the role and policy using AWS CLI

1. Delete the role resmo-data-collect

aws iam delete-role --role-name resmo-data-collect

2. Delete the policy ResmoDataCollection

aws iam delete-policy --policy-arn arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:policy/ResmoDataCollection

3. Manually remove the role and policy using AWS Console

1. Delete the role resmo-data-collect

2. Delete the policy ResmoDataCollection

FAQ

What should I check if an integration fails to install?

1. Ensure you have run Cloudformation Stack before the integration creation.

2. Ensure you have entered the correct Account ID in the Resmo Integration create page.

3. Ensure Role Name and External IDs are matching with what Cloudformation Stack has created. You can check External ID from the Trust Relationships tab of the created IAM Role

What would happen if I delete required role used by integration?

I deleted the role before creating integration...

The integration will not pass into the ready state, you will see an error message on top of the integration page as Not authorized to assume your role.

I deleted the role after creating integration...

The integration will be in the ready state for a while. ~5 minutes later, your integration will pass into the not ready state and you will see an error message, Not authorized to assume your role , on top of the integration page.

Can I update my existing integration so that the integration will look at another AWS account?

No. The Account ID of an existing AWS integration could not be changed after the creation of the integration. You need to delete the integration and create a new AWS integration with the correct Account ID.

I have entered the wrong Account ID, Role Name, or External ID, what should I do?

Role Name and External ID can be updated after the creation of the integration, however, Account ID can only be set once, during the creation. You need to delete the integration and create a new AWS integration with the correct Account ID.

I have created my integration without selecting Organization true for my organization root account. Can I update that as the organization after the integration creation?

No. You need to create a new integration by marking the account as Organization.

How do you identify the account name field?

Our goal is to give user's a field they can recognize at a glance. AccountId isn't useful, but most users can't recognize which account it is at a glance and need to run another query to spot the account name.

If you're using AWS Organizations, we can get the AWS account name for each account from the API. So, it's set based on AWS organization's account names.

If an individual AWS account is integrated, we set the account name field as the Resmo integration name.

Related Documents and Links