AWS proof types and permissions

Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.

Hyperproof supports connecting to AWS via access keys or cross-account roles.

When you create a Hypersync between Hyperproof and AWS, you can automatically collect proof types based on the following services:

Table 87. AWS proof types and fields

Service	Proof type	Fields	Testable
Backup	Backup Jobs	Account, Region, Backup Job ID, Status, Resource ID, Creation Time, Start By	Yes
Backup	Backup Plan Details	Account, Region, Backup Plan Name, Backup Plan ID, Version ID, Last Modified, Last Runtime Backup Rules: Backup Plan Name, Backup Vault, Destination Backup Vault Resource Assignments: Name, IAM Role ARN	No
Backup	List of Backup Plans	Account, Region, Backup Plan Name, Last Runtime, Last Modified	Yes
EC2	Asset Inventory	Account, Region, Instance ID, Agent Type, Agent Version, Computer Name, Instance Status, IP Address, Platform, Platform Type, Platform Version	Yes
EC2	List of Images	AMI Name, AMI ID, Source, Visibility, Status, Platform, Root Device Type, Virtualization	Yes
EC2	List of Running Instances	Instance ID, Instance Type, Availability Zone, Public IPv4 DNS, Public IPv4 Address, Monitoring, Security Groups, Key Name	Yes
EC2	Security Group Details	Security Group Name, Security Group ID, Description, VPC, ID, Owner Inbound Rules: IP version, Protocol, Port, Range, Source, Description Outbound Rules: IP version, Protocol, Port, Range, Destination, Description	No
EC2	List of Security Groups	Security Group ID, Security Group Name, VPC ID, Description, Owner, Inbound Rules, Outbound Rules	Yes
EC2	List of Snapshots	Snapshot ID, Size, Volume, Description, Status, Started, Progress, Encryption	Yes
EC2	List of Volumes	Account, Region, Volume name, Volume ID, State, Status, Encryption	Yes
EKS	List of Clusters	Account, Region, Name, Status, Kubernetes version, Provider	Yes
EKS	List of Pod Security Policies	Name, Cluster, Run As User, Run As Group, Run As Non Root, FS Group, FS Group Change Policy, Privileged, Allow Privilege Escalation, Read Only Root FS Run as User: Rule, Ranges Run as Group: Rule, Ranges FS Group: Rule, Ranges	Yes
EKS	List of Workloads	Name, Namespace, Type, Age, Pod Count, Status, Cluster	Yes
IAM	Account Password Policy	Account, Policy, Minimum password length, Require symbols, Require numbers, Require uppercase characters, Require lowercase characters, Password expiration requires administrator reset, Users can change their own passwords, Password expiration, Count of passwords to remember to prevent reuse	Yes
IAM	List of Groups	Account, Group Name, Users, Inline Policy, Creation Time	Yes
IAM	List of Roles	Account, Role Name, Description, Trusted Entities, Creation Time, Session Duration	Yes
IAM	List of SAML Providers	Account, Arn, Creation Time, Expiration Time	Yes
IAM	List of Users	Account, User Name, User ID, Creation Time, Password Last Used	Yes
IAM	List of Users with MFA Devices	Account, User Name, User ID, Creation Time, Password Last Used, MFA, MFA Devices	Yes
IAM	List of Users with MFA Settings	Account, User Name, User ID, Creation Time, Password Last Used, MFA	Yes
IAM	Users, Groups, Roles, and Policies	List of Users: User Name, Creation Time, Arn, Path, Groups, Permissions Boundary, Managed Policies, Inline Policies List of Groups: Group Name, Creation Time, Arn, Path, Managed Policies, Inline Policies List of Roles: Role Name, Creation Time, Role Last Used, Arn, Path, Managed Policies, Inline Policies	No
Identity Center	List of SSO Users	GovCloud Account, Region, User Name, User ID, Identity Store ID	Yes
RDS	Instance Backup Retention Period	Account, Region, Instance Identifier, Instance Backup Retention Period	Yes
RDS	Instance Storage Encrypted	Account, Region, Instance Identifier, Instance Storage Encrypted	Yes
Note The Relationship Database Service (RDS) includes Aurora PostgreSQL, Aurora MySQL, MySQL, Maria DB, PostgreSQL, Oracle, and Microsoft SQL Server.
S3	Bucket Access Control List	Account, Bucket, Grantee Name, Grantee Email, Grantee ID, Grantee Type, Permission	Yes
S3	Bucket Encryption	Account, Bucket, Encryption Key Type, AWS KMS Key, Bucket Key Enabled	Yes
S3	Bucket Lifecycle Configuration	Account, Bucket, Rule, Action, Applies To, Non-Current Versions Retained, Days to Transition, Transition Date, Status	Yes
S3	Bucket Object Lock	Account, Bucket, Object Lock Status, Retention Mode, Retention Period	Yes
S3	Bucket Policy Status	Account, Bucket, Policy Type	Yes
S3	Bucket Replication	Account, Bucket, Replication Rule Name, Status, Destination Bucket, Priority, Scope	Yes
S3	Bucket Versioning	Account, Bucket, Bucket Versioning, Multi-factor Authentication Delete	Yes
Security Hub	Findings	Severity, Workflow status, Record State, Company, Product, Title, Resource type, Resource id, Status, Updated at	Yes
Security Hub	Integrations Providing Findings	Account, Name, Company Name, Description	Yes
VPC	List of Client ACLs	Account, Region, Network ACL ID, Associated With, Default, VPC ID, Owner Inbound Rules: Rule Number, Protocol, Port Range, Source, Allow/Deny Outbound Rules: Rule Number, Protocol, Port Range, Destination, Allow/Deny	No
VPC	List of Client VPN Endpoints	Endpoint ID, State, Client CIDR, Description, Dns Name	Yes
VPC	List of Subnets	Account, Region, Name, Subnet ID, State, VPC ID, IPv4 CIDR, IPv6 CIDR	Yes
VPC	List of VPCs	Account, Region, VPC ID, State, IPv4 CIDR, IPv6 CIDR, IPv6 Pool, DHCP Options Set, Tenancy, Default, Owner	Yes

