Online Help

Creating AWS segments

Preview

This page describes how to create an AWS segment for scanning your Amazon Web Services environment to discover resources and later audit those you need.

NOTE: This feature is currently in preview and may change or evolve over time.

AWS minimal permissions

Before creating an AWS segment, prepare an IAM user with the minimal permissions required to discover and audit your AWS resources. The Audit Service authenticates with the user's programmatic access keys (Access Key ID and Secret Access Key), so an IAM user is required unless the audit is performed from within AWS using an IAM role.

When creating the segment, you will be asked to provide the AWS credentials for that IAM user. These credentials will be used by the Audit Service to access and audit the AWS resources in the segment.

Create a customer managed IAM policy from the JSON snippet below and attach it to the IAM user (or to the IAM role, if the Audit Service runs inside AWS). The policy contains only Describe, List and Get actions, so it grants read-only access; its Resource is "*" because most of these Describe actions do not support resource-level permissions. Grant only what the resources you intend to scan require, following the principle of least privilege, and do not reuse a user that already holds broader permissions.

NOTE: The permissions listed here reflect the current configuration. They may be updated from time to time as new resource types are supported.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeInstances",
				"ec2:DescribeRegions",
				"ec2:DescribeVolumes",
				"rds:DescribeDBInstances",
				"ec2:DescribeAvailabilityZones",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeImages",
				"ec2:DescribeVpcs",
				"ec2:DescribeSubnets",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeKeyPairs",
				"s3:ListBucket",
				"s3:ListBucketVersions",
				"s3:ListAllMyBuckets",
				"s3:GetBucketLocation",
				"compute-optimizer:GetEnrollmentStatus",
				"rds:DescribeCertificates"
			],
			"Resource": "*"
		}
	]
}

Copy the Access key ID and Secret access key from your AWS Management Console now. You will need them when creating the segment.
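The following script is an added example, not part of this page or of Alloy's own software. It holds a constructed copy of the policy document above, checks that every action is a read-only Describe/List/Get action with no wildcards, reports any action beyond the list on this page (so a copy of the policy that someone has "helpfully" widened with s3:GetObject or iam:* is caught before the access keys are issued), and returns the AWS CLI commands that create the policy, the user and its access key. The user name alloy-audit, the policy name AlloyAuditReadOnly and the file name alloy-aws-audit-policy.json are assumptions; the script uses only the standard library and does not contact AWS by itself.

```python
"""Check the Alloy AWS audit policy is read-only and plan the IAM setup.

Added example, not Alloy's code. Names of the user, policy and policy file
are hypothetical; the AWS CLI commands are returned, not executed.
"""
import re

# Constructed copy of the policy document shown on the page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeVolumes",
            "rds:DescribeDBInstances", "ec2:DescribeAvailabilityZones",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeVpcs",
            "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeKeyPairs", "s3:ListBucket", "s3:ListBucketVersions",
            "s3:ListAllMyBuckets", "s3:GetBucketLocation",
            "compute-optimizer:GetEnrollmentStatus", "rds:DescribeCertificates",
        ],
        "Resource": "*",
    }],
}

# Only these verbs are acceptable for an audit-only identity.
READ_ONLY_VERB = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z0-9]+$")


def _actions(stmt):
    """Normalise Action to a list (IAM allows a bare string)."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def validate_read_only(policy):
    """Return a list of findings; an empty list means the policy is read-only."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        where = f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: Effect must be Allow for an audit policy")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource grant more than listed")
        for action in _actions(stmt):
            # A wildcard ("ec2:*") or a non-read verb (iam:CreateUser) is a finding.
            if "*" in action or not READ_ONLY_VERB.match(action):
                findings.append(f"{where}: non-read-only action {action}")
    return findings


def actions_beyond_page(policy):
    """Sorted actions present in `policy` but absent from the page's list.

    Catches read-only-looking but unnecessary grants such as s3:GetObject,
    which reads bucket contents the audit never needs.
    """
    allowed = {a for s in PAGE_POLICY["Statement"] for a in _actions(s)}
    found = {a for s in policy.get("Statement", []) for a in _actions(s)}
    return sorted(found - allowed)


def iam_setup_commands(user_name, policy_name, policy_file):
    """AWS CLI argv lists that create the policy, the user and its access key.

    The policy ARN is only known after create-policy returns, so the attach
    step carries a placeholder for the caller to substitute.
    """
    return [
        ["aws", "iam", "create-policy", "--policy-name", policy_name,
         "--policy-document", f"file://{policy_file}"],
        ["aws", "iam", "create-user", "--user-name", user_name],
        ["aws", "iam", "attach-user-policy", "--user-name", user_name,
         "--policy-arn", "<ARN returned by create-policy>"],
        ["aws", "iam", "create-access-key", "--user-name", user_name],
    ]


if __name__ == "__main__":
    findings = validate_read_only(PAGE_POLICY)
    print("OK, policy is read-only" if not findings else "\n".join(findings))
    for argv in iam_setup_commands("alloy-audit", "AlloyAuditReadOnly",
                                   "alloy-aws-audit-policy.json"):
        print(" ".join(argv))
```

Save the JSON from this page as alloy-aws-audit-policy.json, run the script, and execute the printed commands in order, pasting the Arn from create-policy into attach-user-policy. The create-access-key output is the only time AWS shows the Secret Access Key; paste it straight into the segment's Credentials section rather than storing it elsewhere.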

Create an AWS segment

Follow these steps to set up a new AWS segment and provide the necessary credentials for scanning and auditing your cloud resources.

To create an AWS segment:

  1. In the left navigation sidebar, choose Network.

  2. In the Network section, click on the Segments tile.

  3. Click the + New Segment button.

  4. Select the AWS icon and click Next to open the new segment's configuration parameters.

  5. In the Select or install Audit Service section, click the down arrow and choose a previously deployed Audit Service instance.

    TIP: If none of the registered services apply, click Download Alloy Audit Service, and then run the installation package on a computer with internet access. Once the Alloy Audit Service is installed, it appears in the list above, so you can select it and proceed with the configuration.

  6. Expand the AWS section.

  7. The Name of the new segment is assigned automatically, but you can edit it if necessary.

  8. Under Available resources, select the cloud resources you want to scan.

  9. Expand the Credentials section and enter the AWS credentials for the IAM user or role used for the audit:

    • Access key ID: Enter the access key ID for the IAM user or role.

    • Secret access key: Enter and confirm the secret access key for the same IAM user or role.

    You can obtain these credentials from the AWS Management Console when creating the IAM user or role.

    INFO: For details, refer to Segment audit credentials.

  10. Setting a Scan schedule is optional at this stage. Click Continue without a schedule to skip it, or choose a scan frequency (Daily, Weekly, or Monthly) and specify the details.

  11. The final step, Let's get started! Discover where to find the results, shows where you can find discovered resources.

    After creating the segment, it will appear in the Network section and can be scanned either automatically or on demand.

    The first scan performs discovery only, listing resources by name. To collect detailed information about a resource, you must run an audit. Audited resources are automatically added to the Inventory section.

    IMPORTANT: Scanning lists only resource names and does not count toward your licensed nodes. Auditing collects detailed information and does count. For details and best practices, see Scanning and auditing.

  12. To finalize the process, click Create.