Amazon EC2
Amazon EC2 (Elastic Cloud Compute) by Amazon Web Services (AWS) provides management for your cloud instances. You can bring instance data from Amazon EC2 into Brinqa to gain a comprehensive view of your cloud security landscape, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Amazon EC2 and how to obtain that information from Amazon. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Amazon EC2 from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Amazon EC2 with Brinqa:
-
Access key ID and Secret access key: The access keys associated with the Amazon EC2 account, which must have the AmazonEC2ReadOnlyAccess permission in order to access EC2 instances from the Amazon SDK. For additional information, see Create an IAM user for Amazon EC2 access.
-
Default region: The AWS region for the Amazon EC2 connector. If not specified, the connector uses the AWS Default Region Provider Chain to automatically determine the most appropriate region. This ensures that the connector adheres to the recommended AWS practices for region selection. For additional information on the AWS Default Region Provider Chain, refer to the AWS documentation.
-
Assume role: The Amazon Resource Name (ARN) for the role that the connector assumes when accessing AWS services, which must have permissions to log in to the API server and return data. You can use multiple ARNs separated by commas, e.g.,
target1RoleARN,target2RoleARN.noteThere is no character limit for the Assume role field.
Create an IAM user for Amazon EC2 access
For the Amazon EC2 connector to interact with the AWS SDK and retrieve instances, you must provide specific AWS credentials and permissions. If you want to configure cross-account access, you can skip this section and go to the Set up permissions for cross-account access section instead.
To create an IAM user for EC2 access, follow these steps:
-
Log in to your organization's AWS Management Console as an administrator.
-
Navigate to the Identity and Access Management (IAM) dashboard.
-
From the navigation pane under Access management, click Users, and then click Create user.
-
Provide a User name, leave the Provide user access to AWS Management Console option unchecked, and then click Next.
-
Click the Attach policies directly option, search for and select the AmazonEC2ReadOnlyAccess permission.
-
Click Next and then click Create user.
The Users page displays and the new IAM user is available in the Users table.
If you do not have permissions to create a new IAM user, contact your AWS administrator. For additional information, see AWS documentation.
Obtain Amazon EC2 access keys
After you have created an IAM user, you can then generate the access keys that are required for the Amazon EC2 connector to access the AWS SDK. To do so, follow these steps:
-
Navigate to the IAM dashboard.
-
From the navigation pane under Access management, click Users.
-
Choose the IAM user you created in the earlier steps.
-
Click the Security credentials tab and then click Create access key.
-
Select the Application running outside AWS use case and then click Next.
-
Provide a description and then click Create access key.
The access key ID and secret access key display. The secret access key is shown only once and cannot be retrieved again, so copy the key and save it to a secure location.
If you do not have the permissions to create access keys, contact your Amazon EC2 administrator. For additional information, see AWS documentation.
Create a role and assign permissions
After creating an IAM user and obtaining the Amazon EC2 access keys, the next step is to create a role and obtain the ARN that is required for the integration. To do so, follow these steps:
-
From the IAM dashboard, click Roles, and then click Create role.
-
For the Trusted entity type, choose AWS account, and then click Next.
-
Search for and select the AmazonEC2ReadOnlyAccess permission from the list of permissions and click Next.
-
Assign a name and description and then click Create role.
-
Back on the Roles page, click the new role and copy the value in the ARN field as shown below:
The ARN, along with the access key ID and secret access key, are required for authentication in the integration configuration.
If you do not have the permissions to create roles, contact your Amazon EC2 administrator. For additional information, see AWS documentation.
(Optional) Set up permissions for cross-account access
You can configure cross-account access to allow the Amazon EC2 connector to interact with multiple AWS accounts. If this is what you want to do, you can skip the Create an IAM user for Amazon EC2 access section.
Before we begin, let's introduce some terms for clarity:
-
Source account: The AWS account with EC2 instances that the connector will access.
-
Target account: The AWS account that is connected to the EC2 instances in the source account.
In every AWS target account with EC2 Instances, follow these steps:
-
From the IAM dashboard, click Roles, and then click Create role.
-
For the Trusted entity type, select AWS account, and then select Another AWS account.
