Set up Cloud Asset Discovery for AWS
This page explains how to set up the Cloud Asset Discovery integration to inventory assets in AWS.
- The user who gives the Cloud Asset Discovery integration AWS permissions must be an AWS account admin.
- The Cloud Asset Discovery integration is available to all Elastic Cloud users. On-premise deployments require an appropriate subscription.
- The Cloud Asset Discovery integration supports only the AWS commercial cloud platform. AWS GovCloud is not supported. To request support, open a GitHub issue.
You can set up Cloud Asset Discovery for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the integration, then enable cloud account access.
Two deployment technologies are available: agentless and agent-based.
- Agentless deployment allows you to collect cloud posture data without having to manage the deployment of Elastic Agent in your cloud.
- Agent-based deployment requires you to deploy and manage Elastic Agent in the cloud account you want to monitor.
To use agentless deployment:
- Find Integrations in the navigation menu or use the global search field.
- Search for and select Cloud asset discovery.
- Click Add Cloud Asset Discovery.
- Select AWS, then either AWS Organization to onboard multiple accounts, or Single Account to onboard an individual account.
- Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, dev-aws-account.
- In Deployment options, select Agentless.
Next, you’ll need to authenticate to AWS. The following methods are available:
Option 1: Cloud connector (recommended).
- To use a pre-existing cloud connector for this deployment, select Existing connection, then the cloud connector's name.
- To use a new cloud connector: under New connection, enter a Cloud Connector Name, then expand the Steps to assume role section. Complete the instructions to generate a Role ARN and External ID; enter them in Kibana. The External ID is the value the role’s trust policy checks on sts:AssumeRole, so that only this connector can assume the role (AWS’s confused-deputy protection); do not remove that condition from the trust policy.
Option 2: Direct access keys/CloudFormation. For Preferred method, select Direct access keys. Expand the Steps to Generate AWS Account Credentials section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation.
Note: If you don’t want to monitor every account in your organization, specify which to monitor using the OrganizationalUnitIDs field that appears after you click Launch CloudFormation.
Option 3: Temporary keys. To authenticate using temporary keys, refer to the instructions for temporary keys.
Once you’ve selected an authentication method and provided all necessary credentials, click Save and continue to finish deployment. Your data should start to appear within a few minutes.
To use agent-based deployment:
- Find Integrations in the navigation menu or use the global search field.
- Search for and select Cloud asset discovery.
- Click Add Cloud Asset Discovery.
- Select AWS, then either AWS Organization to onboard multiple accounts, or Single Account to onboard an individual account.
- Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, dev-aws-account.
Cloud Asset Discovery requires access to AWS’s built-in SecurityAudit IAM policy in order to discover resources in your cloud account. There are several ways to provide access.
For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described next on this page.
- From the Add Cloud Asset Discovery integration menu, in Setup Access, select CloudFormation.
- In a new browser tab or window, log in as an admin to the AWS account or organization you want to onboard.
- Return to your Kibana tab. Click Save and continue at the bottom of the page.
- Review the information, then click Launch CloudFormation.
- A CloudFormation template appears in a new browser tab.
- For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template’s OrganizationalUnitIds field. You can find organizational unit IDs in the AWS console under AWS Organizations → AWS Accounts (under each organization’s name). You can also use this field to specify which accounts in your organization to monitor, and which to skip.
- (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner.
- Tick the checkbox in Capabilities to authorize the creation of necessary resources. This is CloudFormation’s acknowledgement that the stack creates IAM resources, so review the template’s IAM roles and policies before ticking it.
- At the bottom of the template, select Create stack.
When you return to Kibana, click View assets to review the data being collected by your new integration.
If you’re onboarding a single account instead of an organization, skip this section.
When using manual authentication to onboard at the organization level, you need to configure the necessary permissions using the AWS console for the organization where you want to deploy:
In the organization’s management account (root account), create an IAM role called cloudbeat-asset-inventory-root (the name is important). The role needs several policies:
- The following inline policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "organizations:List*",
        "organizations:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

- The following trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Management Account ID>:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

- Replace <Management Account ID> in the trust policy with the management account’s AWS account ID.
- The AWS-managed SecurityAudit policy.
Next, for each account you want to scan in the organization, create an IAM role named cloudbeat-asset-inventory-securityaudit with the following policies:
- The AWS-managed SecurityAudit policy.
- The following trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Management Account ID>:role/cloudbeat-asset-inventory-root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

- Replace <Management Account ID> in this trust policy with the management account’s AWS account ID (not the member account’s own ID). This is what allows the root role in the management account to assume the audit role in each member account.
After creating the necessary roles, authenticate using one of the manual authentication methods.
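The two role definitions above, rendered and sanity-checked in Python. This is an added example, not Elastic’s or AWS’s tooling: it only builds the policy documents offline, and applying them with the console or AWS CLI is still up to you. The account ID 111122223333 is a constructed placeholder, and the optional scope_to_member_role flag, which narrows the inline policy’s sts:AssumeRole Resource from "*" to the member role name, is this example’s own least-privilege suggestion rather than something the page requires.

```python
"""Render and sanity-check the IAM policy documents for the organization-level
cloudbeat-asset-inventory roles.

Added example, not Elastic's code. Builds JSON offline only; the operator still
creates the roles in AWS.
"""
import json
import re

ROOT_ROLE = "cloudbeat-asset-inventory-root"
MEMBER_ROLE = "cloudbeat-asset-inventory-securityaudit"
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

_ACCOUNT_ID = re.compile(r"^\d{12}$")


def _check_account_id(account_id: str) -> str:
    """AWS account IDs are exactly 12 digits; catch copy/paste mistakes early."""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"invalid AWS account ID: {account_id!r}")
    return account_id


def root_role_inline_policy(scope_to_member_role: bool = False) -> dict:
    """Inline policy for the root role, as documented.

    scope_to_member_role=True restricts sts:AssumeRole to the member role name
    instead of "*". That tightening is this example's suggestion (assumption),
    not part of the documented policy.
    """
    assume_resource = f"arn:aws:iam::*:role/{MEMBER_ROLE}" if scope_to_member_role else "*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["organizations:List*", "organizations:Describe*"],
             "Resource": "*", "Effect": "Allow"},
            {"Action": ["sts:AssumeRole"],
             "Resource": assume_resource, "Effect": "Allow"},
        ],
    }


def root_role_trust_policy(management_account_id: str) -> dict:
    """Trust policy for the root role: the management account and EC2 may assume it."""
    acct = _check_account_id(management_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{acct}:root"},
             "Action": "sts:AssumeRole"},
            {"Effect": "Allow",
             "Principal": {"Service": "ec2.amazonaws.com"},
             "Action": "sts:AssumeRole"},
        ],
    }


def member_role_trust_policy(management_account_id: str) -> dict:
    """Trust policy for each member account's role: only the root role may assume it."""
    acct = _check_account_id(management_account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{acct}:role/{ROOT_ROLE}"},
             "Action": "sts:AssumeRole"},
        ],
    }


def assume_chain_is_consistent(management_account_id: str) -> bool:
    """The principal every member trusts must be exactly the root role in the
    management account; a member ID pasted here by mistake breaks the hop."""
    expected = f"arn:aws:iam::{management_account_id}:role/{ROOT_ROLE}"
    member = member_role_trust_policy(management_account_id)
    principals = {s["Principal"].get("AWS") for s in member["Statement"]}
    return principals == {expected}


def render_all(management_account_id: str, scope_to_member_role: bool = False) -> dict:
    """Return the three documents as JSON strings, keyed by a suggested file name."""
    return {
        "root-inline-policy.json": json.dumps(root_role_inline_policy(scope_to_member_role), indent=2),
        "root-trust-policy.json": json.dumps(root_role_trust_policy(management_account_id), indent=2),
        "member-trust-policy.json": json.dumps(member_role_trust_policy(management_account_id), indent=2),
    }


if __name__ == "__main__":
    # Constructed placeholder management account ID; replace with your own.
    for name, doc in render_all("111122223333", scope_to_member_role=True).items():
        print(f"# {name}\n{doc}\n")
```

The rendered files can be fed straight to `aws iam create-role --assume-role-policy-document file://...` and `aws iam put-role-policy --policy-document file://...`, with the SecurityAudit managed policy attached by its ARN in SECURITY_AUDIT_POLICY_ARN.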
When deploying to an organization using any of the authentication methods on this page, you need to make sure that the credentials you provide grant permission to assume cloudbeat-asset-inventory-root privileges.
- Default instance role (recommended)
- Direct access keys
- Temporary security credentials
- Shared credentials file
- IAM role Amazon Resource Name (ARN)
Whichever method you use to authenticate, make sure AWS’s built-in SecurityAudit IAM policy is attached.
If you are deploying to an AWS organization instead of an AWS account, you should already have created a new role, cloudbeat-asset-inventory-root. Skip to step 2 "Attach your new IAM role to an EC2 instance", and attach this role. You can use either an existing or new EC2 instance.
Follow AWS’s IAM roles for Amazon EC2 documentation to create an IAM role using the IAM console, which automatically generates an instance profile.
Create an IAM role:
- In AWS, go to your IAM dashboard. Click Roles, then Create role.
- On the Select trusted entity page, in Trusted entity type, select AWS service.
- In Use case, select EC2. Click Next.
- On the Add permissions page, search for and select SecurityAudit. Click Next.
- On the Name, review, and create page, name your role, then click Create role.
Attach your new IAM role to an EC2 instance:
- In AWS, select an EC2 instance.
- Select Actions > Security > Modify IAM role.
- On the Modify IAM role page, search for and select your new IAM role.
- Click Update IAM role.
- Return to Kibana and finish manual setup.
Make sure to deploy Cloud Asset Discovery to this EC2 instance. Because Elastic Agent obtains the role’s credentials from the instance metadata service, require IMDSv2 on the instance (metadata tokens required) so the credentials cannot be read with a plain unauthenticated metadata request. When completing setup in Kibana, in the Setup Access section, select Assume role. Leave Role ARN empty for agentless deployments. For agent-based deployments, leave it empty unless you want to specify a role the Elastic Agent should assume instead of the default role for your EC2 instance. Click Save and continue.
Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the Access key ID and the Secret Access Key. After you provide credentials, finish manual setup.
For more details, refer to Access Keys and Secret Access Keys.
You must select Programmatic access when creating the IAM user. Create a dedicated IAM user with only the SecurityAudit policy attached for this purpose; do not use the root user’s access keys.
You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a session token, which are typically obtained using GetSessionToken.
Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration’s configuration to continue collecting data. Update the credentials before they expire to avoid data loss.
IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code when calling GetSessionToken. For more details, refer to AWS’s Temporary Security Credentials documentation.
You can use the AWS CLI to generate temporary credentials. For example, you could use the following command if you have MFA enabled (the serial number is the ARN of your MFA device; 129600 seconds is 36 hours, the longest session an IAM user can request):

```shell
aws sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456
```

The output from this command includes the following fields, which you should provide when configuring the integration:
- Access key ID: The first part of the access key.
- Secret Access Key: The second part of the access key.
- Session Token: The required token when using temporary security credentials.
After you provide credentials, finish manual setup.
If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS’s Shared Credentials Files documentation.
Instead of providing the Access key ID and Secret Access Key to the integration, provide the information required to locate the access keys within the shared credentials file:
- Credential Profile Name: The profile name in the shared credentials file.
- Shared Credential File: The path of the shared credentials file.
The file is read by the host running Elastic Agent, so it must exist there and should be readable only by the agent’s user.
If you don’t provide values for all configuration fields, the integration will use these defaults:
- If Access key ID, Secret Access Key, and ARN Role are not provided, then the integration will check for Credential Profile Name.
- If there is no Credential Profile Name, the default profile will be used.
- If Shared Credential File is empty, the default location will be used. For Linux or Unix, the shared credentials file is located at ~/.aws/credentials.
After providing credentials, finish manual setup.
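The temporary-credential and shared-credentials-file sections above in one worked script: it parses the JSON that aws sts get-session-token prints, reports how long the credentials remain valid, writes them into a named profile in the credentials file format, and resolves a profile using the fallback order listed above. This is an added example, not Elastic’s or AWS’s code; the STS output is a constructed sample with fake values, the profile name elastic-temp is this example’s choice, and the Shared Credential File field is treated as a file path.

```python
"""Temporary credentials end to end: parse GetSessionToken output, check
remaining validity, store the keys as a profile, and resolve a profile using
the documented fallback order (static keys or role ARN first, then the named
profile, then the default profile, then the default file location).

Added example, not Elastic's or AWS's code. SAMPLE_GET_SESSION_TOKEN is a
constructed sample with fake values, shaped like the AWS CLI's JSON output.
"""
import configparser
import io
import json
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed sample in the shape `aws sts get-session-token` prints (fake values).
SAMPLE_GET_SESSION_TOKEN = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEExampleSessionToken+With/Slashes==",
        "Expiration": "2030-01-01T12:00:00Z",
    }
})


def parse_timestamp(value: str) -> datetime:
    """STS prints ISO 8601 with a trailing Z; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_session_token_output(raw: str) -> dict:
    """Map the three fields the integration asks for, plus the expiry, to a dict."""
    c = json.loads(raw)["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        "aws_session_token": c["SessionToken"],
        "expiration": parse_timestamp(c["Expiration"]),
    }


def seconds_until_expiry(creds: dict, now: Optional[datetime] = None) -> float:
    """Negative means already expired: rotate the integration's keys before this hits zero."""
    now = now or datetime.now(timezone.utc)
    return (creds["expiration"] - now).total_seconds()


def _new_parser() -> configparser.ConfigParser:
    # interpolation=None so a '%' in a token is never treated as a format directive
    return configparser.ConfigParser(interpolation=None)


def upsert_profile(existing_ini: str, profile: str, creds: dict) -> str:
    """Return credentials-file text with `profile` added or replaced (expiry is not a file key)."""
    cfg = _new_parser()
    cfg.read_string(existing_ini)
    cfg[profile] = {k: v for k, v in creds.items() if k != "expiration"}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def credentials_file_path(shared_credential_file: str = "") -> Path:
    """Empty field -> the default location, ~/.aws/credentials on Linux/Unix."""
    return Path(shared_credential_file or "~/.aws/credentials").expanduser()


def resolve_credentials(ini_text: str, access_key_id: str = "", secret_access_key: str = "",
                        role_arn: str = "", profile_name: str = "") -> dict:
    """Apply the documented fallback order to the integration's form fields."""
    if access_key_id and secret_access_key:
        return {"source": "static-keys", "aws_access_key_id": access_key_id}
    if role_arn:
        return {"source": "assume-role", "role_arn": role_arn}
    profile = profile_name or "default"  # no profile name -> the default profile
    cfg = _new_parser()
    cfg.read_string(ini_text)
    if not cfg.has_section(profile):
        raise KeyError(f"profile {profile!r} not found in shared credentials file")
    sec = cfg[profile]
    return {
        "source": "profile",
        "profile": profile,
        "aws_access_key_id": sec["aws_access_key_id"],
        "aws_secret_access_key": sec["aws_secret_access_key"],
        "aws_session_token": sec.get("aws_session_token", ""),
    }


if __name__ == "__main__":
    creds = parse_session_token_output(SAMPLE_GET_SESSION_TOKEN)
    print(f"valid for {seconds_until_expiry(creds) / 3600:.1f} more hours")
    ini = upsert_profile("", "elastic-temp", creds)  # "elastic-temp" is this example's name
    print(ini)
    print(resolve_credentials(ini, profile_name="elastic-temp"))
    print("default file:", credentials_file_path())
```

Pipe the real CLI output into parse_session_token_output and write the result of upsert_profile to credentials_file_path() with mode 0600; the integration then only needs Credential Profile Name set to the profile you chose, and a scheduled rerun before seconds_until_expiry reaches zero keeps collection from stopping.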
An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role’s permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session.
To use an IAM role ARN, select Assume role for Preferred manual method, enter the ARN, and continue to Finish manual setup.
Once you’ve provided AWS credentials, proceed to Where to add this integration:
If you want to monitor an AWS account or organization where you have not yet deployed Elastic Agent:
- Select New Hosts.
- Name the Elastic Agent policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, dev-aws-account.
- Click Save and continue, then Add Elastic Agent to your hosts. The Add agent wizard appears and provides Elastic Agent binaries, which you can download and deploy to your AWS account.
If you want to monitor an AWS account or organization where you have already deployed Elastic Agent:
- Select Existing hosts.
- Select an Elastic Agent policy that applies to the hosts in the AWS account you want to monitor.
- Click Save and continue.