McAfee MVISION Cloud

AWS Account Management API

This topic describes the APIs exposed to add, update, and delete AWS accounts from the application. All of the following APIs require HTTP basic authentication with a username and password.

Create a new AWS instance and add AWS accounts to that instance

NOTE: Multi-instance is NOT supported for AWS, so call the following API only once per tenant, and only if no instance has been created yet.

API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionAccounts

Request: creates an instance named 'Default-AWS' and adds 2 accounts to it.

NOTE: If an instance with the same name already exists, the accounts are added to it. If an instance with a different name exists and has no accounts, the accounts are added to that instance instead. Otherwise the API returns an error. securityAuditType is optional; its possible values are "CONTINUOUS_EVALUATION" and "SCHEDULED_SCAN".

{
    "awsAccounts": [
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
            "accountName": "Dev MVCloud AWS",
            "awsBucketNames": "cloudtrail-1"
        },
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-test",
            "accountName": "QA MVCloud AWS",
            "awsBucketNames": "cloudtrail-2"
        }
    ],
    "enableDLP": true,
    "enableActivityMonitoring": true,
    "enableSecurityAudit": true,
    "securityAuditType": "CONTINUOUS_EVALUATION",
    "enableVPCFlowLogs": true,
    "enableVulnerabilities": true,
    "notificationEmails": "mvcloud_iaas@mcafee.com",
    "instanceName": "Default-AWS",
    "ignoreErrors": true
}

Response: When the number of accounts is <=10 the request is processed synchronously. If a role is missing permissions and the request set ignoreErrors: true, the accounts are still added and the response reports the missing permissions per role:

{
    "statusMessage": "Successfully added the accounts: [assumedRole]",
    "status": "SUCCESSFUL_WITH_ERRORS",
    "errors": {
        "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
    }
}

When the number of accounts is >10 the request is processed asynchronously, and the response carries the provisionStatus URL to poll:

{
    "status": "SUCCESS",
    "statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
    "errors": null
}

Remove AWS accounts from an instance

This API will remove the AWS account(s) from the instance.


API: DELETE https://www.myshn.net/shndlpapi/v1/aws/deleteAccounts

Request:

{
    "awsAccounts": [
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
            "accountName": "Dev MVCloud AWS"
        }
    ],
    "instanceName": "Default-AWS"
}

Response:

{
    "statusMessage": "SUCCESS",
    "status": "SUCCESS",
    "errors": null
}

Add accounts to the existing AWS instance

This API adds new AWS accounts to the existing instance. 

API: PUT https://www.myshn.net/shndlpapi/v1/aws/addAccounts

Request:

{
    "awsAccounts": [
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
            "accountName": "Dev MVCloud AWS"
        }
    ],
    "ignoreErrors": true,
    "instanceName": "Default-AWS"
}

Response: When the number of accounts is <=10 the request is processed synchronously. If a role is missing permissions and the request set ignoreErrors: true, the accounts are still added and the response reports the missing permissions per role:

{
    "statusMessage": "Successfully added the accounts: [assumedRole]",
    "status": "SUCCESSFUL_WITH_ERRORS",
    "errors": {
        "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
    }
}

Response: When the number of accounts is >10 the request is processed asynchronously, and the response carries the provisionStatus URL to poll:

{
    "status": "SUCCESS",
    "statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
    "errors": null
}

GET the trust details for a tenant

This API returns the MVISION Cloud AWS account ID and the External ID needed to establish the cross-account trust. Put both in the trust policy of each role you pass as assumedRole: the account ID as the principal allowed to call sts:AssumeRole, and the External ID in an sts:ExternalId condition, so that nobody who merely knows your role ARN can have the service assume it on their behalf.

API: GET https://www.myshn.net/shndlpapi/v1/aws/trustDetails

Request: none (no body)

Response:

{
    "MVISION Cloud AWS Account ID": "12345678901",
    "External ID": "123456"
}
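The trust policy a practitioner would build from the trustDetails response, plus a check that an existing trust policy is actually restricted to that account and External ID. This is an added example, not code from the MVISION Cloud documentation; it assumes only the two response keys shown above, and the account ID and External ID in SAMPLE_TRUST_DETAILS are constructed placeholders.

```python
"""Build and audit the IAM trust policy for the role named in assumedRole.

Added example, not code from the MVISION Cloud documentation. It assumes only
the two trustDetails keys shown above ("MVISION Cloud AWS Account ID" and
"External ID"); the values in SAMPLE_TRUST_DETAILS are constructed
placeholders, not real tenant data.
"""
import json

ASSUME_ROLE = "sts:AssumeRole"

# Constructed placeholder response in the shape returned by GET trustDetails.
SAMPLE_TRUST_DETAILS = {
    "MVISION Cloud AWS Account ID": "123456789012",
    "External ID": "a1b2c3d4",
}


def build_trust_policy(trust_details):
    """Return the trust policy to attach to the audit role.

    Only the MVISION Cloud account may assume the role, and only when it
    presents the tenant's External ID. The sts:ExternalId condition is the
    AWS mitigation for the confused-deputy problem: someone who learns your
    role ARN cannot have the vendor assume it on their behalf without the ID.
    """
    account_id = str(trust_details["MVISION Cloud AWS Account ID"]).strip()
    external_id = str(trust_details["External ID"]).strip()
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account IDs are exactly 12 digits, got %r" % account_id)
    if not external_id:
        raise ValueError("External ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
                "Action": ASSUME_ROLE,
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_assume_role(actions):
    # Wildcard actions grant AssumeRole as well, so they must be audited too.
    return any(a in ("*", "sts:*", ASSUME_ROLE) for a in _as_list(actions))


def trust_policy_is_restricted(policy, account_id, external_id):
    """Audit an existing trust policy fetched from IAM.

    Every Allow statement granting AssumeRole must name the expected account
    (root ARN or bare ID) as its only principal and require the expected
    External ID. Returns False for a wildcard principal, a foreign account, a
    missing or mismatched condition, or a policy that grants nothing at all.
    """
    expected = {"arn:aws:iam::%s:root" % account_id, account_id}
    found = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_assume_role(stmt.get("Action", [])):
            continue
        found = True
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not principals or any(p not in expected for p in principals):
            return False
        condition = (stmt.get("Condition") or {}).get("StringEquals") or {}
        if condition.get("sts:ExternalId") != external_id:
            return False
    return found


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(SAMPLE_TRUST_DETAILS), indent=2))
```

Run `trust_policy_is_restricted` against the trust policy IAM actually holds (for example from `aws iam get-role`) after onboarding, and again on a schedule: a later edit that widens the principal or drops the ExternalId condition is exactly the drift this check is meant to catch.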

GET the provisioning status if the number of accounts added is > 10

This API is needed because the operation is asynchronous when more than 10 accounts are added; {id} is the identifier from the provisionStatus URL returned in the statusMessage of the provisioning call.

API: GET https://www.myshn.net/shndlpapi/v1/a...ionStatus/{id}


Response if the request is being processed:

{
    "statusMessage": "The request is being processed",
    "status": "SUCCESS",
    "errors": null
}

Response if the request is successful:

{
    "statusMessage": "Success",
    "status": "SUCCESS",
    "errors": null
}

Response if a role is missing permissions and the request set ignoreErrors: true; the request completes successfully with errors:

{
    "statusMessage": "Successfully added the accounts: [assumedRole]",
    "status": "SUCCESSFUL_WITH_ERRORS",
    "errors": {
        "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
    }
}

Provision Near Real-time Config Audit for AWS accounts

API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionRealTime?instanceName=<instance_name>

Request: 

{
    "receiving_account": "713392536353",
    "regions": ["us-east-1", "us-east-2", "us-west-1"],
    "accounts": ["171358681854","295207888133"],
    "type": "aws_real_time_config_request"
}

Response:

{
    "type": "aws_real_time_config_response",
    "realTimeConfig": null,
    "message": "NRT configuration is being processed. Please call this endpoint /v1/aws/realTimeConfig/status for real-time configuration status",
    "status": "OK"
}

GET real-time configuration status

API: GET https://www.myshn.net/shndlpapi/v1/aws/realTimeConfig/status?instanceName=<instance_name>

Response if errors occurred:

{
    "type": "real_time_config_errors",
    "errors": [
        "Account={171358681854} Role={arn:aws:iam::171358681854:role/config-audit-qa-sowmya} does not have the following permissions={cloudformation:CreateStackInstances,cloudformation:CreateStackSet,cloudformation:DeleteStackInstances,cloudformation:DeleteStackSet,cloudformation:DescribeStackSet,cloudformation:DescribeStackSetOperation,cloudformation:DescribeStacks,cloudformation:ListStackInstances,cloudformation:ListStackSetOperationResults,cloudformation:UpdateStackInstances,cloudformation:UpdateStackSet,events:DescribeEventBus,events:DescribeRule,events:PutPermission,events:RemovePermission,sqs:AddPermission,sqs:CreateQueue,sqs:DeleteMessageBatch,sqs:ReceiveMessage}"
    ]
}

Response if the real-time configuration completed:

{
    "type": "aws_real_time_config_response",
    "realTimeConfig": null,
    "message": "COMPLETED on Mar 07, 2019 07:13AM UTC",
    "status": "OK"
}
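Client-side handling for the responses in the provisioning sections (provisionAccounts, addAccounts and the provisionStatus poll) and for the realTimeConfig/status error list above. This is an added example, not code from the MVISION Cloud documentation: it assumes only the message shapes shown on this page, the sample bodies are constructed with placeholder values, and `fetch_status` is an injected callable standing in for the HTTP request, which is out of scope here.

```python
"""Interpret provisioning and real-time-config responses from the APIs above.

Added example, not code from the MVISION Cloud documentation. It covers the
provisionAccounts / addAccounts / provisionStatus bodies (synchronous for
<=10 accounts, asynchronous with a provisionStatus/{id} poll above that) and
the realTimeConfig/status error list. Only the message shapes shown on this
page are assumed; the sample bodies below are constructed with placeholder
values, and fetch_status is an injected callable standing in for the HTTP
call.
"""
import re

# One pattern for both error shapes on the page: the provisioning error map
# values ("Role={arn} does not have the following permissions={a,b}") and the
# real-time config entries, which prefix "Account={id} ".
_PERM_ERROR = re.compile(
    r"^(?:Account=\{(?P<account>[^}]*)\}\s+)?Role=\{(?P<role>[^}]*)\}\s+"
    r"does not have the following permissions=\{(?P<perms>[^}]*)\}$"
)
_STATUS_ID = re.compile(r"provisionStatus/(\S+)")


def parse_permission_error(message):
    """Return {"account", "role", "permissions"} for a missing-permissions
    message, or None if the text has another shape. Permissions are sorted so
    two reports for the same role compare equal."""
    m = _PERM_ERROR.match(message.strip())
    if not m:
        return None
    perms = sorted(p.strip() for p in m.group("perms").split(",") if p.strip())
    return {"account": m.group("account"), "role": m.group("role"), "permissions": perms}


def interpret_provision_response(body):
    """Classify a provisionAccounts, addAccounts or provisionStatus body.

    Returns ("pending", status_id or None), ("done", []),
    ("done_with_errors", [parsed errors]) or ("failed", [raw text]).
    SUCCESSFUL_WITH_ERRORS is the outcome to alert on: with ignoreErrors true
    the accounts were onboarded anyway, so checks that need the missing
    permissions silently return nothing until the role is fixed.
    """
    status = body.get("status")
    message = body.get("statusMessage") or ""
    errors = body.get("errors") or {}
    if status == "SUCCESSFUL_WITH_ERRORS":
        parsed = [parse_permission_error(text) or {"role": role, "permissions": [], "raw": text}
                  for role, text in errors.items()]
        return "done_with_errors", parsed
    if status == "SUCCESS":
        if "being processed" in message:
            m = _STATUS_ID.search(message)
            return "pending", (m.group(1) if m else None)
        return "done", []
    raw = errors.values() if isinstance(errors, dict) else errors
    return "failed", [message] + [str(v) for v in raw]


def poll_provision_status(fetch_status, status_id, max_attempts=30):
    """Poll provisionStatus/{id} until it stops saying "being processed".

    fetch_status(status_id) must return the decoded JSON body (sleep between
    calls in a real client). The attempt cap keeps a stuck job from hanging an
    automation run forever; ("timeout", [status_id]) is returned in that case."""
    for _ in range(max_attempts):
        state, detail = interpret_provision_response(fetch_status(status_id))
        if state != "pending":
            return state, detail
    return "timeout", [status_id]


def interpret_realtime_status(body):
    """Classify a realTimeConfig/status body as ("errors", [parsed]),
    ("completed", message) or ("pending", None)."""
    if body.get("type") == "real_time_config_errors":
        return "errors", [parse_permission_error(e) or {"raw": e} for e in body.get("errors") or []]
    message = body.get("message") or ""
    if message.startswith("COMPLETED"):
        return "completed", message
    return "pending", None


# Constructed sample bodies in the shapes documented above (placeholder values).
SAMPLE_ASYNC_ACCEPTED = {
    "status": "SUCCESS",
    "statusMessage": "The request is being processed. Please call this API "
                     "https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/abc123 to get the status.",
    "errors": None,
}
SAMPLE_WITH_ERRORS = {
    "statusMessage": "Successfully added the accounts: [arn:aws:iam::295207888133:role/config-test]",
    "status": "SUCCESSFUL_WITH_ERRORS",
    "errors": {
        "arn:aws:iam::295207888133:role/config-test":
            "Role={arn:aws:iam::295207888133:role/config-test} does not have the "
            "following permissions={s3:GetObject,cloudtrail:DescribeTrails}",
    },
}

if __name__ == "__main__":
    print(interpret_provision_response(SAMPLE_ASYNC_ACCEPTED))
    print(interpret_provision_response(SAMPLE_WITH_ERRORS))
```

Treat "done_with_errors" and the real-time "errors" outcome as actionable findings, not as success: the parsed permission lists are exactly what needs to be added to the role's IAM policy before the affected checks produce any data.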

GET the provisioned accounts for an instance

API: GET https://www.myshn.net/shndlpapi/v1/aws/provisionedAccounts?instanceName=<instance_name> 

Response:

[
    "arn:aws:iam::171358681854:role/config-audit",
    "arn:aws:iam::295207888133:role/config-audit-1"
]
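A reconciliation routine that diffs the role list returned by provisionedAccounts against the accounts you intend to monitor and produces the addAccounts and deleteAccounts payloads. This is an added example, not code from the MVISION Cloud documentation; it assumes the request shapes shown on this page, and since provisionedAccounts returns only role ARNs, the accountName of a role to be removed must be supplied by the caller. The role ARNs and account IDs in the sample are constructed placeholders.

```python
"""Reconcile a desired account list against GET provisionedAccounts.

Added example, not code from the MVISION Cloud documentation. It assumes the
request shapes shown on this page: addAccounts takes awsAccounts, ignoreErrors
and instanceName; deleteAccounts takes awsAccounts and instanceName; each entry
needs assumedRole and accountName. Because provisionedAccounts returns only
role ARNs, the accountName of a role to be removed must come from the caller
(provisioned_names). Role ARNs and account IDs in the sample are constructed
placeholders.
"""
import re

_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def role_account_id(role_arn):
    """Return the 12-digit account ID from an IAM role ARN, or None if the ARN
    is malformed, so a typo is caught before the API call rather than after."""
    m = _ROLE_ARN.match(role_arn)
    return m.group(1) if m else None


def plan_account_changes(desired, provisioned_roles, instance_name,
                         allowed_account_ids, provisioned_names=None):
    """Diff desired accounts against what the instance already has.

    desired:             [{"assumedRole": arn, "accountName": str}, ...]
    provisioned_roles:   the provisionedAccounts body (a list of role ARNs)
    allowed_account_ids: account IDs your organisation owns; a role in any
                         other account is rejected rather than onboarded
    provisioned_names:   {arn: accountName} for roles onboarded earlier

    Returns {"add": payload or None, "remove": payload or None,
             "unresolved": [stale ARNs with no known name], "rejected": [(arn, why)]}
    with payloads ready for PUT addAccounts and DELETE deleteAccounts.
    """
    provisioned_names = provisioned_names or {}
    wanted, to_add, rejected = {}, [], []
    for entry in desired:
        arn = entry["assumedRole"]
        account = role_account_id(arn)
        if account is None:
            rejected.append((arn, "malformed role ARN"))
        elif account not in allowed_account_ids:
            rejected.append((arn, "account %s is not in the allow-list" % account))
        elif arn in wanted:
            rejected.append((arn, "duplicate entry"))
        else:
            wanted[arn] = entry["accountName"]
            if arn not in provisioned_roles:
                to_add.append({"assumedRole": arn, "accountName": entry["accountName"]})
    stale = [arn for arn in provisioned_roles if arn not in wanted]
    to_remove = [{"assumedRole": arn, "accountName": provisioned_names[arn]}
                 for arn in stale if arn in provisioned_names]
    unresolved = [arn for arn in stale if arn not in provisioned_names]
    add = None
    if to_add:
        # ignoreErrors is left false on the assumption that a role missing
        # permissions then fails the call; with true the page documents
        # SUCCESSFUL_WITH_ERRORS, i.e. onboarded with gaps to chase later.
        add = {"awsAccounts": to_add, "ignoreErrors": False, "instanceName": instance_name}
    remove = {"awsAccounts": to_remove, "instanceName": instance_name} if to_remove else None
    return {"add": add, "remove": remove, "unresolved": unresolved, "rejected": rejected}


if __name__ == "__main__":
    # Constructed sample: one role already onboarded, one new, one stale.
    plan = plan_account_changes(
        desired=[{"assumedRole": "arn:aws:iam::295207888133:role/config-audit-1", "accountName": "QA"},
                 {"assumedRole": "arn:aws:iam::111111111111:role/config-audit", "accountName": "Prod"}],
        provisioned_roles=["arn:aws:iam::171358681854:role/config-audit",
                           "arn:aws:iam::295207888133:role/config-audit-1"],
        instance_name="Default-AWS",
        allowed_account_ids={"295207888133", "111111111111", "171358681854"},
        provisioned_names={"arn:aws:iam::171358681854:role/config-audit": "Dev"},
    )
    print(plan)
```

Run this before every change to the instance and again afterwards against a fresh provisionedAccounts response: a role that appears in the list but not in your desired set is either drift or someone else's onboarding, and either way it deserves a look before the next audit cycle.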