index aws-parameter-store
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
The index aws-parameter-store command is used for creating an index of secure strings in AWS Parameter Store.
Note
Only parameters of type SecureString are indexed, as they are secure by definition.
Authentication
The index aws-parameter-store command needs permissions to read each parameter, its history and its tags. The following simplified policy document grants them:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameterHistory",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
See AWS Authentication for more information on how to authenticate with AWS.
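The policy above is described as simplified, and in particular grants every action on "*". As an added example (not code from the Vault Radar project or its documentation), the checker below reads a policy document and reports two things a practitioner reviewing that grant wants to know: whether every action the index command needs is actually allowed (taking wildcards such as ssm:Get* and explicit Deny statements into account), and which of those actions are still granted on the wildcard resource. The sample policies, the ARN and the account id are constructed; only the action list comes from the page. NotAction, NotResource and Condition elements are not evaluated.

```python
import fnmatch
import json

# Constructed copy of the page's simplified policy, as it would appear on disk.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters",
        "ssm:GetParameterHistory",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed alternative: parameter reads scoped to one path prefix.
# The account id and ARN are placeholders; DescribeParameters is left on "*"
# here as a constructed choice, not as a statement of what AWS requires.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:DescribeParameters", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter*", "ssm:ListTagsForResource"],
            "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/app/*",
        },
    ],
}

# Actions the index command needs, taken from the page's policy document.
REQUIRED_ACTIONS = (
    "ssm:DescribeParameters",
    "ssm:GetParameterHistory",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:ListTagsForResource",
)


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy):
    """Return (missing_actions, broad_actions).

    missing_actions: required actions that no Allow statement grants, or that an
                     explicit Deny removes (Deny wins over Allow in IAM).
    broad_actions:   required actions that some Allow statement grants on "*".
    """
    allowed, denied, broad = set(), set(), set()
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for req in REQUIRED_ACTIONS:
            if not any(_action_matches(p, req) for p in actions):
                continue
            if stmt.get("Effect") == "Deny":
                denied.add(req)
            elif stmt.get("Effect") == "Allow":
                allowed.add(req)
                if "*" in resources:
                    broad.add(req)
    missing = [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]
    return missing, sorted(broad)


if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        missing, broad = check_policy(doc)
        print(f"{name}: missing={missing} granted on '*'={broad}")
```

Running the block shows the page's policy grants everything but does so on "*" for all five actions, while the scoped variant narrows the parameter reads to one path and leaves only DescribeParameters on the wildcard. Use the missing list as a pre-flight check before running the index command with a newly written policy.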
Usage
Usage: vault-radar index aws-parameter-store [options]
Command options
--region, -r
: Specifies the region of AWS Parameter Store to scan (required)
--outfile, -o
: Specifies the file to store information about found secrets (required)
--offline
: Specifies that the scan should be run in offline mode, without connecting to HCP
--disable-ui
: Specifies that the scan summary should not be logged to stdout
HCP connection indexing behavior
The default behavior of index commands is to require an HCP cloud connection to scan. This ensures that hashes are generated using a shared salt from the cloud, keeping them consistent across indexes. To populate the HCP connection information needed, refer to the HCP upload page.
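The reason the shared salt matters is that an index is only useful if the hashes in it can be compared with hashes produced later by a scan. The following is an added illustration of that property, not Vault Radar's actual hashing scheme or file format: it builds a toy index keyed by a keyed hash (HMAC-SHA256, with the salt as the key, so that the index does not double as an unsalted lookup table) and shows that a lookup succeeds only when both sides used the same salt. The parameter names, values and salts are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the salt HCP would hand out to every run.
SHARED_SALT = b"constructed-shared-salt"

# Constructed parameter values, as an index run might read them from
# Parameter Store. Only the name (never the value) is kept in the index.
PARAMS = {
    "/app/db/password": "constructed-db-password",
    "/app/api/key": "constructed-api-key",
}


def hash_secret(secret: str, salt: bytes) -> str:
    """Keyed hash of a secret value; the salt is the HMAC key."""
    return hmac.new(salt, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def build_index(params: dict, salt: bytes) -> dict:
    """Map hash -> parameter name, so the index never stores plaintext values."""
    return {hash_secret(value, salt): name for name, value in params.items()}


def lookup(index: dict, candidate: str, salt: bytes):
    """What a scan does with a string it found: hash it and consult the index."""
    return index.get(hash_secret(candidate, salt))


def demo():
    # Index and scan agree on the shared salt: the leaked value is attributed.
    online_index = build_index(PARAMS, SHARED_SALT)
    hit = lookup(online_index, "constructed-db-password", SHARED_SALT)

    # Two runs that each generate their own local salt cannot be compared,
    # even though they hash exactly the same value.
    local_salt_a, local_salt_b = os.urandom(16), os.urandom(16)
    offline_index = build_index(PARAMS, local_salt_a)
    miss = lookup(offline_index, "constructed-db-password", local_salt_b)
    return hit, miss


if __name__ == "__main__":
    print(demo())
```

The takeaway for the --offline flag is operational rather than cryptographic: offline hashing is just as strong, but anything that must match an offline index later has to be produced with the same local salt, whereas the HCP-provided salt gives every online run that agreement for free.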
To allow scanning to continue working without an HCP cloud connection, use the --offline flag as follows:
$ vault-radar index aws-parameter-store \
    --offline \
    -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv
Generate an index file
Index files are generated in "online mode" by default, meaning that the secret hash is produced using a salt provided by HCP. This requires the Project Service Principals to be configured for your system as outlined on the HCP upload page. If you do not want to use the index file for HCP upload and visualization, you can use the --offline flag to use a local hashing salt; the command then does not error if the Service Principals are not configured.
$ vault-radar index aws-parameter-store \
    -r <REGION CODE> \
    -o <PATH TO OUTPUT>.jsonl \
    --offline
Generate index file using HCP provided salt
To generate an index file from the SecureString parameters using the HCP-provided salt, omit the --offline flag:
$ vault-radar index aws-parameter-store \
    -r <REGION CODE> \
    -o <PATH TO OUTPUT>.jsonl
Consuming an index file
To consume the resulting index file, use the --index-file flag when calling a scan command, e.g.:
$ vault-radar scan aws-s3 \
    --bucket <BUCKET NAME> \
    -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    --index-file <PATH TO INDEX FILE>