
Amazon Inspector is a vulnerability management service that discovers and scans Amazon EC2 instances, container images, AWS Lambda functions, and code repositories. This guide walks you through gathering the necessary information and configuring your AWS account for an integration with Synqly's Application Security connector.

The operations executed by Synqly's Application Security connector will only return results that appear under the Code Security tab in the Amazon Inspector Console. This only includes resources that match the resource type of CODE_REPOSITORY.

Prerequisites

Before you begin, ensure that you have:

  • Activated Amazon Inspector
  • Access to an AWS account with the ability to create IAM policies, roles, and users

Need to activate Amazon Inspector? See the Amazon Inspector Getting Started docs page

For the policy actions required to manage IAM resources themselves (creating policies, roles, and users), see the Amazon IAM "Permissions required to access IAM resources" docs page.

Required Policy Actions

Operation                                Required Policy Action(s)
Query Applications                       inspector2:ListFindingAggregations
Query Application Findings               inspector2:ListFindings
Query findings across all applications   inspector2:ListFindings
Get Application Finding Details          inspector2:ListFindings, inspector2:ListFindingAggregations
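A permissions policy that grants exactly the two actions in the table and nothing else, as an added example (not Synqly's or AWS's own document; the Sid is an assumed label). Both inspector2 List actions are read-only, and neither supports resource-level permissions, so "Resource": "*" is the narrowest scope available:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SynqlyInspectorCodeSecurityRead",
      "Effect": "Allow",
      "Action": [
        "inspector2:ListFindings",
        "inspector2:ListFindingAggregations"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this policy (rather than a managed policy such as AmazonInspector2ReadOnlyAccess) to the role or user Synqly will use, so the integration cannot read or change anything beyond Inspector findings.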

Synqly supports two methods for authenticating with AWS: static credentials (IAM user access keys) and role-based access (IAM role assumption). Role-based access is recommended for production environments because it uses short-lived credentials and provides better auditability through CloudTrail.

Role-Based Access

Role-based access is recommended and is considered an AWS best practice.

Role-based access uses an IAM role in your account that Synqly assumes to obtain temporary credentials. No long-lived access keys are created or shared, the credentials expire automatically, and the role carries only the permissions you attach to it, which keeps the integration to the principle of least privilege.

1. Create an IAM Role

Create a role in your AWS account with a name that starts with SynqlyAccess (for example, SynqlyAccessS3Reader). This naming convention is required.

  1. In the AWS IAM console, go to Roles and choose Create role.
  2. For trusted entity type, choose Custom trust policy.
  3. Enter the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::733459310821:role/SynqlyIntegrationAccess"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Replace YOUR_EXTERNAL_ID with a unique identifier you generate (for example, a UUID). You will provide this External ID when configuring the integration.

  4. Name the role with a SynqlyAccess prefix (for example, SynqlyAccessMyIntegration).
  5. Attach a permissions policy that grants the inspector2:ListFindings and inspector2:ListFindingAggregations actions listed under Required Policy Actions.
  6. Create the role and note its ARN.


External ID Requirements

The External ID is a security mechanism that prevents the confused deputy problem. Because Synqly assumes roles in many customer accounts from the same principal, the External ID ensures that your role can only be assumed by requests that Synqly makes on your behalf, and not by another Synqly tenant who happens to know your role ARN.

The External ID must contain only the following characters:

  • Alphanumeric characters (a-z, A-Z, 0-9)
  • Special characters: + = , . @ : / -

It must be between 2 and 1224 characters in length.

Configuring the Integration Credentials

When creating an AWS integration in Synqly, provide the following configuration values based on your chosen authentication method.

Credential Parameter   Description
Role ARN               The ARN of the IAM role you created, for example arn:aws:iam::123456789012:role/SynqlyAccessMyIntegration. The role name must start with SynqlyAccess.
External ID            The External ID you specified in the role's trust policy. This value must match exactly.
Role Session Name      OPTIONAL: A name for the role session. If not specified, Synqly generates a default session name.
Duration               OPTIONAL: The duration of the role session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration configured on your role (default is 1 hour).
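The following script is an added example, not Synqly's or AWS's code, that ties the role-creation steps, the External ID requirements, and the credential parameters above together: it generates an External ID, renders the trust policy from this page with that value, and checks the values you are about to enter (Role ARN prefix, External ID character set and length, Duration range) before you paste them into the Synqly form. It also flags a trust policy that is not safely scoped to Synqly, for example one that trusts a wildcard principal or omits the sts:ExternalId condition. The Synqly principal ARN is the one shown in the trust policy above; all function names and the sample inputs are constructed for illustration.

```python
"""Offline checks for the Synqly role trust policy and credential parameters.
Added example; the function names and sample inputs are constructed."""
import json
import re
import uuid

# Synqly's principal, as shown in the trust policy on this page.
SYNQLY_PRINCIPAL = "arn:aws:iam::733459310821:role/SynqlyIntegrationAccess"

# External ID rules from this page: allowed characters, length 2..1224.
EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9+=,.@:/-]{2,1224}$")
# IAM role ARN whose role name starts with the required SynqlyAccess prefix.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(SynqlyAccess[\w+=,.@-]*)$")


def generate_external_id() -> str:
    """A random UUID is unguessable and uses only permitted characters."""
    return str(uuid.uuid4())


def validate_external_id(external_id: str) -> bool:
    return EXTERNAL_ID_RE.fullmatch(external_id) is not None


def validate_role_arn(role_arn: str) -> bool:
    return ROLE_ARN_RE.fullmatch(role_arn) is not None


def validate_duration(seconds: int, max_session_duration: int = 3600) -> bool:
    """Duration must be 900 s up to the role's MaxSessionDuration (default 1 hour)."""
    return 900 <= seconds <= max_session_duration


def build_trust_policy(external_id: str) -> dict:
    """Render the trust policy from this page with your External ID filled in."""
    if not validate_external_id(external_id):
        raise ValueError("External ID violates the allowed character set or length")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": SYNQLY_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict, expected_external_id: str) -> list:
    """Return the reasons a trust policy is NOT safely scoped to Synqly.

    An empty list means every AssumeRole statement trusts only Synqly's role
    and requires the External ID you will configure in Synqly."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws_principal != SYNQLY_PRINCIPAL:
            problems.append(f"statement {i}: principal {aws_principal!r} is not Synqly's role")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            problems.append(f"statement {i}: no sts:ExternalId condition (confused deputy risk)")
        elif cond["sts:ExternalId"] != expected_external_id:
            problems.append(f"statement {i}: External ID differs from the value configured in Synqly")
    return problems


if __name__ == "__main__":
    ext_id = generate_external_id()
    print(json.dumps(build_trust_policy(ext_id), indent=2))
    # Constructed bad policy: wildcard principal and no External ID condition.
    bad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    for problem in trust_policy_problems(bad, ext_id):
        print("problem:", problem)
```

Because the trust policy trusts only Synqly's role, you cannot test the assumption from your own account with `aws sts assume-role`; once the integration is connected, confirm it works by looking for AssumeRole events on the role in CloudTrail.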

Configuring the Integration

To configure a new Amazon Inspector integration in the Synqly system, provide each of the values as defined below:

Integration Parameter   Description
Region                  Your Amazon Inspector region. Find it by opening the Amazon Inspector console and reading the region from the URL, which has the format {region}.console.aws.amazon.com