
AWS

Connect your AWS infrastructure to Ciphrix using IAM user credentials for automated compliance monitoring.

Capabilities

The AWS integration provides the following capabilities:

✅ Compliance Checks

Automatically verify security configurations and compliance controls across your AWS infrastructure including:

🔄 Import Asset (Coming Soon)

Automatically import and track AWS resources as assets in your Ciphrix inventory.

How to Connect AWS

Prerequisites

Before connecting AWS, ensure you have:

  • AWS account with administrative access
  • Permissions to create IAM users and policies
  • Access to AWS Management Console

Connection Instructions

Step 1: Create an IAM User in AWS

  1. Log in to AWS Console

  2. Navigate to IAM Service

    • In the AWS Console, search for "IAM" in the search bar
    • Click on IAM (Identity and Access Management)
  3. Create a New User

    • In the left sidebar, click Users
    • Click the Create user button
    • Enter a username (e.g., ciphrix-integration)
    • Click Next
  4. Set Permissions

    • Select Attach policies directly
    • Search for and select the following policies:
      • ReadOnlyAccess (AWS managed; read-only access is all the compliance checks need)
      • The custom deny policy shown under IAM Policies Applied below. A customer managed policy must exist before it can be attached: if you have not created it yet, go to IAM > Policies > Create policy, paste the JSON on the JSON tab, give it a name (e.g., ciphrix-deny-data-plane), then return to this step and select it
    • Click Next
  5. Review and Create

    • Review the user configuration
    • Click Create user

Step 2: Generate Access Keys

  1. Access the User Details

    • After creating the user, click on the username to view details
    • Or navigate to IAM > Users and click on the user you just created
  2. Create Access Keys

    • Click on the Security credentials tab
    • Scroll down to Access keys section
    • Click Create access key
  3. Select Use Case

    • Choose Third-party service
    • Check the confirmation box
    • Click Next
  4. Add Description (Optional)

    • Add a description tag (e.g., "Ciphrix Integration")
    • Click Create access key
  5. Save Your Credentials

    • Access Key ID: Copy and save this value
    • Secret Access Key: Copy and save this value
    • ⚠️ Important: This is the only time you can view the secret access key. Store it in a password manager or secrets vault, not in a shared document or chat
    • Click Download .csv file if you want a backup, and delete the file once the credentials are entered in Ciphrix: the CSV holds the secret in plain text
    • Click Done

Step 3: Add AWS Integration in Ciphrix

You have two options to create the AWS connection in Ciphrix:

Option A: From Integration Library
  1. Navigate to Integration Library

    • Log in to ciphrix.app
    • Go to Integrations in the sidebar
    • Go to the Integration Library tab
    • Click on the Cloud Infrastructure category
  2. Connect AWS

    • Click the Connect button on the AWS integration tile
  3. Fill Integration Form

    • Connection Name: Enter a name for this connection (e.g., "Production AWS Account")
    • Connection Identifier: Enter the 12-digit AWS account number (e.g. 123456789123)
    • Credential Identifier: Enter the name of the IAM User (e.g. 'ciphrix-integration')
    • Access Key: Paste the Access Key ID from Step 2
    • Secret Key: Paste the Secret Access Key from Step 2
    • Region: Select the AWS regions you want to monitor
    • Select Items: Select the AWS capabilities in Ciphrix you want to enable. Compliance checks are enabled by default
  4. Create Connection

    • Click Create Connection
    • Wait for the connection to be validated
Option B: From Create Connection
  1. Navigate to Create Connection

    • Log in to ciphrix.app
    • Go to Integrations in the sidebar
    • Click Create Connection
  2. Select AWS

    • From the connection provider dropdown, select Amazon Web Services
  3. Fill Integration Form

    • Connection Name: Enter a name for this connection (e.g., "Production AWS Account")
    • Connection Identifier: Enter the 12-digit AWS account number (e.g. 123456789123)
    • Credential Identifier: Enter the name of the IAM User (e.g. 'ciphrix-integration')
    • Access Key: Paste the Access Key ID from Step 2
    • Secret Key: Paste the Secret Access Key from Step 2
    • Region: Select the AWS regions you want to monitor
    • Select Items: Select the AWS capabilities in Ciphrix you want to enable. Compliance checks are enabled by default
  4. Create Connection

    • Click Create or Save
    • Wait for the connection to be validated

Step 4: Verify Connection

  1. Check Connection Status

    • After creating the connection, you'll see the integration status
    • Status should show Connected or Active
  2. Initial Scan

    • Ciphrix starts scanning your AWS infrastructure automatically once the connection is validated
    • Scans then run once a week
    • Contact support@ciphrix.com to find out your next scheduled scan date
    • Compliance checks run automatically
  3. View Results

    • Navigate to Monitoring
    • View compliance check results and findings

IAM Policies Applied

The IAM user you create for Ciphrix carries the following policies for compliance monitoring. Add further Deny statements for any services you do not want Ciphrix to reach:

Managed Policy

  • ReadOnlyAccess - AWS managed policy providing read-only access to AWS services

Custom Deny Policy

To keep Ciphrix away from your data, the user also carries a customer managed policy that explicitly denies sensitive data-plane operations. ReadOnlyAccess allows several of these (S3 object reads, DynamoDB queries and scans, CloudWatch log reads), and an explicit Deny overrides that Allow:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3GetAndList",
      "Effect": "Deny",
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "*"
    },
    {
      "Sid": "DenyDynamoDBRead",
      "Effect": "Deny",
      "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"],
      "Resource": "*"
    },
    {
      "Sid": "DenySecretsManagerView",
      "Effect": "Deny",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "*"
    },
    {
      "Sid": "DenyKMSDecrypt",
      "Effect": "Deny",
      "Action": ["kms:Decrypt"],
      "Resource": "*"
    },
    {
      "Sid": "DenyLogsRead",
      "Effect": "Deny",
      "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
      "Resource": "*"
    }
  ]
}

With both policies attached, Ciphrix:

  • ✅ Can read resource configurations and metadata for compliance checks
  • ❌ Cannot access actual data stored in S3 buckets
  • ❌ Cannot read data from DynamoDB tables
  • ❌ Cannot view secrets from Secrets Manager
  • ❌ Cannot decrypt KMS-encrypted data
  • ❌ Cannot read CloudWatch log contents

The deny list covers only the actions named above. ReadOnlyAccess grants many more read actions, some of which return data rather than configuration, so review it against the services you run and add Deny statements where needed. Anything you deny is also unavailable to the compliance checks, so deny data-plane reads, not the Describe and Get-configuration calls the checks depend on.
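The console procedure in Steps 1 and 2 and the policy shown above, as an added example that is not Ciphrix's own code: a Python script that lints the deny policy locally (IAM-style wildcard matching, a check that the listed data-plane reads are denied and that configuration reads are not, and a helper for extending the list to further services), and an optional function that performs Steps 1 and 2 through the IAM API. The policy name ciphrix-deny-data-plane, the DATA_PLANE_READS and REQUIRED_READS lists, and the availability of boto3 for the provisioning step are assumptions; the ReadOnlyAccess ARN is the real AWS managed policy.

```python
"""Added example (not Ciphrix tooling): lint the page's custom deny policy
locally, then optionally perform console Steps 1 and 2 through the IAM API.
Hypothetical: DENY_POLICY_NAME, DATA_PLANE_READS and REQUIRED_READS."""
import fnmatch
import json

USER_NAME = "ciphrix-integration"             # user name used on the page
DENY_POLICY_NAME = "ciphrix-deny-data-plane"  # assumption: any name works
READ_ONLY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy

# Copy of the page's custom deny policy as a dict.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyS3GetAndList", "Effect": "Deny", "Resource": "*",
         "Action": ["s3:GetObject", "s3:GetObjectVersion",
                    "s3:ListBucket", "s3:GetBucketLocation"]},
        {"Sid": "DenyDynamoDBRead", "Effect": "Deny", "Resource": "*",
         "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                    "dynamodb:Query", "dynamodb:Scan"]},
        {"Sid": "DenySecretsManagerView", "Effect": "Deny", "Resource": "*",
         "Action": ["secretsmanager:GetSecretValue"]},
        {"Sid": "DenyKMSDecrypt", "Effect": "Deny", "Resource": "*",
         "Action": ["kms:Decrypt"]},
        {"Sid": "DenyLogsRead", "Effect": "Deny", "Resource": "*",
         "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"]},
    ],
}

# Constructed lists: data-plane reads that must stay denied, and configuration
# reads a compliance check plausibly needs (if one is denied, the policy is too broad).
DATA_PLANE_READS = ["s3:GetObject", "dynamodb:Scan", "secretsmanager:GetSecretValue",
                    "kms:Decrypt", "logs:GetLogEvents"]
REQUIRED_READS = ["s3:GetBucketPolicy", "s3:GetEncryptionConfiguration",
                  "ec2:DescribeSecurityGroups", "iam:GetAccountPasswordPolicy",
                  "dynamodb:DescribeTable", "logs:DescribeLogGroups"]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied(policy, action):
    """True if a Deny statement covers `action`. Models only Resource '*'
    statements without Condition (all this policy uses); an explicit Deny
    overrides any Allow, so a hit blocks the action despite ReadOnlyAccess."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(action_matches(p, action) for p in patterns):
            return True
    return False


def lint_policy(policy, must_deny, must_allow):
    """Return problems: data-plane actions left undenied, and required
    read actions the policy would block. An empty list means clean."""
    problems = [f"not denied: {a}" for a in must_deny if not is_denied(policy, a)]
    problems += [f"denied but required: {a}" for a in must_allow if is_denied(policy, a)]
    return problems


def add_deny(policy, sid, actions):
    """Copy of `policy` with one more Resource '*' Deny statement appended."""
    new = json.loads(json.dumps(policy))
    new["Statement"].append({"Sid": sid, "Effect": "Deny",
                             "Action": list(actions), "Resource": "*"})
    return new


def provision(user_name=USER_NAME, policy=DENY_POLICY):
    """Steps 1 and 2 via the API: create the user, attach ReadOnlyAccess and
    the deny policy, mint one access key. Needs boto3 plus admin credentials;
    boto3 is imported lazily so the checks above run offline."""
    import boto3
    iam = boto3.client("iam")
    account = boto3.client("sts").get_caller_identity()["Account"]
    iam.create_user(UserName=user_name)
    deny_arn = iam.create_policy(PolicyName=DENY_POLICY_NAME,
                                 PolicyDocument=json.dumps(policy))["Policy"]["Arn"]
    iam.attach_user_policy(UserName=user_name, PolicyArn=READ_ONLY_ARN)
    iam.attach_user_policy(UserName=user_name, PolicyArn=deny_arn)
    key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # The four values the Ciphrix form asks for; the secret is returned only once.
    return {"connection_identifier": account, "credential_identifier": user_name,
            "access_key": key["AccessKeyId"], "secret_key": key["SecretAccessKey"]}


if __name__ == "__main__":  # provision() is left to an explicit, deliberate call
    print(lint_policy(DENY_POLICY, DATA_PLANE_READS, REQUIRED_READS) or "policy lints clean")
```

Run the script as-is to lint the policy; call provision() only once the lint returns an empty list and administrative credentials are configured, then paste the returned values into the Ciphrix form. To extend the deny list, pass the new statement through add_deny and re-lint, so that a pattern such as ssm:GetParameter* does not accidentally cover a configuration read the checks need.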

Troubleshooting

Connection Failed

Issue: The connection fails validation, or connects but shows permission errors

  • Verify the Access Key ID and Secret Access Key are correct
  • Ensure there are no extra spaces when copying credentials
  • Check that the IAM user has the required policies attached
  • Verify the IAM user is active and not disabled
  • Ensure no Service Control Policies (SCPs) are restricting access

No Data Appearing

Issue: Integration connected but no compliance data showing for more than 7 days

Access Key Deactivated

Issue: Integration was working but now fails

  • Check if the access key was deactivated in AWS
  • Verify the IAM user still exists and is active
  • Regenerate access keys if needed and update in Ciphrix

Support

Need help with AWS integration?