Red Canary AWS Resource Discovery Tool
    16 Aug 2024

    Article summary

    The Red Canary resource discovery tool scans your Amazon Web Services (AWS) environment (organization or account) to determine how many resources your company is using on AWS. This tool is intended to help all stakeholders understand the resources that Red Canary will monitor and protect in your AWS environment.

    Throughout this process you will:

    • Create a Red Canary resource discovery user in your environment

    • Create Red Canary resource discovery roles within your account or organization (and sub-accounts) via AWS CloudFormation

    • Run the Red Canary resource discovery tool

    • Delete the resource discovery user and roles

    Existing Setup Scan Attempt

    If you already have one AWS account and an administrator account on AWS, the discovery tool may already work without any additional setup, as it will use the [default] profile of your AWS Command Line Interface (CLI).

    If you are using AWS Organizations, or your default profile does not have sufficient permissions, this command will fail.

    From your terminal, copy, paste and run the following command:

    docker run --rm -it \
        -v ~/.aws:/home/rc/.aws \
        -v $(pwd):/workdir \
        -e AWS_REGION=us-east-1 \
        redcanary/cloud-resource-discovery:latest

    Prerequisites

    Command Options

    If you would like to scan a different account, you can specify the profile name via the AWS_PROFILE environment variable.

    docker run --rm -it \
        -v ~/.aws:/home/rc/.aws \
        -v $(pwd):/workdir \
        -e AWS_PROFILE=other-profile \
        redcanary/cloud-resource-discovery:latest

    To scan multiple accounts in an AWS Organization, you must specify a role name to assume in each account via the AWS_ROLE_NAME environment variable.

    • For example, AWS_ROLE_NAME=rc-partner-access-control becomes:

      - arn:aws:iam::123456789012:role/rc-partner-access-control

      - arn:aws:iam::234567890123:role/rc-partner-access-control

    Optionally, for additional security, you can specify an external ID to use when assuming the role. This is done via the AWS_EXTERNAL_ID environment variable.

    docker run --rm -it \
        -v ~/.aws:/home/rc/.aws \
        -v $(pwd):/workdir \
        -e AWS_PROFILE=other-profile \
        -e AWS_ROLE_NAME=rc-partner-access-control \
        -e AWS_EXTERNAL_ID=external-id-unique-value \
        redcanary/cloud-resource-discovery:latest

    You can print the above help information by running the image with the --help flag.
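    The following pre-flight script is an added example, not part of the Red Canary tool: it reads the same AWS_ROLE_NAME and AWS_EXTERNAL_ID variables the tool uses, builds the role ARN for every active account in the organization (as in the example above), and checks that the role can actually be assumed before the scan is started. It assumes the AWS CLI v2 is installed and that the calling profile may call organizations:ListAccounts and sts:AssumeRole.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not part of the Red Canary tool): confirm the
# discovery role can be assumed in every active account of the organization
# before running the scanner. Assumes AWS CLI v2 and a profile allowed to call
# organizations:ListAccounts and sts:AssumeRole.
set -u

ROLE_NAME="${AWS_ROLE_NAME:-red-canary-resource-discovery-role}"

# Role ARN the tool will try to assume in a given account.
build_role_arn() {
    printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Assume-role command line; --external-id is appended only when an external
# ID is supplied, mirroring the tool's optional AWS_EXTERNAL_ID setting.
assume_role_cmd() {
    local role_arn="$1" external_id="${2:-}"
    local cmd="aws sts assume-role --role-arn $role_arn --role-session-name rc-preflight"
    if [ -n "$external_id" ]; then
        cmd="$cmd --external-id $external_id"
    fi
    printf '%s\n' "$cmd"
}

# Try the role in every active account; report per account and return the
# number of failures so a half-configured organization is caught early.
preflight() {
    local failures=0 account_id arn
    for account_id in $(aws organizations list-accounts \
            --query 'Accounts[?Status==`ACTIVE`].Id' --output text); do
        arn="$(build_role_arn "$account_id" "$ROLE_NAME")"
        if eval "$(assume_role_cmd "$arn" "${AWS_EXTERNAL_ID:-}")" >/dev/null 2>&1; then
            echo "PASS $arn"
        else
            echo "FAIL $arn (role missing, trust policy rejects the caller, or external ID mismatch)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as `./preflight.sh run` with the same AWS_PROFILE, AWS_ROLE_NAME and AWS_EXTERNAL_ID you intend to pass to the container; a non-zero exit means at least one account would be skipped by the scan.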

    Note: Once this process is completed, continue on with Step 1: Setup a Discovery Tool

    Step 1: Setup a Discovery Tool

    Note: To make resource planning as easy as possible, Red Canary provides a Docker image that runs the discovery script. The image is published on Docker Hub. Follow the steps below to pull the image and run the discovery script.

    The Red Canary Discovery User will list AWS regions, list accounts in your organization, and assume the Red Canary Discovery Roles in your organization’s accounts.

    Create this user by deploying the AWS CloudFormation template (red-canary-resource-discovery-user.yaml) as follows.

    1. Log in to the AWS console for your account or, if you are using Organizations, your Master Account.

    2. Navigate to CloudFormation.

    3. Click Create stack.

    4. Click With new resources (standard).

    5. Select Template is ready.

    6. Select Upload a template file.

    7. Click the Choose File button.

    8. Select the red-canary-resource-discovery-user.yaml you downloaded.

    9. Click Next.

    10. Enter a Stack name.

    11. Enter a RedCanaryResourceDiscoveryUserName; we suggest leaving the default, red-canary-resource-discovery-user.

    12. Click Next.

    13. Leave all of the Configure Stack Options as their defaults.

    14. Click Next.

    15. Scroll to the bottom of the Review page.

    16. Click the agreement.

    17. Click Submit.

    18. When the stack creation is complete, click the Outputs tab.

    19. Copy the User ARN from the outputs; you will need it in later steps.

      Note: Once this process is completed, continue on with setting up a Discovery Role in the primary account.

    Step 2: Setup a Discovery Role in the Primary Account

    To scan your account, or your primary account if you're using Organizations, you'll need to add a role with resource discovery permissions.

    1. Navigate to CloudFormation.

    2. Click Create stack.

    3. Click With new resources (standard).

    4. Select Template is ready.

    5. Select Upload a template file.

    6. Click the Choose file button.

    7. Select the red-canary-resource-discovery-roles.yaml you downloaded.

    8. Click Next.

    9. Enter the stack name.

    10. Enter the RedCanaryResourceDiscoveryRoleName; we suggest leaving it at the default, red-canary-resource-discovery-role.

    11. Enter the RedCanaryResourceDiscoveryUserARN from the user created in the Setup Discovery User section.

    12. Click Next.

    13. On the Configure stack options page, click Next.

    14. Scroll to the bottom of the Review page.

    15. Click the agreement.

    16. Click Submit.

    Note: Once this process is completed, continue on with setting up a Discovery Role in sub accounts (if using organizations).

    Step 3: Setup a Discovery Role in Sub Accounts (If Using Organizations)

    If your company uses AWS Organizations, you will need to deploy a stack set in each sub-account to build the Red Canary Resource Discovery Role.

    1. Navigate to CloudFormation.

    2. Click StackSets in the left navigation menu.

    3. Click Create StackSet.

    4. Select Service Managed Permissions.

    5. Select Template is Ready.

    6. Select Upload a template file.

    7. Select Choose file.

    8. Select the red-canary-resource-discovery-roles.yaml you downloaded.

    9. Select Next.

    10. Enter a StackSet name.

    11. Enter the RedCanaryResourceDiscoveryRoleName; we suggest leaving it at the default, red-canary-resource-discovery-role.

      Note: If you changed it in the Setup Discovery Role in Master Account step you must use the same name.

    12. Enter the RedCanaryResourceDiscoveryUserARN which is the ARN of the user created in the Setup Discovery User section.

    13. Click Next.

    14. In the Configure StackSet Options leave the defaults.

    15. Click Next.

    16. Under Set deployment options, select Deploy new stacks.

    17. Select Deploy to organization.

    18. Under Specify regions, select US East (N. Virginia). Since roles are global, only one region is required.

    19. Click Next.

    20. Scroll to the bottom of the Review page.

    21. Click the agreement.

    22. Click Submit.

    Note: Once this process is completed, continue on with creating credentials for a user.

    Step 4: Create Credentials for a User

    To run the resource discovery tool from your CLI, you will need to create CLI credentials for the user set up in the Setup Discovery User section.

    1. Navigate to the AWS IAM service.

    2. Click on Users.

    3. Click on Red Canary Resource Discovery User.

    4. Click the Security credentials tab.

    5. Click Create access key.

    6. Select Command Line Interface (CLI).

    7. Check the box next to “I understand the above recommendation and want to proceed to create an access key.”

    8. Click Next.

    9. Click Create access key.

    10. Click Show to reveal the secret access key.

    11. Copy the secret access key; you will need it later. You cannot retrieve this secret again, so copy it now.

    12. Click Done.

    Note: Once this process is completed, continue on with running the Docker Discovery Tool.

    Step 5: Run the Docker Discovery Tool

    The next step is to run the Resource Discovery Tool Docker image, which will enumerate the resources in your environment that Red Canary will monitor.

    1. Open a terminal window.

    2. Change to a suitable directory where you can save your .csv file.

    3. Run the following command:

      • You will need to paste in your AWS access key ID.

      • You will need to paste in your AWS secret access key.

      • Enter the AWS role name. If you left this as the default, it is red-canary-resource-discovery-role.

    docker run --rm -it \
        -v ~/.aws:/home/rc/.aws \
        -v $(pwd):/workdir \
        -e AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID_HERE \
        -e AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY_HERE \
        -e AWS_ROLE_NAME=red-canary-resource-discovery-role \
        -e AWS_REGION=us-east-1 \
        redcanary/cloud-resource-discovery:latest

    If you don't already have the resource discovery tool image, it will be pulled automatically. When you launch the tool, it will iterate through your environment, enumerating your resources. When the resource scan is finished, it will generate a list of your resources and save a .csv file to the directory you're currently working in.

    The cloud-resource-discovery .csv will help your sales engineer identify the resources Red Canary can monitor and defend.

    Note: Once this process is completed, continue on with tearing down and cleaning up your StackSet.

    Step 6: Tear Down and Clean Up Your Stackset

    Once you've finished enumerating the resources in your company's AWS account, best practice is to decommission the resources, users and roles that you've created. You can quickly clean up by deleting the CloudFormation stacks and StackSets, in the following order:

    • Delete the individual stacks.

    • Delete the stacks within the StackSet. (You cannot delete the StackSet if it is managing stacks.)

    • Delete the StackSet.
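    The same three-stage teardown done with the AWS CLI from the management account, as an added example that is not part of the Red Canary article. The stack names, StackSet name and ROOT_OU_ID variable are assumptions; substitute the names you chose when you created the stacks, and the organization root ID from AWS Organizations.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Canary article): the same teardown done with
# the AWS CLI from the management account, in the order the bullets above
# require. The stack, StackSet and root OU names below are assumptions; use
# the names you chose when creating them. Assumes AWS CLI v2.
set -eu

USER_STACK="${USER_STACK:-red-canary-resource-discovery-user}"        # assumed stack name
ROLE_STACK="${ROLE_STACK:-red-canary-resource-discovery-role}"        # assumed stack name
ROLE_STACKSET="${ROLE_STACKSET:-red-canary-resource-discovery-roles}" # assumed StackSet name
ROOT_OU_ID="${ROOT_OU_ID:-}"       # your organization root id (r-xxxx), found in AWS Organizations
REGION="${AWS_REGION:-us-east-1}"  # the single region the StackSet was deployed to

# Poll a StackSet operation until it finishes; succeed only on SUCCEEDED.
wait_for_stackset_op() {
    local op_id="$1" status
    while :; do
        status="$(aws cloudformation describe-stack-set-operation \
            --stack-set-name "$ROLE_STACKSET" --operation-id "$op_id" \
            --query 'StackSetOperation.Status' --output text)"
        case "$status" in
            QUEUED|RUNNING|STOPPING) sleep 10 ;;
            SUCCEEDED) return 0 ;;
            *) echo "StackSet operation $op_id ended with status $status" >&2; return 1 ;;
        esac
    done
}

teardown() {
    [ -n "$ROOT_OU_ID" ] || { echo "ROOT_OU_ID is not set" >&2; return 1; }
    local stack op_id
    # 1. Delete the individual stacks in the management account.
    for stack in "$ROLE_STACK" "$USER_STACK"; do
        aws cloudformation delete-stack --stack-name "$stack"
        aws cloudformation wait stack-delete-complete --stack-name "$stack"
    done
    # 2. Delete the stack instances the StackSet manages in the sub-accounts;
    #    the StackSet cannot be deleted while it still manages stacks.
    op_id="$(aws cloudformation delete-stack-instances \
        --stack-set-name "$ROLE_STACKSET" \
        --deployment-targets "OrganizationalUnitIds=$ROOT_OU_ID" \
        --regions "$REGION" --no-retain-stacks \
        --query OperationId --output text)"
    wait_for_stackset_op "$op_id"
    # 3. Delete the now-empty StackSet.
    aws cloudformation delete-stack-set --stack-set-name "$ROLE_STACKSET"
}

if [ "${1:-}" = "run" ]; then teardown; fi
```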

    1. Select the Master Account Role creation stack.

    2. Click the Delete button.

    3. Confirm with the Delete button.

    4. Follow the same steps for the Red Canary Resource Discovery User stack.

    5. Confirm with the Delete button.

    6. Click into the StackSets.

    7. Select the Resource Discovery Roles StackSet.

    8. Click the Actions dropdown.

    9. Select Delete stacks from StackSet.

    10. Enter the Organizational Unit ID for your root account.

      • This can be found in the AWS Organizations service.

    11. Select the region where the StackSet deployed.

    12. Click Next.

    13. On the Review page click Submit.

    14. Once the operation has succeeded click on StackSets.

    15. Select the Resource Discovery Role StackSet.

    16. Click the Actions dropdown and select Delete StackSet.

    17. Confirm the Delete action.

    The stacks for the Resource Discovery User and the Resource Discovery Role in the master account are now deleted, as are the Resource Discovery Roles in each sub account and the StackSet that managed them.
