Topics on this page
Set up cross region or cross account scans
One you have deployed your account scanner stack in an AWS region, you need to set up Amazon EventBridge to allow cross region scanner.
Your deployed account scanner stack must have the EnableCrossAccountScanning parameter set to 'true'.
Use the AWS web management console
For each region
Create a rule to send the S3 Object Created events to the EventBridge bus in the region where the account scanner stack deployed:
-
Open the Amazon EventBridge console.
-
Go to Rules and click Create rule.
-
Name the rule and select Rule with an event pattern type. Then click Next.
-
Select AWS events or EventBridge partner events in Event source.
-
Scroll down to the Event pattern panel. Select:
- AWS services in Event source
- Simple Storage Service (S3) in AWS service
- Amazon S3 Event Notification in Event type
- Specific event(s)
- Object Created event
-
Click Next.
-
Select EventBridge event bus in Target types, and select Event bus in a different account or Region in Target types. Enter the ARN of the default EventBridge bus in the region where the account scanner stack deployed.
-
Click Next.
-
(Optional) Configure the tags for this new rule and click Next.
-
Review the rule configuration and click Create rule.
For each bucket
Turn on the Send notifications to Amazon EventBridge for all events in this bucket feature to trigger the scanner Lambda function in the account scanner stack:
-
On the S3 bucket you want to add, go to the Properties tab, scroll to the Amazon EventBridge panel. Click Edit.
-
Turn the feature on and click Save changes.
-
Configure the bucket policy to allow the account scanner stack to scan and tag your objects.
If the S3 bucket is in the same AWS account as the account scanner stack, you can skip this step.
-
Go to the Permissions tab and click Edit in Bucket policy panel.
-
Paste the JSON below and fill the correct ARNs and the bucket name. Then click Save changes.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowScannerToScanFile",
"Effect": "Allow",
"Principal": {
"AWS": "<SCANNER_LAMBDA_EXECUTION_ROLE>"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::/*"
},
{
"Sid": "AllowPostScanActionLambdaToTagResult",
"Effect": "Allow",
"Principal": {
"AWS": "<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>"
},
"Action": "s3:PutObjectTagging",
"Resource": "arn:aws:s3:::/*"
},
{
"Sid": "PostScanActionLambdaQuarantineRequire-1",
"Effect": "Allow",
"Principal": {
"AWS": "<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::/*"
},
{
"Sid": "PostScanActionLambdaQuarantineRequire-2",
"Effect": "Allow",
"Principal": {
"AWS": "<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>"
},
"Action": "s3:GetObjectTagging",
"Resource": "arn:aws:s3:::/*"
},
{
"Sid": "PostScanActionLambdaQuarantineRequire-3",
"Effect": "Allow",
"Principal": {
"AWS": "<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>"
},
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::/*"
}
]
}
Where:
- SCANNER_LAMBDA_EXECUTION_ROLE is replaced with the ARN of the scanner Lambda function in the account scanner stack.
- POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE is replaced with the ARN of the post-scan-action Lambda function in the account scanner stack. BUCKET_NAME is replaced with the name of the scan bucket.
You can now test the scanner by uploading some files and viewing the scan results.
Use the AWS CLI
For each region
You need to create an IAM role and a rule to send the S3 Object Created events to the EventBridge bus in the region where the account scanner stack deployed:
1. Create the IAM role that is used to invoke the rule:
aws iam create-role --role-name --assume-role-policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\": \"events.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}"
aws iam put-role-policy --role-name --policy-name --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"events:PutEvents\"],\"Resource\":[\"\"]}]}"
Where:
- ROLE_FOR_EVENT_BRIDGE_RULE is replaced with the name of the new IAM role. You can use any name. Example:
eventbridge-bus-forward-to-another-default-bus-role
- POLICY_NAME is replaced with the name of the IAM policy. You can use any name. Example:
policy-allow-eventbridge-bus-put-events
- DEFAULT_EVENT_BRIDGE_BUS_ARN_IN_SCANNER_REGION is replaced with the ARN of the default bus in the region of account scanner stack.
2. Create the rule to forward S3 event notifications in this region to the region where the account scanner stack is deployed.
aws events put-rule --name <EVENT_BRIDGE_RULE_NAME> --event-pattern "{\"source\":[\"aws.s3\"],\"detail-type\":[\"Object Created\"]}"
aws events put-targets --rule <EVENT_BRIDGE_RULE_NAME> --targets "Id"="1","Arn"="<DEFAULT_EVENT_BRIDGE_BUS_ARN_IN_SCANNER_REGION>","RoleArn"="<ROLE_ARN_FOR_EVENT_BRIDGE_RULE>"
Where:
-
EVENT_BRIDGE_RULE_NAME is replaced with the name of the new EventBridge rule. You can use any name. Example: rule-to-forward-events-to-another-region
-
DEFAULT_EVENT_BRIDGE_BUS_ARN_IN_SCANNER_REGION is replaced with the ARN of the default bus in the region of account scanner stack.
-
ROLE_FOR_EVENT_BRIDGE_RULE is replaced with the name of the IAM role you just created in the previous step.
