Enriching scans with EC2

Professional Community Platform

As part of a discovery scan, runZero will automatically enrich scanned assets with data from the AWS EC2 API when available. runZero assets will be updated with internal IP addresses, external IP addresses, hostnames, MAC addresses, and tags, along with other EC2-specific attributes, such as the account ID and instance type.

No additional configuration is needed in runZero to get this data enrichment. However, you may need to modify the permissions associated with the instance’s IAM role.

Find Explorers with EC2 enrichment capabilities

To use the EC2 enrichment capabilities, the runZero Explorer must be running on an instance with permission to describe your EC2 instance list. This can be granted either through an IAM role associated with the instance or by configuring AWS credentials for the root user account (the account the Explorer runs as).

To identify the Explorers with this capability, view your registered Explorers. Any Explorer with the cloud icon indicates that it can enumerate EC2 instances.

Scans run from these Explorers will merge any EC2 instance fields into the asset automatically for any in-scope targets matched against the instance list.

Add permissions to describe instances

To allow EC2 instance data enrichment, add the ec2:DescribeInstances permission to the instance role configured for your instance. Visit the Amazon docs to learn how to create and update policies.

The resulting policy looks like this (the trailing comma after the action has been removed so the document is valid JSON):

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "VisualEditor0",
         "Effect": "Allow",
         "Action": [
            "ec2:DescribeInstances"
         ],
         "Resource": "*"
      }
   ]
}

Note that ec2:DescribeInstances does not support resource-level permissions, so "Resource" must be "*"; restricting it to an instance ARN causes the call to be denied.

From the IAM UI, go to Roles > Permissions > Attach policies and search for the EC2 service. From the actions, select DescribeInstances, which is located under List.

You can also configure credentials on the instance by running aws configure as root, instead of using the IAM instance role. Keep in mind that this stores long-lived access keys on disk under /root/.aws, so prefer the instance role where possible and scope any such user to ec2:DescribeInstances only.

After you save your policy, you’ll need to restart your Explorer. The easiest way to do this is to force an update from the Explorer menu.

Keep in mind that if your configuration specifies one region but the instance is located in another, the Explorer uses the instance's region for all API requests. Because DescribeInstances is a regional API call, only instances in that region are enumerated and enriched.
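The following is an added example, not runZero's or AWS's code. It checks whether a policy document actually grants ec2:DescribeInstances before you restart the Explorer, implementing the subset of IAM evaluation that matters here: case-insensitive action matching with "*" and "?" wildcards, NotAction, an explicit Deny beating an Allow, and the requirement that Resource be "*" for an action with no resource-level permissions. Statements with a Condition block are treated conservatively (a conditional Allow is not counted, a conditional Deny is). The policy documents below are constructed samples; the page's own policy is reproduced as PAGE_POLICY.

```python
"""Does this IAM policy grant ec2:DescribeInstances? (added example, not runZero code)"""
import fnmatch
import json

REQUIRED_ACTION = "ec2:DescribeInstances"

# Policy from the page above.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": ["ec2:DescribeInstances"], "Resource": "*"}],
})
# Constructed: a ReadOnly-style wildcard that also covers the action.
READONLY_STYLE = {"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
# Constructed: an explicit Deny on the whole service wins over the Allow.
DENY_OVERRIDES = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
]}
# Constructed: right action, but scoped to an instance ARN, which Describe* ignores.
WRONG_RESOURCE = {"Statement": [{"Effect": "Allow", "Action": "ec2:DescribeInstances",
                                  "Resource": "arn:aws:ec2:*:*:instance/*"}]}


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(stmt, action):
    """True if the statement's Action/NotAction applies to `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def grants(policy, action=REQUIRED_ACTION):
    """Return 'allow', 'deny' or 'implicit-deny' for `action` across all statements."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    decision = "implicit-deny"
    for stmt in _as_list(policy.get("Statement")):
        if not statement_covers(stmt, action):
            continue
        # DescribeInstances is evaluated against resource "*", so only a
        # literal "*" Resource can match it.
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        effect = stmt.get("Effect")
        if effect == "Deny":
            return "deny"            # explicit Deny always wins
        if effect == "Allow" and "Condition" not in stmt:
            decision = "allow"       # a conditional Allow cannot be proven here
    return decision


if __name__ == "__main__":
    for name, doc in [("page policy", PAGE_POLICY), ("readonly-style", READONLY_STYLE),
                      ("deny overrides", DENY_OVERRIDES), ("wrong resource", WRONG_RESOURCE)]:
        print(f"{name:15s} -> {grants(doc)}")
```

This is a local sanity check for the policy text you are about to attach; the authoritative answer for a live role, including permission boundaries and SCPs, comes from `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ec2:DescribeInstances`.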

Attributes runZero gets from the EC2 API

When runZero determines that a scanned IP address belongs to an EC2 instance, it enriches the existing runZero data with EC2 metadata. This adds hostnames derived from AWS tags and the instance's private and public DNS names, as well as MAC addresses and internal and external IPs.

Some attributes that runZero is able to get from the EC2 API metadata:

  • aws.accountID
  • aws.architecture
  • aws.availabilityZone
  • aws.hypervisor
  • aws.imageID
  • aws.instanceID
  • aws.instanceType
  • aws.ipv4
  • aws.ipv6
  • aws.keyName
  • aws.launchTimeTS
  • aws.macs
  • aws.privateDNS
  • aws.privateIP
  • aws.publicDNS
  • aws.publicIP
  • aws.region
  • aws.rootDeviceName
  • aws.rootDeviceType
  • aws.scanner.instanceID
  • aws.scanner.instanceType
  • aws.state
  • aws.subnetID
  • aws.tags
  • aws.tenancy
  • aws.virtualizationType
  • aws.vpcID

runZero also reports on anything else that responds to the scan but does not match an EC2 entry. You may see things like Amazon RDS instances, temporary ELBs, and Lambda network interfaces in your inventory, but EC2 metadata appears only on EC2 assets.
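The following is an added example, not runZero's code, showing the merge step described above: scanned assets keyed by IP address are matched against a DescribeInstances response and, on a hit, enriched with the aws.* attributes listed above plus any hostnames and MAC addresses the API exposes; a scanned address with no matching instance (here an RDS endpoint) keeps only its scan data. The DescribeInstances payload is a trimmed, constructed sample in the shape returned by `aws ec2 describe-instances`, and the scanned asset records are constructed too; aws.tags is kept as a dict here rather than the string form runZero stores.

```python
"""Merge EC2 DescribeInstances data into scanned assets (added example, not runZero code)."""
import ipaddress
from datetime import datetime

# Constructed sample in the shape of `aws ec2 describe-instances` output.
DESCRIBE_INSTANCES = {"Reservations": [{
    "OwnerId": "123456789012",
    "Instances": [{
        "InstanceId": "i-0abc123def456789a", "InstanceType": "t3.medium",
        "ImageId": "ami-0123456789abcdef0", "Architecture": "x86_64",
        "Hypervisor": "nitro", "VirtualizationType": "hvm", "KeyName": "ops-key",
        "LaunchTime": "2024-03-01T12:00:00+00:00", "State": {"Name": "running"},
        "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"},
        "PrivateIpAddress": "10.0.1.25", "PrivateDnsName": "ip-10-0-1-25.ec2.internal",
        "PublicIpAddress": "203.0.113.10",
        "PublicDnsName": "ec2-203-0-113-10.compute-1.amazonaws.com",
        "SubnetId": "subnet-0aaa", "VpcId": "vpc-0bbb",
        "RootDeviceName": "/dev/xvda", "RootDeviceType": "ebs",
        "NetworkInterfaces": [{"MacAddress": "0a:1b:2c:3d:4e:5f",
                               "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.25"}],
                               "Ipv6Addresses": [{"Ipv6Address": "2001:db8:0:0::25"}]}],
        "Tags": [{"Key": "Name", "Value": "web-01"}, {"Key": "env", "Value": "prod"}],
    }],
}]}

# Constructed sample: one EC2 host and one RDS endpoint found by a scan.
SCANNED_ASSETS = [
    {"address": "10.0.1.25", "hostnames": ["web-01.internal"], "macs": []},
    {"address": "10.0.2.40", "hostnames": ["db.cluster-xyz.us-east-1.rds.amazonaws.com"], "macs": []},
]


def _norm(ip):
    """Canonical text form so '2001:db8:0:0::25' and '2001:db8::25' match."""
    return ipaddress.ip_address(ip).compressed


def _instance_ips(inst):
    """Every IPv4/IPv6 address the instance owns, across all interfaces."""
    ips = {inst.get("PrivateIpAddress"), inst.get("PublicIpAddress")}
    for ni in inst.get("NetworkInterfaces", []):
        ips.update(p.get("PrivateIpAddress") for p in ni.get("PrivateIpAddresses", []))
        ips.add(ni.get("Association", {}).get("PublicIp"))
        ips.update(a.get("Ipv6Address") for a in ni.get("Ipv6Addresses", []))
    return {_norm(ip) for ip in ips if ip}


def index_instances(resp):
    """Map each address to (account id, instance record) for O(1) lookups."""
    index = {}
    for res in resp.get("Reservations", []):
        for inst in res.get("Instances", []):
            for ip in _instance_ips(inst):
                index[ip] = (res.get("OwnerId", ""), inst)
    return index


def ec2_attributes(owner_id, inst):
    """Flatten one instance record into the aws.* attribute names listed above."""
    az = inst.get("Placement", {}).get("AvailabilityZone", "")
    nis = inst.get("NetworkInterfaces", [])
    ipv6 = [a["Ipv6Address"] for ni in nis for a in ni.get("Ipv6Addresses", [])]
    ipv4 = sorted(ip for ip in _instance_ips(inst) if ":" not in ip)
    # LaunchTime is ISO 8601 with an offset here; fromisoformat needs that form.
    launch = datetime.fromisoformat(inst["LaunchTime"]) if inst.get("LaunchTime") else None
    return {
        "aws.accountID": owner_id, "aws.architecture": inst.get("Architecture"),
        "aws.availabilityZone": az, "aws.hypervisor": inst.get("Hypervisor"),
        "aws.imageID": inst.get("ImageId"), "aws.instanceID": inst.get("InstanceId"),
        "aws.instanceType": inst.get("InstanceType"), "aws.ipv4": ipv4, "aws.ipv6": ipv6,
        "aws.keyName": inst.get("KeyName"),
        "aws.launchTimeTS": int(launch.timestamp()) if launch else None,
        "aws.macs": [ni["MacAddress"] for ni in nis if ni.get("MacAddress")],
        "aws.privateDNS": inst.get("PrivateDnsName"), "aws.privateIP": inst.get("PrivateIpAddress"),
        "aws.publicDNS": inst.get("PublicDnsName"), "aws.publicIP": inst.get("PublicIpAddress"),
        # AZ names carry a one-letter suffix on the region: us-east-1a -> us-east-1.
        "aws.region": az[:-1] if az and az[-1].isalpha() else az,
        "aws.rootDeviceName": inst.get("RootDeviceName"), "aws.rootDeviceType": inst.get("RootDeviceType"),
        "aws.state": inst.get("State", {}).get("Name"), "aws.subnetID": inst.get("SubnetId"),
        "aws.tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])},
        "aws.tenancy": inst.get("Placement", {}).get("Tenancy"),
        "aws.virtualizationType": inst.get("VirtualizationType"), "aws.vpcID": inst.get("VpcId"),
    }


def enrich(assets, resp):
    """Return copies of `assets`; those matching an instance gain aws.* data."""
    index = index_instances(resp)
    out = []
    for asset in assets:
        asset = {**asset, "hostnames": list(asset.get("hostnames", [])), "macs": list(asset.get("macs", []))}
        hit = index.get(_norm(asset["address"]))
        if hit is None:                      # RDS, ELB, Lambda ENI, ...: scan data only
            out.append(asset)
            continue
        attrs = ec2_attributes(*hit)
        asset["attributes"] = {**asset.get("attributes", {}), **attrs}
        for name in (attrs["aws.privateDNS"], attrs["aws.publicDNS"], attrs["aws.tags"].get("Name")):
            if name and name not in asset["hostnames"]:
                asset["hostnames"].append(name)
        asset["macs"].extend(m for m in attrs["aws.macs"] if m not in asset["macs"])
        out.append(asset)
    return out
```

Matching on every address an instance owns, not just PrivateIpAddress, is what lets a scan of a public IP or a secondary ENI address still land on the right instance; normalising addresses through the ipaddress module keeps IPv6 comparisons from failing on notation differences.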
