CSPM in AWS China
Aqua supports CSPM in Amazon Web Services (AWS) China accounts to help ensure the security and compliance of AWS resources specific to Amazon Web Services China (Beijing) Region and Amazon Web Services China (Ningxia) Region.
Getting Started
Connecting Aqua to your AWS China account is straightforward and takes about 5 minutes. CSPM connects to your account using IAM user credentials (an access key ID and secret access key); grant that user read-only permissions only. Refer to the AWS China setup guide for complete installation steps.
To use AWS services in the AWS China (Beijing) and AWS China (Ningxia) Regions, you need an account and credentials created specifically for AWS in mainland China. Accounts created for the global AWS regions cannot access services in mainland China, and credentials from an AWS China account cannot be used in any region outside Beijing and Ningxia.
The Scanning Process
Once connected, CSPM will query various read-only APIs in your account to obtain information about the configuration of your infrastructure services. This information will be processed and analyzed by Aqua's security control plugins to produce a security report.
How does this differ?
- The AWS China website is www.amazonaws.cn, and service endpoints use the amazonaws.com.cn suffix (for example ec2.cn-north-1.amazonaws.com.cn) rather than amazonaws.com.
- In AWS China Regions the partition segment of the Amazon Resource Name (ARN) is aws-cn instead of aws. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Bob. Policies copied from a global account that reference arn:aws:... resources will therefore never match resources in a China account.
- To use services in AWS China, you need an account and credentials specific to the Beijing and Ningxia Regions.
- There is no root user and no root credentials. Every identity, including the one that created the account, is an IAM user.
Limitations
- The AWS free tier is not currently available in AWS China.
- The EC2-Classic platform is not supported.
For a detailed list of the services available in the Amazon Web Services China (Beijing) Region and the Amazon Web Services China (Ningxia) Region, please visit the AWS Region Table.
Example Findings
CSPM has hundreds of plugins, representing a variety of cloud security controls. Some example findings include:
- Misconfigured S3 buckets exposed publicly
- RDS databases, EBS volumes, and other services that are not encrypted
- IAM role policies that allow extensive service or wildcard access to the account
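The following is an added example, not Aqua's own code, that shows what the scanning process and the example findings above look like in practice for a China account: a miniature plugin pass over the kind of responses read-only APIs return, with the aws-cn partition and amazonaws.com.cn endpoints handled explicitly. The inventory, bucket names, volume IDs and policy names are constructed sample data, and the three check functions are simplified illustrations rather than Aqua's plugins; a real scanner would populate the inventory from calls such as GetBucketPolicy, DescribeVolumes and GetPolicyVersion.

```python
from dataclasses import dataclass

# Region -> (ARN partition, service endpoint DNS suffix). The two China
# regions live in the aws-cn partition and use amazonaws.com.cn endpoints;
# us-east-1 is included only for contrast with the global partition.
REGION_INFO = {
    "cn-north-1": ("aws-cn", "amazonaws.com.cn"),      # Beijing
    "cn-northwest-1": ("aws-cn", "amazonaws.com.cn"),  # Ningxia
    "us-east-1": ("aws", "amazonaws.com"),
}


def endpoint(service, region):
    """Regional endpoint a scanner must call for the given region."""
    return f"{service}.{region}.{REGION_INFO[region][1]}"


def parse_arn(arn):
    """Split an ARN into its fields; the second field is the partition."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


@dataclass
class Finding:
    plugin: str
    resource: str
    message: str


def _statements(policy):
    """Normalise a policy document's Statement to a list of dicts."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_s3_public(buckets):
    """Flag buckets whose policy allows an anonymous ('*') principal."""
    findings = []
    for name, policy in buckets.items():
        for st in _statements(policy):
            principal = st.get("Principal")
            anonymous = principal == "*" or (
                isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
            if st.get("Effect") == "Allow" and anonymous:
                findings.append(Finding("s3_bucket_public", name, "bucket policy grants access to everyone"))
                break
    return findings


def check_ebs_encryption(volumes):
    """Flag EBS volumes created without encryption at rest."""
    return [Finding("ebs_encrypted", v["VolumeId"], "volume is not encrypted")
            for v in volumes if not v.get("Encrypted", False)]


def check_iam_wildcards(policies):
    """Flag policies that allow '*' or 'service:*' actions on every resource."""
    findings = []
    for name, policy in policies.items():
        for st in _statements(policy):
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            resources = _as_list(st.get("Resource", []))
            if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(Finding("iam_wildcard_policy", name, f"allows {actions} on all resources"))
                break
    return findings


def check_partition(account_region, policies):
    """Flag resource ARNs whose partition differs from the account's own
    partition, e.g. arn:aws:... copied into an aws-cn account (never matches)."""
    expected = REGION_INFO[account_region][0]
    findings = []
    for name, policy in policies.items():
        for st in _statements(policy):
            for res in _as_list(st.get("Resource", [])):
                if res.startswith("arn:") and parse_arn(res)["partition"] != expected:
                    findings.append(Finding("arn_partition_mismatch", name,
                                            f"{res} is not in partition {expected}"))
    return findings


def run_checks(account_region, inventory):
    """Run every plugin over the collected inventory and return the report."""
    return (check_s3_public(inventory["s3_bucket_policies"])
            + check_ebs_encryption(inventory["ebs_volumes"])
            + check_iam_wildcards(inventory["iam_policies"])
            + check_partition(account_region, inventory["iam_policies"]))


# Constructed sample inventory, shaped like the API responses a scanner collects.
SAMPLE_INVENTORY = {
    "s3_bucket_policies": {
        "public-logs": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                       "Resource": "arn:aws-cn:s3:::public-logs/*"}]},
        "private-data": {"Statement": [{"Effect": "Allow",
                                        "Principal": {"AWS": "arn:aws-cn:iam::123456789012:user/Bob"},
                                        "Action": "s3:GetObject", "Resource": "arn:aws-cn:s3:::private-data/*"}]},
    },
    "ebs_volumes": [
        {"VolumeId": "vol-0123456789abcdef0", "Encrypted": False},
        {"VolumeId": "vol-0fedcba9876543210", "Encrypted": True},
    ],
    "iam_policies": {
        "AdminLike": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "CopiedFromGlobal": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                            "Resource": "arn:aws:s3:::private-data/*"}]},
        "ReadOnlyScanner": {"Statement": [{"Effect": "Allow",
                                           "Action": ["ec2:Describe*", "s3:GetBucketPolicy"],
                                           "Resource": "*"}]},
    },
}

if __name__ == "__main__":
    print("scanner would call, e.g.:", endpoint("ec2", "cn-north-1"))
    for f in run_checks("cn-north-1", SAMPLE_INVENTORY):
        print(f"[{f.plugin}] {f.resource}: {f.message}")
```

Against the constructed inventory in a Beijing (cn-north-1) account the pass reports four findings: the public bucket, the unencrypted volume, the wildcard policy, and the policy that references an arn:aws: resource. Run the same inventory as a us-east-1 account and the partition finding disappears, which is exactly the silent breakage a copied global policy causes in China.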
Next Steps
To begin auditing your AWS China accounts, simply register for an Aqua account and follow the connection process.