Unified Scanner for AWS

Usage Instructions


Installation Steps

  1. Create a Lineaje account using the "Create an account" link.

  2. Subscribe and select the launch configuration:

    1. From AWS Marketplace (https://aws.amazon.com/marketplace):

      1. Subscribe to the product.

      2. After a successful subscription, click Continue to Configuration.

    2. From the AWS Console (console.aws.amazon.com/marketplace):

      1. Select the product.

      2. Click Action and select Launch CloudFormation Stack.

  3. Select the CloudFormation template, the version to deploy, and the AWS region in which the stack will be deployed.

  4. Select Action - Launch CloudFormation.

  5. Click Next to provide the stack details.

  6. Provide the following stack details in the form, and click Next:

    1. Stack Name

    2. Lineaje Device Code

    3. Instance Type

    4. VPC Id

    5. Subnet Id

    6. CIDR IP Range

    7. Key Pair

  7. Provide stack options (optional) and click Next.

  8. Review the CloudFormation stack, approve the IAM role creation, and launch the stack.

  9. After the stack has been created successfully, check the stack output. The Installation Status should be "successful".

  10. If the Installation Status is not successful, the error should be self-explanatory. If it is not, forward the error to support.


Customer's Data Usage

  1. Lineaje does not ask for or store any customer's personal data for the AMI deployment.

  2. The Device Code is an ephemeral entity and expires after 5 minutes.

  3. AWS ECR image layers are analysed inside the EC2 instance only.

  4. Generated SBOMs are uploaded only to the Lineaje SaaS.


Cloudformation Resources

The following resources are created in the customer's AWS account:


1. AWSResourceAccessRole

Type: AWS::IAM::Role

Description: This role is created for EC2 instances to assume and perform specific actions. The AssumeRolePolicyDocument allows the EC2 service (ec2.amazonaws.com) to assume this role. The role grants permissions for actions such as managing SSM parameters, accessing ECR repositories, and writing logs.

Usage:

  • ssm:PutParameter: Allows the EC2 instance to store parameters related to the unified scanner under a specific SSM parameter path.

  • ECR Permissions: Grants the instance access to ECR to describe repositories and retrieve image scan findings. This is used for working with container images, scanning them, and retrieving data.

  • Metering Usage: The policy also includes permission to meter usage in AWS Marketplace. It is necessary to bill for the usage.

  • Logging Permissions: The role grants permissions for creating and managing CloudWatch logs to monitor the instance's actions.


2. LineajeInstanceProfile

Type: AWS::IAM::InstanceProfile

Description: This resource creates an instance profile that associates the AWSResourceAccessRole with EC2 instances. An instance profile allows the EC2 instance to assume the IAM role and execute the defined policies.

Usage:

  • Provides the EC2 instance with the permissions defined in AWSResourceAccessRole, enabling it to access services such as SSM, ECR, and CloudWatch.


3. LineajeSecurityGroup

Type: AWS::EC2::SecurityGroup

Description: The security group is configured to control network access to the EC2 instance. It allows inbound traffic on port 22 (for SSH access) and port 8080 (for the application running on the instance). All outbound traffic is permitted by the security group.

Usage:

  • Port 22 (SSH): Allows access to the instance for secure management and configuration.

  • Port 8080: Used for HTTP traffic or communication between the instance and other services.

  • Port 8443: Used for HTTPS traffic or communication between the instance and other services.

  • SecurityGroupEgress: Allows the instance to communicate outbound over any protocol to the internet or other AWS services.


4. LineajeUnifiedScannerEC2Instance

Type: AWS::EC2::Instance

Description: This resource creates the EC2 instance on which the unified scanner runs. The instance is assigned an AMI (ImageId), an instance type, an SSH key, a security group, and a block device mapping. Additionally, user data is passed to the instance for bootstrapping; it includes an email address as part of the configuration.

Usage:

  • AMI: The image ID refers to a predefined AMI from which the EC2 instance is launched.

  • Instance Type: The instance type is either a custom type or a default type, depending on the parameters provided.

  • Block Device Mappings: Ensures that the root volume is an EBS volume with 50 GB of storage, with the option to delete it upon termination.

  • UserData: The UserData section adds the provided email address, which is used for the initial configuration of the instance.
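
A defender-side review of the resources described above, added here as an example; it is not part of Lineaje's template or tooling. It walks a CloudFormation template (the trimmed sample below is constructed; the real template's property values and the CIDRIPRange parameter name are assumptions) and flags what a reviewer would want to clear before approving the IAM role creation in step 8: an inbound rule open to the whole internet instead of the stack's CIDR IP Range, an ssm:PutParameter grant not scoped to the scanner's parameter path, and a root volume that does not match the documented 50 GB EBS volume.

```python
# Constructed sample (not Lineaje's template): the role, security group and instance the
# page lists, seeded with the weak settings a reviewer would flag. Parameter name is assumed.
SAMPLE = {"Resources": {
    "AWSResourceAccessRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "scanner",
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": ["ssm:PutParameter"], "Resource": "*"}]}}]}},
    "LineajeSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": {"Ref": "CIDRIPRange"}}]}},
    "LineajeUnifiedScannerEC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {"BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 50, "DeleteOnTermination": True}}]}}}}

def resources_of(template, rtype):
    return [(n, r.get("Properties", {})) for n, r in template["Resources"].items()
            if r.get("Type") == rtype]

def world_open_ingress(template):
    """Inbound rules whose source is the whole internet; the stack's CIDR IP Range
    parameter is assumed to be what should scope ports 22/8080/8443 instead."""
    hits = []
    for name, props in resources_of(template, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                hits.append((name, rule.get("FromPort"), rule.get("ToPort")))
    return hits

def unscoped_ssm_writes(template):
    """ssm:PutParameter allowed on Resource '*' rather than the scanner's parameter path."""
    hits = []
    for name, props in resources_of(template, "AWS::IAM::Role"):
        for pol in props.get("Policies", []):
            for st in pol["PolicyDocument"]["Statement"]:
                # Action and Resource may each be a string or a list; normalise to lists
                acts, res = (v if isinstance(v, list) else [v] for v in (st.get("Action", []), st.get("Resource", [])))
                if "*" in res and any(a in ("ssm:PutParameter", "ssm:*", "*") for a in acts):
                    hits.append((name, pol["PolicyName"]))
    return hits

def root_volume_ok(template, size_gb=50):
    """Root EBS volume is the documented 50 GB and is deleted with the instance."""
    for _, props in resources_of(template, "AWS::EC2::Instance"):
        for ebs in (m.get("Ebs", {}) for m in props.get("BlockDeviceMappings", [])):
            if ebs.get("VolumeSize") == size_gb and ebs.get("DeleteOnTermination") is True:
                return True
    return False

def audit(template):
    """Findings to clear before approving the stack's IAM role creation step."""
    findings = [f"{sg}: port {lo}-{hi} open to the internet" for sg, lo, hi in world_open_ingress(template)]
    findings += [f"{r}/{p}: ssm:PutParameter not scoped to a parameter path" for r, p in unscoped_ssm_writes(template)]
    return findings + ([] if root_volume_ok(template) else ["instance: root volume is not a 50 GB EBS volume deleted on termination"])
```

Point the functions at the stack's actual template body (for example the JSON returned by `aws cloudformation get-template`) to review a real deployment the same way.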

Get the Device Code for the AMI

  1. Log on to the SBOM360 portal (https://app.veedna.com).

  2. Click on the "Integrations" icon.

  3. Click on "Register AMI".

  4. Click on "Verify Device". It will redirect to the login page.

  5. Provide the SBOM360 credentials when prompted by the login page. If the credentials are cached, it may not prompt for the SBOM360 credentials again.

  6. Click on "Confirm".

  7. Copy the generated Device Code from the SBOM360 portal page.
