AWS proof types and permissions

Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.

Hyperproof supports connecting to AWS via access keys or cross-account roles.

When you create a Hypersync between Hyperproof and AWS, you can automatically collect proof based on the following services:

Elastic Compute Cloud
- List of Running Instances
- List of Images for Owner
- List of Snapshots for Owner
  This proof type can generate large amounts of data. If you receive a message indicating that the Hypersync is returning too many items, set the Storage Tier filter field to either Archive or Standard, instead of the default All Tiers.
- List of Security Groups
- List of Volumes
- Details for Security Group
- Asset Inventory
  If you receive a message indicating that the Hypersync is returning too many items for the Asset Inventory proof type, set the Asset filter criteria to Do not show terminated or stopped instances in the Hypersync settings.
Identity and Access Management
- Account Password Policy
- List of Groups
- List of Roles
- List of SAML Providers
- List of Users
- List of Users with MFA Devices
- List of Users with MFA Settings
- Users, Groups, Roles, and Policies
Identity Center
- List of SSO Users
Relationship Database Service
- Including Aurora PostgreSQL, Aurora MySQL, MySQL, Maria DB, PostgreSQL, Oracle, Microsoft SQL Server
  - Backup Retention Period
  - Storage Encrypted
Simple Storage Service (S3)
- Bucket Encryption
- Bucket Versioning
- Bucket Replication
- Public S3 Buckets
- Bucket Lifecycle Configuration
- Bucket Object Lock
- Bucket Access Control List
Virtual Private Cloud (VPC)
- VPCs
- Network ACLs
- Client VPN Endpoints
- Subnets
Security Hub
When configuring the Hypersync for Security Hub proof, you must select the region where the AWS Security Hub is running for the Hypersync to return data. If the region isn't correct, the proof is generated but doesn't contain any data.
- Findings
- Integrations Providing Findings
Backup Service
- Backup Plans
- Backup Plan Details
- Backup Jobs
Kubernetes Engine
- List of Clusters
- List of Pod Security Policies
  Note
  This proof type is compatible only with Kubernetes version 1.22 or higher. If you use a lower version of Kubernetes, the proof will not be generated.
  Kubernetes has deprecated PodSecurityPolicies in version 1.21. See this Kubernetes article for information on migrating from PodSecurityPolicies to the built-in PodSecurity admission controller. Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.
- List of Workloads

Note

RDS Encryption proof can be collected for all instances.

Using EKS proof types

To use AWS EKS proof types, add IAM users or roles to your Amazon EKS cluster with the following command:

eksctl create iamidentitymapping --cluster  <clusterName> --region=<region> --arn arn:aws:iam::123456:role/your-role --group system:masters --username optional-name

For more information, please refer to the official AWS documentation.

Additional documentation

Note

You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need. Additionally, you can create multiple Hypersyncs for a single control or label.

The sections below provide additional information about connecting AWS to Hyperproof.

Connecting to AWS or AWS GovCloud via access keys

Below Access Key ID, enter your AWS Access Key ID.
Tip
IAM users have keys that provide access to proof stored in AWS. If you do not have IAM user credentials, a root user or an IAM administrator can create them. For steps on adding an AWS user with SecurityAudit access, see Creating a policy and adding an AWS Hypersync user.
If you use SSO, be sure to create an IAM user and not use the access keys provided for your SSO user, as those have session tokens associated with the keys that only allow access for a limited time.
For more information on creating an IAM user in your AWS account, see the official hypersyncs: aws-short documentation.
Below Secret Access Key, enter your AWS Secret Access Key.
Click Next.

Connecting via a cross-account role

Select the Cross Account Role radio button to connect to AWS via a cross-account role.
Note
To use the cross-account role option, your AWS administrator needs to set up an IAM role with the permissions needed to perform specific actions. For more information, see Creating a cross-account role in AWS.
Below ARN, enter your Role ARN.
Below External ID, enter your unique string ID.
Click Next.

Completing the connection process

The steps below apply to both access keys and cross-accounts.

Select the radio button that best suits how you want to identify AWS accounts.
- For a single AWS account, select Use the current account. Hyperproof assumes only the role ARN provided in the step above to fetch data.
- For a few AWS accounts, select Choose from a list of accounts , and then select the accounts to retrieve data from.
- For many AWS accounts, select Specify tags to identify accounts. Hyperproof finds all accounts matching the tag criteria and retrieves data from each one.
  - Using multiple key-value pairs of tags finds accounts with all of the specified tags, using a logical AND operation.
  - Entering the same key with different values finds accounts matching any of the values provided for a given key, using a logical OR operation.
  - See TagFilters query object for more details on finding resources by tags.
Click Next.

In this section:

AWS proof types and permissions

Note

Note

Note

Using EKS proof types

Additional documentation

Note

Connecting to AWS or AWS GovCloud via access keys

Tip

Connecting via a cross-account role

Note

Completing the connection process

Search results