-
Enter the AWS account ID of the AWS source account and then click Next
-
Attach a policy to the role that grants permissions for the actions you want to allow in the target account (e.g., AmazonEC2ReadOnlyAccess).
-
After creating the role, select it from the list of roles and then click the Trust relationships tab.
-
Click Edit trust policy and edit the trust relationship policy document to include the AWS source account ID you entered in step 3.
-
Click Update policy and note down the Role ARN, as you will need this ARN in the source account for the next steps.
In the AWS source account connecting to the EC2 Instances, follow these steps:
-
From the IAM dashboard, click Users, and then click Create user.
-
Enter a username (e.g.,
CrossAccountUser) and click Next. -
Select Attach policies directly and then click Create policy.
-
Click the JSON tab and attach a policy to the user that allows it to assume roles in the target account. For example, the policy should allow
sts:AssumeRolefor the target account's role:{"Version": "2024-05-30","Statement": [{"Effect": "Allow","Action": "sts:AssumeRole","Resource": "<target-role-arn>"}]}Replace
<target-role-arn>with the ARN of the role created in the target account. -
Click Next.
-
Repeat steps 3-5 for each target ARN.
-
Search for and select the AmazonEC2ReadOnlyAccess permission from the list of permissions and click Next.
-
Click Create user.
After creating the user, follow the steps for obtaining access keys. Use these credentials in the integration configuration along with the role ARN for the target you created earlier. You can enter the ARNs in a comma-separated format:
target1RoleARN, target2RoleARN,target3RoleARN.
For additional information on configuring cross-account access, see AWS documentation
Additional settings
The Amazon EC2 connector contains an additional option for specific configuration:
-
Session duration: The duration, in seconds, for the assumed role session. This determines the time period during which the credentials issued by the assumed role remain valid. The default setting is 900 seconds, or 15 minutes.
-
Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
-
Parallel requests: The maximum number of parallel API requests. The default setting is 4.
Types of data to retrieve
The Amazon EC2 connector can retrieve the following types of data from the Amazon EC2 API:
Table 1: Data retrieved from Amazon EC2
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| EBS Snapshot | Yes | Cloud Resource |
| EBS Volume | Yes | Cloud Resource |
| Elastic IP | Yes | Cloud Resource |
| Instance | Yes | Host |
| Network ACL | Yes | Cloud Resource |
| Network Interface | Yes | Cloud Resource |
| Route Table | Yes | Cloud Resource |
| Security Group | Yes | Cloud Resource |
| Subnet | Yes | Subnet |
| VPC Peering Connection | Yes | Cloud Resource |
For detailed steps on how to view the data retrieved from Amazon EC2 in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
EBS Snapshot
Table 2: EBS Snapshot attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| region | REGION |
| s.description() | DESCRIPTION |
| s.encrypted() | ENCRYPTED |
| s.kmsKeyId() | KMS_KEY_ID |
| s.ownerId() | OWNER_ID |
| s.progress() | PROGRESS |
| s.snapshotId() | SNAPSHOT_ID |
| s.snapshotId() | UID |
| s.startTime() | FIRST_SEEN |
| s.stateAsString() | SOURCE_STATUS |
| s.storageTierAsString() | STORAGE_TIER |
| s.volumeId() | VOLUME_ID |
| s.volumeSize() | VOLUME_SIZE_GIB |
| tags | TAGS |
EBS Volume
Table 3: EBS Volume attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| attachments (instanceId) | ATTACHED_INSTANCE_IDS |
