
Continuous Monitoring with Aegis

Aegis supports continuous monitoring of your cloud service provider (CSP) environments. By integrating Aegis with your cloud accounts, you can automate the detection of misconfigurations, policy violations, and security risks in real time.

This guide provides instructions on how to extract all resources from AWS, Azure, and Google Cloud, and then evaluate them against an Aegis policy.

General Workflow

The process for each cloud provider follows these general steps:

  1. List Resources: Use the cloud provider's command-line interface (CLI) to list all resources in your account and save the output to a JSON file.
  2. Evaluate Resources: Use a curl command to send the JSON file to the Aegis eval API to check the resources against a specified policy.

AWS Integration

Prerequisites

  • AWS CLI: Ensure the AWS CLI is installed and configured with credentials.
  • Permissions: Your IAM user or role must have the resource-group-tagging-api:GetResources permission.

1. List All AWS Resources

First, use the AWS CLI to query all resources in your account and save them to a file named aws-resources.json. The resourcegroupstaggingapi provides a way to get resources across all regions.

aws resourcegroupstaggingapi get-resources --output json > aws-resources.json

This command retrieves a list of all taggable resources and saves their configuration details into the JSON file.

2. Evaluate Against an Aegis Policy

Next, use the Aegis API to evaluate these resources against a policy, such as one that checks for security best practices.

curl -X POST "https://<your-instance>.aegis.pegasys.cloud/api/eval/policies/aws-best-practices" \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d @- <<EOF
{
  "inputData": $(cat aws-resources.json)
}
EOF

This command reads the aws-resources.json file and sends its content to the Aegis eval endpoint. Aegis will then process the list of resources and return a report indicating which ones are non-compliant.


Azure Integration

Prerequisites

  • Azure CLI: Ensure the Azure CLI is installed and you are logged in (az login).
  • Permissions: You need at least the Reader role on your subscription to list resources.

1. List All Azure Resources

Use the Azure CLI to list all resources within your subscription and save the output to azure-resources.json.

az resource list --output json > azure-resources.json

This command queries your Azure account and exports the configuration of all resources into the specified file.

2. Evaluate Against an Aegis Policy

Now, send the exported data to Aegis for evaluation against a relevant policy, for example, one that enforces networking rules.

curl -X POST "https://<your-instance>.aegis.pegasys.cloud/api/eval/policies/azure-network-security" \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d @- <<EOF
{
  "inputData": $(cat azure-resources.json)
}
EOF

Google Cloud (GCP) Integration

Prerequisites

  • Google Cloud SDK: Ensure the Google Cloud SDK is installed and configured (gcloud auth login, gcloud config set project <your-project-id>).
  • API Enabled: The Cloud Asset API must be enabled for your project. You can enable it with gcloud services enable cloudasset.googleapis.com.
  • Permissions: You need the cloudasset.assets.searchAllResources permission, which is included in the Cloud Asset Viewer role.

1. List All GCP Resources

For Google Cloud, you can use the gcloud CLI with the Asset Inventory API to list all resources. Ensure the API is enabled for your project first.

gcloud asset search-all-resources --scope=projects/<your-project-id> --format=json > gcp-resources.json

Replace <your-project-id> with your actual GCP project ID. This command will save all resource metadata into gcp-resources.json.

2. Evaluate Against an Aegis Policy

Finally, evaluate the GCP resources against a policy, such as one designed to check IAM configurations.

curl -X POST "https://<your-instance>.aegis.pegasys.cloud/api/eval/policies/gcp-iam-rules" \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d @- <<EOF
{
  "inputData": $(cat gcp-resources.json)
}
EOF
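As an added example (not part of the Aegis documentation or product), the following Python script performs the evaluation step of all three sections above in one place: it parses the exported inventory, wraps it in the inputData envelope the curl commands use, and posts it to the eval endpoint. The endpoint path and envelope come from this page; the constructed sample inventories, the AEGIS_TOKEN environment variable and the report file name are this example's own assumptions.

```python
"""Post a cloud resource inventory to the Aegis eval API and keep the report."""
import json
import os
import sys
import urllib.request

# Constructed samples in the shapes the CLIs on this page emit: `aws resourcegroupstaggingapi
# get-resources` wraps the list in ResourceTagMappingList; `az resource list` and
# `gcloud asset search-all-resources` emit a bare JSON array. <sub-id> is a placeholder.
SAMPLE_AWS = '{"ResourceTagMappingList": [{"ResourceARN": "arn:aws:s3:::example-bucket", "Tags": []}]}'
SAMPLE_AZURE = ('[{"id": "/subscriptions/<sub-id>/resourceGroups/rg-example/providers/Microsoft.Storage/storageAccounts/stexample", "type": "Microsoft.Storage/storageAccounts"},'
                ' {"id": "/subscriptions/<sub-id>/resourceGroups/rg-example/providers/Microsoft.Network/networkSecurityGroups/nsg-example", "type": "Microsoft.Network/networkSecurityGroups"}]')

def eval_url(instance: str, policy: str) -> str:
    """Endpoint pattern used by the curl commands on this page."""
    return f"https://{instance}.aegis.pegasys.cloud/api/eval/policies/{policy}"

def resource_count(data) -> int:
    if isinstance(data, dict):
        return len(data.get("ResourceTagMappingList", []))
    return len(data)

def build_payload(inventory_text: str) -> dict:
    """Wrap the export in the {"inputData": ...} envelope the eval endpoint expects.
    Parsing first turns an empty or half-written export (a CLI call that failed
    midway) into a local error instead of a request carrying garbage to Aegis."""
    data = json.loads(inventory_text)
    if resource_count(data) == 0:
        raise ValueError("inventory lists no resources; check the CLI call and its permissions")
    return {"inputData": data}

def evaluate(instance: str, policy: str, inventory_path: str, token: str, timeout: int = 120):
    """Send one inventory file to one policy and return the decoded report."""
    with open(inventory_path, encoding="utf-8") as fh:
        body = json.dumps(build_payload(fh.read())).encode("utf-8")
    req = urllib.request.Request(
        eval_url(instance, policy), data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # usage: aegis_eval.py <instance> <policy> <inventory.json>; the bearer token is read
    # from the AEGIS_TOKEN environment variable (this example's convention, not Aegis's).
    instance, policy, path = sys.argv[1:4]
    report = evaluate(instance, policy, path, os.environ["AEGIS_TOKEN"])
    with open(f"{policy}-report.json", "w", encoding="utf-8") as out:
        json.dump(report, out, indent=2)  # keep the report as evidence of the monitoring run
    print(f"report saved to {policy}-report.json")
```

Run it once per provider after the corresponding list command, for example with the aws-resources.json file and the aws-best-practices policy from the AWS section.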