For each bucket
1. Turn on the Send notifications to Amazon EventBridge for all events in this bucket feature to trigger the scanner Lambda function in the account scanner stack.
aws s3api create-bucket --bucket <SCAN_BUCKET_NAME> --create-bucket-configuration LocationConstraint=<BUCKET_REGION>
aws s3api put-bucket-notification-configuration --bucket <SCAN_BUCKET_NAME> --notification-configuration='{ "EventBridgeConfiguration": {} }'
Where:
-
SCAN_BUCKET_NAME is replaced with the name of the new scan bucket. You can use any name. Example: scan-bucket-in-us-east-1
-
BUCKET_REGION is replaced with the name of the AWS region. Example: us-east-2
2. Configure the bucket policy to allow the account scanner stack to scan and tag your objects.
If your S3 buckets are in the same AWS account as the account scanner stack, you can skip this step.
aws s3api put-bucket-policy --bucket <SCAN_BUCKET_NAME> --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\": \"AllowScannerToScanFile\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"<SCANNER_LAMBDA_EXECUTION_ROLE>\"},\"Action\": \"s3:GetObject\",\"Resource\": \"arn:aws:s3:::<BUCKET_NAME>/*\"},{\"Sid\": \"AllowPostScanActionLambdaToTagResult\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>\"},\"Action\": \"s3:PutObjectTagging\",\"Resource\": \"arn:aws:s3:::<BUCKET_NAME>/*\"},{\"Sid\": \"PostScanActionLambdaQuarantineRequire-1\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>\"},\"Action\": \"s3:GetObject\",\"Resource\": \"arn:aws:s3:::<BUCKET_NAME>/*\"},{\"Sid\": \"PostScanActionLambdaQuarantineRequire-2\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>\"},\"Action\": \"s3:GetObjectTagging\",\"Resource\": \"arn:aws:s3:::<BUCKET_NAME>/*\"},{\"Sid\": \"PostScanActionLambdaQuarantineRequire-3\",\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"<POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE>\"},\"Action\": \"s3:DeleteObject\",\"Resource\": \"arn:aws:s3:::<BUCKET_NAME>/*\"}]}"
Where:
- SCAN_BUCKET_NAME is replaced with the name of the scan bucket you just created in the previous step.
- SCANNER_LAMBDA_EXECUTION_ROLE is replaced with the ARN of the scanner Lambda function in the account scanner stack.
- POST_SCAN_ACTION_LAMBDA_EXECUTION_ROLE is replaced with the ARN of the post-scan-action Lambda function in the account scanner stack.
Enable server-side encryption
You only need these steps if you are deploying the AWS KMS keys in a different AWS account from the account scanner stack.
For SQS queues
To enable server-side encryption for SQS queues in the account scanner stack, you must update the key policy of the KMS key using for SQS queues encryption in the AWS console:
1. Get the ARNs of the execution roles of the scanner, scanner dead-letter, and post-scan-action dead-letter Lambda functions.
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
ScannerExecutionRoleARN].OutputValue[]'
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
ScannerDeadLetterExecutionRoleARN].OutputValue[]'
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
PostScanActionDeadLetterExecutionRoleARN].OutputValue[]'
2. Add two Statement objects in the key policy.
{ "Sid": "Grant encrypt permission", "Effect": "Allow", "Principal": { "AWS": <ScannerExecutionRoleARN> }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" }
{ "Sid": "Grant decrypt permission", "Effect": "Allow", "Principal": { "AWS": [ <ScannerDeadLetterExecutionRoleARN>, <PostScanActionDeadLetterExecutionRoleARN> ] }, "Action": [ "kms:Decrypt" ], "Resource": "*" }
3. Update the key policy.
aws kms put-key-policy --policy-name key-policy --key-id <KMS_KEY_ID> --policy file://key_policy.json
For the SNS topic
To enable server-side encryption for the SNS topic in the account scanner stack, you must update the key policy of the KMS key using for SNS topic encryption in AWS console:
1. Get the ARNs of the execution roles of scanner, scanner dead-letter, and post-scan-action Lambda functions.
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
ScannerExecutionRoleARN].OutputValue[]'
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
ScannerDeadLetterExecutionRoleARN].OutputValue[]'
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
PostScanActionExecutionRoleARN].OutputValue[]'
2. Add one Statement object in the key policy.
{ "Sid": "Grant encrypt permission", "Effect": "Allow", "Principal": { "AWS": [ <ScannerExecutionRoleARN>, <ScannerDeadLetterExecutionRoleARN>, <PostScanActionExecutionRoleARN> ] }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" }
3. Update the key policy.
aws kms put-key-policy --policy-name key-policy --key-id <KMS_KEY_ID> --policy file://key_policy.json
For your buckets
To enable server-side encryption for your buckets, you must update the key policy of the KMS key using for buckets encryption in AWS console.
1. Get the ARNs of the execution roles of the scanner, scanner dead-letter, and post-scan-action Lambda functions.
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
ScannerExecutionRoleARN].OutputValue[]'
aws cloudformation describe-stacks --stack-name <ACCOUNT_SCANNER_STACK_NAME> --query 'Stacks[*].Outputs[?OutputKey==
PostScanActionExecutionRoleARN].OutputValue[]'
2. Add one Statement object in the key policy.
{ "Sid": "Grant encrypt permission", "Effect": "Allow", "Principal": { "AWS": [
3. Update the key policy.
aws kms put-key-policy --policy-name key-policy --key-id <KMS_KEY_ID> --policy file://key_policy.json