Red Canary AWS Resource Discovery Tool

Note: To make resource planning as easy as possible, Red Canary has provided a docker image to run the discovery script. The docker image can be found in the docker hub. Follow the steps below to pull the docker image and run the discovery script.

The Red Canary Discovery User will list AWS regions, list accounts in your organization, and assume the Red Canary Discovery Roles in your organization’s accounts.

Create this user by running AWS CloudFormation templates.

1. Log into the AWS console for your Account, or if using Organizations, your Master Account.

2. Navigate to CloudFormation.

   

3. Click Create stack.

   

4. Click With new resources (standard).

   

5. Select Template is ready.

6. Select Upload a template file.

7. Click the Choose File button.

   

8. Select the red-canary-resource-discovery-user.yaml you downloaded.

9. Click Next.

   

10. Enter a Stack name.

    

11. Enter a RedCanaryResourceDiscoveryUserName﹣we suggest leaving the default red-canary-resource-discovery-user.

12. Click Next.

    

13. Leave all of the Configure Stack Options as their defaults.

14. Click Next.

15. Scroll to the bottom of the Review page.

16. Click the agreement.

17. Click Submit.

    

18. When the stack set creation is complete click the Outputs tab.

    

19. Copy the User ARN from the outputs, you will need this in future steps.

    

    Note: Once this process is completed, continue on with setting up a Discovery Role in the primary account.

To scan your Account, or your primary account if you're using organizations, you'll need to add a role with resource discovery permissions.

1. Navigate to CloudFormation.

   

2. Click Create stack.

   

3. Click With new resources (standard).

   

4. Select Template is ready.

5. Select Upload a template file.

6. Click the Choose file button

   

7. Select the red-canary-resource-discovery-roles.yaml you downloaded.

8. Click Next.

   

9. Enter the stack name.

10. Enter the RedCanaryResourceDiscoveryRoleName ﹣ we suggest leaving it the default red-canary-resource-discovery-role

11. Enter the RedCanaryResourceDiscoveryUserARN from the user created in the Setup Discovery User section.

12. Click Next.

    

13. On the Configure stack options click Next.

    

14. Scroll to the bottom of the Review page.

15. Click the agreement.

16. Click Submit.

    

Note: Once this process is completed, continue on with setting up a Discovery Role in sub accounts (if using organizations).

If your company uses AWS Organizations, you will need to deploy a stack set in each sub-account to build the Red Canary Resource Discovery Role.

1. Navigate to CloudFormation.

   

2. Click StackSets in the left navigation menu.

   

3. Click Create StackSet.

   

4. Select Service Managed Permissions.

5. Select Template is Ready.

6. Select Upload a template file.

7. Select Choose file.

8. Select the red-canary-resource-discovery-roles.yaml you downloaded.

   

9. Select Next.

   

10. Enter a StackSet name.

11. Enter the RedCanaryResourceDiscoveryRoleName ﹣ we suggest leaving it the default red-canary-resource-discovery-role.

    Note: If you changed it in the Setup Discovery Role in Master Account step you must use the same name.

12. Enter the RedCanaryResourceDiscoveryUserARN which is the ARN of the user created in the Setup Discovery User section.

13. Click Next.

    

14. In the Configure StackSet Options leave the defaults.

    

15. Click Next.

16. In the set deployment options select Deploy new stacks.

17. Select Deploy to organization.

    

18. Under Specify regions, select US East (N. Virginia). Since roles are global, only one region is required.

    

19. Click Next.

20. Scroll to the bottom of the Review page.

21. Click the agreement.

22. Click Submit.

    

Note: Once this process is completed, continue on with creating credentials for a user.

To run the resource discovery tool from your CLI, we will need to create CLI credentials for the user setup in the Setup Discovery User section.

1. Navigate to the AWS IAM service.

2. Click on Users.

   

3. Click on Red Canary Resource Discovery User.

   

4. Click the Security credentials tab

   

5. Click Create access key.

   

6. Select Command Line Interface (CLI).

7. Check the box next to “I understand the above recommendation and want to proceed to create an access key.” 

8. Click Next.

   

9. Click Create access key.

   

10. Click Show to reveal the secret access ke

    

11. Copy the secret access key, you will need it later. You can not retrieve this secret again. Copy it now. 

    

12. Click Done.

    

Note: Once this process is completed, continue on with running the Docker Discovery Tool.

The next step is to run the Resource Discovery Tool docker image, which will enumerate the resources in your environment that Red Canary will monitor.

1. Open a terminal window.

2. Change to a suitable directory where you can save your .csv file.

3. Run the following command:

   • You will need to paste in your aws access key id

   • You will need to paste in your your aws secret access key

   • Enter the aws role name. If you left this as the default it is red-canary-resource-discovery-role

docker run --rm -it \
    -v ~/.aws:/home/rc/.aws \
    -v $(pwd):/workdir \
    -e AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID_HERE \
    -e AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY_HERE \
    -e AWS_ROLE_NAME=red-canary-resource-discovery-role \
    -e AWS_REGION=us-east-1 \
    redcanary/cloud-resource-discovery:latest

If you don't already have the resource discovery tool image installed, it will be downloaded and installed automatically. When you launch the tool, it will iterate through your environment, enumerating your resources.When the resource scan is finished, it will generate a list of your resources and save a.csv file to the directory you're currently working in.

When the resource scan is finished, it will generate a list of your resources and save a.csv file to the directory you're currently working in.

The cloud-resource-discovery csv will help your sales engineer in identifying the resources Red Canary can monitor and defend.

Note: Once this process is completed, continue on with tearing down and cleaning up your StackSet.

Once you've finished enumerating the resources in your company's AWS account, best practices dictate that you should decommission the resources, users, and roles that you've created. We can quickly clean up the resources by deleting the CloudFormation stacks and StackSets.

• Delete the individual stacks.

• Delete the stacks within the StackSet. (You cannot delete the StackSet if it is managing stacks.)

• Delete the StackSet.

1. Select the Master Account Role creation stack.

   

2. Click the Delete button.

   

3. Confirm with the Delete button.

   

4. Follow the same steps for the Red Canary Resource Discovery User stack.

   

5. Confirm with the delete button.

   

6. Click into the StackSets.

   

7. Select the Resource Discovery Roles StackSet.

   

8. Click the Actions dropdown.

   

9. Select Delete stacks from StackSet.

   

10. Enter the Organizational Unit id for your root account.

    

    • This can be found in the organization's service.

      

11. Select the region where the StackSet deployed.

    

12. Click Next.

    

13. On the Review page click Submit.

    

14. Once the operation has succeeded click on StackSets.

    

15. Select the Resource Discovery Role StackSet.

    

16. Click the Actions dropdown and select Delete StackSet.

    

17. Confirm the Delete action.

    

The stacks for the Resource Discovery User and the Resource Discovery Role on the master account are deleted. Additionally, the Resource Discovery Roles within each sub account, as well as the StackSet that managed them, have been removed.