
Add an AWS Adapter

Connect an AWS account to AttackLens for automatic resource discovery. This guide walks through creating a dedicated IAM user with the required permissions and configuring the adapter in AttackLens.

INFO

Requires Admin role or higher.

Prerequisites

Before you begin, ensure you have:

  • AWS Management Console access with permissions to create IAM users and policies.
  • Access to AttackLens with an Admin account.

Step 1: Create an IAM User in AWS

AttackLens authenticates to AWS using an IAM user's access key. Create a dedicated user with programmatic access only.

  1. Sign in to the AWS Management Console.
  2. Navigate to IAM > Users.
  3. Click Create user.
  4. Enter a user name (e.g., attacklens-discovery).
  5. Do not enable console access -- this user only needs programmatic (API) access.
  6. Click Next.

Create an Access Key

  1. After the user is created, go to the user's detail page.
  2. Navigate to the Security credentials tab.
  3. Under Access keys, click Create access key.
  4. Select Third-party service as the use case.
  5. Click Create access key.
  6. Copy both the Access Key ID and Secret Access Key immediately: the secret will not be shown again.

WARNING

Store the access key credentials securely. If you lose the Secret Access Key, you will need to create a new access key pair and update the adapter in AttackLens.

Step 2: Assign Permissions

AttackLens requires read-only access to discover resources across all AWS services. Attach the following managed policies to the IAM user.

Required IAM Policies

Policy         | ARN                                    | Purpose
ReadOnlyAccess | arn:aws:iam::aws:policy/ReadOnlyAccess | Read access to all AWS services and resources
SecurityAudit  | arn:aws:iam::aws:policy/SecurityAudit  | Additional security-specific read access (CloudTrail, Config, Security Hub)

To attach the policies:

  1. In the IAM user detail, go to the Permissions tab.
  2. Click Add permissions > Attach policies directly.
  3. Search for ReadOnlyAccess and select it.
  4. Search for SecurityAudit and select it.
  5. Click Next, then Add permissions.

Minimum Custom Policy (Alternative)

If you prefer a narrower permission set instead of the broad ReadOnlyAccess, you can create a custom policy. At minimum, AttackLens needs the following actions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "s3:GetBucket*",
        "s3:ListBucket*",
        "s3:ListAllMyBuckets",
        "rds:Describe*",
        "iam:Get*",
        "iam:List*",
        "lambda:Get*",
        "lambda:List*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticloadbalancing:Describe*",
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "config:Describe*",
        "securityhub:Get*",
        "securityhub:List*",
        "guardduty:Get*",
        "guardduty:List*",
        "kms:Describe*",
        "kms:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "redshift:Describe*",
        "elasticache:Describe*",
        "organizations:Describe*",
        "organizations:List*",
        "sso:Describe*",
        "sso:List*",
        "cloudformation:Describe*",
        "cloudformation:List*",
        "cloudwatch:Describe*",
        "cloudwatch:List*",
        "waf:Get*",
        "waf:List*",
        "wafv2:Get*",
        "wafv2:List*"
      ],
      "Resource": "*"
    }
  ]
}
```

TIP

Using the managed ReadOnlyAccess policy is recommended. It ensures AttackLens can discover all supported resource types, including any new types added in future updates, without requiring policy changes.
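Whichever policy you choose, it is worth checking that the discovery user's policy stays read-only over time, since a later edit can quietly add write actions. The following linter is an added example, not AttackLens code: it parses a policy document and flags any Allow action whose verb is not Describe, Get or List, as well as service-wide wildcards and NotAction statements. The sample policy is a constructed subset of the minimal policy above with two deliberate mistakes appended so the linter has something to report; pass a file path to lint your own policy.

```python
"""Lint an IAM policy document for the AttackLens discovery user.

Added example (not AttackLens code). Reports every Allow action that could
do more than read, so a custom policy cannot drift into write permissions.
"""
import json
import sys

# Verbs that only read state. Anything else (Create*, Put*, Delete*, Send*, ...)
# is treated as a write and flagged.
READ_ONLY_VERBS = ("Describe", "Get", "List")

# Constructed sample: a subset of the page's minimal policy, with two
# deliberate mistakes appended for the linter to catch.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "s3:GetBucket*",
                "s3:ListBucket*",
                "s3:ListAllMyBuckets",
                "iam:Get*",
                "iam:List*",
                "ssm:SendCommand",   # constructed mistake: a write action
                "kms:*",             # constructed mistake: service-wide wildcard
            ],
            "Resource": "*",
        }
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """True if the action (possibly with a trailing wildcard) can only read."""
    if action == "*" or action.endswith(":*"):
        return False
    service, _, verb = action.partition(":")
    if not service or not verb:
        return False
    return verb.startswith(READ_ONLY_VERBS)


def lint_policy(policy_json):
    """Return (statement index, action, reason) for every finding.

    Deny statements are skipped because they only narrow access.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((index, "NotAction", "allows every action not listed"))
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                findings.append((index, action, "not a Describe/Get/List action"))
    return findings


if __name__ == "__main__":
    # Usage: python lint_policy.py [policy.json]; without a path the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    problems = lint_policy(text)
    for stmt_index, action, reason in problems:
        print(f"statement {stmt_index}: {action}: {reason}")
    print("policy is read-only" if not problems else f"{len(problems)} finding(s)")
```

Run against the full minimal policy above, the linter reports nothing, because every action there starts with Describe, Get or List. The verb check is deliberately strict: an action such as `s3:GetObject` passes as a read even though it exposes data, so review what the read verbs reach, not only that they are reads.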

Optional: Sensor Deployment Capability

If you want AttackLens to deploy sensors to EC2 instances via SSM Run Command, add:

Policy              | ARN                                         | Purpose
AmazonSSMFullAccess | arn:aws:iam::aws:policy/AmazonSSMFullAccess | Execute SSM Run Commands on EC2 instances

This is optional. If not granted, the adapter will still discover resources but will not be able to deploy sensors remotely.

Step 3: Configure the Adapter in AttackLens

  1. In AttackLens, navigate to Discovery > Adapters.
  2. Click Add Adapter.
  3. Select AWS as the provider.
  4. Enter a descriptive Name (e.g., Production AWS Account).
  5. Fill in the AWS credentials:

     Field             | Value                            | Example
     Access Key ID     | The IAM user's access key ID     | AKIAIOSFODNN7EXAMPLE
     Secret Access Key | The IAM user's secret access key | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  6. Optionally select specific Regions to limit discovery. Leave empty to discover resources across all available regions.

TIP

AttackLens automatically discovers resources across all standard AWS regions. If your account only operates in specific regions, selecting them can significantly reduce discovery time.

Step 4: Test the Connection

  1. Click Test Connection.
  2. AttackLens will attempt to authenticate with the provided credentials and verify read access to key services.
  3. The test result shows:
    • Whether the connection is valid.
    • Which permissions were detected.
    • Whether sensor deployment capability (SSM) is available.

WARNING

If the test fails, verify that:

  • The Access Key ID and Secret Access Key are correct.
  • The access key is active (not deactivated in IAM).
  • The required policies are attached to the IAM user.
  • The IAM user is not restricted by an SCP (Service Control Policy) at the Organization level.

Step 5: Save and Run Discovery

  1. Click Save to create the adapter.
  2. The first discovery run begins automatically after the adapter is saved.
  3. You will be redirected to the adapter detail page where you can monitor the sync progress.

Discovery time depends on the number of regions and resources. A typical account with resources in 2-3 regions takes 3-10 minutes.

Discovered AWS Resource Types

AttackLens discovers 190+ AWS resource types across 22 service categories:

Category                | Examples
EC2 & Compute           | Instances, Auto Scaling Groups, AMIs, Snapshots, Volumes, Key Pairs, Placement Groups, Elastic IPs
VPC & Networking        | VPCs, Subnets, Security Groups, Route Tables, Internet Gateways, NAT Gateways, VPC Endpoints, Network ACLs, Transit Gateways
Networking & CDN        | API Gateways, CloudFront Distributions, Route 53, Global Accelerators
S3 Storage              | Buckets (with encryption, versioning, public access, and lifecycle policies)
Database & Cache        | RDS Instances, Aurora Clusters, DynamoDB Tables, Redshift Clusters, ElastiCache, DocumentDB, Neptune, Keyspaces, MemoryDB
IAM & Identity          | Users, Groups, Roles, Policies, Access Keys, MFA Devices, SSO Instances, Organizations
Containers & Serverless | ECS Clusters, EKS Clusters, Lambda Functions, Step Functions, Fargate
Security                | Security Hub, GuardDuty, ACM Certificates, KMS Keys, Secrets Manager, WAF, Network Firewall, Inspector
Monitoring              | CloudWatch Alarms, CloudTrail Trails, Config Rules, SSM Parameters
Messaging               | SNS Topics, SQS Queues, EventBridge, AmazonMQ, Kinesis
Analytics               | Athena, Glue, EMR, Redshift, Elasticsearch/OpenSearch
AI/ML                   | SageMaker, Bedrock, Comprehend
DevOps                  | CodeBuild, CodePipeline, CloudFormation Stacks
Backup                  | Backup Plans, Backup Vaults

Security Best Practices

  • Use a dedicated IAM user: Do not reuse credentials from an existing user or service.
  • Never use root account credentials: Always create a dedicated IAM user.
  • Enable MFA on the IAM user: While AttackLens uses access keys (not console), MFA adds an extra layer of protection if the credentials are compromised.
  • Rotate access keys regularly: AWS recommends rotating access keys every 90 days. Update the adapter in AttackLens after rotation.
  • Use the principle of least privilege: Start with ReadOnlyAccess and SecurityAudit. Only add AmazonSSMFullAccess if you need remote sensor deployment.
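The checklist in the Step 4 warning (key active, required policies attached) and the rotation rule above can be verified from the AWS side before you click Test Connection. The script below is an added example, not AttackLens code: the pure functions evaluate a snapshot of the IAM user's state, and collect_state() fetches that snapshot with boto3 (assumed installed, with credentials that can call iam:ListAttachedUserPolicies and iam:ListAccessKeys on the user). The user name and the sample state are constructed; SCP restrictions are not checked, because they are only visible from the Organization's management account.

```python
"""Check the AttackLens adapter's IAM user before running Test Connection.

Added example (not AttackLens code). Verifies that the required managed
policies are attached, that each access key is active, and that no key is
older than the 90-day rotation window from Security Best Practices.
"""
from datetime import datetime, timedelta, timezone
import sys

REQUIRED_POLICY_ARNS = (
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
)
OPTIONAL_SSM_ARN = "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
MAX_KEY_AGE_DAYS = 90


def missing_policies(attached_arns, required=REQUIRED_POLICY_ARNS):
    """Required managed policies that are not attached to the user."""
    attached = set(attached_arns)
    return [arn for arn in required if arn not in attached]


def key_findings(keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """(key id, problem) for inactive keys and keys past the rotation age.

    `keys` is a list of dicts with AccessKeyId, Status and CreateDate (an
    aware datetime), the shape boto3's list_access_keys returns.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in keys:
        key_id = key["AccessKeyId"]
        if key["Status"] != "Active":
            findings.append((key_id, "inactive: the adapter cannot authenticate with it"))
        age = now - key["CreateDate"]
        if age > timedelta(days=max_age_days):
            findings.append((key_id, f"{age.days} days old: rotate it and update the adapter"))
    return findings


def diagnose(state):
    """Combine the checks into one report; `state` is what collect_state returns."""
    return {
        "missing_policies": missing_policies(state["attached_policy_arns"]),
        "key_findings": key_findings(state["access_keys"], state.get("now")),
        "sensor_deployment": OPTIONAL_SSM_ARN in state["attached_policy_arns"],
    }


def collect_state(user_name):
    """Read the live user state. boto3 is imported here so the pure checks
    above run without it (assumption: boto3 installed, credentials configured)."""
    import boto3
    iam = boto3.client("iam")
    policies = iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    return {
        "attached_policy_arns": [p["PolicyArn"] for p in policies],
        "access_keys": keys,
    }


# Constructed sample standing in for collect_state() output: SecurityAudit is
# missing, one key is overdue for rotation and one key has been deactivated.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_STATE = {
    "attached_policy_arns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
    "access_keys": [
        {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
         "CreateDate": SAMPLE_NOW - timedelta(days=120)},
        {"AccessKeyId": "AKIAEXAMPLEINACTIVE1", "Status": "Inactive",  # constructed id
         "CreateDate": SAMPLE_NOW - timedelta(days=5)},
    ],
    "now": SAMPLE_NOW,
}

if __name__ == "__main__":
    # Usage: python check_adapter_user.py [iam-user-name]; no argument runs the sample.
    state = collect_state(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATE
    report = diagnose(state)
    for arn in report["missing_policies"]:
        print(f"missing policy: {arn}")
    for key_id, problem in report["key_findings"]:
        print(f"access key {key_id}: {problem}")
    print("sensor deployment (SSM):", "available" if report["sensor_deployment"] else "not granted")
```

Run against the sample, it reports the missing SecurityAudit policy, the 120-day-old active key and the inactive key, and shows SSM as not granted, which matches what the adapter's Test Connection would show for that user. Running it with a real user name exercises the same checks against IAM.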

Next Steps
