AWS Integration
Integration guide for Resmo AWS Integration.

Resmo integrates with Amazon Web Services to ensure that your cloud environment is secure and compliant.

  • Collect all your AWS assets in one place (really!)
  • Query your AWS IAM roles, VPC security groups, Lambda functions, and 100+ other resource types.
  • Track changes across your entire AWS organization.
  • Set up rule notifications based on AWS resource configurations and their changes.
  • Use AWS Best Practices packs to check your AWS security and compliance posture.

Resmo has an AWS integration that you can install securely once you sign up for a Resmo account.
The integration assumes an IAM role in your AWS account and polls the AWS APIs to fetch your existing resources.
  • API polling
  • Webhook (coming soon via CloudTrail)

Resmo AWS integration collects Autoscaling groups, IAM roles, DynamoDB tables, KMS keys, EC2 instances, and much more.
See the full list: Amazon Web Services Resources

  • List SQS queues
  • Detect EC2 instances with public IPs
  • Identify Lambda functions with specific timeout/memory values
  • Find S3 buckets with public read access
  • See permissions of a specific IAM user
  • Find DynamoDB Tables with KMS encryption disabled
  • TBA

You have to create a customer-managed IAM Policy and IAM Role to let Resmo access your AWS resources. There are several options for creating the policy and role; choose the best fitting option from the list below:
  1. CloudFormation
  2. Manually using AWS CLI
  3. Manually using AWS Console
  4. Terraform (Coming Soon)

The installation steps in this section present a general route you'll follow. To see the individual methods you can use to create the required IAM Policy and IAM Role for your Resmo AWS integration, navigate to each related heading below.
Watch a 2-min video to learn how to install the AWS integration using CloudFormation.

  1. Login to Resmo and navigate to Integrations.
  2. Click the Add Integration button on the top right.
  3. Add the Amazon Web Services integration.
  4. Give the integration a name and description.
  5. Optionally, add tags; you can use them to query and refer to resources coming from this integration.
  6. To install the integration using CloudFormation, hit the Launch Stack button. Or you can install it manually by clicking the Connect Manually button.
The following steps are for manual installation.
  7. Enter your 12-digit AWS account ID into the Account ID field.
  8. Then, enter a Role Name (a valid IAM Role in your AWS account, which Resmo can assume to fetch resources).
  9. Next, paste your External ID into the related field. The role's trust policy requires this value on every sts:AssumeRole call, so only a caller that knows it (Resmo, acting for your integration) can assume the role.
  10. Select either Yes or No depending on whether you will collect all the accounts under the organization. Note that a role with the same name and External ID must exist in each account.
  11. Hit the Create button, and your AWS integration is ready to roll.

Install Using CloudFormation
  1. On your Resmo Integrations page, click Add Integration > AWS. You'll see the Create page for a new AWS integration. Then, click the 'Need Help?' button next to the "Amazon Web Services Integration" title.
  2. Hit the Launch Stack button to open the CloudFormation Quick create stack page. Review the stack parameters (Role Name and External ID) before creating the stack; they must match what you enter in Resmo.
If you are using AWS Organizations, apply the CloudFormation template to the management (root) account and to every member account you want to collect, or create the required policies and roles in the management (root) account and in every member account by hand.
  3. Create the stack by clicking the Create Stack button.
  4. After the stack completes, return to the Resmo Integration Create page, enter your AWS Account ID, and update Role Name and External ID if you changed the CloudFormation stack parameters.
  5. Create the integration.

Manually Install Using AWS CLI
  1. Create a policy with the name ResmoDataCollection:
aws iam create-policy --policy-name ResmoDataCollection --policy-document file://policy.json
policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "backup:Describe*",
        "backup:Get*",
        "backup:List*",
        "sns:GetSubscriptionAttributes",
        "tag:GetComplianceSummary"
      ]
    }
  ]
}
  2. Create a role with the name resmo-data-collect. Note: replace <EXTERNAL_ID> with a secret of your choice, or use the External ID that Resmo generated for you on the Create Integration page. The principal below is Resmo's AWS account; the sts:ExternalId condition is what prevents a third party from having Resmo assume your role on their behalf (the confused-deputy problem), so treat the value as a secret.
aws iam create-role --role-name resmo-data-collect --assume-role-policy-document file://assume-role-policy.json
assume-role-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::512995177166:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL_ID>"
        }
      }
    }
  ]
}
  3. Attach the policies to the role resmo-data-collect:
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/SecurityAudit --role-name resmo-data-collect
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSSOReadOnly --role-name resmo-data-collect
aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess --role-name resmo-data-collect
aws iam attach-role-policy --policy-arn arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:policy/ResmoDataCollection --role-name resmo-data-collect
  4. After completing all steps, return to the Resmo Integration Create page, set your AWS Account ID, and update Role Name if you created the role with a different name. Set External ID to the same value you used in assume-role-policy.json.

Manually Using AWS Console
  1. Create a policy with the name ResmoDataCollection and the following document:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "backup:Describe*",
            "backup:Get*",
            "backup:List*",
            "sns:GetSubscriptionAttributes",
            "tag:GetComplianceSummary"
          ]
        }
      ]
    }
  2. Create a role with the name resmo-data-collect and attach the following policies to the role:
    1. SecurityAudit
    2. AWSSSOReadOnly
    3. AmazonOpenSearchServiceReadOnlyAccess
    4. ResmoDataCollection (the newly created customer-managed policy)
  3. Set the trust policy of the resmo-data-collect role to the following document. Replace <EXTERNAL_ID> with a secret of your choice or use the Resmo-generated External ID, and keep it secret: it is the only thing that stops a third party from having Resmo assume your role on their behalf.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::512995177166:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<EXTERNAL_ID>"
            }
          }
        }
      ]
    }
  4. After the steps are completed, return to the Resmo Integration Create page, set your AWS Account ID, and update Role Name if you created the role with a different name. Set External ID to the same value you used in the trust policy of resmo-data-collect.
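The CLI and console procedures above (and the CloudFormation stack, which should create the same role and policies) come down to two IAM documents. The following Python is an added example, not Resmo's own tooling: it builds those documents from the values on this page, checks a trust policy before you apply it (principal restricted to Resmo's account, sts:ExternalId condition present and not a placeholder), checks that the customer-managed policy grants only Describe/Get/List actions, and emits an equivalent CloudFormation template. The account ID, policy names and managed-policy names are taken from this page; every function name, the 16-character minimum for the External ID and the CloudFormation resource names are this example's own assumptions.

```python
"""Added example (not Resmo's tooling): build and check the IAM documents from the
CLI and console sections, and emit an equivalent CloudFormation template."""
import json
import secrets

RESMO_ACCOUNT_ID = "512995177166"  # the principal in the page's trust policy
MANAGED_POLICIES = ("SecurityAudit", "AWSSSOReadOnly",
                    "AmazonOpenSearchServiceReadOnlyAccess")
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def generate_external_id(nbytes=16):
    """Random hex External ID; share it only with Resmo, like any other secret."""
    return secrets.token_hex(nbytes)


def trust_policy(external_id):
    """Trust policy from the page: Resmo's account only, and only with the External ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{RESMO_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def data_collection_policy():
    """The customer-managed ResmoDataCollection policy from the page."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Resource": "*",
        "Action": ["backup:Describe*", "backup:Get*", "backup:List*",
                   "sns:GetSubscriptionAttributes", "tag:GetComplianceSummary"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Findings for each sts:AssumeRole grant; an empty list means it is safe to apply."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        principals = [str(p) for p in _as_list(principal)]
        if "*" in principals:
            findings.append("any AWS principal may assume the role")
        elif not all(f"arn:aws:iam::{RESMO_ACCOUNT_ID}:" in p for p in principals):
            findings.append("principal is not restricted to Resmo's account")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("sts:ExternalId condition missing (confused-deputy risk)")
        elif isinstance(ext, str) and (ext.startswith("<") or len(ext) < 16):
            findings.append("external ID is a placeholder or too short")
    return findings


def check_read_only(doc):
    """Findings for any allowed action that is not a Describe*/Get*/List* call."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            _, _, name = action.partition(":")
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action: {action}")
    return findings


def cloudformation_template(role_name="resmo-data-collect"):
    """The manual steps as a JSON CloudFormation template (assumed equivalent, not Resmo's)."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"ExternalId": {"Type": "String", "NoEcho": True, "MinLength": 16}},
        "Resources": {
            "ResmoDataCollection": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
                "ManagedPolicyName": "ResmoDataCollection",
                "PolicyDocument": data_collection_policy()}},
            "ResmoRole": {"Type": "AWS::IAM::Role", "Properties": {
                "RoleName": role_name,
                "AssumeRolePolicyDocument": trust_policy({"Ref": "ExternalId"}),
                "ManagedPolicyArns": [f"arn:aws:iam::aws:policy/{p}" for p in MANAGED_POLICIES]
                                     + [{"Ref": "ResmoDataCollection"}]}}}}


def policy_files(external_id):
    """JSON text for the two files the page's aws iam commands read via file://;
    refuses to emit a trust policy that fails check_trust_policy()."""
    trust = trust_policy(external_id)
    problems = check_trust_policy(trust) + check_read_only(data_collection_policy())
    if problems:
        raise ValueError("; ".join(problems))
    return {"policy.json": json.dumps(data_collection_policy(), indent=2),
            "assume-role-policy.json": json.dumps(trust, indent=2)}
```

Write the two strings returned by policy_files(generate_external_id()) to policy.json and assume-role-policy.json and run the aws iam commands from the CLI section against them; the same External ID goes into the Resmo Create Integration page. A stack created from cloudformation_template() needs the CAPABILITY_NAMED_IAM capability because it sets RoleName and ManagedPolicyName.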

How to uninstall
  • Login to your Resmo account.
  • Navigate to the Integrations page and click your AWS integration.
  • Click the Delete button to uninstall, or Disable to stop polling AWS resources temporarily.

If you installed with CloudFormation, delete the CloudFormation stack; this deletes the role and policies the stack created.

If you installed manually with the AWS CLI:
  1. Detach the policies from the role resmo-data-collect (IAM refuses to delete a role that still has policies attached):
aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/SecurityAudit --role-name resmo-data-collect
aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AWSSSOReadOnly --role-name resmo-data-collect
aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess --role-name resmo-data-collect
aws iam detach-role-policy --policy-arn arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:policy/ResmoDataCollection --role-name resmo-data-collect
  2. Delete the role resmo-data-collect:
aws iam delete-role --role-name resmo-data-collect
  3. Delete the policy ResmoDataCollection (a customer-managed policy can only be deleted once it is detached from every role, user and group):
aws iam delete-policy --policy-arn arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:policy/ResmoDataCollection

If you installed manually from the AWS Console:
  1. Delete the role resmo-data-collect.
  2. Delete the policy ResmoDataCollection.

FAQ
What should I check if an integration fails to install?
What would happen if I delete the required role used by the integration?
Can I update my existing integration so that it looks at another AWS account?
I have entered the wrong Account ID, Role Name, or External ID; what should I do?
I have created my integration without selecting Organization for my organization root account. Can I switch it to an organization integration after creation?
How do you identify the account name field?
