AWS EC2 Discovery

Privileged Access Manager Discovery Queries for Amazon EC2 Instances.

As more businesses begin or continue to move critical infrastructure to cloud systems like AWS, the security to find, access and manipulate these services becomes ever increasing and vital.

Using Privileged Access Manager, administrators can discover these instances, secure access to them, rotate their SSH keys and enable auditing and recording to ensure only trusted users can access these critical, cloud based systems.

In addition, the Auto-Import option will create Records for newly discovered hosts.

In this article, the Discovery process to allow authorized Administrators the ability to automatically detect these instances will be described.

 

Configure Privileged Asset Discovery for AWS EC2 Instances:

  1. Login to the System using a System Administrator account.
  2. Navigate to Administration > Discovery.
  3. Create a new Discovery query by clicking the Add Query button and then select Add Amazon EC2 Query.
  4. FAQ-AWS-Discovery-Query-Options

  5. A new Amazon EC2 Discovery configuration page will appear with the following options:

    1. Name: The name of the discovery query.

    2. Access Key: Enter the Access Key to be used for connecting to AWS.

    3. Secret Key: Enter the Secret Key associated to the Access Key, to be used for connecting to AWS.

    4. Host Field: Select the value that will be displayed in the Host Field when compiling the Discovery Report.

    5. Name Field: Select the value that will be displayed in the Name Field when compiling the Discovery Report.

    6. Regions: Check all the regions that are to be included in the discovery scan. At least one region must be checked.

    7. Use PowerShell: Check the box to enable the use of PowerShell for the scan (for Windows endpoints). Only PowerShell or SSH can be selected per query. If you would like to use both Protocols, then a second query must be created.

    8. Use SSH: Check the box to enable the use of SSH for the scan (for Unix or Linux based endpoints). Only PowerShell or SSH can be selected per query. If you would like to use both Protocols, then a second query must be created.

    9. Non-Standard Ports: Comma-separated list of non-standard ports to try during host discovery. If not specified the discovery process will attempt to connect to a remote host using port 22 for the SSH protocol and to the WS-Management port 5985 for the PowerShell protocol.

    10. Accounts: Enter the account(s) that will be used to attempt communication with the found endpoints. You may add one or more accounts for each discovery query and can specify either a Password or Private Key.

    11. Enable Auto-Import: Check this box to enable the results of this query to be automatically imported and created as managed records. This applies to newly discovered hosts only.

    12. Record Type for Auto-Import: Select the Record Type that will be used when creating the auto-imported hosts. This record type will be applied to all auto-imported hosts.

    13. Folder for Auto-Import: Select the container where the hosts will be automatically imported into. If left empty, all discovered hosts will be imported into the System Root Folder.

    14. Auto-Import Filter: The auto-import process will only import records that contain either the Windows Service or Service Account (Log On As or Run As…) that is selected by this provided filter.

    15. Account Type for Auto-Import: (All) This parameter defines which account will be associated with the discovered record during the auto-import process. The following options are available:

      • Use connected account: Auto-import process will use the account successfully connected to the destination host during discovery process as an account on record.
      • Use referenced account: Auto-import process will use the specified referenced record as an account on record. Use this option when several discovered and imported records reference the same account.
      • Use provided account: Auto-import process will use the specified account as an account on record. Use this option to associate specific account with the newly imported records. Typically, a record type shadow account is used to set password for the imported record.
    16. Reference Record for Auto-Import: (Use referenced account) Auto-import process will use the specified record as a referenced record for all imported records. Typically, this option is used when several imported records should reference the same account (such as Windows domain Administrator).

    17. Account for Auto-Import: (Use provided account) Auto-import process will use the specified account as an account on record for all imported records (for example, Windows local Administrator). Typically, record type shadow account will be used to set password for the specified account upon record creation.

    18. Enable Query: Check this box to enable the query. Uncheck to disable the query.

  6. Click the Save button when finished.

FAQ-AWS-Discovery-Query-View-Option