Our next-gen architecture is built to help you make sense of your ever-growing data Watch a 4-min demo video!

Start Free Trial Request Demo
Back to All Docs

Cloud Security Posture Management (CSPM) – Amazon Web Services (AWS) Cloud Security Posture Management (CSPM) – Amazon Web Services (AWS)

Last Updated: Mar. 20, 2023

Cloud Security Posture Management (CSPM) helps to mitigate and minimize cloud data security breaches and to assess the overall posture of the entire cloud environment against best practices and compliance standards to help remediate issues.

CSPM tools verify that cloud configurations follow security best practices and compliance standards such as CIS, Azure, and GCP benchmarks as well as PCI and HIPAA frameworks. As companies are increasingly moving to the cloud, CSPM is becoming a necessary aspect of security insights.

The CSPM can be installed using the following methods:

  1. Docker container
  2. Kubernetes CronJob

Coralogix GRPC endpoints

Irelandng-api-grpc.coralogix.com
Stockholmng-api-grpc.eu2.coralogix.com
Singaporeng-api-grpc.coralogixsg.com
Mumbaing-api-grpc.app.coralogix.in
United Statesng-api-grpc.coralogix.us

For each installation method, we need to pass the following environment variables:

API_KEYUnder “Send your data” on your Coralogix account
APPLICATION_NAMESet the application name
SUBSYSTEM_NAMESet the subsystem name
COMPANY_IDThe company ID from the settings screen in your Coralogix account
CORALOGIX_ENDPOINT_HOSTCoralogix GRPC endpoint
CLOUD_PROVIDERThe Cloud Provider that CSPM will be deployed into in lowercase (e.g. aws, gcp, etc)
TESTER_LISTIf specified, will run the tests on the specified service, otherwise will run tests on all the AWS services. leave empty to run all testers, otherwise, comma separated per tester name without spaces
REGION_LISTIf specified, will check only the specified regions (For global services like AWS S3, IAM and Route53, make sure you add region “global”). Otherwise, the tests will be conducted in all regions. leave empty to run on all regions, otherwise, comma separated per region name without spaces
AWS_DEFAULT_REGIONAWS default region for authentication
ROLE_ARN_LISTAn additional role(s) that can be assumed from other AWS accounts to scan. leave empty to run on the current account, for additional accounts, add in a comma-separated manner per role ARN without spaces.
Note: please follow the instructions below for multi-account configuration
CORALOGIX_ALERT_API_KEY(Optional parameter) Under “Alerts, Rules and Tags API Key” on your Coralogix account.
When providing this variable, a custom enrichment for failed resources will be created in Coralogix’s account at the end of each run if specified

Installing as a Docker container

Prerequisites

  1. EC2 Instance
    • The minimum Instance Type should be “t3a.small
    • Internet connectivity (thorough Internet/NAT Gateway)
  2. IAM Role with the following policy attached to the instance
  3. Docker installed on the EC2 instance – refer to Docker documentation

Note that the instance type will affect the run time, so it’s up to a personal preference and is affected by the environment size.

Deploying

After prerequisites are met, download the docker image using the following command (if the following command hasn’t run, the image will still be downloaded automatically in the next step):

docker pull coralogixrepo/snowbit-cspm

In order to automate the process, use Crontab in the following manner:

Create the crontab using your favorite editor

sudo crontab -e

Inside the document, on the bottom, paste the following one-liner (note that the API_KEY and the CORALOGIX_ENDPOINT_HOST fields are mandatory)

*/10 * * * * docker rm snowbit-cspm ; docker rmi coralogixrepo/snowbit-cspm ; docker run --name snowbit-cspm -d -e PYTHONUNBUFFERED=1 -e CLOUD_PROVIDER="choose_the_cloud_provider - aws / gcp" -e AWS_DEFAULT_REGION="eu-west-1" -e CORALOGIX_ENDPOINT_HOST="coralogix_grpc_endpoint" -e APPLICATION_NAME="application_name" -e COMPANY_ID=<coralogix_company_ID> -e SUBSYSTEM_NAME="subsystem_name" -e TESTER_LIST="" -e API_KEY="send_your_data_api_key" -e REGION_LIST="" -e ROLE_ARN_LIST="" -e CORALOGIX_ALERT_API_KEY="" --network host -v ~/.aws:/root/.aws coralogixrepo/snowbit-cspm

The above command will run once a day, every day at 00:00, and consists of two commands:

  • docker rm snowbit-cspm – removes the last docker container if exists
  • docker run –name snowbit-cspm [Options…] – runs a new container sequence

Installing as a Kubernetes CronJob in EKS – via kubectl and eksctl

In order to deploy the image in a pod that follows the principle of least privileged, we should use a service account that assumes the needed role at the start of each job and doesn’t inherit its permission from his host node.

