Resmo Documentation
AWS Integration

Integration guide for Resmo AWS Integration.


Last updated 1 year ago


Resmo + AWS Integration Fundamentals

Resmo integrates with Amazon Web Services to ensure that your cloud environment is secure and compliant.

What does Resmo offer to Amazon Web Services users?

  • Collect all your AWS assets in one place (really!)

  • Ability to query your AWS IAM roles, VPC security groups, Lambda functions, and 100+ other resources.

  • Track changes across your entire AWS organization.

  • Set up rule notifications based on AWS resource configurations and their changes.

  • Use GitHub Best Practices packs to check your GitHub security and compliance posture.

How does the integration work?

Resmo has an AWS integration that you can install securely once you sign up for a Resmo account.

Our application uses the AWS API to perform the initial polling and retrieve your existing resources.

  • API polling

  • Webhook (Coming soon via CloudTrail!)

Available resources

Resmo AWS integration collects Autoscaling groups, IAM roles, DynamoDB tables, KMS keys, EC2 instances, and more.

See the full list in the Amazon Web Services Resource Directory.

Common queries and rules

  • List SQS queues

  • Detect EC2 instances with public IPs

  • Identify Lambda functions with timeout/memory values

  • Find S3 buckets with public read access

  • See permissions of a specific IAM user

  • Find DynamoDB Tables with KMS encryption disabled

  • TBA

Integration Walkthrough

You have to create a customer-managed IAM Policy and an IAM Role to let Resmo access your AWS resources. There are several options for creating the policy and role; choose the one that fits you best from the list below:

  1. CloudFormation

  2. Manually using AWS CLI

  3. Manually using AWS Console

  4. Terraform

How to install

The installation steps in this section present a general route you'll follow. To see the individual methods you can use to create the required IAM Policy and IAM Role for your Resmo AWS integration, navigate to each related heading below.

Integration steps on Resmo

  1. Login to Resmo and navigate to Integrations.

  2. Select AWS and click the Add Integration button from the bottom right corner of the opening modal window.

If you are using AWS Organizations, please ensure you apply the template to the management (root) account and sub-accounts.

The following steps are for manual installation.

  1. Enter your 12-digit AWS account ID into the Account ID field.

  2. Then, enter a Role Name (a valid IAM Role in your AWS account, which Resmo can assume to fetch resources).

  3. Next, paste your External ID into the related field. (This step is required for extra authentication.)

  4. Select either Yes or No, depending on whether you will collect all the accounts under the organization. Note that the given role must be available in each account.

  5. Hit the Create button, and your AWS integration is ready to roll.

Install Using CloudFormation

  1. On your Resmo Integrations page, click Add Integration>AWS. You'll see the Create page for a new AWS integration. Then, click on the 'Need Help?' button next to the "Amazon Web Services Integration" title.

  2. Hit the LaunchStack button to open the CloudFormation Quick create stack page.

If you are using AWS Organizations, please ensure that you apply the CloudFormation template to the management (root) account, or create the required policies and roles in the management (root) account. Resmo will recognize that the account is the management account and discover the other accounts in the organization.

3. Create the stack by clicking Create Stack button.

4. After Stack completion, return to Resmo Integration Create Page, enter your AWS Account ID, and update Role Name and External ID if you update CloudFormation Stack parameters.

5. Create the integration.

Install to Organizational Management Account

After the above stack is completed in the management account of an organization, active accounts under the organization should be visible in the Not-Available Accounts section of select accounts.

In order to connect Resmo to those accounts as well, you can click on the launch stack button, and it should direct you to Create Stack-Set Page in AWS Console. You can copy and paste the stack-set required information, template url, external ID, etc., from Resmo.

In step 4, you can enable automatic deployment so that whenever a new account is added to the organization, a stack is run for it and the resources in the new account become visible seamlessly. After the stack instances are completed for your accounts, the accounts will be listed in the Available Accounts section of the Resmo integration, and the resources in those accounts will be visible within a few minutes.

Manually Install Using AWS CLI

  1. Create a policy with the name ResmoDataCollection, using the following document as policy.json

aws iam create-policy --policy-name ResmoDataCollection --policy-document file://policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "account:Get*",
        "account:List*",
        "backup:Describe*",
        "backup:Get*",
        "backup:List*",
        "codebuild:ListSourceCredentials",
        "cognito-identity:DescribeIdentityPool",
        "ec2:GetDefaultCreditSpecification",
        "ec2:GetEbsDefaultKmsKeyId",
        "ec2:GetEbsEncryptionByDefault",
        "eks:DescribeAddon",
        "eks:DescribeAddonVersions",
        "eks:DescribeIdentityProviderConfig",
        "eks:ListAddons",
        "eks:ListIdentityProviderConfigs",
        "elasticfilesystem:DescribeAccessPoints",
        "glue:GetTables",
        "iam:GenerateCredentialReport",
        "kinesisvideo:ListStreams",
        "network-firewall:DescribeFirewall",
        "network-firewall:DescribeFirewallPolicy",
        "network-firewall:DescribeResourcePolicy",
        "network-firewall:DescribeRuleGroup",
        "network-firewall:ListFirewallPolicies",
        "network-firewall:ListFirewalls",
        "network-firewall:ListRuleGroups",
        "ses:GetConfigurationSet",
        "ses:GetEmailIdentity",
        "ses:GetIdentityNotificationAttributes",
        "ses:ListConfigurationSets",
        "ses:ListEmailIdentities",
        "sns:GetSubscriptionAttributes",
        "ssm:GetInventory",
        "ssm:GetPatchBaseline",
        "support:DescribeCases",
        "support:DescribeSeverityLevels",
        "tag:GetComplianceSummary",
        "waf-regional:GetRule",
        "waf-regional:GetRuleGroup",
        "waf-regional:ListRuleGroups",
        "waf-regional:ListRules",
        "waf:GetRule",
        "waf:GetRuleGroup",
        "waf:ListRuleGroups",
        "waf:ListRules"
      ]
    }
  ]
}

2. Create a role with the name resmo-data-collect, using the following document as assume-role-policy.json. Note: replace <EXTERNAL_ID> with a proper secret of your choice, or use the one Resmo has generated for you on the Create Integration page.

aws iam create-role --role-name resmo-data-collect --assume-role-policy-document file://assume-role-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::512995177166:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<EXTERNAL_ID>"
                }
            }
        }
    ]
}

You can use the Resmo-generated External ID or a secret of your choice.

3. Attach policies to the role resmo-data-collect

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/SecurityAudit --role-name resmo-data-collect

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSSOReadOnly --role-name resmo-data-collect

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess --role-name resmo-data-collect

aws iam attach-role-policy --policy-arn arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:policy/ResmoDataCollection --role-name resmo-data-collect

4. After completing all steps, return to the Resmo Integration Create page, set your AWS Account ID, and update the Role Name if you created the role with a different name. Set the External ID to the same value you used in assume-role-policy.json.
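Before running the create-policy and create-role commands above, it is worth checking that the two JSON documents still grant only what this page describes: read-only data-collection actions, and a trust relationship limited to Resmo's account that carries a real sts:ExternalId condition (the external ID is what prevents a third party from getting Resmo to assume your role on their behalf). The following Python script is an added example, not Resmo's code; it lints both documents with the standard library only. The Resmo principal ARN is taken from the trust policy shown on this page; the policy documents embedded in the script are constructed, trimmed copies of the page's ResmoDataCollection and assume-role policies (the same documents reappear unchanged in the Console and Terraform sections below). The minimum external ID length of 16 characters is an assumption of this example, not a Resmo requirement.

```python
"""Lint the ResmoDataCollection policy and the resmo-data-collect trust policy
before handing them to `aws iam create-policy` / `aws iam create-role`.
Added example, not Resmo's code."""
import json

# Principal from the trust policy shown on this page.
RESMO_PRINCIPAL = "arn:aws:iam::512995177166:root"
PLACEHOLDER = "<EXTERNAL_ID>"
# Operation-name prefixes treated as read-only (Generate covers
# iam:GenerateCredentialReport); anything else is reported.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Generate")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement", []))


def lint_collection_policy(doc):
    """Findings for the permissions policy. An empty list means every allowed
    action is a read-only API call and there are no wildcard actions or
    NotAction/NotResource clauses (which grant more than what is listed)."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    for i, st in enumerate(_statements(doc)):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants more than listed")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
                continue
            service, _, op = action.partition(":")
            if not service or not op:
                findings.append(f"statement {i}: malformed action {action!r}")
            elif not op.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: non-read-only action {action!r}")
    return findings


def lint_trust_policy(doc, expected_principal=RESMO_PRINCIPAL, min_external_id_len=16):
    """Findings for the assume-role (trust) policy: exactly one Allow statement,
    only the expected principal, sts:AssumeRole only, and an sts:ExternalId
    StringEquals condition that is neither missing nor the template placeholder."""
    findings = []
    allow = [s for s in _statements(doc) if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        findings.append(f"expected exactly one Allow statement, found {len(allow)}")
    for st in allow:
        principal = st.get("Principal", {})
        principals = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(principals):
            if p != expected_principal:
                findings.append(f"unexpected principal {p!r}")
        actions = _as_list(st.get("Action", []))
        if actions != ["sts:AssumeRole"]:
            findings.append(f"trust policy must allow only sts:AssumeRole, got {actions}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif ext == PLACEHOLDER:
            findings.append("sts:ExternalId still set to the <EXTERNAL_ID> placeholder")
        elif len(ext) < min_external_id_len:  # assumed minimum, not a Resmo rule
            findings.append(f"sts:ExternalId shorter than {min_external_id_len} characters")
    return findings


# Constructed sample inputs: trimmed copies of the two documents on this page.
COLLECTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["account:Get*", "backup:Describe*", "iam:GenerateCredentialReport",
               "ssm:GetInventory", "waf:ListRules"]}]
}""")

TRUST_POLICY_TEMPLATE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::512995177166:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL_ID>"}}}]
}""")


def with_external_id(doc, external_id):
    """Return a copy of a trust policy template with the placeholder filled in."""
    return json.loads(json.dumps(doc).replace(PLACEHOLDER, external_id))


if __name__ == "__main__":
    print("collection policy:", lint_collection_policy(COLLECTION_POLICY) or "ok")
    print("trust template:", lint_trust_policy(TRUST_POLICY_TEMPLATE))
    filled = with_external_id(TRUST_POLICY_TEMPLATE, "example-external-id-0123456789")
    print("trust policy with external ID:", lint_trust_policy(filled) or "ok")
```

Run it against your real policy.json and assume-role-policy.json (for example by loading them with json.load instead of the embedded samples) before the create-role step; the template as copied from this page is reported until the placeholder is replaced, which is exactly the mistake the FAQ's "Not authorized to assume your role" error usually comes from.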

Manually Using AWS Console

  1. Create a policy with the name ResmoDataCollection and following document.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "account:Get*",
            "account:List*",
            "backup:Describe*",
            "backup:Get*",
            "backup:List*",
            "codebuild:ListSourceCredentials",
            "cognito-identity:DescribeIdentityPool",
            "ec2:GetDefaultCreditSpecification",
            "ec2:GetEbsDefaultKmsKeyId",
            "ec2:GetEbsEncryptionByDefault",
            "eks:DescribeAddon",
            "eks:DescribeAddonVersions",
            "eks:DescribeIdentityProviderConfig",
            "eks:ListAddons",
            "eks:ListIdentityProviderConfigs",
            "elasticfilesystem:DescribeAccessPoints",
            "glue:GetTables",
            "iam:GenerateCredentialReport",
            "kinesisvideo:ListStreams",
            "network-firewall:DescribeFirewall",
            "network-firewall:DescribeFirewallPolicy",
            "network-firewall:DescribeResourcePolicy",
            "network-firewall:DescribeRuleGroup",
            "network-firewall:ListFirewallPolicies",
            "network-firewall:ListFirewalls",
            "network-firewall:ListRuleGroups",
            "ses:GetConfigurationSet",
            "ses:GetEmailIdentity",
            "ses:GetIdentityNotificationAttributes",
            "ses:ListConfigurationSets",
            "ses:ListEmailIdentities",
            "sns:GetSubscriptionAttributes",
            "ssm:GetInventory",
            "ssm:GetPatchBaseline",
            "support:DescribeCases",
            "support:DescribeSeverityLevels",
            "tag:GetComplianceSummary",
            "waf-regional:GetRule",
            "waf-regional:GetRuleGroup",
            "waf-regional:ListRuleGroups",
            "waf-regional:ListRules",
            "waf:GetRule",
            "waf:GetRuleGroup",
            "waf:ListRuleGroups",
            "waf:ListRules"
          ]
        }
      ]
    }

  2. Create a role with the name resmo-data-collect and attach the following policies to the role.

    1. SecurityAudit

    2. AWSSSOReadOnly

    3. AmazonOpenSearchServiceReadOnlyAccess

    4. ResmoDataCollection (the newly created customer-managed policy)

  3. Set Trust Policy of resmo-data-collect role with the following policy. Update <EXTERNAL_ID> with a proper secret of your choice or use Resmo Generated External ID.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::512995177166:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<EXTERNAL_ID>"
                    }
                }
            }
        ]
    }

  4. After the steps are completed, return to the Resmo Integration Create page, set your AWS Account ID, and update the Role Name if you created the role with a different name. Set the External ID to the same value you used in the Trust Policy of resmo-data-collect.

Manually Using Terraform Script

  1. Copy the following Terraform script. Update <EXTERNAL_ID> with a proper secret of your choice or use Resmo Generated External ID.

    terraform {
      required_providers {
        aws = {
          source = "hashicorp/aws"
          version = "4.29.0"
        }
      }
    }
    
    resource "aws_iam_policy" "resmo_data_collection_policy" {
      description = "Resmo Data Collection policy for additional rights"
      name        = "ResmoDataCollection"
      path        = "/"
    
      policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "account:Get*",
            "account:List*",
            "backup:Describe*",
            "backup:Get*",
            "backup:List*",
            "codebuild:ListSourceCredentials",
            "cognito-identity:DescribeIdentityPool",
            "ec2:GetDefaultCreditSpecification",
            "ec2:GetEbsDefaultKmsKeyId",
            "ec2:GetEbsEncryptionByDefault",
            "eks:DescribeAddon",
            "eks:DescribeAddonVersions",
            "eks:DescribeIdentityProviderConfig",
            "eks:ListAddons",
            "eks:ListIdentityProviderConfigs",
            "elasticfilesystem:DescribeAccessPoints",
            "glue:GetTables",
            "iam:GenerateCredentialReport",
            "kinesisvideo:ListStreams",
            "network-firewall:DescribeFirewall",
            "network-firewall:DescribeFirewallPolicy",
            "network-firewall:DescribeResourcePolicy",
            "network-firewall:DescribeRuleGroup",
            "network-firewall:ListFirewallPolicies",
            "network-firewall:ListFirewalls",
            "network-firewall:ListRuleGroups",
            "ses:GetConfigurationSet",
            "ses:GetEmailIdentity",
            "ses:GetIdentityNotificationAttributes",
            "ses:ListConfigurationSets",
            "ses:ListEmailIdentities",
            "sns:GetSubscriptionAttributes",
            "ssm:GetInventory",
            "ssm:GetPatchBaseline",
            "support:DescribeCases",
            "support:DescribeSeverityLevels",
            "tag:GetComplianceSummary",
            "waf-regional:GetRule",
            "waf-regional:GetRuleGroup",
            "waf-regional:ListRuleGroups",
            "waf-regional:ListRules",
            "waf:GetRule",
            "waf:GetRuleGroup",
            "waf:ListRuleGroups",
            "waf:ListRules"
          ]
        }
      ]
    }
    POLICY
    }
    
    resource "aws_iam_role" "resmo_data_collect_role" {
      assume_role_policy = <<POLICY
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<EXTERNAL_ID>"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::512995177166:root"
          }
        }
      ],
      "Version": "2012-10-17"
    }
    POLICY
      max_session_duration = "3600"
      name                 = "resmo-data-collect"
      path                 = "/"
    }
    
    resource "aws_iam_role_policy_attachment" "role_custom_policy_attach" {
      role       = aws_iam_role.resmo_data_collect_role.name
      policy_arn = aws_iam_policy.resmo_data_collection_policy.arn
    }
    resource "aws_iam_role_policy_attachment" "role_sso_policy_attach" {
      role       = aws_iam_role.resmo_data_collect_role.name
      policy_arn = "arn:aws:iam::aws:policy/AWSSSOReadOnly"
    }
    resource "aws_iam_role_policy_attachment" "role_opensearch_policy_attach" {
      role       = aws_iam_role.resmo_data_collect_role.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess"
    }
    resource "aws_iam_role_policy_attachment" "role_security_audit_policy_attach" {
      role       = aws_iam_role.resmo_data_collect_role.name
      policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
    }
  2. Run the following commands

    terraform plan -out=resmo-data-collection-role
    terraform apply resmo-data-collection-role

How to uninstall

  • Login to your Resmo account.

  • Navigate to the Integrations page and click your AWS integration.

  • Click the Delete button to uninstall or Disable to stop polling AWS resources temporarily.

See the following methods to complete the uninstallation process.

1. Uninstall Resmo through CloudFormation

Delete the CloudFormation Stack; this removes the resources the stack created.

Uninstall Organizational Integration

If StackSet is not used to connect other accounts in the organization, you can just delete the CloudFormation stack, and that is all. Otherwise, the order of clean-up should be as follows:

  1. Delete CloudFormation Stacks from StackSet in the organization management account; you can inspect their deletion from the Stack Instances tab of the StackSet. AWS will not allow the removal of StackSets if they contain Stack instances.

  2. Delete CloudFormation StackSet in the organization management account.

  3. Delete CloudFormation Stack (initially run to connect the management account to Resmo) in the organization management account.

2. Manually delete the role and policy using AWS CLI

  1. Detach the four managed policies from the role, then delete the role resmo-data-collect (IAM refuses to delete a role that still has policies attached)

aws iam detach-role-policy --role-name resmo-data-collect --policy-arn <POLICY_ARN>   # repeat for SecurityAudit, AWSSSOReadOnly, AmazonOpenSearchServiceReadOnlyAccess and ResmoDataCollection
aws iam delete-role --role-name resmo-data-collect

2. Delete the policy ResmoDataCollection

aws iam delete-policy --policy-arn arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:policy/ResmoDataCollection

3. Manually remove the role and policy using AWS Console

  1. Delete the role resmo-data-collect

  2. Delete the policy ResmoDataCollection

FAQ

What should I check if an integration fails to install?
  1. Ensure you have run the CloudFormation Stack before creating the integration.

  2. Ensure you have entered the correct Account ID on the Resmo Integration create page.

  3. Ensure the Role Name and External ID match what the CloudFormation Stack created. You can check the External ID from the Trust Relationships tab of the created IAM Role.

What happens if I delete the role used by the integration?

I deleted the role before creating integration...

The integration will not pass into the ready state, and you will see the error message "Not authorized to assume your role" at the top of the integration page.

I deleted the role after creating integration...

The integration will stay in the ready state for a while. About 5 minutes later, it will pass into the not-ready state and you will see the error message "Not authorized to assume your role" at the top of the integration page.

Can I update my existing integration so that the integration will look at another AWS account?

No. The Account ID of an existing AWS integration cannot be changed after the integration is created. You need to delete the integration and create a new AWS integration with the correct Account ID.

I have entered the wrong Account ID, Role Name, or External ID, what should I do?

Role Name and External ID can be updated after the creation of the integration, however, Account ID can only be set once, during the creation. You need to delete the integration and create a new AWS integration with the correct Account ID.

I created my integration without selecting Organization (Yes) for my organization root account. Can I switch it to an organization integration after creation?

No. You need to create a new integration by marking the account as Organization.

How do you identify the account name field?

Our goal is to give users a field they can recognize at a glance. An Account ID alone isn't helpful here: most users can't tell which account it is at a glance and would need to run another query to find the account name.

If you're using AWS Organizations, we can get the AWS account name for each account from the API. So, it's set based on AWS organization's account names.

If an individual AWS account is integrated, we set the account name field as the Resmo integration name.

Related Documents and Links

Watch a 2-min video to learn how to install the AWS integration using CloudFormation.

To install the integration using CloudFormation, hit the Launch Stack button. Or you can install it manually by clicking the Connect Manually button.

  • Installation using CloudFormation
  • Manual installation using AWS CLI
  • Manual installation with AWS Console
  • Manual installation with Terraform