| attachments (instanceId@device:state) | ATTACHMENTS |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| region | REGION |
| tags | TAGS |
| v.availabilityZone() | AVAILABILITY_ZONE |
| v.createTime() | FIRST_SEEN |
| v.encrypted() | ENCRYPTED |
| v.iops() | IOPS |
| v.kmsKeyId() | KMS_KEY_ID |
| v.multiAttachEnabled() | MULTI_ATTACH_ENABLED |
| v.size() | SIZE_GIB |
| v.snapshotId() | SNAPSHOT_ID |
| v.stateAsString() | SOURCE_STATUS |
| v.throughput() | THROUGHPUT |
| v.volumeId() | UID |
| v.volumeId() | VOLUME_ID |
| v.volumeTypeAsString() | VOLUME_TYPE |
Elastic IP
Table 4: Elastic IP attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| address.allocationId() | ALLOCATION_ID |
| address.associationId() | ASSOCIATION_ID |
| address.domainAsString() | DOMAIN |
| address.instanceId() | INSTANCE_ID |
| address.networkInterfaceId() | NETWORK_INTERFACE_ID |
| address.networkInterfaceOwnerId() | NETWORK_INTERFACE_OWNER_ID |
| address.privateIpAddress() | PRIVATE_IP |
| address.publicIp() | PUBLIC_IP |
| address.publicIp() | PUBLIC_IP_ADDRESSES |
| address.publicIp() | UID |
| address.publicIpv4Pool() | PUBLIC_IPV4_POOL |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| region | REGION |
| tags | TAGS |
Instance
Table 5: Instance attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| architectureAsString | ARCHITECTURE |
| availabilityZone | AVAILABILITY_ZONE |
| blockDeviceMappings | BLOCK_DEVICE_MAPPINGS |
| Generated (computed from platformDetails, instanceType, architecture) | DESCRIPTION |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (set to "Host", "Virtual Machine") | CATEGORIES |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| hypervisorAsString | HYPERVISOR |
| iamInstanceProfile.arn | IAM_INSTANCE_PROFILE_ARN |
| imageId | IMAGE_ID |
| instanceId | UID |
| instanceTypeAsString | INSTANCE_TYPE |
| ipv6Addresses | IPV6_ADDRESSES |
| keyName | KEY_NAME |
| lastSeen | LAST_SEEN |
| launchTime | FIRST_SEEN |
| launchTime | LAUNCH_TIME |
| metadataOptions.httpTokens | IMDSV2_REQUIRED |
| monitoring | MONITORING |
| name (from tags) | NAME |
| networkInterfaces.macAddress | MAC_ADDRESSES |
| networkInterfaces.privateIpAddress | IP_ADDRESSES, PRIVATE_IP_ADDRESSES, PUBLIC_IP_ADDRESSES |
| ownerId | OWNER_ID |
| platformAsString, platformDetails | OPERATING_SYSTEM |
| privateDNSName | HOSTNAMES, PRIVATE_DNS_NAMES |
| publicDNSName | PUBLIC_DNS_NAMES |
| ramdiskId | RAM_DISK_ID |
| region | REGION |
| rootDeviceName | ROOT_DEVICE_NAME |
| rootDeviceTypeAsString | ROOT_DEVICE_TYPE |
| securityGroups.groupId | SECURITY_GROUP_IDS |
| securityGroups.groupName | SECURITY_GROUPS |
| state | SOURCE_STATUS, STATUS |
| stateTransitionReason | STATE_TRANSITION_REASON |
| subnetId | SUBNET_ID |
| tags | TAGS |
| virtualizationTypeAsString | VIRTUALIZATION_TYPE |
| vpcId | VPC_ID |
Network ACL
Table 6: Network ACL attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| acl.associations (subnetId) | ASSOCIATED_SUBNET_IDS |
| acl.entries (egress entries) | EGRESS_ENTRIES |
| acl.entries (ingress entries) | INGRESS_ENTRIES |
| acl.isDefault() | IS_DEFAULT |
| acl.networkAclId() | NETWORK_ACL_ID |
| acl.networkAclId() | UID |
| acl.ownerId() | OWNER_ID |
| acl.vpcId() | VPC_ID |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| region | REGION |
| tags | TAGS |
Network Interface
Table 7: Network Interface attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| nic.association().ipOwnerId() | ASSOCIATION_IP_OWNER_ID |
| nic.association().publicDnsName() | PUBLIC_DNS_NAMES |
| nic.association().publicIp() | ASSOCIATION_PUBLIC_IP |
