HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Scan Amazon EBS for secrets

Beta feature

This feature is currently available as a beta release. Beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features with production workflows, as features may not function seamlessly and you may encounter unexpected issues.

Connect Amazon Elastic Block Store (EBS) as a data source to HCP Vault Radar to scan your Amazon EBS volumes for sensitive data and secrets.

If you are new to HCP Vault Radar, checkout the HCP Vault Radar quickstart tutorial series.

Note

Amazon EBS scanning requires a deployed Vault Radar agent. HCP-managed scanning is not supported for this data source type.

Prerequisites

To establish a connection, you need the following:

  • An AWS account with one or more Amazon EBS volumes in the available or in-use state.

  • A deployed Vault Radar agent.

  • An authentication method for Vault Radar to access your AWS account. You can use either of the following:

    • An IAM role that Vault Radar can assume (recommended).
    • AWS credentials (access key ID and secret access key) provided through environment variables.

  • An IAM policy attached to the role or user that grants the permissions Vault Radar needs to discover and scan Amazon EBS volumes.

    Vault Radar scans Amazon EBS volumes without modifying the source volume. For each volume, it creates a temporary snapshot, launches a temporary scanner instance, attaches a clone of the snapshot, and removes all temporary resources after the scan completes.

    The following EC2 and SSM permissions are required:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "ec2:DescribeRegions",
                "ec2:DescribeVolumes",
                "ec2:CreateSnapshot",
                "ec2:DescribeSnapshots",
                "ec2:DeleteSnapshot",
                "ec2:RunInstances",
                "ec2:DescribeInstances",
                "ec2:TerminateInstances",
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:DeleteVolume",
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ssm:DescribeInstanceInformation",
                "ssm:GetParameter"
            ],
            "Resource": "*"
        }
    ]
}

    If you want Vault Radar to automatically create and manage the scanner IAM role and instance profile, add the following IAM permissions:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": "*"
        }
    ]
}

    If you prefer to manage the scanner role yourself, create an instance profile with the arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore policy attached and provide the profile name during connection setup.

    Refer to AWS Authentication for more information about the available authentication methods.

Add an Amazon EBS data source

  1. Log into the HCP Portal with an HCP IAM user that has the HCP owner or admin role.

  2. Click Vault Radar.

  3. Click Settings.

  4. Click Data Sources.

  5. Select HCP Vault Radar Agent Scan.

  6. Click the AWS EBS button.

  7. Select an authentication method from the Select authentication method dropdown:

    • IAM Role (Recommended)
    • AWS Credentials from environment variable

  8. Provide the credentials for the selected authentication method:

    • If you selected IAM Role (Recommended), optionally enter an IAM role ARN in the Assume role ARN field for cross-account access or elevated permissions. For example, arn:aws:iam::123456789012:role/role-name.

    • If you selected AWS Credentials from environment variable, choose whether to use the default environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY). To use different variables, clear Use default environment variables and enter the environment variable references in the AWS Access Key ID and AWS Secret Access Key fields, for example, env://AWS_ACCESS_KEY_ID. Optionally, enter an Assume role ARN if Vault Radar should assume a role after authenticating with the provided credentials.

  9. Click Next.

  10. Select either All active volumes or Select volumes to monitor.

  11. Click Finish to start onboarding and scanning the selected volumes.

Assign a group to a resource

Once you add a data source, an HCP user with the admin role must assign a group to each of the monitored resources within each data source. You can assign each resource to only one group.

Note

Users with the HCP IAM admin role do not need to be a member of other groups. Accounts with the admin role have full access to Vault Radar.

If you do not already have a group, refer to the Identity and Access Management groups documentation to create a group.

  1. Navigate to the Project dashboard.

  2. Click Access control (IAM).

  3. Click Add new assignment.

  4. Search the name of the group in the Search for an assignee search field.

  5. Click the group name in the search results.

  6. Click the Select service pulldown menu and select Vault Radar.

  7. Click the Select role pulldown menu and select the Vault Radar Developer role.

  8. Click Save.

  9. Click Back to Dashboard.

  10. Click Vault Radar.

  11. Click Resources.

  12. Select the resource you want to assign to a group and click Assign groups.

  13. Click the Assign resoruce to group pulldown menu.

  14. Select the group that requires access to the resource.

  15. Select either the Viewer or Contributor role.

  16. Click OK.

Update data source

  1. Navigate to Settings.

  2. Click Data Sources

  3. Click the vertical ellipsis to the right of the data source..

  4. To update the monitored data sources, click Edit data sources.

  5. To update the token, click Edit data source host details.

  6. To delete the data source host, click Delete data source host.

Tutorials

Learn how to evaluate and implement HCP Vault Radar in your environment with our tutorials.

  • HCP Vault Radar quickstart - Follow HashiCups, a fictitious coffee company, as they onboard HCP Vault Radar and scan their data sources for secrets.
  • HCP Vault Radar operations - Learn how HashiCups operations team uses HCP Vault Radar advanced features to scan data sources with the Vault Radar agent, and correlates findings with HCP Vault to manage secrets.
  • HCP Vault Radar developer - Learn how HashiCups developers use HCP Vault Radar advanced features to understand secret exposure, identify potential risks, and prevent leaked secrets during the software development lifecycle.
Edit this page on GitHub