Prerequisites

  1. An existing Amazon EKS cluster
  2. Version 2.7.21 or later or 1.25.46 or later of the AWS CLI installed and configured on your device or AWS CloudShell
  3. The kubectl command line tool is installed on your device or AWS CloudShell
  4. The eksctl command line tool is installed on your device or AWS CloudShell
  5. An existing kubectl config file that contains your cluster configuration
  6. IAM policy with the following permissions

Before Deploying

Determine whether you have an existing IAM OIDC provider for your cluster:

  • Retrieve your cluster’s OIDC provider ID and store it in a variable:
oidc_id=$(aws eks describe-cluster --name my-cluster --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
  • Determine whether an IAM OIDC provider with your cluster’s ID is already in your account
aws iam list-open-id-connect-providers | grep $oidc_id

Note: If the output is returned from the previous command, then you already have a provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster

Deploying

If the output from the above test is blank, create an IAM OIDC identity provider for your cluster with the following command. Replace “my-cluster” with your own value

eksctl utils associate-iam-oidc-provider --cluster my-cluster --approve

Configuring a Kubernetes service account to assume an IAM role (the policy ARN is the policy created in section 6 of the above prerequisites)

eksctl create iamserviceaccount --name my-service-account --namespace default --cluster my-cluster --role-name "my-role" --attach-policy-arn arn:aws:iam::111111111111:policy/my-policy --approve

Use the following CronJob configurations:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: snowbit-cspm-cronjob
  namespace: <optional - when using the default, remove entire row>
spec:
  schedule: "*/10 * * * *"
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: <my-service-account>
          hostNetwork: true
          containers:
          - image: coralogixrepo/snowbit-cspm
            name: snowbit-cspm-cronjob
            command: ["python3"]
            args: ["lambda_function.py"]
            env:
              - name: API_KEY
                value: "send_your_data_api_key" 
              - name: CORALOGIX_ENDPOINT_HOST
                value: "coralogix_endpoint"
              - name: CLOUD_PROVIDER
                value: "choose_the_cloud_provider - aws / gcp"
              - name: APPLICATION_NAME
                value: "application_name"
              - name: SUBSYSTEM_NAME
                value: "subsystem_name"
              - name: TESTER_LIST
                value: ""
              - name: REGION_LIST
                value: ""
              - name: ROLE_ARN_LIST
                value: ""
              - name: COMPANY_ID
                value: "<coralogix_company_ID>"
              - name: PYTHONUNBUFFERED
                value: "1"
              - name: AWS_DEFAULT_REGION
                value: "eu-west-1"
              - name: CORALOGIX_ALERT_API_KEY
                value: ""
          restartPolicy: OnFailure

Save the above content into a .yaml file and execute the following command:

kubectl create -f Cronjob.yaml

Configuring the scan settings

Inside the security tab in your Coralogix account, you will find the SCAN SETTINGS button:

  1. Scan Now will start the scan of the selected environment(s) in up to 10 minutes from pressing (according to the configured cronjob)
  2. Scan Schedule allows choosing the frequency of the scans, and the start time of each scan. the default is every 24 hours

Multi-Account Configuration

Definitions

  • Primary Account – the account that the CSPM is initially was deployed at
  • Additional Account – an account that you wish to be scanned on top of the Primary Account

For each Additional Account

  1. go to IAM > Roles and click “Create role”
  2. choose “AWS account”
  3. Below, choose “Another AWS account” and paste the account ID of the primary account
  4. for permissions, create and add the following policy
  5. Give the Role a name and Click “Create role”
  6. Go to the role and copy his ARN

For Primary Account

  1. Add the following policy to the existing CSPM Role (done in the initial deployment)
  2. For more than one additional account, add the ARN to the resource key in an array

Example for one additional account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CSPMMultiAccountAccess",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<additional_account>:role/<role_name_from_additional_account>"
        }
    ]
}

Example for more than one additional account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CSPMMultiAccountAccess",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::<additional_account_1>:role/<role_name_from_additional_account_1>",
                "arn:aws:iam::<additional_account_2>:role/<role_name_from_additional_account_2>",
                ...
            ]
        }
    ]
}

Add the Environmental Variable to the Docker\Kubernetes command

  1. use the ROLE_ARN_LIST environmental variable as listed above to point each run to use the role ARN in all the additional accounts.
  2. when using more than one account, use comma-separated strings without spaces.

On this page