| nic.association().publicIp() | PUBLIC_IP_ADDRESSES |
| nic.attachment().instanceId() | ATTACHED_INSTANCE_ID |
| nic.attachment().statusAsString() | ATTACHMENT_STATUS |
| nic.availabilityZone() | AVAILABILITY_ZONE |
| nic.description() | DESCRIPTION |
| nic.groups() (groupId) | SECURITY_GROUP_IDS |
| nic.interfaceTypeAsString() | INTERFACE_TYPE |
| nic.ipv6Addresses() | IPV6_ADDRESSES |
| nic.macAddress() | MAC_ADDRESSES |
| nic.networkInterfaceId() | NETWORK_INTERFACE_ID |
| nic.networkInterfaceId() | UID |
| nic.ownerId() | OWNER_ID |
| nic.privateDnsName() | PRIVATE_DNS_NAMES |
| nic.privateIpAddresses() | PRIVATE_IP_ADDRESSES |
| nic.statusAsString() | SOURCE_STATUS |
| nic.subnetId() | SUBNET_ID |
| nic.tagSet() | TAGS |
| nic.vpcId() | VPC_ID |
| region | REGION |
Route Table
Table 8: Route Table attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Generated (computed from gateway IDs) | HAS_INTERNET_GATEWAY_ROUTE |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| region | REGION |
| routes (destination -> target) | ROUTES |
| routes (gateway IDs starting with igw-) | INTERNET_GATEWAY_IDS |
| routes (natGatewayId) | NAT_GATEWAY_IDS |
| rt.associations (main flag) | IS_MAIN_TABLE |
| rt.associations (subnetId) | ASSOCIATED_SUBNET_IDS |
| rt.ownerId() | OWNER_ID |
| rt.routeTableId() | ROUTE_TABLE_ID |
| rt.routeTableId() | UID |
| rt.vpcId() | VPC_ID |
| tags | TAGS |
Security Group
Table 9: Security Group attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Generated (computed from CIDR ranges) | INGRESS_OPEN_CIDRS |
| Generated (computed from CIDR ranges) | INGRESS_OPEN_TO_INTERNET |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| ipPermissions (formatted) | INGRESS_RULES |
| ipPermissionsEgress (formatted) | EGRESS_RULES |
| region | REGION |
| sg.description() | DESCRIPTION |
| sg.groupId() | GROUP_ID |
| sg.groupId() | UID |
| sg.groupName() | GROUP_NAME |
| sg.ownerId() | OWNER_ID |
| sg.vpcId() | VPC_ID |
| tags | TAGS |
| userIdGroupPairs (groupId) | REFERENCED_GROUP_IDS |
Subnet
Table 10: Subnet attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| region | REGION |
| subnet.availabilityZone() | AVAILABILITY_ZONE |
| subnet.availableIpAddressCount() | AVAILABLE_IP_COUNT |
| subnet.cidrBlock() | CIDR_BLOCK |
| subnet.ipv6CidrBlockAssociationSet() | IPV6_CIDR_BLOCKS |
| subnet.mapPublicIpOnLaunch() | MAP_PUBLIC_IP_ON_LAUNCH |
| subnet.ownerId() | OWNER_ID |
| subnet.stateAsString() | SOURCE_STATUS |
| subnet.subnetArn() | SUBNET_ARN |
| subnet.subnetId() | SUBNET_ID |
| subnet.subnetId() | UID |
| subnet.vpcId() | VPC_ID |
| tags | TAGS |
VPC Peering Connection
Table 11: VPC Peering Connection attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| accepterVpcInfo.cidrBlock() | ACCEPTER_CIDR |
| accepterVpcInfo.ownerId() | ACCEPTER_OWNER_ID |
| accepterVpcInfo.region() | ACCEPTER_REGION |
| accepterVpcInfo.vpcId() | ACCEPTER_VPC_ID |
| Generated (computed from owner IDs) | IS_CROSS_ACCOUNT |
| Generated (set to "AWS") | CLOUD_PROVIDER |
| Generated (sync capture timestamp) | LAST_CAPTURED |
| peering.status().codeAsString() | SOURCE_STATUS |
| peering.vpcPeeringConnectionId() | PEERING_CONNECTION_ID |
| peering.vpcPeeringConnectionId() | UID |
| region | REGION |
| requesterVpcInfo.cidrBlock() | REQUESTER_CIDR |
| requesterVpcInfo.ownerId() | REQUESTER_OWNER_ID |
| requesterVpcInfo.region() | REQUESTER_REGION |
| requesterVpcInfo.vpcId() | REQUESTER_VPC_ID |
| tags | TAGS |
Operation options
The Amazon EC2 connector supports the following operation options. See connector operation options for information about how to apply them.
