By configuring authentication settings for AWS, you can add the following features to FutureVuls:
Only one group can be registered per set of AWS authentication information with FutureVuls. If you have multiple AWS environments, please register them in separate groups.
With the April 8, 2021 release, you can now set up one AWS account for multiple groups.
Starting from the March 29, 2023 release, when using Amazon ECR enhanced scanning, you will need inspector2:ListCoverage and inspector2:ListFindings as new Actions in the IAM policy for FutureVulsAssumeRole. Please see the policy used by FutureVuls below for more information.
There are two ways to configure AWS authentication information; we recommend IAM roles, which are more secure and easier to set up.
Configure IAM role integration with the following steps:
Open the external settings for FutureVuls and click “Add” in the AWS card.
Select authentication with IAM roles, enter the AWS Account ID and Region, and proceed to the next step.
Click the link to configure CloudFormation and execute CloudFormation.
Open FutureVulsAssumeRole under CloudFormation > Stacks on AWS to obtain the value of FutureVulsExternalID.
Once the execution is complete, return to the FutureVuls configuration screen and proceed to the next step.
At this point, the authentication information is automatically checked for validity, and if it is valid, the settings are saved.
Once the authentication information is displayed as shown below, the authentication configuration is complete.
We recommend using the IAM role authentication method over this method. Use this method only if the IAM role authentication method is not available.
To authenticate using AccessKey and SecretKey, open the FutureVuls external settings and click “Add” in the AWS card.
Select authentication using an API key and execute CloudFormation. Issue an API key for the IAM user that was created, enter the access key, secret key, and region, and proceed to the next step. At this point, the authentication information is automatically checked for validity, and if it is valid, it is saved.
If the authentication information is displayed as shown below, the setup is complete.
Click the trash can button in the authentication information section.
If you want to delete authentication information related to FutureVuls AWS from your AWS environment, delete the CloudFormation executed during authentication setup.
The AWS policy used by the FutureVuls AWS integration is as follows. It may change in the future to enhance the integration.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ssm:DescribeInstanceInformation",
        "ssm:ListDocuments",
        "ssm:ListCommandInvocations",
        "ecr:GetAuthorizationToken",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:DescribeImageScanFindings",
        "ecr:GetRepositoryPolicy",
        "inspector2:ListFindings",
        "inspector2:ListCoverage"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:DescribeDocument",
        "ssm:SendCommand"
      ],
      "Resource": "arn:aws:ssm:*:*:document/FutureVuls*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:SendCommand"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Effect": "Allow"
    }
  ]
}
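As an added example (not FutureVuls' own code), the following Python check compares a role's permission policy against the action set documented above and confirms that the role's trust policy requires the external ID issued by the CloudFormation stack, which is what stops a third party from assuming the role. The sample policy documents are constructed for the example, and the principal account ID and external ID in them are placeholders.

```python
# Actions in the policy FutureVuls documents for FutureVulsAssumeRole (copied from the page above).
EXPECTED_ACTIONS = {
    "ec2:DescribeInstances", "ec2:DescribeTags", "ssm:DescribeInstanceInformation",
    "ssm:ListDocuments", "ssm:ListCommandInvocations", "ecr:GetAuthorizationToken",
    "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:DescribeImageScanFindings",
    "ecr:GetRepositoryPolicy", "inspector2:ListFindings", "inspector2:ListCoverage",
    "ssm:DescribeDocument", "ssm:SendCommand",
}

def _as_list(value):
    """IAM lets Action/Principal values be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def allowed_actions(policy: dict) -> set:
    """Every action granted by an Allow statement in an IAM permission policy document."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions

def policy_drift(policy: dict) -> dict:
    """Actions beyond the documented set (over-privilege, wildcards included) and documented ones missing."""
    granted = allowed_actions(policy)
    return {"extra": sorted(granted - EXPECTED_ACTIONS),
            "missing": sorted(EXPECTED_ACTIONS - granted)}

def trust_requires_external_id(trust_policy: dict) -> bool:
    """True only if every statement allowing sts:AssumeRole carries an sts:ExternalId condition."""
    found = False
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            return False
        found = True
    return found

# Constructed sample (not real FutureVuls output): a permission policy that has drifted, missing
# inspector2:ListCoverage (required since the March 2023 release) and gaining ssm:GetParameter.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": sorted(EXPECTED_ACTIONS - {"inspector2:ListCoverage"}) + ["ssm:GetParameter"]}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account, not FutureVuls'
     "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    print(policy_drift(SAMPLE_POLICY), trust_requires_external_id(SAMPLE_TRUST))
```

In a real audit the two documents would come from the IAM API (for example iam:GetRolePolicy and the role's AssumeRolePolicyDocument) rather than being embedded, and the Resource scoping of the ssm:SendCommand statements should be reviewed separately, since this check only compares actions.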