What access do you have to my account?
If you’re considering adding a third party tool to your account it’s a good idea to understand the level of access that tool has to your AWS accounts and your data. In the case of Corrected Cloud, we do everything we can to minimise the level of access we have to your environment.
In order for Corrected Cloud to produce useful findings, we need metadata about your environment. We need to know what resources you have in your account, and how they are configured. This would include items such as the existence of a database instance, the name of that database instance, the IP address used by the instance and the tags associated with it. We do not have any access at all to the data contained in the database.
Below, we have tried to include as full details as possible on what permissions we have. For the most complete technical details on how we implement this, please see a sample template.
Account data
We use two methods to discover the resources in your accounts, which can be categorized as push and pull.
Pull is when we make calls to the AWS APIs requesting information about the resources in your account. We do this when a new account is added to Corrected Cloud, and then infrequently afterwards. To do this, we use the AWS prescribed method of having a role in your account which we can assume. This role is configured with an ‘External ID’ which is specified by us and unique to each customer. We are very careful to ensure we not only do not look at any data in your account, but that we do not have access permissions to do so.
Push is when your account sends details of configuration updates to our API. Amazon provide logging of all configuration events via a service they call CloudTrail. We use another service, AWS EventBridge, to send all CloudTrail events relating to configuration updates to our API via HTTPS in real time. This is our primary mechanism for evaluating your infrastructure, and allows us to generate alerts within seconds of a problem being introduced.
For customers who are particularly sensitive about even metadata leaving their environments, we are able to provide a solution fully deployed inside your own AWS environment. For further details, please speak to our enterprise sales team.
Corrected Cloud Provisioning
In order to configure the role for us to assume, and appropriate AWS EventBridge rules to forward change events to our API, we provide a CloudFormation template which we generate based on your usage scenario.
You provision this template using your credentials - this avoids the requirement for Corrected Cloud to have any sort of ability to create resources in your account.
Because CloudTrail events are regional we need to configure EventBridge rules in each AWS region. To facilitate this, the CloudFormation template we provide creates a CloudFormation Stack Set, which then deploys a further CloudFormation template in each region. Depending on the type of deployment being used, the first template may include roles to deploy these further CloudFormation templates. These roles are used only by the CloudFormation Stack Set, and are not accessible by Corrected Cloud.
An organisation wide template can be generated - in this case the template should be deployed to the AWS Organizations root account, which will then deploy this to either all accounts, or all accounts under the specified Organizational Units. This has the advantage of ensuring that newly created AWS accounts are automatically protected by Corrected Cloud.