Skyhigh Security

AWS Account Management API

The AWS Account Management API includes the APIs exposed to add, update, and delete AWS accounts from Skyhigh Security Service Edge. You need basic authentication (username and password) with the required permissions to execute the following APIs.

NOTE: In the 5.4.0 release, the APIs were updated to fix the issue reported during the authentication setup process. As part of the fix, the API responses were modified too. For details, refer to the responses documented for each API below.

Create a New AWS Instance and Add AWS accounts to that Instance

NOTE: As multi-instance is NOT supported for AWS, call the following API only once for the tenant, and only if no instance has already been created.

API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionAccounts

Request: To create an instance with the name 'Default-AWS' and add 2 accounts.

NOTE: If an instance with the same name already exists, the accounts are added to it. If an instance with a different name exists and has no accounts, the accounts are added to that instance. Otherwise, the API returns an error. securityAuditType is optional; its possible values are "CONTINUOUS_EVALUATION" and "SCHEDULED_SCAN".

{
    "awsAccounts": [
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
            "accountName": "Dev MVCloud AWS",
            "awsBucketNames": "cloudtrail-1"
        },
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-test",
            "accountName": "QA MVCloud AWS",
            "awsBucketNames": "cloudtrail-2"
        }
    ],
    "enableDLP": true,
    "enableActivityMonitoring": true,
    "enableSecurityAudit": true,
    "securityAuditType": "CONTINUOUS_EVALUATION",
    "enableVPCFlowLogs": true,
    "enableVulnerabilities" : true,
    "notificationEmails": "mvcloud_iaas@mcafee.com",
    "instanceName": "Default-AWS",
    "ignoreErrors": true
}

Response: On successful execution of the API, the user will see the following response.

{
    "status": "SUCCESS",
    "statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
    "errors": null
}

Deprecated Response:

Response: On successful execution of the API when the number of accounts is <=10, if the role has permission issues (missing permissions) and the user has set ignoreErrors: true, the user will see the following response.

{
    "statusMessage": "Successfully added the accounts: [assumedRole]",
    "status": "SUCCESSFUL_WITH_ERRORS",
    "errors": {
        "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
    }
}

Remove AWS Accounts from an Instance

This API removes the AWS account(s) from the instance.
API: DELETE https://www.myshn.net/shndlpapi/v1/aws/deleteAccounts

Request:

{
    "awsAccounts": [
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
            "accountName": "Dev MVCloud AWS"
        }
    ],
    "instanceName": "Default-AWS"
}

Response:

{
    "statusMessage": "The request is being processed. Please call this API /shndlpapi/v1/aws/provisionStatus/{id} to get the status",
    "status": "SUCCESS",
    "errors": null
}

Deprecated Response

{
    "statusMessage": "SUCCESS",
    "status": "SUCCESS",
    "errors": null
}

Add Accounts to the Existing AWS Instance

This API adds new AWS accounts to the existing instance. 

API: PUT https://www.myshn.net/shndlpapi/v1/aws/addAccounts

Request:

{
    "awsAccounts": [
        {
            "assumedRole": "arn:aws:iam::295207888133:role/config-audit-mvcloud-test",
            "accountName": "Dev MVCloud AWS"
        }
    ],
    "ignoreErrors": true,
    "instanceName": "Default-AWS"
}

Response: On successful execution of the API, the user will see the below response.

{
    "status": "SUCCESS",
    "statusMessage": "The request is being processed. Please call this API https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id} to get the status.",
    "errors": null
}

Deprecated Response

On successful execution of the API when the number of accounts is <=10, if the role has permission issues (missing permissions) and the user has set ignoreErrors: true, the user will see the following response.

{
    "statusMessage": "Successfully added the accounts: [assumedRole]",
    "status": "SUCCESSFUL_WITH_ERRORS",
    "errors": {
        "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
    }
}

GET the Trust Details for a Tenant

This API returns the Skyhigh CASB AWS account ID and the External ID needed to establish trust.

API: GET https://www.myshn.net/shndlpapi/v1/aws/trustDetails

Request: NA

Response:

{
    "Skyhigh CASB AWS Account ID": "12345678901",
    "External ID": "123456"
}
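How a tenant would use the two returned values, as an added example that is not part of the Skyhigh documentation: it builds the IAM trust policy for the audited role so that only the returned account can assume it, and only when it presents the returned External ID, and it reviews an existing trust policy against the same details. The account ID and External ID are constructed placeholders; granting the whole account via the `:root` principal is an assumption, and the policy layout and `sts:ExternalId` condition key are standard AWS IAM.

```python
# Constructed sample modelled on the documented trustDetails response (placeholder values).
TRUST_DETAILS = {"Skyhigh CASB AWS Account ID": "123456789012", "External ID": "123456"}


def _as_list(v):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    return v if isinstance(v, list) else ([] if v is None else [v])


def build_trust_policy(details):
    """Trust policy for the audited role: only the returned account may assume it, and only
    when it presents the returned External ID (the standard confused-deputy guard)."""
    account_id = details["Skyhigh CASB AWS Account ID"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},  # assumption: account-level principal
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": details["External ID"]}},
        }],
    }


def trust_policy_findings(policy, details):
    """Review an existing role trust policy against the tenant's details; an empty list means OK."""
    findings = []
    expected_principal = f"arn:aws:iam::{details['Skyhigh CASB AWS Account ID']}:root"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue  # only Allow statements for AssumeRole widen who can use the role
        principal = stmt.get("Principal")
        principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        if "*" in principals:
            findings.append(f"statement {i}: any AWS principal may assume the role")
        elif expected_principal not in principals:
            findings.append(f"statement {i}: principal is not {expected_principal}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != details["External ID"]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or does not match")
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(build_trust_policy(TRUST_DETAILS), indent=2))
```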

GET the Provisioning Status

API: GET https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/{id}

Response: If the request is being processed:

{
    "statusMessage": "The request is being processed",
    "status": "SUCCESS",
    "errors": null
}

Response: If the request is successful:

{
    "statusMessage": "Success",
    "status": "SUCCESS",
    "errors": null
}

Response: If the role has permission issues (missing permissions) and the user has set ignoreErrors : true, then the request is successful with errors.

{
    "statusMessage": "Successfully added the accounts: [assumedRole]",
    "status": "SUCCESSFUL_WITH_ERRORS",
    "errors": {
        "assumedRole": "Role={assumedRole} does not have the following permissions={aws permissions}"
    }
}

Response: If the role has permission issues (missing permissions) and the user has set ignoreErrors: false, then the request fails.

{
    "statusMessage": "Accounts with Failed Authentication: [arn:aws:iam::295207889199:role/role-all-features-permission]",
    "status": "FAILURE",
    "errors": {
        "arn:aws:iam::295207889199:role/role-all-features-permission": "{User: arn:aws:iam::522462218264:user/SkyHigh_81374 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::295207889199:role/role-by-sowmya-all-features-permission (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 2cc59d4e-4884-42eb-9b8d-4b142bfb8cff)}. Permissions required on this role={[autoscaling:DescribeAutoScalingGroups, cloudfront:ListDistributions, cloudfront:ListStreamingDistributions, cloudfront:ListTagsForResource, cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:GetTrailStatus, cloudtrail:ListTags, config:DescribeConfigurationRecorderStatus, config:DescribeConfigurationRecorders, ec2:DescribeAccountAttributes, ec2:DescribeAddresses, ec2:DescribeCustomerGateways, ec2:DescribeFlowLogs, ec2:DescribeImages, ecs:ListTasks, eks:DescribeCluster, elasticache:ListTagsForResource, elasticloadbalancing:DescribeListenerCertificates]}"
    }
}
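Putting the provisioning flow and the status polling together, as an added example that is not code from the Skyhigh documentation: a client calls provisionAccounts or addAccounts, pulls the provisionStatus URL out of statusMessage, polls it until the job leaves the processing state, and turns the documented error strings (both the "permissions={...}" and the "required on this role={[...]}" shapes) into a per-role list of missing IAM actions that an administrator can add to the role policy. The HTTP layer is replaced by an offline fake, and the account IDs, role names and request id are constructed.

```python
import re
# Constructed sample responses modelled on the documented ones (not captured from the live API).
PROVISION_RESPONSE = {
    "status": "SUCCESS",
    "statusMessage": "The request is being processed. Please call this API "
                     "https://www.myshn.net/shndlpapi/v1/aws/provisionStatus/42 to get the status.",
    "errors": None,
}
STATUS_RESPONSES = [  # what successive provisionStatus polls return for that id
    {"statusMessage": "The request is being processed", "status": "SUCCESS", "errors": None},
    {"statusMessage": "Successfully added the accounts: [arn:aws:iam::111111111111:role/config-audit]",
     "status": "SUCCESSFUL_WITH_ERRORS",
     "errors": {"arn:aws:iam::111111111111:role/config-audit":
                "Role=arn:aws:iam::111111111111:role/config-audit does not have the following "
                "permissions={cloudtrail:DescribeTrails, ec2:DescribeFlowLogs}"}},
]

STATUS_URL_RE = re.compile(r"https?://\S+/provisionStatus/[\w-]+")
# Both documented shapes: "... permissions={a, b}" and "... required on this role={[a, b]}"
PERMS_RE = re.compile(r"(?:permissions|role)=\{\[?([^\]}]*)\]?\}")

def status_url_from(resp):
    """Extract the provisionStatus URL that provisionAccounts/addAccounts embed in statusMessage."""
    m = STATUS_URL_RE.search(resp.get("statusMessage") or "")
    if not m:
        raise ValueError("no provisionStatus URL in response")
    return m.group(0)

def missing_permissions(errors):
    """Map each role ARN in an errors object to the sorted IAM actions its message names."""
    out = {}
    for role, msg in (errors or {}).items():
        m = PERMS_RE.search(msg)
        out[role] = sorted(p.strip() for p in m.group(1).split(",") if p.strip()) if m else []
    return out

def poll_until_done(fetch, url, max_polls=10):
    """fetch(url) -> parsed JSON. Poll until the job leaves 'being processed'; return (status, {role: [missing actions]})."""
    for _ in range(max_polls):
        resp = fetch(url)
        if resp["status"] == "SUCCESS" and "being processed" in resp["statusMessage"]:
            continue  # still running; a real client would sleep before the next GET
        return resp["status"], missing_permissions(resp.get("errors"))
    raise TimeoutError(f"still processing after {max_polls} polls")

def make_fake_fetch(responses):
    """Offline stand-in for the authenticated HTTP GET: returns canned responses in order."""
    it = iter(responses)
    return lambda url: next(it)
```

With a real client, `fetch` would perform the basic-authenticated GET and return the parsed JSON body; the rest of the flow is unchanged.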

Provision Near Real-time Config Audit for AWS Accounts

API: POST https://www.myshn.net/shndlpapi/v1/aws/provisionRealTime?instanceName=<instance_name>

Request: 

{
    "receiving_account": "713392536353",
    "regions": ["us-east-1", "us-east-2", "us-west-1"],
    "accounts": ["171358681854","295207888133"],
    "type": "aws_real_time_config_request"
}

Response:

{
    "type": "aws_real_time_config_response",
    "realTimeConfig": null,
    "message": "NRT configuration is being processed. Please call this endpoint /v1/aws/realTimeConfig/status for real-time configuration status",
    "status": "OK"
}

GET Real-time Configuration Status

API: GET https://www.myshn.net/shndlpapi/v1/aws/realTimeConfig/status?instanceName=<instance_name>

Response: If errors occur:

{
    "type": "real_time_config_errors",
    "errors": [
        "Account={171358681854} Role={arn:aws:iam::171358681854:role/config-audit-qa-sowmya} does not have the following permissions={cloudformation:CreateStackInstances,cloudformation:CreateStackSet,cloudformation:DeleteStackInstances,cloudformation:DeleteStackSet,cloudformation:DescribeStackSet,cloudformation:DescribeStackSetOperation,cloudformation:DescribeStacks,cloudformation:ListStackInstances,cloudformation:ListStackSetOperationResults,cloudformation:UpdateStackInstances,cloudformation:UpdateStackSet,events:DescribeEventBus,events:DescribeRule,events:PutPermission,events:RemovePermission,sqs:AddPermission,sqs:CreateQueue,sqs:DeleteMessageBatch,sqs:ReceiveMessage}"
    ]
}

Response: 

{
    "type": "aws_real_time_config_response",
    "realTimeConfig": null,
    "message": "COMPLETED on Mar 07, 2019 07:13AM UTC",
    "status": "OK"
}

GET the Provisioned Accounts for an Instance

API: GET https://www.myshn.net/shndlpapi/v1/aws/provisionedAccounts?instanceName=<instance_name>

Response:

[
    "arn:aws:iam::171358681854:role/config-audit",
    "arn:aws:iam::295207888133:role/config-audit-1"
]