
Amazon Web Services (AWS)

Overview

To onboard your AWS accounts on Upwind so that it can monitor and analyze the assets you deploy on AWS, use one of the following workflows. The Upwind platform uses a cross-account IAM role to access your AWS account.

Setup

Use one of the following methods to integrate your AWS account(s) with Upwind.

Automatic

AWS IAM Permissions

The policy attached to the Upwind role is the AWS-managed SecurityAudit policy, and the role's trust relationship requires an external ID for secure access. This setup is designed to enable comprehensive security assessments while maintaining a high standard of security and compliance.

Role Configuration

Role: upwind-readonly-cloud-permissions (by default)

The role is configured to grant only the necessary permissions for security assessment tasks, aligning with the principle of least privilege. The SecurityAudit managed policy comprises a set of permissions that AWS has identified as essential for security auditing tasks. This includes read-only access to various AWS services and resources.

Being AWS-managed, this policy is regularly updated by AWS to include permissions for new services and to reflect changes in existing services, ensuring that security assessments remain relevant and comprehensive.

The external ID is a unique identifier used in the trust relationship of the IAM role. It acts as an additional authentication factor: no other AWS account can assume the role without presenting the specific ID. This measure mitigates the 'confused deputy' problem, where a malicious party tricks an intermediary into accessing resources it is not authorized to access.
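The following is an added example, not Upwind's own code or its real trust policy: a constructed trust policy document in the shape described above, plus a check a customer can run against a role's trust policy before onboarding to confirm that every cross-account AssumeRole grant is bound to an external ID. The account ID and external ID values are placeholders.

```python
import json

# Constructed trust policy for a cross-account role such as
# upwind-readonly-cloud-permissions. The trusted account ID and the
# external ID are placeholders, not Upwind's real values.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_statements_missing_external_id(policy):
    """Return indices of Allow statements that let another AWS account call
    sts:AssumeRole without a StringEquals sts:ExternalId condition.
    Service principals (e.g. ec2.amazonaws.com) are skipped: they are not
    the cross-account case the external ID protects against."""
    missing = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if not (principal == "*" or (isinstance(principal, dict) and "AWS" in principal)):
            continue
        # Only an exact-match operator counts; StringLike or a missing key is flagged.
        equals_block = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:externalid" not in {k.lower() for k in equals_block}:
            missing.append(idx)
    return missing


def trust_policy_is_safe(policy_json):
    """Parse a trust policy JSON document and report whether every
    cross-account AssumeRole grant requires an external ID."""
    return not assume_role_statements_missing_external_id(json.loads(policy_json))
```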

While our standard integration using the upwind-readonly-cloud-permissions role with the AWS-managed SecurityAudit policy offers a combination of security and maintenance efficiency, we recognize that some customers may require more narrowly scoped permissions due to specific compliance requirements or internal security policies. In these instances, Upwind is committed to working collaboratively with our customers to develop a set of permissions that align more closely with their individual needs.