This page walks you through setting up read-only AWS Inspector credentials for your Unified VRM and ingesting AWS Inspector data into Unified VRM.
Before you begin
To complete this quickstart you’ll need to have:
- Set up AWS Inspector in an AWS account
Step 1: Create IAM role in the AWS Account where Inspector is configured
The IAM role will have the following trust relationship, which allows Unified VRM to assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::490718849531:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The role will need the following permissions for the resources in your account(s):
- inspector2:ListFindings
- ec2:DescribeInstances
- resource-groups:ListGroupResources
- resource-groups:ListGroups
- cloudformation:DescribeStacks
- cloudformation:ListStackResources
- tag:GetResources
Or, instead of the individual permissions, attach these AWS managed policies:
- AmazonInspector2ReadOnlyAccess
- AmazonEC2ReadOnlyAccess
- AWSResourceGroupsReadOnlyAccess
Every other account inside the organization that Inspector is configured for will need a role with the same name and every permission listed above except the first one (inspector2:ListFindings).
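The role setup in Step 1 can be assembled and sanity-checked before anything is created in AWS. The script below is an added example and is not NopSec's own tooling: it builds the trust policy with the Unified VRM account from this page, builds the permissions policy for either the account where Inspector is configured or a member account (which omits inspector2:ListFindings), and lints the pair to confirm that only the expected principal is trusted and that every allowed action is a List/Describe/Get call with no wildcards. The role name, policy name and output file names are assumptions; the printed `aws iam` commands are the standard CLI calls for creating a role and attaching an inline policy.

```python
"""Build and lint the IAM trust and permissions policies for the Unified VRM
AWS Inspector role. Added example; not NopSec's or AWS's own tooling."""
import json
import re

# Account that Unified VRM assumes the role from (taken from the trust policy on this page).
UNIFIED_VRM_ACCOUNT = "490718849531"

# Permissions listed on this page. The first is only needed in the account
# where Inspector is configured; member accounts get the rest.
INSPECTOR_ACTION = "inspector2:ListFindings"
COMMON_ACTIONS = [
    "ec2:DescribeInstances",
    "resource-groups:ListGroupResources",
    "resource-groups:ListGroups",
    "cloudformation:DescribeStacks",
    "cloudformation:ListStackResources",
    "tag:GetResources",
]

# Assumed names; choose your own (the role name must match in every account).
ROLE_NAME = "UnifiedVRM-InspectorReadOnly"
POLICY_NAME = "UnifiedVRM-InspectorReadOnlyPolicy"


def trust_policy(trusted_account=UNIFIED_VRM_ACCOUNT):
    """Trust relationship letting the given account's principals assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(inspector_account):
    """Inline permissions; inspector2:ListFindings only where Inspector is configured."""
    actions = ([INSPECTOR_ACTION] if inspector_account else []) + list(COMMON_ACTIONS)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}],
    }


# Read-only IAM actions follow the service:Verb pattern with a List/Describe/Get verb.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(List|Describe|Get)[A-Za-z0-9]+$")


def check_policies(trust, perms, expected_account=UNIFIED_VRM_ACCOUNT):
    """Return a list of problems; an empty list means the pair matches this page's intent."""
    problems = []
    stmts = trust.get("Statement", [])
    if len(stmts) != 1:
        problems.append("trust policy should contain exactly one statement")
    for s in stmts:
        principal = s.get("Principal", {}).get("AWS")
        if principal != f"arn:aws:iam::{expected_account}:root":
            problems.append(f"unexpected trusted principal: {principal}")
        if s.get("Action") != "sts:AssumeRole":
            problems.append(f"trust action should be sts:AssumeRole, got {s.get('Action')}")
    for s in perms.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if not READ_ONLY_ACTION.match(action):
                problems.append(f"non-read-only or wildcard action: {action}")
    return problems


if __name__ == "__main__":
    trust = trust_policy()
    perms = permissions_policy(inspector_account=True)
    issues = check_policies(trust, perms)
    if issues:
        raise SystemExit("policy check failed: " + "; ".join(issues))
    with open("trust.json", "w") as f:
        json.dump(trust, f, indent=2)
    with open("perms.json", "w") as f:
        json.dump(perms, f, indent=2)
    # Commands to run with credentials for the target account (printed, not executed).
    print(f"aws iam create-role --role-name {ROLE_NAME} "
          f"--assume-role-policy-document file://trust.json")
    print(f"aws iam put-role-policy --role-name {ROLE_NAME} "
          f"--policy-name {POLICY_NAME} --policy-document file://perms.json")
```

Run it once with `inspector_account=True` in the account where Inspector is configured and once with `inspector_account=False` in each member account; the role name printed in the commands must be identical across accounts, since Unified VRM assumes the same role name everywhere.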
Step 2: Provide Nopsec with the role information
Enter the role ARN (created in Step 1) that has access to AWS Inspector and the region name (e.g. us-east-1) in the Integrate dialog for AWS Inspector, then select “CONNECT”.