Support
Web Asset Discovery

Configuring AWS Connections

This document is for:
Invicti Enterprise On-Demand

Configuring an AWS Connection is a 4-step process:

  • Prepare a permissions policy for your IAM User to allow the connection to access relevant resources
  • Create an IAM user in your AWS account to use the user's credentials for the connection (Access Key ID and Secret Access Key), attaching the policy you created in the previous step
  • Create Access keys for your IAM user
  • Create the AWS Connection in Invicti Enterprise

AWS Connection is Cloud-Only

This feature is currently available only for the Cloud version of Invicti Enterprise.

Prepare a permissions policy for your IAM User

  • Navigate to the IAM -> Policies page in your AWS account

  • Click the Create policy button

  • In the Specify permissions page, click the JSON button and edit the policy in the Policy editor panel to read as follows:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "Statement1",

            "Effect": "Allow",

            "Action": [

                "ec2:DescribeInstances",

                "ec2:DescribeSecurityGroups"

            ],

                "Resource": "*"

        }

    ]

}

  • Click on the Next button

  • In the Policy details page, set the Policy name field and click the Create policy button

Create an IAM User in your AWS account

  • Navigate to the IAM -> Users page in your AWS account

  • click the Add users button

  • Set the User name field and click the Next button
  • In the Set permissions page

  • click the Attach policies directly option
  • identify the policy you created previously and select it
  • click the Next button

  • In the Review and create page, click the Create user button

Create Access keys for your IAM user

  • Navigate to the IAM -> Users -> InvictiExampleUser (substitute the user name for your own chosen user name) in your AWS account

  • Below the Summary panel, click on the Security credentials tab

  • Scroll down to the Access keys panel and click the Create access key button

  • In the Access key best practices & alternatives page:
  • select the Third-party service option
  • enable the checkbox labeled I understand the above recommendation and want to proceed to create an access key
  • Invicti Enterprise is currently able to connect to AWS using Access keys
  • you should be mindful of the warning panel, and contain your risk by:
  • using Access keys with a relatively short expiry period
  • rotating Access keys regularly to maintain security
  • never create Access keys for a root user
  • click the Next button

  • In the Set description tab page:
  • you may optionally add a tag value for the Access key
  • click the Create access key button

  • In the Retrieve access keys page:
  • take a copy of the Access key and the Secret access key; you will need this information when you create the AWS Connection in Invicti Enterprise
  • click the Done button

Create the AWS Connection in Invicti Enterprise

  • Log in to Invicti Enterprise

  • From the sidebar, select the Discovery -> Connections option

  • Click the New AWS Connection button

  • In the AWS Connection Settings page:
  • set the Name field to identify your AWS Connection
  • set the AWS Access Key ID field
  • set the AWS Secret Access Key field
  • set the AWS Region field by entering a list of regions (one region per line)
  • you can optionally instruct the Discovery Service to also capture websites that might be unreachable from outside of the AWS infrastructure
  • Click the Save and Recrawl button

  • Your newly-created AWS Connection is now listed
  • To see the results, navigate to the Discovery -> Discovered Websites from the sidebar
  • You can use the Edit and Delete buttons to make changes to your list of AWS Connections; remember to delete any unused AWS Access Keys from your AWS account

Discovery Service Query Interval

Discovery Service queries are queued, and results can take up to 24 hours before showing up on the Discovered Websites page.