Modify or disable AWS settings for vulnerabilities

After you connect Security Command Center to Amazon Web Services (AWS) for vulnerability management, you can modify the following:

• AWS connection settings

• Vulnerability Assessment for AWS scan settings.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Set up permissions

To get the permissions that you need to use the AWS connector, ask your administrator to grant you the Cloud Asset Owner (roles/cloudasset.owner) IAM role. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create AWS accounts

Ensure that you have created the following AWS resources:

• An AWS IAM user with AWS IAM access for the delegate and collector AWS account consoles.

• The AWS account ID for an AWS account that you can use as the delegated account. If you want Security Command Center to automatically discover AWS accounts to find resources, the delegated account must be attached to an AWS organization and be one of the following:

  • An AWS management account.

  • An AWS delegated administrator.

  • An AWS account with a resource-based delegation policy that provides organization and list permissions. For an example policy, see Example: View organization, OUs, accounts, and policies.

Modify the AWS connection

Modify an existing AWS connection when your AWS environment configuration changes. For example, you want to monitor different AWS regions, or change the list of AWS accounts that Security Command Center uses. You can't modify the names of the delegated role and the collector role. If you need to change these role names, you must delete your AWS connector and set up a new connection.

1. In the Google Cloud console, go to the Security Command Center page.

   Go to Security Command Center

2. Select the organization that you activated Security Command Center Enterprise on.

3. Click settings Settings.

4. Click the Connectors tab.

5. Click Edit beside the connection that you want to update.

6. In the Edit Amazon Web Services connector page, make your changes. The following table describes the options.

   Option	Description
   Add AWS connector accounts	Select the Add accounts automatically (recommended) field, to let Security Command Center discover the AWS accounts automatically, or select Add accounts individually and provide a list of AWS accounts that Security Command Center can use to find resources.
   Exclude AWS connector accounts	If you selected the Add accounts individually field under the Add AWS connector accounts section, provide a list of AWS accounts that Security Command Center should not use to find resources.
   Select regions to collect data	Select one or more AWS regions for Security Command Center to collect data from. Leave the AWS regions field empty to collect data from all regions.
   Maximum queries per second (QPS) for AWS services	You can change the QPS to control the quota limit for Security Command Center. Set the override to a value that is less than the default value for that service, and greater than or equal to 1. The default value is the maximum value. If you do change the QPS, Security Command Center might encounter issues fetching data. Therefore, we don't recommend changing this value.
   Endpoint for AWS Security Token Service	You can specify a specific endpoint for the AWS Security Token Service (for example, https://sts.us-east-2.amazonaws.com). Leave the AWS Security Token Service field empty to use the default global endpoint (https://sts.amazonaws.com).

7. If you changed the delegated account ID or the list of AWS accounts to include or exclude, you must update your AWS environment. A change to the delegated account ID requires that you set up your AWS configuration again. A change to the list of AWS accounts requires that you add or remove collector roles. Removing AWS accounts from the exclude list, because you want to include them, requires you to add the collector roles to those accounts. Complete the following:

   1. Click Continue.

   2. In the Create connection with AWS page, complete one of the following:

      • Download the CloudFormation templates for the delegated role and the collector role. For instructions on using the templates, see Use CloudFormation templates to set up your AWS environment.

      • If you want to change the AWS configuration manually, select Use the AWS console. Copy the service agent ID, delegated role name, and the collector role name. For instructions on updating AWS manually, see Configure AWS accounts manually.

8. If you added an AWS account to the list of AWS accounts to exclude, we recommend that you remove the collector role from the account.

9. Click Test connector to verify that Security Command Center can connect to your AWS environment. If the connection is successful, the Google Cloud service agent can assume the delegated role and the delegated role has all the required permissions to assume the collector role. If the connection isn't successful, see Troubleshooting errors when testing the connection.

10. Click Save.

Modify an existing Vulnerability Assessment for AWS scan

The following section describes how to modify the configuration for a Vulnerability Assessment for AWS scan.

1. Make sure that you have the permissions and roles defined in Enable and use Vulnerability Assessment for AWS.

2. Go to the Settings page in Security Command Center:

   Go to Settings

3. Select the organization in which you need to modify Vulnerability Assessment for AWS. The Services tab of the Settings page opens.

4. Select Settings.

5. In the Vulnerability Assessment service card, click Manage Settings. The Vulnerability Assessment page opens.

6. Select the Amazon Web Services tab.

7. Under the Scan settings for AWS compute and storage section, click Edit scan settings to modify the scope of resources that are scanned.

   You can define a maximum of 50 AWS tags and Amazon EC2 instance IDs. Changes to scan settings don't affect the AWS CloudFormation template. You don't need to redeploy the template. If a tag or instance ID value is not correct (for example, the value is misspelled) and the resource specified does not exist, the value is ignored during the scan.

   Option	Description
   Scan interval	Define the number of hours between each scan. Enter a value from 6 through 24. The default value is 6. The maximum value is 24. More frequent scans may cause an increase in resource usage and possibly an increase in billing charges.
   AWS regions	Choose a subset of regions to include in vulnerability assessment scanning. Only instances from the selected regions are scanned. Select one or more AWS regions to be included in the scan. If you configured specific regions in the Amazon Web Services (AWS) connector, make sure the regions selected here are the same, or a subset of, those defined when you configured the connection to AWS.
   AWS tags	Specify tags that identify the subset of instances that are scanned. Only instances with these tags are scanned. Enter the key-value pair for each tag. If an invalid tag is specified, it will be ignored. You can specify a maximum of 50 tags. For more information about tags, see Tag your Amazon EC2 resources and Add and remove tags for Amazon EC2 resources.
   Exclude by Instance ID	Exclude EC2 instances from each scan by specifying the EC2 instance ID. You can specify a maximum of 50 instance IDs. If invalid values are specified, they will be ignored. If you define multiple instance IDs, they are combined using the AND operator. If you select Exclude instance by ID, enter each instance ID manually by clicking Add AWS EC2 instance, and then typing the value. If you select Copy and paste a list of instance IDs to exclude in JSON format, do one of the following: Enter an array of instance IDs. For example: [ "instance-id-1", "instance-id-2" ] Upload a file with the list of instance IDs. The content of the file should be an array of instance IDs, for example: [ "instance-id-1", "instance-id-2" ]
   Scan SC1 instance	Select Scan SC1 instance to include these instances. SC1 instances are excluded by default. Learn more about SC1 instances.
   Scan ST1 instance	Select Scan ST1 instance to include these instances. ST1 instances are excluded by default. Learn more about ST1 instances.

8. Click Save.

Disable Vulnerability Assessment for AWS scan

To disable the Vulnerability Assessment for AWS service, you need to disable it in Security Command Center and then delete the stack that contains the CloudFormation template in AWS. If the stack isn't deleted, it will continue to incur costs in AWS.

Complete the following steps to disable Vulnerability Assessment for AWS:

1. Go to the Settings page in Security Command Center:

   Go to Settings

2. Select the organization in which you need to disable Vulnerability Assessment for AWS. The Services tab of the Settings page opens.

3. In the Vulnerability Assessment service card, click Manage Settings.

4. Select the Amazon Web Services tab.

5. In the Status field under Service enablement, select Disable.

6. Go to the AWS CloudFormation Template page in the AWS Management Console.

7. Delete the stack that contains the CloudFormation template for Vulnerability Assessment for AWS.

   If you don't delete the template, you might incur unnecessary costs.

What's next

• For troubleshooting information, see Connect Security Command Center to AWS.