Table 12: Amazon EC2 connector operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Instance | maxResults | Any numeric value | Limit the number of instances returned per API call. The default value is 1000. | Key: maxResults Value: 10. This key and value combination only retrieves 10 instances per API call. |
| regions | Any region where your Amazon EC2 instances reside | Retrieve instances by the specified AWS regions. | Key: regions Value: us-east-1,us-west-1. This key and value combination only retrieves instances from the us-east-1 and us-west-1 AWS regions. |
The option keys and values are case-sensitive as they are shown in this documentation.
APIs
The Amazon EC2 connector uses the AWS SDK v2.25.6. Specifically, it uses the following API endpoints:
Table 13: Amazon EC2 API endpoints
| Connector Object | API Endpoint |
|---|---|
| EBS Snapshot | ec2:DescribeSnapshots |
| EBS Volume | ec2:DescribeVolumes |
| Elastic IP | ec2:DescribeAddresses |
| Instance | ec2:DescribeInstances |
| Network ACL | ec2:DescribeNetworkAcls |
| Network Interface | ec2:DescribeNetworkInterfaces |
| Route Table | ec2:DescribeRouteTables |
| Security Group | ec2:DescribeSecurityGroups |
| Subnet | ec2:DescribeSubnets |
| VPC Peering Connection | ec2:DescribeVpcPeeringConnections |
Changelog
The Amazon EC2 connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 14: Amazon EC2 connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.1.0 | - Added 9 new connector objects: EBS Snapshot, EBS Volume, Elastic IP, Network ACL, Network Interface, Route Table, Security Group, Subnet, and VPC Peering Connection. - Added new attributes to the Instance object: BLOCK_DEVICE_MAPPINGS, IAM_INSTANCE_PROFILE_ARN, IMDSV2_REQUIRED, IPV6_ADDRESSES, LAUNCH_TIME, SECURITY_GROUP_IDS. - Sync failures that were previously silently swallowed during multi-region sync now surface as visible failures with detailed error information. No migration required. | June 1st, 2026 |
| 3.0.20 | No change. | March 26th, 2026 |
| 3.0.19 | No change. | December 26th, 2025 |
| 3.0.18 | No change. | September 22nd, 2025 |
| 3.0.17 | Updated the connector icon. This change only affects the connector icon and does not impact functionality. You can update without making any changes to your existing configurations. | August 5th, 2025 |
| 3.0.16 | No change. | August 5th, 2025 |
| 3.0.15 | No change. | July 29th, 2025 |
| 3.0.14 | No change. | June 4th, 2025 |
| 3.0.13 | No change. | March 25th, 2025 |
| 3.0.12 | No change. | March 25th, 2025 |
| 3.0.11 | - Fixed an issue where the EC2 connector sync was failing due to deprecated attributes on the Instance object. As a result, the following attributes were updated:
| October 28th, 2024 |
| 3.0.10 | No change. | September 27th, 2024 |
| 3.0.9 | No change. | August 6th, 2024 |
| 3.0.8 | No change. | July 19th, 2024 |
| 3.0.7 | No change. | June 5th, 2024 |
| 3.0.6 | No change. | May 29th, 2024 |
| 3.0.5 | Fixed an issue where the connector wasn't timing out properly. | March 22nd, 2024 |
| 3.0.4 | Code cleanup and general maintenance. | March 13th, 2024 |
| 3.0.3 | Code cleanup and general maintenance. | March 11th, 2024 |
| 3.0.2 | Added API call timeouts and API call attempt timeouts. | January 26th, 2024 |
| 3.0.1 | Added the AWS icon and some missing attributes. | April 3rd, 2023 |
| 3.0.0 | Initial Integration+ release. | March 13th, 2023 |