AWS Account Management API
This topic includes the API exposed to add/update/delete AWS accounts from the application. You'll need basic auth with user/pass to execute the following APIs.
NOTE: In the 5.4.0 release, APIs are updated to fix the issue reported during the authentication setup process. As part of the fix, API responses are modified too. For more details, refer the responses documented for each API below.
Create a New AWS Instance and Add AWS accounts to that Instance
NOTE: As multi-instance is NOT supported for AWS, call the following API only once for the tenant if no instances are already created.
API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionAccounts
Request: To create an instance with the name 'Default-AWS' and add 2 accounts.
NOTE: If the instance is already created with the same name, accounts will be added to it. If an instance is created with a different name and doesn't have any accounts, then these will be added to it. Otherwise, the API will throw an error. securityAuditType is optional. Possible values for securityAuditType are "CONTINUOUS_EVALUATION" and "SCHEDULED_SCAN".
{
"awsAccounts": [
{
"assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
"accountName": "Dev MVCloud AWS",
"awsBucketNames": "cloudtrail-1"
},
{
"assumedRole": "arn:aws:iam::295207888133:role/config-test",
"accountName": "QA MVCloud AWS",
"awsBucketNames": "cloudtrail-2"
}
],
"enableDLP": true,
"enableActivityMonitoring": true,
"enableSecurityAudit": true,
"securityAuditType": "CONTINUOUS_EVALUATION"
"enableVPCFlowLogs": true,
"enableVulnerabilities" : true,
"notificationEmails": "mvcloud_iaas@mcafee.com",
"instanceName": "Default-AWS",
"ignoreErrors": true
}
Response. On successful execution of the API, the user will see the below response.
{
"status": "SUCCESS",
"statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
"errors": null
}
|
Deprecated Response: Response: On successful execution of the API, If the number of accounts is <=10. If the role has permission issues (missing permissions) and the user has set ignoreErrors : true, the user will see the following response.
{
"statusMessage": "Successfully added the accounts: [assumedRole]",
"status": "SUCCESSFUL_WITH_ERRORS",
"errors": {
"assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
}
|
Remove AWS Accounts from an Instance
This API removes the AWS account(s) from the instance.
API: DELETE https://www.myshn.net/shndlpapi/v1/aws/deleteAccounts
Request:
{
"awsAccounts": [
{
"assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
"accountName": "Dev MVCloud AWS"
}
],
"instanceName": "Default-AWS"
}
Response:
{
"statusMessage": "The request is being processed. Please call this API /shndlpapi/v1/aws/provisionStatus/{id} to get the status",
"status": "SUCCESS",
"errors": null
}
|
Deprecated Response :
{
"statusMessage": "SUCCESS",
"status": "SUCCESS",
"errors": null
}
|
Add Accounts to the Existing AWS Instance
This API adds new AWS accounts to the existing instance.
API: PUT https://www.myshn.net/shndlpapi/v1/aws/addAccounts
Request:
{
"awsAccounts": [
{
"assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
"accountName": "Dev MVCloud AWS"
}
],
"ignoreErrors": true,
"instanceName": "Default-AWS"
}
Response: On successful execution of the API, the user will see the below response.
{
"status": "SUCCESS",
"statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
"errors": null
}
|
Deprecated Response : On successful execution of the API, If the number of accounts is <=10. If the role has permission issues (missing permissions) and the user has set ignoreErrors : true, the user will see the following response.
{
"statusMessage": "Successfully added the accounts: [assumedRole]",
"status": "SUCCESSFUL_WITH_ERRORS",
"errors": {
"assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
}
}
|
GET the Trust Details for a Tenant
The following command provides the account ID and External ID needed to establish trust.
