Note
Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.
Hyperproof supports connecting to AWS via access keys or cross-account roles.
When you create a Hypersync between Hyperproof and AWS, you can automatically collect proof types based on the following services:
AWS proof types and fields

| Service | Proof type | Fields | Testable |
|---|---|---|---|
| Backup | Backup Jobs | Account, Region, Backup Job ID, Status, Resource ID, Creation Time, Start By, Last Run Time | Yes |
| Backup | Backup Plan Details | Account, Region, Backup Plan Name, Backup Plan ID, Version ID, Last Modified, Last Runtime; Backup Rules: Backup Plan Name, Backup Vault, Destination Backup Vault; Resource Assignments: Name, IAM Role ARN | No |
| Backup | List of Backup Plans | Account, Region, Backup Plan Name, Last Runtime, Last Modified, Schedule, Frequency | Yes |
| CloudTrail | List of Terminated Users | Account, User Name, Date/Time | Yes |
| CloudTrail | List of Trails | Account, Region, Status, Trail Name, Trail ARN, Home Region, Is Multi-Region Trail, CloudWatch Logs Log Group ARN, S3 Bucket Name, Log File Validation Enabled, Include Global Service Events | Yes |
| EC2 | Asset Inventory | Account, Region, Instance ID, Agent Type, Agent Version, Computer Name, Instance Status, IP Address, Platform, Platform Type, Platform Version | Yes |
| EC2 | List of Images | AMI Name, AMI ID, Source, Visibility, Status, Platform, Root Device Type, Virtualization | Yes |
| EC2 | List of Instance IPs | Region, Instance ID, State, Launch Time, State Transition Time, Private IP Address, Public IP Address, Private DNS Name, Public DNS Name, IPv6 Address | Yes |
| EC2 | List of Load Balancers | Region, Load Balancer Name, Load Balancer ARN, Availability Zones, Created Time, Security Groups, State, Type, VPC ID | Yes |
| EC2 | List of Running Instances | Instance ID, Instance Type, Availability Zone, Public IPv4 DNS, Public IPv4 Address, Monitoring, Security Groups, Key Name, AMI | Yes |
| EC2 | List of Security Groups | Security Group ID, Security Group Name, VPC ID, Description, Owner, Inbound Rules, Outbound Rules | Yes |
| EC2 | List of Snapshots | Snapshot ID, Size, Volume, Description, Status, Started, Progress, Encryption | Yes |
| EC2 | List of Volumes | Account, Region, Volume Name, Volume ID, State, Status, Encryption | Yes |
| EC2 | Security Group Details | Security Group Name, Security Group ID, Description, VPC ID, Owner; Inbound Rules: IP Version, Protocol, Port Range, Source, Description; Outbound Rules: IP Version, Protocol, Port Range, Destination, Description | No |
| ECS | List of Containers | Region, Container Instance ARN, Status, Version, Docker Version, Registered At | Yes |
| EKS | List of Clusters | Account, Region, Name, Status, Kubernetes Version, Provider | Yes |
| EKS | List of Pod Security Policies | Name, Cluster, Run As User, Run As Group, Run As Non Root, FS Group, FS Group Change Policy, Privileged, Allow Privilege Escalation, Read Only Root FS; Run As User: Rule, Ranges; Run As Group: Rule, Ranges; FS Group: Rule, Ranges | Yes |
| EKS | List of Workloads | Name, Namespace, Type, Age, Pod Count, Status, Cluster | Yes |
| IAM | Account Password Policy | Account, Policy, Minimum Password Length, Require Symbols, Require Numbers, Require Uppercase Characters, Require Lowercase Characters, Password Expiration Requires Administrator Reset, Users Can Change Their Own Passwords, Password Expiration, Count of Passwords to Remember to Prevent Reuse | Yes |
| IAM | List of Access Keys | Account, Access Key ID, User Name, Creation Time, Status, Last Used Date | Yes |
| IAM | List of Groups | Account, Group Name, Users, Inline Policy, Creation Time | Yes |
| IAM | List of Roles | Account, Role Name, Description, Trusted Entities, Creation Time, Session Duration | Yes |
| IAM | List of SAML Providers | Account, ARN, Creation Time, Expiration Time | Yes |
| IAM | List of Users | Account, User Name, User ID, Creation Time, Password Last Used | Yes |
| IAM | List of Users with MFA Devices | Account, User Name, User ID, Creation Time, Password Last Used, MFA, MFA Devices | Yes |
| IAM | List of Users with MFA Settings | Account, User Name, User ID, Creation Time, Password Last Used, MFA | Yes |
| IAM | Users, Groups, Roles, and Policies | List of Users: User Name, Creation Time, ARN, Path, Groups, Permissions Boundary, Managed Policies, Inline Policies; List of Groups: Group Name, Creation Time, ARN, Path, Managed Policies, Inline Policies; List of Roles: Role Name, Creation Time, Role Last Used, ARN, Path, Managed Policies, Inline Policies | No |
| Identity Center | List of SSO Users | GovCloud Account, Region, User Name, User ID, Identity Store ID | Yes |
| KMS | List of Keys | Region, ID, ARN, Custom Key Store ID, Key State, Key Usage, Origin, Creation Date, Key Manager, Encryption Algorithms, Signing Algorithms | Yes |
| Lambda | List of Configurations | Region, Function Name, Role ARN, Last Modified, Runtime, Timeout (Seconds), Memory Size (MB), Code SHA256 | Yes |
| Lambda | Policies & Access Control | Region, Function Name, Function ARN, IAM Role, Encryption, AWS KMS Key, Location, Last Modified | Yes |
| RDS | Instance Backup Retention Period | Account, Region, Instance Identifier, Instance Backup Retention Period | Yes |
| RDS | Instance Storage Encrypted | Account, Region, Instance Identifier, Instance Storage Encrypted | Yes |
| RDS | List of Instances | Account, Region, Database Type, Instance Status, Instance Identifier, Status, Engine, Size, VPC, Multi-AZ | Yes |
| S3 | Bucket Access Control List | Account, Bucket, Grantee Name, Grantee Email, Grantee ID, Grantee Type, Permission | Yes |
| S3 | Bucket Encryption | Account, Bucket, Encryption Key Type, AWS KMS Key, Bucket Key Enabled | Yes |
| S3 | Bucket Lifecycle Configuration | Account, Bucket, Rule, Action, Applies To, Non-Current Versions Retained, Days to Transition, Transition Date, Status | Yes |
| S3 | Bucket Object Lock | Account, Bucket, Object Lock Status, Retention Mode, Retention Period | Yes |
| S3 | Bucket Policy Status | Account, Bucket, Policy Type | Yes |
| S3 | Bucket Replication | Account, Bucket, Replication Rule Name, Status, Destination Bucket, Priority, Scope | Yes |
| S3 | Bucket Versioning | Account, Bucket, Bucket Versioning, Multi-Factor Authentication Delete | Yes |
| Security Hub | Findings | Severity, Workflow Status, Record State, Company, Product, Title, Resource Type, Resource ID, Status, Updated At, Created At | Yes |
| Security Hub | Integrations Providing Findings | Account, Name, Company Name, Description | Yes |
| VPC | List of Client ACLs | Account, Region, Network ACL ID, Associated With, Default, VPC ID, Owner; Inbound Rules: Rule Number, Protocol, Port Range, Source, Allow/Deny; Outbound Rules: Rule Number, Protocol, Port Range, Destination, Allow/Deny | No |
| VPC | List of Client VPN Endpoints | Endpoint ID, State, Client CIDR, Description, DNS Name | Yes |
| VPC | List of Subnets | Account, Region, Name, Subnet ID, State, VPC ID, IPv4 CIDR, IPv6 CIDR | Yes |
| VPC | List of VPCs | Account, Region, VPC ID, State, IPv4 CIDR, IPv6 CIDR, IPv6 Pool, DHCP Options Set, Tenancy, Default, Owner | Yes |
| WAF | List of ACLs | Region, Name, ACL ID, Resources, Default Action, Label Namespace | Yes |
| WAF | List of Rule Groups | Region, Name, Rule Group ID, Rule Group ARN | Yes |

Note
The Relational Database Service (RDS) proof types cover Aurora PostgreSQL, Aurora MySQL, MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server.
AWS notes on services and proof types
This Hypersync supports importing a user list for an access review. See Importing a list of application users with a Hypersync for more information.
Note
RDS Encryption proof can be collected for all RDS instances.
Elastic Compute Cloud
Asset Inventory
If you receive a message indicating that the Hypersync is returning too many items for the Asset Inventory proof type, set the Asset filter criteria to Do not show terminated or stopped instances in the Hypersync settings.
List of Snapshots for Owner
This proof type can generate large amounts of data. If you receive a message indicating that the Hypersync is returning too many items, set the Storage Tier filter field to either Archive or Standard, instead of the default All Tiers.
EKS
To use AWS EKS proof types, add IAM users or roles to your Amazon EKS cluster with the following command:
eksctl create iamidentitymapping --cluster <clusterName> --region=<region> --arn arn:aws:iam::123456:role/your-role --group system:masters --username optional-name
For more information, please refer to the official AWS documentation.
Security Hub
When configuring the Hypersync for Security Hub proof, you must select the region where the AWS Security Hub is running for the Hypersync to return data. If the region isn't correct, the proof is generated but doesn't contain any data.
Kubernetes Engine
List of Pod Security Policies
Note
This proof type is compatible only with Kubernetes version 1.22 or higher. If you use a lower version of Kubernetes, the proof will not be generated.
Kubernetes deprecated PodSecurityPolicies in version 1.21. For information on migrating to the built-in PodSecurity admission controller, see the Kubernetes article Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller.
Additional documentation
Note
You only need to connect Hyperproof to the app once, and then you can create as many Hypersyncs as you need.
Additionally, you can create multiple Hypersyncs for a single control or label.
Certain cloud services offer specialized options for IP filtering in their cloud consoles to lock down specific cloud API endpoints for security and compliance purposes. You can use the Hyperproof static IP addresses to allow communication between Hyperproof Hypersyncs and your cloud service.
Note
IP addresses for Hyperproof Gov will be deprecated and replaced, as shown in the following table:

| Service | Current IP address | New IP address |
|---|---|---|
| Main app | 4.154.201.6 | 4.155.77.155 |
| Integrations | 4.246.104.90 | 4.155.78.5 |
To prevent connectivity issues, it is recommended that you include all four IP addresses in your allowlists.
Hyperproof US IP addresses - 20.184.128.53, 52.9.169.38, 52.159.252.1
Note
IP address 52.9.169.38 will be deprecated and replaced with 52.159.252.1 in the future. To prevent connectivity issues, it is recommended that you include all three IP addresses in your allowlists.
Hyperproof EU IP addresses - 9.141.172.46, 4.185.45.100
Hyperproof Gov IP addresses - 4.154.201.6, 4.246.104.90
See Hyperproof instances for more information.
The sections below provide additional information about connecting AWS to Hyperproof.
Connecting to AWS or AWS GovCloud via access keys
Authentication type: Custom
Custom authentication parameters: Access Key, Secret Access Key
Below Access Key ID, enter your AWS Access Key ID.
Tip
IAM users have keys that provide access to proof stored in AWS. If you do not have IAM user credentials, a root user or an IAM administrator can create them. For steps on adding an AWS user with SecurityAudit access, see Creating a policy and adding an AWS Hypersync user.
If you use SSO, be sure to create an IAM user and not use the access keys provided for your SSO user, as those have session tokens associated with the keys that only allow access for a limited time.
For more information on creating an IAM user in your AWS account, see the official AWS documentation.
Below Secret Access Key, enter your AWS Secret Access Key.
Click Next.
Connecting via a cross-account role
Authentication type: Custom
Custom authentication parameters: Role ARN, External ID
Select the Cross Account Role radio button to connect to AWS via a cross-account role.
Note
To use the cross-account role option, your AWS administrator needs to set up an IAM role with the permissions needed to perform specific actions. For more information, see Creating a cross-account role in AWS.
Below ARN, enter your Role ARN.
Below External ID, enter your unique string ID.
Click Next.
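The cross-account role option works only if the role's trust policy restricts who can assume it and requires the External ID you enter above; without the External ID condition, any party that learns the role ARN could ask the trusted account to assume it on their behalf (the confused-deputy problem). The following is an added example, not Hyperproof's own code: it builds a trust policy in the standard IAM format with an sts:ExternalId condition and lints an existing trust policy for a missing condition or a wildcard principal. The account ID and external ID are placeholders; use the values Hyperproof shows you when creating the cross-account role.

```python
"""Build and lint the trust policy for a cross-account role.

Added example, not Hyperproof's own code. The trusted account ID and the
external ID below are placeholders; replace them with the values shown
in the Hypersync setup (see "Creating a cross-account role in AWS").
"""
import json

TRUSTED_ACCOUNT_ID = "111111111111"                 # placeholder account ID
EXTERNAL_ID = "replace-with-hyperproof-external-id"  # placeholder external ID


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Return an IAM trust policy that lets one account assume the role
    only when the AssumeRole call carries the expected external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return the problems found in the AssumeRole statements of a trust policy:
    a wildcard principal, or an Allow statement with no sts:ExternalId condition."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM accepts a single statement object
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {idx}: wildcard principal can assume this role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {idx}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("findings (with external ID):", trust_policy_findings(good))
    weak = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    del weak["Statement"][0]["Condition"]     # same policy with the condition dropped
    print("findings (without external ID):", trust_policy_findings(weak))
```

Run the linter against the trust policy of the role you hand to Hyperproof (for example, the JSON returned by `aws iam get-role`) before entering its ARN; an empty findings list means the role can only be assumed by the named account and only with the External ID.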
Completing the connection process
The steps below apply to both access keys and cross-account roles.
Select the radio button that best suits how you want to identify AWS accounts.
For a single AWS account, select Use the current account. Hyperproof assumes only the role ARN provided in the step above to fetch data.
For a few AWS accounts, select Choose from a list of accounts, and then select the accounts to retrieve data from.
For many AWS accounts, select Specify tags to identify accounts. Hyperproof finds all accounts matching the tag criteria and retrieves data from each one.
Using multiple key-value pairs of tags finds accounts that have all of the specified tags, using a logical AND operation.
Entering the same key with different values finds accounts that match any of the values provided for a given key, using a logical OR operation.
See TagFilters query object for more details on finding resources by tags.
Click Next.
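The tag semantics above (different keys combine with AND, repeated keys with OR) decide which accounts a Hypersync will read from, so it is worth checking a filter against your account tags before saving it. The following is an added example, not Hyperproof's own code, that implements those semantics over a constructed set of accounts; the account IDs and tags are sample data.

```python
"""Account selection by tag filters (AND across keys, OR within a key).

Added example, not Hyperproof's own code. SAMPLE_ACCOUNTS is constructed
sample data standing in for the tags on accounts in AWS Organizations.
"""
from collections import defaultdict

# Constructed sample: account ID -> tags
SAMPLE_ACCOUNTS = {
    "111111111111": {"env": "prod", "team": "payments"},
    "222222222222": {"env": "prod", "team": "platform"},
    "333333333333": {"env": "staging", "team": "payments"},
    "444444444444": {"env": "dev"},
}


def group_filters(pairs):
    """Collapse (key, value) pairs into key -> set of accepted values.
    Entering the same key with several values lists alternatives for that key (OR)."""
    grouped = defaultdict(set)
    for key, value in pairs:
        grouped[key].add(value)
    return dict(grouped)


def account_matches(tags, grouped_filters):
    """An account matches when every filtered key is present on it (AND across keys)
    and the account's value is one of the accepted values for that key (OR within a key)."""
    return all(tags.get(key) in values for key, values in grouped_filters.items())


def select_accounts(accounts, pairs):
    """Return the sorted IDs of the accounts that satisfy the tag filter pairs."""
    grouped = group_filters(pairs)
    return sorted(acct for acct, tags in accounts.items() if account_matches(tags, grouped))


if __name__ == "__main__":
    # Two different keys: AND -> only the prod account owned by payments
    print(select_accounts(SAMPLE_ACCOUNTS, [("env", "prod"), ("team", "payments")]))
    # Same key twice: OR -> every prod or staging account
    print(select_accounts(SAMPLE_ACCOUNTS, [("env", "prod"), ("env", "staging")]))
    # Mixed: (env is prod OR staging) AND team is payments
    print(select_accounts(SAMPLE_ACCOUNTS, [("env", "prod"), ("env", "staging"), ("team", "payments")]))
```

An account missing one of the filtered keys never matches, which is why the dev account with no team tag drops out of any filter that names team.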