Connecting Amazon Web Services (aka "AWS") to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.
Prerequisites
AWS Account Access:
You must have sufficient permissions to create new roles in your company's AWS account. Typically, this requires admin access or appropriate IAM permissions to create and manage roles.
Service Control Policies (SCP) with region restrictions:
If the AWS account you are connecting to has a Service Control Policy (SCP) with region restrictions, be prepared to configure the allowed region details for the connection to avoid test errors.
Access AWS connection within Drata
Go to Drata.
Select Connections on the side navigation menu.
Select the Available connections tab and then search for and select 'AWS'.
On the AWS connection drawer, follow the instructions to set up the connection, enter the Role ARN, and choose an Allowed regions option. Both settings are explained in the following sections.
Tip: Use the copy button to copy the long strings (the External ID and the Role ARN) exactly; a single mistyped character makes the role assumption fail.
Create and enter the role ARN into Drata
In the following steps, learn how to create a role and attach a policy to that role with defined permissions. This role will enable Drata to perform read-only audits of your AWS infrastructure for compliance purposes.
Create the role:
Log in to the AWS Console with an account that has access to create a new role.
Navigate to the IAM service.
Select the Roles in the sidebar.
Select the Create role button, then the Another AWS account button.
Use the following values to fill out the form:
Account ID:
269135526815
Require external ID: Check this box and enter the Drata External ID (found in the AWS connection drawer in Drata) in the External ID field. The external ID is a value Drata must present whenever it assumes the role; it prevents anyone else who knows your role ARN from using Drata to assume the role on your behalf (the confused-deputy problem).
Note: Do not check the Require MFA checkbox. Drata assumes the role programmatically and cannot present an MFA code, so an MFA condition on the trust policy would make the connection fail.
Select the Next: Permissions button.
In the Attach permissions policies section, search for SecurityAudit, the AWS managed policy that grants the read-only access needed for security audits, and select its checkbox.
Select the Next: Tags button. Optionally add tags if your company uses them.
Select the Next: Review button.
Copy and paste the fields below into the form, then select the Create role button. Ensure that the value for Role Name is copied exactly as listed below.
Role Name:
DrataAutopilotRole
Role Description:
Cross-account read-only access for Drata Autopilot
Enter the role into Drata:
Select the role you just created; it should be named DrataAutopilotRole. Copy the Role ARN from the role's summary page and paste it into the Role ARN field of the AWS connection drawer in Drata.
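The console steps above produce a trust policy on the role. As an added example (not Drata's code or an official Drata artifact), the following Python builds the equivalent trust policy document, which can be passed to aws iam create-role --assume-role-policy-document, and reviews an existing role's trust policy (the AssumeRolePolicyDocument that aws iam get-role returns) for the three things that matter here: the only trusted principal is the Drata account, the sts:ExternalId condition is present and matches, and no MFA condition is attached. The external ID used in the example is a constructed placeholder, not a real one.

```python
import json

# Values taken from the steps above.
DRATA_ACCOUNT_ID = "269135526815"
ROLE_NAME = "DrataAutopilotRole"
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def build_trust_policy(external_id, partner_account_id=DRATA_ACCOUNT_ID):
    """Trust policy equivalent to the console choices above:
    'Another AWS account', 'Require external ID' checked, 'Require MFA' unchecked."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, external_id, partner_account_id=DRATA_ACCOUNT_ID):
    """Review a role's trust policy (parsed AssumeRolePolicyDocument). Returns a
    list of findings; an empty list means the trust relationship matches what
    the steps above are meant to produce."""
    findings = []
    expected_principals = {f"arn:aws:iam::{partner_account_id}:root", partner_account_id}
    assume_stmts = [
        s for s in _as_list(doc.get("Statement", []))
        if s.get("Effect") == "Allow"
        and set(_as_list(s.get("Action", []))) & {"sts:AssumeRole", "sts:*"}
    ]
    if not assume_stmts:
        return ["no Allow statement grants sts:AssumeRole"]
    for i, stmt in enumerate(assume_stmts):
        principal = stmt.get("Principal", {})
        # Principal is either a dict ({"AWS": ...}) or the bare string "*".
        aws_principals = (
            set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else {principal}
        )
        if "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal lets any AWS account attempt AssumeRole")
        unexpected = aws_principals - expected_principals - {"*"}
        if unexpected:
            findings.append(f"statement {i}: principal(s) other than the Drata account: {sorted(unexpected)}")
        cond = stmt.get("Condition") or {}
        got_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if got_ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif got_ext != external_id:
            findings.append(f"statement {i}: sts:ExternalId differs from the value shown in Drata")
        # Any condition operator (Bool, BoolIfExists, ...) keyed on MFA breaks an automated assumer.
        if any("aws:MultiFactorAuthPresent" in keys for keys in cond.values()):
            findings.append(f"statement {i}: MFA condition present; an automated assumer cannot satisfy it")
    return findings


if __name__ == "__main__":
    # Constructed placeholder external ID; use the one shown in the Drata drawer.
    print(json.dumps(build_trust_policy("example-external-id-from-drata"), indent=2))
```

To create the role from the CLI instead of the console, save the printed document to trust.json and run aws iam create-role --role-name DrataAutopilotRole --assume-role-policy-document file://trust.json --description "Cross-account read-only access for Drata Autopilot", then aws iam attach-role-policy --role-name DrataAutopilotRole --policy-arn arn:aws:iam::aws:policy/SecurityAudit. To review a role that already exists, pass the Role.AssumeRolePolicyDocument object from aws iam get-role --role-name DrataAutopilotRole to check_trust_policy together with the External ID from Drata.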
Configure allowed region for SCP
If the AWS account you are connecting to has a Service Control Policy (SCP) with region restrictions:
Within Drata's AWS connection drawer, select Specific regions under Allowed regions, then choose the regions the SCP permits.
If the account has no region restrictions, select All active regions.
Verify SCP Region Restrictions for the Account
You can verify the appropriate regions through the AWS console:
Navigate to the AWS Console.
In the services menu, search for and select Organizations.
In the Accounts section, find and select the account you are connecting to Drata.
Under the account details, open the Policies tab and find the Service Control Policies (SCPs) section to view the policies attached to the account.
Select each SCP to view its policy document and look for a Condition element on the aws:RequestedRegion key. The array under that key lists the allowed regions. In the usual region-restriction pattern the statement has Effect Deny with a StringNotEquals condition, so the regions listed are the ones that remain allowed. Select those regions in the AWS connection drawer in Drata.
Alternatively, you can use the AWS CLI to find these details:
List the SCPs attached to the account:
aws organizations list-policies-for-target --target-id <account-id> --filter SERVICE_CONTROL_POLICY
Using the Id of each policy from the previous command, get the details of each policy:
aws organizations describe-policy --policy-id <policy-id>
In the output, the policy document is the Content field (a JSON string). Inspect its Condition elements for aws:RequestedRegion to find the list of allowed regions.
SCPs attached to the account's parent organizational units and to the organization root also apply to the account, so repeat both commands with each ancestor's ID as the --target-id (aws organizations list-parents --child-id <account-id> returns the immediate parent).
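Reading the allowed regions out of several SCPs by hand is error-prone, so here is an added example (not Drata's code) that takes the parsed output of aws organizations describe-policy for each applicable SCP and computes the regions to select under Specific regions. It handles the two allowlist shapes (Deny with StringNotEquals, Allow with StringEquals) and an explicit denylist (Deny with StringEquals), intersecting allowlists across policies. The two policies embedded below are constructed samples shaped like describe-policy output; their names and region lists are assumptions, not policies from the page.

```python
import json


def _as_list(value):
    # Condition values may be a single region string or a list of regions.
    return value if isinstance(value, list) else [value]


def _intersect(current, new):
    return new if current is None else current & new


def scp_region_sets(content):
    """Take one SCP document (the Policy.Content JSON string from describe-policy,
    or an already parsed dict) and return (allowed, denied): regions named in its
    aws:RequestedRegion conditions. allowed is None if the policy has no allowlist."""
    doc = json.loads(content) if isinstance(content, str) else content
    allowed, denied = None, set()
    for stmt in _as_list(doc.get("Statement", [])):
        effect = stmt.get("Effect")
        cond = stmt.get("Condition") or {}
        not_in = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
        is_in = cond.get("StringEquals", {}).get("aws:RequestedRegion")
        if effect == "Deny" and not_in is not None:
            # "Deny everything unless the region is in this list": AWS's documented
            # region-restriction SCP. The list is the allowlist.
            allowed = _intersect(allowed, set(_as_list(not_in)))
        if effect == "Allow" and is_in is not None:
            # Allowlist written the other way round: only these regions are allowed.
            allowed = _intersect(allowed, set(_as_list(is_in)))
        if effect == "Deny" and is_in is not None:
            # Explicit denylist: these regions must be removed from the selection.
            denied |= set(_as_list(is_in))
    return allowed, denied


def regions_for_drata(describe_policy_outputs):
    """Combine the describe-policy output of every SCP that applies to the account.
    Returns (allowed, denied) as sorted lists; allowed is None when no SCP names an
    allowlist (choose All active regions unless denied is non-empty)."""
    allowed, denied = None, set()
    for out in describe_policy_outputs:
        a, d = scp_region_sets(out["Policy"]["Content"])
        if a is not None:
            allowed = _intersect(allowed, a)
        denied |= d
    if allowed is None:
        return None, sorted(denied)
    return sorted(allowed - denied), sorted(denied)


# Constructed sample outputs shaped like `aws organizations describe-policy`.
# Policy names and region lists are assumptions for the example.
SAMPLE_DESCRIBE_POLICY_OUTPUTS = [
    {"Policy": {
        "PolicySummary": {"Name": "DenyOutsideAllowedRegions", "Type": "SERVICE_CONTROL_POLICY"},
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Deny",
                # Global services are exempted because their calls are not region-scoped.
                "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
                "Resource": "*",
                "Condition": {"StringNotEquals": {
                    "aws:RequestedRegion": ["eu-central-1", "eu-west-1", "us-east-1"]}},
            }],
        }),
    }},
    {"Policy": {
        "PolicySummary": {"Name": "DenyUsEast1", "Type": "SERVICE_CONTROL_POLICY"},
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
            }],
        }),
    }},
]


if __name__ == "__main__":
    allowed, denied = regions_for_drata(SAMPLE_DESCRIBE_POLICY_OUTPUTS)
    print("select in Drata:", allowed, "explicitly denied:", denied)
```

With real data, run aws organizations describe-policy --policy-id <policy-id> --output json for every SCP attached to the account, its parent OUs and the root, json.load each result, and pass the list to regions_for_drata. Note that an SCP with an ArnNotLike carve-out on aws:PrincipalARN only lifts the restriction for the principals it names, so unless DrataAutopilotRole is listed there, the computed region list is the one to select.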
You have now set up read-only access for Drata.
Monitoring tests covered
Test 4: SSL/TLS on Admin Page of Infrastructure Console
Test 30: Availability Zones Used
Test 68: Customer Data is Encrypted at Rest
Test 69: Customer Data in Cloud Storage is Encrypted at Rest
Test 88: MFA on Infrastructure Console
Test 95: Infrastructure Accounts Properly Removed
Test 98: Employees have Unique Infrastructure Accounts
Test 102: Public SSH Denied
Test 104: Cloud Data Storage Exposure
Test 105: AWS Guard Duty
Test 107: Daily Database Backups
Test 108: Storage Data Versioned or Retained
Test 112: Database CPU Monitored
Test 113: Database Free Storage Space Monitored
Test 114: Database Read I/O Monitored
Test 115: Messaging Queue Message Age Monitored
Test 117: NoSQL Cluster Storage Utilization Monitored
Test 118: Infrastructure Instance CPU Monitored
Test 119: Firewall Default Disallows Traffic
Test 122: Web Application Firewall in Place
Test 124: Root Infrastructure Account Unused
Test 130: Load Balancer Used