API: GET https://www.myshn.net/shndlpapi/v1/aws/trustDetails
Request: NA
Response:
{
"MVISION Cloud AWS Account ID": "12345678901",
"External ID": "123456"
}
GET the Provisioning Status
API: GET https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id}
Response: If the request is being processed:
{
"statusMessage": "The request is being processed",
"status": "SUCCESS",
"errors": null
}
Response: If the request is successful:
{
"statusMessage": "Success",
"status": "SUCCESS",
"errors": null
}
Response: If the role has permission issues (missing permissions) and the user has set ignoreErrors : true, then the request is successful with errors.
{
"statusMessage": "Successfully added the accounts: [assumedRole]",
"status": "SUCCESSFUL_WITH_ERRORS",
"errors": {
"assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
}
}
Response: If the role has permission issues (missing permissions) and the user has set ignoreErrors : false, then the request is failed.
{
"statusMessage": "Accounts with Failed Authentication: [arn:aws:iam::295207889199:role/role-all-features-permission]",
"status": "FAILURE",
"errors": {
"arn:aws:iam::295207889199:role/role-all-features-permission": "{User: arn:aws:iam::522462218264:user/SkyHigh_81374 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::295207889199:role/role-by-sowmya-all-features-permission (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 2cc59d4e-4884-42eb-9b8d-4b142bfb8cff)}.
Permissions required on this role={[autoscaling:DescribeAutoScalingGroups, cloudfront:ListDistributions, cloudfront:ListStreamingDistributions, cloudfront:ListTagsForResource, cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus, cloudtrail:ListTags, config:DescribeConfigurationRecorderStatus, config:DescribeConfigurationRecorders,
ec2:DescribeAccountAttributes, ec2:DescribeAddresses, ec2:DescribeCustomerGateways, ec2:DescribeFlowLogs, ec2:DescribeImages, ecs:ListTasks, eks:DescribeCluster, elasticache:ListTagsForResource, elasticloadbalancing:DescribeListenerCertificates]}"
}
}
Provision Near Real-time Config Audit for AWS Accounts
API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionRealTime?instanceName=<instance_name>
Request:
{
"receiving_account": "713392536353",
"regions": ["us-east-1", "us-east-2", "us-west-1"],
"accounts": ["171358681854","295207888133"],
"type": "aws_real_time_config_request"
}
Response:
{
"type": "aws_real_time_config_response",
"realTimeConfig": null,
"message": "NRT configuration is being processed. Please call this endpoint /v1/aws/realTimeConfig/status for real-time configuration status",
"status": "OK"
}
GET Real-time Configuration Status
API: GET https://www.myshn.net/shndlpapi/v1/aws/realTimeConfig/status?instanceName=<instance_name>
Response: If errors occur:
{
"type": "real_time_config_errors",
"errors": [
"Account={171358681854} Role={arn:aws:iam::171358681854:role/config-audit-qa-sowmya} does not have the following permissions={cloudformation:CreateStackInstances,cloudformation:CreateStackSet,cloudformation:DeleteStackInstances,cloudformation:DeleteStackSet,cloudformation:DescribeStackSet,cloudformation:DescribeStackSetOperation,cloudformation:DescribeStacks,cloudformation:ListStackInstances,cloudformation:ListStackSetOperationResults,cloudformation:UpdateStackInstances,cloudformation:UpdateStackSet,events:DescribeEventBus,events:DescribeRule,events:PutPermission,events:RemovePermission,sqs:AddPermission,sqs:CreateQueue,sqs:DeleteMessageBatch,sqs:ReceiveMessage}"
]
}
Response:
{
"type": "aws_real_time_config_response",
"realTimeConfig": null,
"message": "COMPLETED on Mar 07, 2019 07:13AM UTC",
"status": "OK"
}
GET the Provisioned Accounts for an Instance
API: GET https://www.myshn.net/shndlpapi/v1/aws/provisionedAccounts?instanceName=<instance_name>
Response:
[
"arn:aws:iam::171358681854:role/config-audit",
"arn:aws:iam::295207888133:role/config-audit-1"
]