AWS proof types and permissions
Note
Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.
Hyperproof supports connecting to AWS via access keys or cross-account roles.
When you create a Hypersync between Hyperproof and AWS, you can automatically collect proof types based on the following services:
AWS notes on services and proof types
Note
RDS Encryption proof can be collected for all RDS instances.
Elastic Compute Cloud
Asset Inventory
If you receive a message indicating that the Hypersync is returning too many items for the Asset Inventory proof type, set the Asset filter criteria to Do not show terminated or stopped instances in the Hypersync settings.
List of Snapshots for Owner
This proof type can generate large amounts of data. If you receive a message indicating that the Hypersync is returning too many items, set the Storage Tier filter field to either Archive or Standard, instead of the default All Tiers.
EKS
To use AWS EKS proof types, add IAM users or roles to your Amazon EKS cluster with the following command:
eksctl create iamidentitymapping --cluster <clusterName> --region=<region> --arn arn:aws:iam::123456:role/your-role --group system:masters --username optional-name
For more information, please refer to the official AWS documentation.
Security Hub
When configuring the Hypersync for Security Hub proof, you must select the region where the AWS Security Hub is running for the Hypersync to return data. If the region isn't correct, the proof is generated but doesn't contain any data.
Kubernetes Engine
List of Pod Security Policies
Note
This proof type is compatible only with Kubernetes version 1.22 or higher. If you use a lower version of Kubernetes, the proof will not be generated.
Kubernetes deprecated PodSecurityPolicy in version 1.21. For information on migrating to the built-in PodSecurity admission controller, see the Kubernetes article Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.
Additional documentation
Note
You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.
The sections below provide additional information about connecting AWS to Hyperproof.
Connecting to AWS or AWS GovCloud via access keys
Below Access Key ID, enter your AWS Access Key ID.
Tip
IAM users have keys that provide access to proof stored in AWS. If you do not have IAM user credentials, a root user or an IAM administrator can create them. For steps on adding an AWS user with SecurityAudit access, see Creating a policy and adding an AWS Hypersync user.
If you use SSO, be sure to create an IAM user and not use the access keys provided for your SSO user, as those have session tokens associated with the keys that only allow access for a limited time.
For more information on creating an IAM user in your AWS account, see the official AWS documentation.
Below Secret Access Key, enter your AWS Secret Access Key.
Click Next.
Connecting via a cross-account role
Select the Cross Account Role radio button to connect to AWS via a cross-account role.
Note
To use the cross-account role option, your AWS administrator needs to set up an IAM role with the permissions needed to perform specific actions. For more information, see Creating a cross-account role in AWS.
Below ARN, enter your Role ARN.
Below External ID, enter your unique string ID.
Click Next.
Completing the connection process
The steps below apply to both access keys and cross-account roles.
Select the radio button that best suits how you want to identify AWS accounts.
For a single AWS account, select Use the current account. Hyperproof assumes only the role ARN provided in the step above to fetch data.
For a few AWS accounts, select Choose from a list of accounts, and then select the accounts to retrieve data from.
For many AWS accounts, select Specify tags to identify accounts. Hyperproof finds all accounts matching the tag criteria and retrieves data from each one.
Using multiple key-value pairs of tags finds accounts with all of the specified tags, using a logical AND operation.
Entering the same key with different values finds accounts matching any of the values provided for a given key, using a logical OR operation.
See TagFilters query object for more details on finding resources by tags.
Click Next.
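The AND/OR tag semantics described above, modelled as an added example (not Hyperproof's code): the account IDs, tag names and the helper functions are assumptions, and the filter shape follows the AWS TagFilters object (a list of Key/Values entries).

```python
"""Model of how tag criteria select AWS accounts (added example, not Hyperproof code).

Assumptions (not from the page): criteria arrive as (key, value) tuples and each
account is a dict of its tags. Filters use the AWS TagFilters shape,
[{"Key": ..., "Values": [...]}]; per that API an empty Values list matches any value.
"""
from collections import OrderedDict


def build_tag_filters(pairs):
    """Collapse (key, value) pairs into TagFilters.

    Repeating a key with different values yields one entry whose Values are
    matched with OR; distinct keys yield separate entries matched with AND.
    """
    grouped = OrderedDict()
    for key, value in pairs:
        grouped.setdefault(key, [])
        if value is not None and value not in grouped[key]:
            grouped[key].append(value)
    return [{"Key": k, "Values": v} for k, v in grouped.items()]


def account_matches(account_tags, tag_filters):
    """True when every filter is satisfied (AND) by any of its values (OR)."""
    for f in tag_filters:
        actual = account_tags.get(f["Key"])
        if actual is None:
            return False                      # key absent: cannot match
        if f["Values"] and actual not in f["Values"]:
            return False                      # key present but value not listed
    return True


def select_accounts(accounts, pairs):
    """Return the IDs of accounts whose tags satisfy the criteria."""
    filters = build_tag_filters(pairs)
    return [acct for acct, tags in accounts.items() if account_matches(tags, filters)]


# Constructed sample accounts (hypothetical IDs and tags, not from the page).
SAMPLE_ACCOUNTS = {
    "111111111111": {"Environment": "prod", "Team": "payments"},
    "222222222222": {"Environment": "staging", "Team": "payments"},
    "333333333333": {"Environment": "prod", "Team": "platform"},
    "444444444444": {"Team": "payments"},     # no Environment tag at all
}

if __name__ == "__main__":
    # Two different keys -> AND: only prod accounts owned by payments.
    print(select_accounts(SAMPLE_ACCOUNTS, [("Environment", "prod"), ("Team", "payments")]))
    # Same key twice -> OR: prod or staging accounts, whatever the team.
    print(select_accounts(SAMPLE_ACCOUNTS, [("Environment", "prod"), ("Environment", "staging")]))
```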