Scan Amazon EC2 for secrets

Beta feature

This feature is currently available as a beta release. Beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features with production workflows, as features may not function seamlessly and you may encounter unexpected issues.

Connect Amazon Elastic Compute Cloud (EC2) as a data source to HCP Vault Radar to scan your Amazon EC2 instances for sensitive data and secrets.

If you are new to HCP Vault Radar, checkout the HCP Vault Radar quickstart tutorial series.

Note

Amazon EC2 scanning requires a deployed Vault Radar agent. HCP-managed scanning is not supported for this data source type.

Prerequisites

To establish a connection, you need the following:

An AWS account with one or more running Amazon EC2 instances.
An authentication method for Vault Radar to access your AWS account. You can use either of the following:
- An IAM role that Vault Radar can assume (recommended).
- AWS credentials (access key ID and secret access key) provided through environment variables.
Each Amazon EC2 instance you want to scan must have an IAM instance profile with the arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore policy attached, and the SSM agent must be installed and running. Vault Radar scans instances by creating a temporary AMI, launching a scanner instance using that AMI, and running scan commands on it via SSM.

An IAM policy attached to the role or user that grants the permissions Vault Radar needs to discover and scan Amazon EC2 instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "ec2:DescribeRegions",
                "ec2:DescribeInstances",
                "ec2:CreateImage",
                "ec2:DescribeImages",
                "ec2:DeregisterImage",
                "ec2:DeleteSnapshot",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ssm:SendCommand",
                "ssm:GetCommandInvocation",
                "ssm:DescribeInstanceInformation",
                "ssm:PutParameter",
                "ssm:DeleteParameter"
            ],
            "Resource": "*"
        }
    ]
}

Refer to AWS Authentication for more information about the available authentication methods.

Connection limit

Vault Radar discovers Amazon EC2 instances in the running state across all enabled regions in your AWS account.

Add an AWS Amazon EC2 data source

Log into the HCP Portal with an HCP IAM user that has the HCP owner or admin role.
Click Vault Radar.
Click Settings.
Click Data Sources.
Select HCP Vault Radar Agent Scan.
Click on the AWS EC2 button.
Select an authentication method from the Select authentication method dropdown:
- IAM Role (Recommended)
- AWS Credentials from environment variable
Provide the credentials for the selected authentication method:
- If you selected IAM Role (Recommended), optionally enter an IAM role ARN in the Assume role ARN field for cross-account access or elevated permissions. For example, arn:aws:iam::123456789012:role/role-name.
- If you selected AWS Credentials from environment variable, choose whether to use the default environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY). To use different variables, clear Use default environment variables and enter the environment variable references in the AWS Access Key ID and AWS Secret Access Key fields, for example, env://AWS_ACCESS_KEY_ID. Optionally, enter an Assume role ARN if Vault Radar should assume a role after authenticating with the provided credentials.
Click Next.
Select either All active instances or Select instances to monitor.
Click Finish to start onboarding and scanning the selected instances.

Assign a group to a resource

Once you add a data source, an HCP user with the admin role must assign a group to each of the monitored resources within each data source. You can assign each resource to only one group.

Note

Users with the HCP IAM admin role do not need to be a member of other groups. Accounts with the admin role have full access to Vault Radar.

If you do not already have a group, refer to the Identity and Access Management groups documentation to create a group.

Navigate to the Project dashboard.
Click Access control (IAM).
Click Add new assignment.
Search the name of the group in the Search for an assignee search field.
Click the group name in the search results.
Click the Select service pulldown menu and select Vault Radar.
Click the Select role pulldown menu and select the Vault Radar Developer role.
Click Save.
Click Back to Dashboard.
Click Vault Radar.
Click Resources.
Select the resource you want to assign to a group and click Assign groups.
Click the Assign resoruce to group pulldown menu.
Select the group that requires access to the resource.
Select either the Viewer or Contributor role.
Click OK.

Update data source

Navigate to Settings.
Click Data Sources
Click the vertical ellipsis to the right of the data source..
To update the monitored data sources, click Edit data sources.
To update the token, click Edit data source host details.
To delete the data source host, click Delete data source host.

Tutorials

Learn how to evaluate and implement HCP Vault Radar in your environment with our tutorials.

HCP Vault Radar quickstart - Follow HashiCups, a fictitious coffee company, as they onboard HCP Vault Radar and scan their data sources for secrets.
HCP Vault Radar operations - Learn how HashiCups operations team uses HCP Vault Radar advanced features to scan data sources with the Vault Radar agent, and correlates findings with HCP Vault to manage secrets.
HCP Vault Radar developer - Learn how HashiCups developers use HCP Vault Radar advanced features to understand secret exposure, identify potential risks, and prevent leaked secrets during the software development lifecycle.