Recommended Agent: On-Demand
Supported Agents: On-Demand or Self-Hosted
Is Auto-Discovered By: N/A
Can Auto-Discover: N/A
Parent/Child Type Inspector: No
Inspection via: API
Data Summary: Here
Video isn't playing? Click here.
Sign into Amazon Web Services
Log into AWS
Complete Multi-factor Authentication
Select Services in the Menu
Select IAM under the Security, Identity, & Compliance heading
LiongardWorkspacesReadOnly (Custom Access, optional)
- If you would like to record Workspaces information, then you can add a read-only permission for Workspaces like this.
On the left-hand menu select Policies, and then select Create Policy
Locate the Workspaces service
Select on Workspace, then select the checkboxes next to the List and Read permissions
Expand Resources and select the checkbox to the left of Any in this account next to workspacebundle
Select Review policy at the bottom right
Name the policy "LiongardWorkspacesReadOnly," then select Create Policy
On the left-hand menu select Groups
Select Create New Group
Name the Group APIReaderAccess
Click Next Step at the bottom right
Add the following Policies:
- LiongardWorkspacesReadOnly (Optional from step 2 above)
If you encounter an issue during an Inspection, you can review the logs to determine which AWS Service it may be failing on. You will need to attach additional ReadOnlyAccess policies to the Group. For example, if a customer utilizes Lambda, the AWSLambdaReadOnlyAccess Policy should be added.
Click Next Step at the bottom right
Review the policies attached, and select Create Group at the bottom to proceed
The confirmation screen should show the list of Groups and there should be zero (0) users attached to the group. Now, select the Users menu item.
Select Add user
Please refer to your organization's naming convention policies when creating usernames. Usernames we state in the documentation are suggestions only.
Name the User account and select Programmatic access
We recommend using the convention "liongard-awsapi-MMDD" or a random string at the end
Add the User created to the Group made in the prior steps
Add the API Reader Access Group and select Create User
Download the Access key ID and the Secret access key and save to a vault.
In Liongard, navigate to Admin > Inspectors > Navigate to the Amazon Web Services Inspector > Select Add System.
Fill in the following information:
- Environment: Select the Environment this System Inspector should be associated to
- Friendly Name: Suggested "AWS [Environment Name]"
- Agent: On-Demand
- Inspector Version: Latest
- Access Key ID: The ID of the account you created in the steps above
- Secret Access Key: The Key should reside in the CSV document downloaded from the prior step
- Region: Specify the region(s) that the customer AWS stack resides. You may select more than one region
- Scheduling: The Inspector will default to run once a day at the time the Inspector is set up. Here you can adjust the schedule
Select Save. The Inspector will now be triggered to run within the minute.
If you would like this Inspector's data to be sent to ConnectWise and/or IT Glue, turn on Flexible Assets/Configurations for this Inspector:
- ConnectWise: Admin > Integrations > ConnectWise > Configuration Types > Confirm the "Configuration Auto-Updating" toggle is enabled
- IT Glue: Admin > Integrations > IT Glue > Flexible Assets > Confirm the "Flexible Asset Auto-Updating" toggle is enabled
For more information, please watch our How To video
To import Amazon Web Services Inspectors via CSV Import, navigate to Admin > Inspectors > Amazon Web Services > Select the down arrow icon in the top right-hand to Download CSV Import Template.
In the CSV Template, each row, starting on row three, will represent an Inspector. Fill in the following information for each Inspector you want to roll out:
- Agent.Name: Enter "On-Demand Agent"
- Inspector.Name: Enter "aws-inspector"
- Environment.Name: This column is case sensitive. Copy and paste the associated Environment name from the Dashboard screen
- Alias: Enter the Desired Friendly Name
- SecureConfig.AWS_ACCESS_KEY_ID: Enter the ID of the account you created in the Inspector Setup Preparation
- SecureConfig.AWS_SECRET_ACCESS_KEY: Enter the Key from the CSV document downloaded in the Inspector Setup Preparation
- Config.AWS_REGION: Enter the region where the customer's AWS stack resides. If you would like to inspect multiple regions, you will need to add a column to the left called "Config.AWS_REGION", "Config.AWS_REGION", etc., and in each column enter the additional region that you would like to inspect
- FreqType: Enter "days"
- FreqInterval: Enter "1"
When ready to Import the CSV Template of Inspectors, navigate to Admin > Inspectors > Amazon Web Services > Select the up arrow icon in the top right-hand to Import CSV > Select your saved template.
After the successful import notification, reload your browser to find your imported Inspectors.
These Inspectors will automatically trigger themselves to run within a minute.
Often an AWS failure will be due to the API key no longer being valid. This usually means the API key has been deleted.
Updated about a month ago