Online Help

Creating AWS segments

Preview

This page describes how to create an AWS segment for scanning your Amazon Web Services environment to discover resources and later audit those you need.

NOTE: This feature is currently in preview and may change or evolve over time.

AWS minimal permissions

Before creating an AWS segment, prepare an IAM user with the minimal permissions required to discover and audit your AWS resources. The Audit Service authenticates with that user's programmatic access keys (Access Key ID and Secret Access Key), so an IAM user is required unless the audit is performed from within AWS using an IAM role. Do not use the access keys of the AWS account root user for this purpose.

When creating the segment, you will be asked to provide the AWS credentials for that IAM user. These credentials will be used by the Audit Service to access and audit the AWS resources in the segment.

Create an IAM policy from the JSON snippet below and attach it to that IAM user. Following the principle of least privilege, grant the user only the permissions it needs: every action below is a read-only discovery call (Describe, List, Get), so the user can see all resources you intend to scan without being able to change them.

NOTE: The permissions listed here reflect the current configuration. They may be updated from time to time as new resource types are supported.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeInstances",
				"ec2:DescribeRegions",
				"ec2:DescribeVolumes",
				"rds:DescribeDBInstances",
				"ec2:DescribeAvailabilityZones",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeImages",
				"ec2:DescribeVpcs",
				"ec2:DescribeSubnets",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeKeyPairs",
				"s3:ListBucket",
				"s3:ListBucketVersions",
				"s3:ListAllMyBuckets",
				"s3:GetBucketLocation",
				"compute-optimizer:GetEnrollmentStatus",
				"rds:DescribeCertificates"
			],
			"Resource": "*"
		}
	]
}

Create an access key for the IAM user in the AWS Management Console and copy the Access key ID and Secret access key. You will need them when creating the segment. AWS shows the secret access key only once, at creation time; if you lose it, you must create a new access key.
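As an added example (it is not part of the product's own code), the following Python script embeds the policy from this page, checks that every allowed action is a plain metadata read before anything is attached, and provisions the user, policy and access key. The user and policy names are placeholders, and the provisioning function assumes boto3 is installed and that the caller holds credentials allowed to manage IAM; the checks themselves run offline.

```python
"""Least-privilege check and provisioning helper for the AWS audit user.

Added example, not the product's own code. The policy is the one from this
page; user and policy names are assumptions to be replaced.
"""
import json

# Policy document from this page, embedded as constructed input for the check.
AUDIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances", "ec2:DescribeRegions",
                "ec2:DescribeVolumes", "rds:DescribeDBInstances",
                "ec2:DescribeAvailabilityZones",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "ec2:DescribeSecurityGroups", "ec2:DescribeImages",
                "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces", "ec2:DescribeKeyPairs",
                "s3:ListBucket", "s3:ListBucketVersions",
                "s3:ListAllMyBuckets", "s3:GetBucketLocation",
                "compute-optimizer:GetEnrollmentStatus",
                "rds:DescribeCertificates",
            ],
            "Resource": "*",
        }
    ],
}

# Verbs that only read control-plane metadata. Anything else (Create, Put,
# Delete, Modify, Terminate, ...) is more than discovery needs.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")
# Data-plane reads that start with "Get" but expose object contents rather
# than metadata; discovery does not need them, so they are rejected too.
DATA_PLANE_READS = {"s3:GetObject", "s3:GetObjectVersion"}


def allowed_actions(policy: dict) -> list:
    """Flatten the Action field(s) of every Allow statement."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        listed = stmt.get("Action", [])
        actions.extend([listed] if isinstance(listed, str) else listed)
    return actions


def find_overprivileged_actions(policy: dict) -> list:
    """Return every allowed action that is not a plain metadata read.

    Wildcards are rejected outright: "ec2:Describe*" silently grows as AWS
    adds APIs, and "ec2:*" would grant full control of the service.
    """
    bad = []
    for action in allowed_actions(policy):
        _service, _, verb = action.partition(":")
        if ("*" in action
                or not verb.startswith(READ_ONLY_PREFIXES)
                or action in DATA_PLANE_READS):
            bad.append(action)
    return bad


def actions_by_service(policy: dict) -> dict:
    """Group allowed actions by service (sorted) for a quick review."""
    grouped = {}
    for action in allowed_actions(policy):
        service, _, verb = action.partition(":")
        grouped.setdefault(service, []).append(verb)
    return {svc: sorted(verbs) for svc, verbs in sorted(grouped.items())}


def policy_document(policy: dict) -> str:
    """Serialize the policy: IAM expects PolicyDocument as a JSON string."""
    return json.dumps(policy, indent=2)


def provision_audit_user(user_name: str, policy_name: str,
                         policy: dict = AUDIT_POLICY):
    """Create the user and managed policy, attach it, issue one access key.

    Runs against a real account: needs boto3 (assumed installed) and
    credentials allowed to manage IAM. Refuses over-privileged policies.
    The secret access key is returned exactly once; store it in a secrets
    manager, never in a ticket or chat message.
    """
    bad = find_overprivileged_actions(policy)
    if bad:
        raise ValueError(f"policy is not read-only: {bad}")
    import boto3  # assumption: boto3 available; lazy so the checks run offline
    iam = boto3.client("iam")
    created = iam.create_policy(PolicyName=policy_name,
                                PolicyDocument=policy_document(policy))
    iam.create_user(UserName=user_name)
    iam.attach_user_policy(UserName=user_name,
                           PolicyArn=created["Policy"]["Arn"])
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    return key["AccessKeyId"], key["SecretAccessKey"]


if __name__ == "__main__":
    print(find_overprivileged_actions(AUDIT_POLICY))  # [] for the page's policy
    print(json.dumps(actions_by_service(AUDIT_POLICY), indent=2))
```

The `"Resource": "*"` in the policy is not sloppiness: the EC2 Describe* calls and s3:ListAllMyBuckets do not support resource-level permissions, so narrowing the resource would simply make them fail. The check therefore constrains the action list instead, and anything outside Describe/List/Get (or any wildcard) is refused before the policy is attached. After provisioning, `aws sts get-caller-identity` with the new keys confirms they belong to the intended user, and `aws iam simulate-principal-policy` can confirm a write action such as ec2:TerminateInstances is denied.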

Create an AWS segment

Follow these steps to set up a new AWS segment and provide the necessary credentials for scanning and auditing your cloud resources.

To create an AWS segment:

  1. In the left navigation sidebar, choose Network.

  2. In the Network section, click on the Segments tile.

  3. Click the + New Segment button.

  4. Select the AWS icon and click Next to open the new segment's configuration parameters.

  5. In the Select or install Audit Service section, click the down arrow and choose a previously deployed Audit Service instance.

    TIP: If none of the registered services apply, click Download Alloy Audit Service to download a new Audit Service, and then run the installation package on a computer with internet access. Once the Alloy Audit Service is successfully installed, it will appear in the list above, so you can select it and proceed with the configuration.

  6. Expand the AWS section.

  7. The Name of the new segment is assigned automatically, but you can edit it if necessary.

  8. Under Available resources, select the cloud resources you want to scan.

  9. Expand the Credentials section and enter the access keys of the IAM user prepared above (an IAM role has no long-term access keys, so a user is required here):

    • Access key ID: Enter the access key ID of the IAM user.

    • Secret access key: Enter and confirm the secret access key for the same IAM user.

    You obtain these values in the AWS Management Console when you create an access key for the IAM user; the secret access key is shown only at that time.

    INFO: For details, refer to Segment audit credentials.

  10. Setting a Scan schedule is optional at this stage. Click Continue without a schedule to skip it, or choose a scan frequency (Daily, Weekly, or Monthly) and specify the details.

  11. The final Let's get started! Discover where to find the results step shows where you can find discovered resources.

    After creating the segment, it will appear in the Network section and can be scanned either automatically or on demand.

    The first scan performs discovery only, listing resources by name. To collect detailed information about a resource, you must run an audit. Audited resources are automatically added to the Inventory section.

    IMPORTANT: Scanning lists only resource names and does not count toward your licensed nodes. Auditing collects detailed information and does count. For details and best practices, see Scanning and auditing.

  12. To finalize the process, click Create.