Cloud Security Scans on AWS

Get started with our Cloud Security Scans by setting up the permissions Intruder needs to run scans against your AWS assets.

Updated this week

Overview

Intruder's integration with AWS enables automated cloud security scans to identify vulnerabilities and misconfigurations within your AWS environment.

This guide provides step-by-step instructions to configure the integration using an AWS CloudFormation template, ensuring Intruder has the necessary permissions to perform these scans.


Setting Up Cloud Security Scans on Your AWS Account using a CloudFormation Template

Step 1: Initiate AWS Account Integration in Intruder

  1. Log in to your Intruder portal.

  2. Click on the Targets tab.

  3. Click Add target > Cloud asset sync > AWS > Add account.

  4. In the modal that appears, click on the Download CloudFormation template button, and save the file to your local machine.

Step 2: Create an AWS Role Using the CloudFormation Template

  1. Log in to the AWS Management Console.

  2. In AWS, search for Stacks and select the CloudFormation feature.

  3. Click Create Stack.

  4. Under the 'Specify Template' option, select 'Upload template file', upload the CloudFormation template downloaded in Step 1, and follow the on-screen instructions.

  5. Provide a stack name and click Next.

  6. Select the checkbox under the Capabilities section (this acknowledges that the template creates IAM resources).

  7. Review the setup and click Submit.

  8. On the next screen, wait until the stack status shows that creation is complete. If it is not yet finished, click Refresh until it is done.

  9. Once the stack creation is complete, open the Outputs tab and copy the Role ARN from the Value column.

Step 3: Retrieve and Input the Role ARN in Intruder

  1. Go back to the Intruder portal.

  2. Paste the copied Role ARN into the Role ARN field.

  3. Click Add asset, configure the scan settings (including the 'Run Cloud Security scans' option), and click 'Confirm Setup'.

  4. If you selected the 'Add Cloud assets as targets' option, you will also need to confirm the setup you would like for this in the next step.

Scans are now enabled! The first scan should kick off right away, and a new scan will run once a day. We create a target that represents the cloud account, and you are redirected to its details page, where you can manage scan settings via the Settings tab.


Alternative Integration Methods

If you prefer not to use the CloudFormation template, you can manually create an IAM role and attach the following AWS-managed policies:

  • ReadOnlyAccess

  • SecurityAudit

  • AmazonBedrockReadOnly

We have outlined the instructions required to set up the correct permissions for your IAM Role in the video below:

Alternatively, you can integrate using AWS access keys. If you choose this option, make sure the access keys carry permissions equivalent to the three managed policies listed above.
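For readers who prefer to build the role themselves, the following CloudFormation template is an added illustration, not Intruder's own template: it creates a cross-account role with the three managed policies above, limits who may assume it, and outputs the Role ARN needed in Step 3. The scanner account ID, the ExternalId condition and the role name are assumptions; take the real trust-policy values from Intruder.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Illustrative cross-account read-only role for a cloud security scanner.
  Not Intruder's template; replace placeholder values before use.

Parameters:
  ScannerAccountId:
    Type: String
    Description: AWS account ID of the scanning service (placeholder value).
    Default: "111111111111"
  ExternalId:
    Type: String
    Description: Value the scanner must present when assuming the role (assumed; supplied by the vendor).
    NoEcho: true

Resources:
  CloudSecurityScanRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: CloudSecurityScanRole  # a named role requires the Capabilities acknowledgement (Step 2, item 6)
      # Trust policy: only the scanner's account may assume this role, and only
      # when it presents the agreed ExternalId (confused-deputy protection).
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ScannerAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # The three AWS-managed policies listed above; all three are read-only.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess
        - arn:aws:iam::aws:policy/SecurityAudit
        - arn:aws:iam::aws:policy/AmazonBedrockReadOnly

Outputs:
  RoleArn:
    Description: Paste this value into the Role ARN field in Step 3.
    Value: !GetAtt CloudSecurityScanRole.Arn
```

Once the stack has finished creating, the Outputs tab shows RoleArn, which is the value Step 2 asks you to copy.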


Managing and Monitoring Scans

  • Scans will run automatically once per day.

  • You will be able to view scan results on the Scans page.

If during a scan we detect that the integration is missing permissions we need for scanning, you'll see an error like the one below. The scans will still run, but one or more checks won't complete successfully, so some issues may not be found.

If we are unable to scan the account at all due to the credentials being invalid, you will see the following:

You can also see and manage the same settings in the Cloud asset details page, which you can access via the Discovery tab on the Targets page:


Plan Limits

  • Users on the Pro plan can enable scans on up to three cloud accounts simultaneously.

  • To scan additional accounts, disable scans on your existing cloud accounts as needed.


Premium Feature: AWS Organizations Integration

Users on the Premium Plan can add and scan as many cloud accounts as needed.

If you are on the Premium plan, you will have the option to import your AWS Organization (instead of having to import each individual account). The setup process will create the necessary roles and permissions automatically.

Existing users with an AWS Organization integration should download the latest templates to ensure correct permissions.

Options to enable or disable Cloud Security Scans for each imported account are shown on the Discovery tab.


Future Support for Other Cloud Providers

Currently, Intruder supports cloud security scans for AWS. Integration with additional cloud providers is planned for future updates to this feature.