Red Canary AWS Resource Discovery Tool
Updated on 16 Aug 2024
The Red Canary resource discovery tool scans your Amazon Web Services (AWS) environment (organization or account) to determine how many resources your company is using on AWS. This tool is intended to help all stakeholders understand the resources that Red Canary will monitor and protect in your AWS environment.
Throughout this process you will:
Create a Red Canary resource discovery user in your environment
Create Red Canary resource discovery roles within your account or organization (and sub-accounts) via AWS CloudFormation
Run the Red Canary resource discovery tool
Delete the resource discovery user and roles
Existing Setup Scan Attempt
If you have a single AWS account and administrator credentials already configured in the [default] profile of the AWS Command Line Interface (CLI), the discovery tool may work with no additional setup, because it uses that profile.
If you use AWS Organizations, or the default profile does not have the required permissions, this command will fail.
From your terminal, copy, paste and run the following command:
docker run --rm -it \
-v ~/.aws:/home/rc/.aws \
-v $(pwd):/workdir \
-e AWS_REGION=us-east-1 \
redcanary/cloud-resource-discovery:latest
Prerequisites
Administrative rights in AWS
red-canary-resource-discovery-user.yaml CloudFormation template
red-canary-resource-discovery-roles.yaml CloudFormation template
Command Options
If you would like to scan a different account, you can specify the profile name via the AWS_PROFILE environment variable.
docker run --rm -it \
-v ~/.aws:/home/rc/.aws \
-v $(pwd):/workdir \
-e AWS_PROFILE=other-profile \
redcanary/cloud-resource-discovery:latest
To scan multiple accounts in an AWS Organization, you must specify the name of a role to assume in each account via the AWS_ROLE_NAME environment variable. The tool builds the role ARN from each account ID and that name.
For example, with AWS_ROLE_NAME=rc-partner-access-control the tool assumes the following roles (account IDs are placeholders):
- arn:aws:iam::123456789012:role/rc-partner-access-control
- arn:aws:iam::234567890123:role/rc-partner-access-control
Optionally, you can specify an external ID to present when assuming the role via the AWS_EXTERNAL_ID environment variable. The value must match the sts:ExternalId condition in the trust policy of the role in each account; it adds a shared secret to the cross-account trust so that the role cannot be assumed by a principal that merely knows the role name.
docker run --rm -it \
-v ~/.aws:/home/rc/.aws \
-v $(pwd):/workdir \
-e AWS_PROFILE=other-profile \
-e AWS_ROLE_NAME=rc-partner-access-control \
-e AWS_EXTERNAL_ID=external-id-unique-value \
redcanary/cloud-resource-discovery:latest
The tool prints the same option summary when run with the --help flag.
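An added example (not Red Canary's code or the discovery tool's source) of the cross-account pattern the Command Options describe: composing the per-account role ARN from AWS_ROLE_NAME, assuming that role with the optional AWS_EXTERNAL_ID, and the trust policy the role in each account needs for that to succeed. Assumptions: the role names, account IDs and environment values are the placeholders from this page; the trust policy is what a cross-account role with an external ID conventionally carries, not the contents of Red Canary's CloudFormation template; the sample ListAccounts pages are constructed; the live scan at the bottom needs boto3 and real credentials and is not exercised offline.

```python
"""Added example, not the discovery tool's code: per-account role ARNs,
AssumeRole parameters with an optional ExternalId, and the trust policy
the role in each account must carry. Sample data below is constructed."""
import re
from typing import Dict, Iterable, List, Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")   # IAM role-name charset


def role_arn(account_id: str, role_name: str) -> str:
    """arn:aws:iam::<account>:role/<name>, validating both parts first."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"invalid account id: {account_id!r}")
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError(f"invalid role name: {role_name!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(user_arn: str, external_id: Optional[str] = None) -> dict:
    """Assumed shape of the discovery role's trust policy: only the discovery
    user may assume it, and only while presenting the agreed ExternalId."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": user_arn},
                 "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_params(account_id: str, role_name: str,
                       external_id: Optional[str] = None) -> dict:
    """Keyword arguments for sts.assume_role; ExternalId only when configured."""
    params = {"RoleArn": role_arn(account_id, role_name),
              "RoleSessionName": "rc-resource-discovery",
              "DurationSeconds": 900}            # shortest lifetime STS allows
    if external_id:
        params["ExternalId"] = external_id
    return params


def config_from_env(env: Dict[str, str]) -> dict:
    """Environment contract from the page: AWS_ROLE_NAME is required for an
    organization scan; AWS_EXTERNAL_ID and AWS_REGION are optional."""
    role_name = env.get("AWS_ROLE_NAME")
    if not role_name:
        raise ValueError("AWS_ROLE_NAME is required to scan multiple accounts")
    return {"role_name": role_name,
            "external_id": env.get("AWS_EXTERNAL_ID") or None,
            "region": env.get("AWS_REGION", "us-east-1")}


def active_account_ids(pages: Iterable[dict]) -> List[str]:
    """Account IDs from organizations:ListAccounts pages, skipping accounts
    that are not ACTIVE (their role would only produce AccessDenied noise)."""
    return [acct["Id"] for page in pages for acct in page["Accounts"]
            if acct["Status"] == "ACTIVE"]


def scan_organization(env: Dict[str, str]) -> dict:
    """Live version: list accounts from the management account, assume the
    discovery role in each, and record which accounts refused (role not yet
    deployed by the StackSet, or ExternalId mismatch). Needs boto3."""
    import boto3                                # lazy: helpers above need no boto3
    from botocore.exceptions import ClientError

    cfg = config_from_env(env)
    org = boto3.client("organizations", region_name=cfg["region"])
    sts = boto3.client("sts", region_name=cfg["region"])
    sessions, failures = {}, {}
    for account_id in active_account_ids(org.get_paginator("list_accounts").paginate()):
        try:
            creds = sts.assume_role(**assume_role_params(
                account_id, cfg["role_name"], cfg["external_id"]))["Credentials"]
        except ClientError as exc:
            failures[account_id] = exc.response["Error"]["Code"]
            continue
        sessions[account_id] = boto3.Session(
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
            region_name=cfg["region"])
    return {"sessions": sessions, "failures": failures}


# Constructed sample: two ACTIVE accounts and one SUSPENDED, paged the way
# ListAccounts returns them; IDs are the placeholders used on this page.
SAMPLE_PAGES = [
    {"Accounts": [{"Id": "123456789012", "Status": "ACTIVE"},
                  {"Id": "234567890123", "Status": "ACTIVE"}]},
    {"Accounts": [{"Id": "345678901234", "Status": "SUSPENDED"}]},
]
SAMPLE_ENV = {"AWS_ROLE_NAME": "rc-partner-access-control",
              "AWS_EXTERNAL_ID": "external-id-unique-value"}

if __name__ == "__main__":
    cfg = config_from_env(SAMPLE_ENV)
    for acct in active_account_ids(SAMPLE_PAGES):
        print(assume_role_params(acct, cfg["role_name"], cfg["external_id"]))
```

The point of separating the failures from the sessions is practical: when the StackSet in Step 3 has not finished rolling out, or an account was created after it ran, the scan should report that account as unreachable rather than abort, so you can tell "no resources" from "role missing".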
Note: Once this process is completed, continue on with Step 1: Setup a Discovery Tool
Step 1: Setup a Discovery Tool
Note: To make resource planning as easy as possible, Red Canary provides a Docker image that runs the discovery script. The image is published on Docker Hub. Follow the steps below to pull the image and run the discovery script.
The Red Canary Discovery User will list AWS regions, list accounts in your organization, and assume the Red Canary Discovery Roles in your organization’s accounts.
Create this user by running AWS CloudFormation templates.
Log into the AWS console for your account or, if you use Organizations, your management account (called the master account in older AWS documentation).
Navigate to CloudFormation.
Click Create stack.
Click With new resources (standard).
Select Template is ready.
Select Upload a template file.
Click the Choose File button.
Select the red-canary-resource-discovery-user.yaml you downloaded.
Click Next.
Enter a Stack name.
Enter a RedCanaryResourceDiscoveryUserName; we suggest leaving the default red-canary-resource-discovery-user.
Click Next.
Leave all of the Configure Stack Options as their defaults.
Click Next.
Scroll to the bottom of the Review page.
Click the agreement.
Click Submit.
When the stack creation is complete, click the Outputs tab.
Copy the User ARN from the outputs; you will need it in Steps 2 and 3.
Note: Once this process is completed, continue on with setting up a Discovery Role in the primary account.
Step 2: Setup a Discovery Role in the Primary Account
To scan your Account, or your primary account if you're using organizations, you'll need to add a role with resource discovery permissions.
Navigate to CloudFormation.
Click Create stack.
Click With new resources (standard).
Select Template is ready.
Select Upload a template file.
Click the Choose file button.
Select the red-canary-resource-discovery-roles.yaml you downloaded.
Click Next.
Enter the stack name.
Enter the RedCanaryResourceDiscoveryRoleName; we suggest leaving it the default red-canary-resource-discovery-role.
Enter the RedCanaryResourceDiscoveryUserARN, which is the User ARN you copied from the stack outputs in Step 1.
Click Next.
On the Configure stack options click Next.
Scroll to the bottom of the Review page.
Click the agreement.
Click Submit.
Note: Once this process is completed, continue on with setting up a Discovery Role in sub accounts (if using organizations).
Step 3: Setup a Discovery Role in Sub Accounts (If Using Organizations)
If your company uses AWS Organizations, you will need to deploy a stack set in each sub-account to build the Red Canary Resource Discovery Role.
Navigate to CloudFormation.
Click StackSets in the left navigation menu.
Click Create StackSet.
Select Service Managed Permissions.
Select Template is Ready.
Select Upload a template file.
Select Choose file.
Select the red-canary-resource-discovery-roles.yaml you downloaded.
Select Next.
Enter a StackSet name.
Enter the RedCanaryResourceDiscoveryRoleName; we suggest leaving it the default red-canary-resource-discovery-role.
Note: If you changed the role name in Step 2, you must use the same name here, because the tool assumes a role of one name in every account.
Enter the RedCanaryResourceDiscoveryUserARN, which is the User ARN you copied from the stack outputs in Step 1.
Click Next.
In the Configure StackSet Options leave the defaults.
Click Next.
In the set deployment options select Deploy new stacks.
Select Deploy to organization.
Under Specify regions, select US East (N. Virginia). IAM roles are global, so the stack only needs to be deployed in one region.
Click Next.
Scroll to the bottom of the Review page.
Click the agreement.
Click Submit.
Note: Once this process is completed, continue on with creating credentials for a user.
Step 4: Create Credentials for a User
To run the resource discovery tool from your CLI, you need to create CLI credentials for the user set up in Step 1.
Navigate to the AWS IAM service.
Click on Users.
Click on the discovery user (red-canary-resource-discovery-user if you kept the default).
Click the Security credentials tab
Click Create access key.
Select Command Line Interface (CLI).
Check the box next to “I understand the above recommendation and want to proceed to create an access key.”
Click Next.
Click Create access key.
Click Show to reveal the secret access key.
Copy both the access key ID and the secret access key; you will need them in Step 5. The secret cannot be retrieved again after you click Done.
Click Done.
Note: Once this process is completed, continue on with running the Docker Discovery Tool.
Step 5: Run the Docker Discovery Tool
The next step is to run the Resource Discovery Tool docker image, which will enumerate the resources in your environment that Red Canary will monitor.
Open a terminal window.
Change to a directory where the .csv output can be saved.
Run the following command, substituting your values:
YOUR_ACCESS_KEY_ID_HERE: the access key ID created in Step 4.
YOUR_SECRET_ACCESS_KEY_HERE: the secret access key created in Step 4.
AWS_ROLE_NAME: the role name from Step 2 (red-canary-resource-discovery-role if you kept the default).
docker run --rm -it \
-v ~/.aws:/home/rc/.aws \
-v $(pwd):/workdir \
-e AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID_HERE \
-e AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY_HERE \
-e AWS_ROLE_NAME=red-canary-resource-discovery-role \
-e AWS_REGION=us-east-1 \
redcanary/cloud-resource-discovery:latest
If the resource discovery image is not already present locally, Docker pulls it automatically. The tool then iterates through your environment, enumerating your resources. When the scan is finished, it writes a .csv list of your resources to the directory you are currently working in.
Because the credentials are passed with -e, they are recorded in your shell history. If you prefer not to do that, store them as a named profile under ~/.aws (which the command already mounts into the container) and pass AWS_PROFILE instead, as described in Command Options.
The cloud-resource-discovery csv will help your sales engineer in identifying the resources Red Canary can monitor and defend.
Note: Once this process is completed, continue on with tearing down and cleaning up your StackSet.
Step 6: Tear Down and Clean Up Your Stackset
Once you've finished enumerating the resources in your company's AWS account, best practices dictate that you should decommission the resources, users, and roles that you've created. We can quickly clean up the resources by deleting the CloudFormation stacks and StackSets.
In summary: delete the individual stacks, delete the stacks managed by the StackSet (a StackSet cannot be deleted while it still manages stacks), then delete the StackSet itself.
Select the stack that created the discovery role in the primary account (Step 2).
Click the Delete button.
Confirm with the Delete button.
Follow the same steps for the Red Canary Resource Discovery User stack.
Confirm with the delete button.
Click into the StackSets.
Select the Resource Discovery Roles StackSet.
Click the Actions dropdown.
Select Delete stacks from StackSet.
Enter the ID of your organization's root (the identifier beginning with r-), which you can find in the AWS Organizations console.
Select the region where the StackSet deployed.
Click Next.
On the Review page click Submit.
Once the operation has succeeded click on StackSets.
Select the Resource Discovery Role StackSet.
Click the Actions dropdown and select Delete StackSet.
Confirm the Delete action.
At this point the stacks for the Resource Discovery User and the Resource Discovery Role in the primary account are deleted. The Resource Discovery Roles in each sub-account, and the StackSet that managed them, have also been removed.