# AWS API

In this guide, you will learn how to connect Radiant to your AWS account using the AWS API connector. While Radiant already leverages [AWS CloudTrail](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/aws/aws-cloudtrail-and-guardduty) for logging and event history, CloudTrail has inherent limitations when it comes to answering real-time, resource-level questions during alert triage.

For example, CloudTrail does not expose the **current state** of a resource's configuration, such as the permissions currently in effect on an S3 bucket or the current association of an ACL rule with a group, which may have been set years before any recent activity. The AWS API connector fills this gap by letting Radiant query the AWS APIs directly, retrieving up-to-date access policies, user privileges, and resource configurations at investigation time, which results in faster and more accurate threat analysis.

{% hint style="info" %}
**Note:** Enabling this connector requires creating an **IAM role** in your AWS environment. If your organization requires a change request approval process before modifying AWS configurations, we recommend initiating that process before proceeding with the steps below.
{% endhint %}

### Add the credentials in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings > Credentials** and click + **Add Credential**.
3. Select **Amazon Web Services API** from the list and click **Configure Credential**.
4. Under **Credential Name**, give the credential an identifiable name (e.g. `AWS API Credentials`).
5. Under **AWS Accounts**, you have two options for adding your accounts:
   * If you are using **AWS Organizations**, you can export a `.csv` file containing all your AWS Account IDs by following [these instructions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_export.html). Once the file is generated, drag and drop it into the upload box.
   * If you prefer to add accounts individually, select **+ Add Manually** to enter each account ID one at a time.
6. Click **Add Credential** to save the changes.

### Add the AWS API data connector in Radiant Security

1. From the navigation menu, select **Settings > Data Connectors** and click **+ Add Connector**.
2. Search for and select the **Amazon Web Services API** option and then click **Data Feeds**.
3. Under **Select your data feeds**, select **AWS HTTP API** and click **Credentials**.
4. From the drop-down menu, select the **Amazon Web Services API** credential that you created in the previous section.
5. Click **Add Connector** to save the changes.
6. In the **Data Connectors** page, find the AWS API connector and click **View Details**.
7. Copy the **AWS External Role ID**. You will use this value as the `sts:ExternalId` condition when creating the IAM role in the upcoming steps; it is what stops any other Radiant tenant from assuming your role.

{% hint style="info" %}
**Note:** Below we provide two ways to create the IAM role in your AWS accounts. If you are using **AWS Organizations**, follow the StackSet instructions so the role is created in every account at once.
{% endhint %}

### Configure the IAM Role manually

1. Sign in to the **AWS Management Console** for the account you want Radiant to access (repeat this section for each account you added to the credential).
2. Navigate to **IAM**.
3. Click **Policies > Create Policy**.
4. Under **Specify permissions**, select the **JSON** editor and paste the policy below. Every action is a read-only `Get`, `List` or `Describe` call, so the role cannot change anything in the account:

{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Api",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetObjectAcl",
                "s3:GetObjectAttributes",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket"
            ],
            "Resource": ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]
        },
        {
            "Sid": "EC2Api",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAddresses",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications"
            ],
            "Resource": ["*"]
        },
        {
            "Sid": "GuarddutyApi",
            "Effect": "Allow",
            "Action": ["guardduty:ListFindings", "guardduty:GetFindings"],
            "Resource": ["arn:*:guardduty:*:*:*"]
        },
        {
            "Sid": "IAMApi",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccessKeyLastUsed",
                "iam:GetGroup",
                "iam:GetGroupPolicy",
                "iam:GetInstanceProfile",
                "iam:GetLoginProfile",
                "iam:GetMFADevice",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetSAMLProvider",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListGroupPolicies",
                "iam:ListGroupsForUser",
                "iam:ListInstanceProfileTags",
                "iam:ListInstanceProfilesForRole",
                "iam:ListPoliciesGrantingServiceAccess",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListUserPolicies",
                "iam:ListUserTags"
            ],
            "Resource": [
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:saml-provider/*",
                "arn:aws:iam::*:instance-profile/*",
                "arn:aws:iam::*:user/*",
                "arn:aws:iam::*:group/*",
                "arn:aws:iam::*:policy/*"
            ]
        },
        {
            "Sid": "IAMAccountApi",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountAuthorizationDetails",
                "iam:GetAccountSummary",
                "iam:GetServiceLastAccessedDetails",
                "iam:GetServiceLastAccessedDetailsWithEntities",
                "iam:ListAccountAliases",
                "iam:ListGroups",
                "iam:ListInstanceProfiles",
                "iam:ListPolicies",
                "iam:ListRoles",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": ["*"]
        },
        {
            "Sid": "AccountApi",
            "Effect": "Allow",
            "Action": [
                "account:GetAccountInformation"
            ],
            "Resource": ["*"]
        }
    ]
}
```

{% endcode %}

5. Enter a policy name, review the settings, and select **Create policy**. The IAM actions that enumerate or summarize the whole account (for example `iam:ListUsers`, `iam:ListRoles` and `iam:GetAccountSummary`) do not support resource-level permissions and are denied unless `Resource` is `"*"`, which is why they are kept in the separate `IAMAccountApi` statement; the remaining IAM actions stay scoped to the IAM resource types Radiant inspects.
6. Navigate to the **Roles** page and select **Create role**.
7. On the **Select trusted entity** page, configure the following:
   * For **Trusted entity type**, select **Custom trust policy** to allow Radiant to assume this role and access the account.
   * For **Custom trust policy**, paste the following JSON into the text box. The `sts:ExternalId` condition is the confused-deputy protection: Radiant's role can only assume yours when it presents the external ID tied to your credential.

{% code overflow="wrap" %}

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "${RS_CREDENTIAL_ID}"
                }
            }
        }
    ]
}
```

{% endcode %}

{% hint style="info" %}
**Note:** Replace the whole **`${RS_CREDENTIAL_ID}`** placeholder (including the `${` and `}`) with the **AWS External Role ID** you copied from the connector's **View Details** page during the [data connector setup](#add-the-aws-api-data-connector-in-radiant-security). A trust policy that still contains the placeholder will never match, and Radiant will not be able to assume the role.
{% endhint %}

8. On the **Add permissions** page, find and select the policy you created for this role.
9. Set the role name to `radiant-aws-api-access-role`, review the settings, and select **Create role**. Repeat these steps in every AWS account you added to the credential.
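Once the role exists, it is worth confirming from your side that it is wired up as this page describes: the trust policy names only the Radiant principal, the `sts:ExternalId` condition carries the real external ID rather than the `${RS_CREDENTIAL_ID}` placeholder, and the permissions policy is read-only and still contains the actions Radiant calls. The script below is an added example, not Radiant's own tooling. Its pure checks run offline against constructed sample documents; `audit_role()` assumes `boto3` is installed and that your current credentials can read IAM in the target account. `REQUIRED_ACTIONS` is a representative subset of the documented actions, chosen here, and `EXAMPLE_EXTERNAL_ID` is a made-up value.

```python
"""Post-deployment check for the Radiant IAM role (added example, not Radiant's code)."""
import fnmatch

# Principal and role name as documented on this page.
RADIANT_PRINCIPAL = "arn:aws:sts::649384204969:assumed-role/tenant-aws-access-role/radiant-security"
ROLE_NAME = "radiant-aws-api-access-role"
# Assumption: a representative subset of the documented actions, enough to catch a wrong policy.
REQUIRED_ACTIONS = ["s3:GetBucketPolicy", "ec2:DescribeInstances",
                    "guardduty:GetFindings", "iam:ListUsers", "account:GetAccountInformation"]
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_doc, external_id):
    """Return a list of findings; an empty list means the trust policy matches this page."""
    findings = []
    assume_stmts = [
        s for s in trust_doc.get("Statement", [])
        if s.get("Effect") == "Allow"
        and any(fnmatch.fnmatch("sts:AssumeRole", a) for a in _as_list(s.get("Action", [])))
    ]
    if not assume_stmts:
        findings.append("no Allow statement for sts:AssumeRole")
    for stmt in assume_stmts:
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws:
            findings.append("wildcard principal: any AWS account could assume the role")
        if RADIANT_PRINCIPAL not in aws:
            findings.append("principal is not the documented Radiant role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext.startswith("${"):
            findings.append("sts:ExternalId still holds the ${RS_CREDENTIAL_ID} placeholder")
        elif ext != external_id:
            findings.append("sts:ExternalId does not match the AWS External Role ID")
    return findings


def check_permissions_policy(policy_doc, required_actions=REQUIRED_ACTIONS):
    """Return (missing_actions, non_read_actions) for an identity policy document."""
    allowed = []
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action", [])))
    missing = [a for a in required_actions if not any(fnmatch.fnmatch(a, p) for p in allowed)]
    # Anything outside Get*/List*/Describe* (or a bare "*") would let the role change state.
    non_read = [a for a in allowed if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)]
    return missing, non_read


def audit_role(external_id, role_name=ROLE_NAME):
    """Run both checks against the live role in the current account (needs boto3 + IAM read access)."""
    import boto3  # imported lazily so the pure checks above run without it
    iam = boto3.client("iam")
    role = iam.get_role(RoleName=role_name)["Role"]
    findings = check_trust_policy(role["AssumeRolePolicyDocument"], external_id)
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        version = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=att["PolicyArn"],
                                     VersionId=version)["PolicyVersion"]["Document"]
        missing, non_read = check_permissions_policy(doc)
        findings += [f"{att['PolicyName']}: missing {a}" for a in missing]
        findings += [f"{att['PolicyName']}: non-read action {a}" for a in non_read]
    return findings


# Constructed samples: the trust policy from this page with a made-up external ID filled in,
# a deliberately weak variant, and a trimmed permissions policy.
EXAMPLE_EXTERNAL_ID = "example-external-role-id"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": RADIANT_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXAMPLE_EXTERNAL_ID}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketPolicy", "s3:ListBucket"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "guardduty:GetFindings",
                                   "iam:ListUsers", "account:GetAccountInformation"], "Resource": "*"}]}

if __name__ == "__main__":
    print("good trust policy:", check_trust_policy(GOOD_TRUST, EXAMPLE_EXTERNAL_ID))
    print("weak trust policy:", check_trust_policy(WEAK_TRUST, EXAMPLE_EXTERNAL_ID))
    print("permissions:", check_permissions_policy(SAMPLE_POLICY))
```

Run `audit_role("<your AWS External Role ID>")` with credentials for each account after creating the role manually or after a StackSet deployment; an empty list means the role matches what this page asks for, and any finding names the statement that needs attention.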

### Configure the IAM Role using StackSets

1. In the management account of your AWS Organization, go to **CloudFormation** and click **StackSets**.
2. Click on **Create StackSet**.
3. Download the CloudFormation template:

{% file src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FiKDFQUQ0wzX7rjUVdJjr%2Frs_iam_role-2026-03-31.yml?alt=media&token=0b872744-7a2f-4ff5-8c77-df5738ca579e" %}

4. In the template, replace the `${RS_CREDENTIAL_ID}` placeholder with the **AWS External Role ID** you copied from the connector's **View Details** page.
5. In the **Permissions** section, select **Service-managed permissions**.
6. In the **Prerequisite - Prepare template** section, select **Template is ready**.
7. In the **Specify template** section, click **Upload a template file** and upload the CloudFormation template you just edited.
8. In the **StackSet name** section, enter a name that identifies this StackSet.
9. In the **Capabilities** section, acknowledge that IAM resources are going to be created:

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fcrmtoxi4qmLa5c0ocwRa%2Fiam-acknowledge.png?alt=media&token=c6e82adb-20c6-402a-9dc6-4be9526ea34e" alt=""><figcaption></figcaption></figure>

10. In the **Deployment targets** section, there are two options:
    1. If you want to deploy the StackSet to the entire organization, select **Deploy to organization**.
    2. If you want the StackSet deployed only to specific accounts, select **Deploy to organizational units (OUs)**. Enter the **AWS OU IDs** that contain those accounts, then choose the **Intersection** account filter and add the account numbers you want the StackSet deployed to.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FWuI3UiHuhlt0DSUIXRqs%2Ffilter-accounts.png?alt=media&token=3125b0a5-ba03-435c-8676-b3229179aa2d" alt=""><figcaption></figcaption></figure>

11. In the **Specify regions** section, select the region the StackSet should be deployed to. IAM is a global service, so a single region is enough; deploying the same template to several regions in one account would attempt to create the same named role more than once.
12. Review the configuration and click **Submit**. When the stack instances reach **CURRENT**, the role exists in every targeted account.
