AWS Account Management API
This topic describes the APIs exposed to add, update, and delete AWS accounts from the application. All of the following APIs require HTTP Basic authentication with a username and password.
Create a new AWS instance and add AWS accounts to that instance
NOTE: Multi-instance is NOT supported for AWS, so call the following API only once per tenant, and only if no instance has already been created.
API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionAccounts
Request: Creates an instance named 'Default-AWS' and adds 2 accounts to it.
NOTE: If an instance with the same name already exists, the accounts are added to it. If an instance with a different name exists but has no accounts, the accounts are added to that instance. Otherwise, the API returns an error. securityAuditType is optional; its possible values are "CONTINUOUS_EVALUATION" and "SCHEDULED_SCAN".
{
  "awsAccounts": [
    {
      "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
      "accountName": "Dev MVCloud AWS",
      "awsBucketNames": "cloudtrail-1"
    },
    {
      "assumedRole": "arn:aws:iam::295207888133:role/config-test",
      "accountName": "QA MVCloud AWS",
      "awsBucketNames": "cloudtrail-2"
    }
  ],
  "enableDLP": true,
  "enableActivityMonitoring": true,
  "enableSecurityAudit": true,
  "securityAuditType": "CONTINUOUS_EVALUATION",
  "enableVPCFlowLogs": true,
  "enableVulnerabilities": true,
  "notificationEmails": "mvcloud_iaas@mcafee.com",
  "instanceName": "Default-AWS",
  "ignoreErrors": true
}
Response when the number of accounts is 10 or fewer: if the role is missing permissions and the request set ignoreErrors: true, the API completes and returns the following response.
{
  "statusMessage": "Successfully added the accounts: [assumedRole]",
  "status": "SUCCESSFUL_WITH_ERRORS",
  "errors": {
    "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
  }
}
Response when the number of accounts is more than 10: the request is accepted and processed asynchronously, and the user sees the following response.
{
  "status": "SUCCESS",
  "statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
  "errors": null
}
Remove AWS accounts from an instance
This API will remove the AWS account(s) from the instance.
API: DELETE https://www.myshn.net/shndlpapi/v1/aws/deleteAccounts
Request:
{
  "awsAccounts": [
    {
      "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
      "accountName": "Dev MVCloud AWS"
    }
  ],
  "instanceName": "Default-AWS"
}
Response:
{
  "statusMessage": "SUCCESS",
  "status": "SUCCESS",
  "errors": null
}
Add accounts to the existing AWS instance
This API adds new AWS accounts to the existing instance.
API: PUT https://www.myshn.net/shndlpapi/v1/aws/addAccounts
Request:
{
  "awsAccounts": [
    {
      "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
      "accountName": "Dev MVCloud AWS"
    }
  ],
  "ignoreErrors": true,
  "instanceName": "Default-AWS"
}
Response when the number of accounts is 10 or fewer: if the role is missing permissions and the request set ignoreErrors: true, the API completes and returns the following response.
{
  "statusMessage": "Successfully added the accounts: [assumedRole]",
  "status": "SUCCESSFUL_WITH_ERRORS",
  "errors": {
    "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
  }
}
Response when the number of accounts is more than 10: the request is accepted and processed asynchronously, and the user sees the following response.
{
  "status": "SUCCESS",
  "statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
  "errors": null
}
GET the trust details for a tenant
This API returns the AWS account ID and the External ID needed to establish trust, i.e. the values the customer's IAM role must trust before it can be used as an assumedRole.
API: GET https://www.myshn.net/shndlpapi/v1/aws/trustDetails
Request: none (no request body).
Response:
{
  "MVISION Cloud AWS Account ID": "12345678901",
  "External ID": "123456"
}
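The trust details above are consumed on the customer side. The following added example (not part of this documentation, and not the product's own code) turns the trustDetails response into the IAM trust policy for the role referenced by assumedRole, and includes a reviewer check for policies that omit the External ID condition. It assumes the standard AWS cross-account pattern, in which the vendor account's principal calls sts:AssumeRole and must present the External ID; the account and external IDs are the placeholder values shown on the page.

```python
import json
from typing import List

# Placeholder values from the trustDetails response shown on the page.
TRUST_DETAILS = {"MVISION Cloud AWS Account ID": "12345678901", "External ID": "123456"}


def trust_policy_from_details(details: dict) -> dict:
    """Build the trust policy for the role named in assumedRole. Assumption:
    the standard cross-account pattern, where the service account may call
    sts:AssumeRole only when it presents the External ID (the guard against
    the confused-deputy problem)."""
    account_id = details["MVISION Cloud AWS Account ID"]
    external_id = details["External ID"]
    if not external_id:
        raise ValueError("External ID missing; refusing to build an unconditioned trust policy")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict) -> List[str]:
    """Review an existing trust policy: every Allow of sts:AssumeRole must
    name a specific AWS principal and carry an sts:ExternalId condition."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


def render(policy: dict) -> str:
    """Pretty-print the policy document for pasting into the IAM console."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = trust_policy_from_details(TRUST_DETAILS)
    print(render(policy))
    print("findings:", trust_policy_findings(policy))
```

Run trust_policy_findings over the trust policy of each role before passing it as assumedRole; a wildcard principal or a missing External ID condition means the role could be assumed by parties other than the service.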
GET the provisioning status if the number of accounts added is > 10
This API is needed because the operation is asynchronous when more than 10 accounts are added; poll it with the {id} returned in the provisioning response.
API: GET https://www.myshn.net/shndlpapi/v1/a...ionStatus/{id}
Response if the request is being processed:
{
  "statusMessage": "The request is being processed",
  "status": "SUCCESS",
  "errors": null
}
Response if the request is successful:
{
  "statusMessage": "Success",
  "status": "SUCCESS",
  "errors": null
}
Response if the role is missing permissions and the user has set ignoreErrors: true; the request completes successfully with errors:
{
  "statusMessage": "Successfully added the accounts: [assumedRole]",
  "status": "SUCCESSFUL_WITH_ERRORS",
  "errors": {
    "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
  }
}
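The provisionAccounts, addAccounts and provisionStatus responses above share one shape, so a client has to handle three outcomes: a synchronous result, a SUCCESSFUL_WITH_ERRORS result whose errors map lists missing IAM permissions per role, and an asynchronous result that must be polled. The following added example (not from this documentation or the product) builds a provisionAccounts request, validates securityAuditType against the two documented values, follows the provisionStatus URL when more than 10 accounts are submitted, and parses the "Role=... does not have the following permissions={...}" strings into a per-role list so missing permissions can be reviewed. The HTTP layer is a plain callable so the example runs offline against constructed responses; the endpoint paths, field names and message texts are those shown on the page, and the CannedTransport, EXAMPLE-ID and the 12-digit account numbers are constructed.

```python
import base64
import re
from typing import Callable, Dict, List, Optional

BASE_URL = "https://www.myshn.net/shndlpapi/v1/aws"
ALLOWED_AUDIT_TYPES = {"CONTINUOUS_EVALUATION", "SCHEDULED_SCAN"}
PROCESSING_MESSAGE = "The request is being processed"

# Error text shape documented for SUCCESSFUL_WITH_ERRORS responses:
#   Role={assumedRole} does not have the following permissions={perm1,perm2}
PERMISSION_ERROR_RE = re.compile(
    r"Role=\{?(?P<role>[^}\s]+)\}? does not have the following permissions="
    r"\{?(?P<perms>[^}]*)\}?"
)
# The asynchronous response embeds the provisionStatus URL in statusMessage.
STATUS_URL_RE = re.compile(r"(https?://\S+/provisionStatus/\S+)")

Send = Callable[[str, str, Optional[dict]], dict]  # (method, url, json body) -> json


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """HTTP Basic credentials; every endpoint on the page requires them."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def build_provision_request(instance_name: str, accounts: List[dict],
                            security_audit_type: Optional[str] = None,
                            ignore_errors: bool = True, **feature_flags: bool) -> dict:
    """Body for POST /provisionAccounts; securityAuditType is optional but must
    be one of the two documented values when present."""
    if security_audit_type is not None and security_audit_type not in ALLOWED_AUDIT_TYPES:
        raise ValueError(f"securityAuditType must be one of {sorted(ALLOWED_AUDIT_TYPES)}")
    for acct in accounts:
        if not str(acct.get("assumedRole", "")).startswith("arn:aws:iam::"):
            raise ValueError(f"assumedRole must be an IAM role ARN: {acct!r}")
    body = {"awsAccounts": accounts, "instanceName": instance_name, "ignoreErrors": ignore_errors}
    body.update(feature_flags)  # enableDLP, enableSecurityAudit, ... as on the page
    if security_audit_type is not None:
        body["securityAuditType"] = security_audit_type
    return body


def parse_permission_error(message: str) -> Optional[dict]:
    """Turn one documented error string into {role, missing_permissions}."""
    m = PERMISSION_ERROR_RE.search(message)
    if m is None:
        return None
    perms = sorted(p.strip() for p in m.group("perms").split(",") if p.strip())
    return {"role": m.group("role"), "missing_permissions": perms}


def missing_permissions(response: dict) -> Dict[str, List[str]]:
    """Map each assumed role to the IAM actions it lacks, from the errors map
    of a SUCCESSFUL_WITH_ERRORS response (synchronous or polled)."""
    out: Dict[str, List[str]] = {}
    for key, msg in (response.get("errors") or {}).items():
        parsed = parse_permission_error(str(msg))
        if parsed is None:
            out[key] = []  # unrecognised error text: keep the key, nothing parsed
        else:
            out[parsed["role"]] = parsed["missing_permissions"]
    return out


def status_url_from(response: dict) -> Optional[str]:
    """Extract the provisionStatus/{id} URL from an asynchronous response."""
    m = STATUS_URL_RE.search(response.get("statusMessage") or "")
    return m.group(1) if m else None


def provision_accounts(send: Send, body: dict, max_polls: int = 20) -> dict:
    """POST the request; when the reply carries a provisionStatus URL (more than
    10 accounts) poll it until the message stops saying 'being processed'."""
    resp = send("POST", f"{BASE_URL}/provisionAccounts", body)
    url = status_url_from(resp)
    if url is None:
        return resp  # synchronous case: 10 accounts or fewer
    for _ in range(max_polls):
        resp = send("GET", url, None)
        if resp.get("statusMessage") != PROCESSING_MESSAGE:
            return resp
    raise TimeoutError(f"still processing after {max_polls} polls: {url}")


class CannedTransport:
    """Replays constructed responses in order; stands in for a real HTTP client."""

    def __init__(self, responses: List[dict]):
        self.responses = list(responses)

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        return self.responses.pop(0)


def demo() -> Dict[str, List[str]]:
    """Constructed run: 11 accounts -> asynchronous path -> finishes with errors."""
    role = "arn:aws:iam::295207888133:role/config-audit-mvcloud-test"
    canned = [
        {"status": "SUCCESS", "errors": None,
         "statusMessage": "The request is being processed. Please call this API "
                          f"{BASE_URL}/provisionStatus/EXAMPLE-ID to get the status."},
        {"status": "SUCCESS", "errors": None, "statusMessage": PROCESSING_MESSAGE},
        {"status": "SUCCESSFUL_WITH_ERRORS",
         "statusMessage": f"Successfully added the accounts: [{role}]",
         "errors": {role: f"Role={role} does not have the following permissions="
                          "{sqs:ReceiveMessage,events:DescribeRule}"}},
    ]
    accounts = [{"assumedRole": f"arn:aws:iam::{n:012d}:role/config-audit",
                 "accountName": f"account-{n}"} for n in range(1, 12)]
    body = build_provision_request("Default-AWS", accounts, "CONTINUOUS_EVALUATION",
                                   enableSecurityAudit=True)
    return missing_permissions(provision_accounts(CannedTransport(canned), body))
```

With a real HTTP client, `send` would issue the request with the headers from basic_auth_header and return the decoded JSON; the rest of the flow is unchanged. Treat a SUCCESSFUL_WITH_ERRORS result as incomplete onboarding: the roles listed by missing_permissions still need the named actions before the corresponding features (config audit, activity monitoring, and so on) will work for that account.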
Provision Near Real-time Config Audit for AWS accounts
API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionRealTime?instanceName=<instance_name>
Request:
{
  "receiving_account": "713392536353",
  "regions": ["us-east-1", "us-east-2", "us-west-1"],
  "accounts": ["171358681854", "295207888133"],
  "type": "aws_real_time_config_request"
}
Response:
{
  "type": "aws_real_time_config_response",
  "realTimeConfig": null,
  "message": "NRT configuration is being processed. Please call this endpoint /v1/aws/realTimeConfig/status for real-time configuration status",
  "status": "OK"
}
GET real-time configuration status
API: GET https://www.myshn.net/shndlpapi/v1/aws/realTimeConfig/status?instanceName=<instance_name>
Response if errors occur (for example, a role lacking the CloudFormation, EventBridge, or SQS permissions the near real-time configuration needs):
{
  "type": "real_time_config_errors",
  "errors": [
    "Account={171358681854} Role={arn:aws:iam::171358681854:role/config-audit-qa-sowmya} does not have the following permissions={cloudformation:CreateStackInstances,cloudformation:CreateStackSet,cloudformation:DeleteStackInstances,cloudformation:DeleteStackSet,cloudformation:DescribeStackSet,cloudformation:DescribeStackSetOperation,cloudformation:DescribeStacks,cloudformation:ListStackInstances,cloudformation:ListStackSetOperationResults,cloudformation:UpdateStackInstances,cloudformation:UpdateStackSet,events:DescribeEventBus,events:DescribeRule,events:PutPermission,events:RemovePermission,sqs:AddPermission,sqs:CreateQueue,sqs:DeleteMessageBatch,sqs:ReceiveMessage}"
  ]
}
Response when the configuration has completed:
{
  "type": "aws_real_time_config_response",
  "realTimeConfig": null,
  "message": "COMPLETED on Mar 07, 2019 07:13AM UTC",
  "status": "OK"
}
GET the provisioned accounts for an instance
API: GET https://www.myshn.net/shndlpapi/v1/aws/provisionedAccounts?instanceName=<instance_name>
Response: a list of the assumed-role ARNs provisioned for the instance.
[
  "arn:aws:iam::171358681854:role/config-audit",
  "arn:aws:iam::295207888133:role/config-audit-1"
]