AWS notes on services and proof types

Note

RDS Encryption proof can be collected for all RDS instances.

Elastic Compute Cloud
- Asset Inventory
  If you receive a message indicating that the Hypersync is returning too many items for the Asset Inventory proof type, set the Asset filter criteria to Do not show terminated or stopped instances in the Hypersync settings.
- List of Snapshots for Owner
  This proof type can generate large amounts of data. If you receive a message indicating that the Hypersync is returning too many items, set the Storage Tier filter field to either Archive or Standard, instead of the default All Tiers.
EKS
To use AWS EKS proof types, add IAM users or roles to your Amazon EKS cluster with the following command:
```
eksctl create iamidentitymapping --cluster  <clusterName> --region=<region> --arn arn:aws:iam::123456:role/your-role --group system:masters --username optional-name
```
For more information, please refer to the official AWS documentation.
Security Hub
When configuring the Hypersync for Security Hub proof, you must select the region where the AWS Security Hub is running for the Hypersync to return data. If the region isn't correct, the proof is generated but doesn't contain any data.
Kubernetes Engine
- List of Pod Security Policies
  Note
  This proof type is compatible only with Kubernetes version 1.22 or higher. If you use a lower version of Kubernetes, the proof will not be generated.
  Kubernetes has deprecated PodSecurityPolicies in version 1.21. See this Kubernetes article for information on migrating from PodSecurityPolicies to the built-in PodSecurity admission controller. Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.

Additional documentation

Note

You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.

The sections below provide additional information about connecting AWS to Hyperproof.

Connecting to AWS or AWS GovCloud via access keys

Below Access Key ID, enter your AWS Access Key ID.
Tip
IAM users have keys that provide access to proof stored in AWS. If you do not have IAM user credentials, a root user or an IAM administrator can create them. For steps on adding an AWS user with SecurityAudit access, see Creating a policy and adding an AWS Hypersync user.
If you use SSO, be sure to create an IAM user and not use the access keys provided for your SSO user, as those have session tokens associated with the keys that only allow access for a limited time.
For more information on creating an IAM user in your AWS account, see the official hypersyncs: aws-short documentation.
Below Secret Access Key, enter your AWS Secret Access Key.
Click Next.

Connecting via a cross-account role

Select the Cross Account Role radio button to connect to AWS via a cross-account role.
Note
To use the cross-account role option, your AWS administrator needs to set up an IAM role with the permissions needed to perform specific actions. For more information, see Creating a cross-account role in AWS.
Below ARN, enter your Role ARN.
Below External ID, enter your unique string ID.
Click Next.

Completing the connection process

The steps below apply to both access keys and cross-accounts.

Select the radio button that best suits how you want to identify AWS accounts.
- For a single AWS account, select Use the current account. Hyperproof assumes only the role ARN provided in the step above to fetch data.
- For a few AWS accounts, select Choose from a list of accounts , and then select the accounts to retrieve data from.
- For many AWS accounts, select Specify tags to identify accounts. Hyperproof finds all accounts matching the tag criteria and retrieves data from each one.
  - Using multiple key-value pairs of tags finds accounts with all of the specified tags, using a logical AND operation.
  - Entering the same key with different values finds accounts matching any of the values provided for a given key, using a logical OR operation.
  - See TagFilters query object for more details on finding resources by tags.
Click Next.

In this section:

AWS proof types and permissions

Note

Note

AWS notes on services and proof types

Note

Note

Additional documentation

Note

Connecting to AWS or AWS GovCloud via access keys

Tip

Connecting via a cross-account role

Note

Completing the connection process

Search results