dlafleur
Engaged Sweeper III

Ok folks. I am trying to figure out how to efficiently scan my AWS assets into Lansweeper Cloud.
I have set up the Cloud Sensor; however, it pulls in so much data that I simply do not need, thus taking up an asset license. We have multiple AWS accounts in our environment. We tried using the access key and secret key with On-Prem, which I really liked; however, that is not a very secure way to do things. So what is the preferred method?
How does one, using Lansweeper Cloud, inventory their AWS assets? I'm just wanting to see info for EC2 instances, AWS S3 buckets, and tags. That's it. I don't need any of the AMI, network, RDS, etc. information.

So.  Any suggestions?  What works for you?  Anyone have any examples?  LOL..  As you can tell, I really need some direction here.  Any help would be appreciated.  Thanks

1 REPLY 1
PatrickCloud
Lansweeper Employee

Hello @dlafleur,

With the Sites cloud scanner, some resource types may be scanned even though they were not selected when creating the cloud action. This is due to the fact that the current scanner core was designed this way for a different purpose.
This behavior will be corrected in the coming weeks.
In the meantime, a way to prevent this in AWS is by adding a Deny action on these types of resources in the Reading policy. The following policy, for example, would ensure that only EC2s, VPCs and S3s are scanned (they must also be selected in the cloud action):

 

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Effect": "Allow",
           "Action": [
               "s3:Describe*",
               "s3:Get*",
               "s3:List*",
               "ec2:Get*",
               "ec2:List*",
               "ec2:Search*",
               "ec2:Describe*"
           ],
           "Resource": "*"
       },
       {
           "Effect": "Deny",
           "Action": [
               "rds:DescribeDBInstances",
               "ec2:DescribeNetworkInterfaces",
               "ec2:DescribeInternetGateways",
               "ec2:DescribeRouteTables",
               "ec2:DescribeSubnets",
               "ec2:DescribeVolumes",
               "ec2:DescribeSecurityGroups",
               "ec2:DescribeImages",
               "ec2:DescribeReservedInstances",
               "ec2:DescribeReservedInstancesOfferings",
               "ec2:DescribeNatGateways",
               "ec2:DescribeVpcPeeringConnections",
               "ec2:DescribeNetworkAcls"
           ],
           "Resource": "*"
       }
   ]
}

 

If you still see unwanted asset types after a scan with this new policy, you may want to check the LAST SUCCESSFUL SCAN time of these assets and make sure it relates to the latest scan.
If it is the result of a previous scan, you can now bulk-delete the unsolicited cloud assets.
If it is the result of that scan, check the type of the unsolicited assets that were returned and determine which Actions need to be added to the Deny block (tip: ChatGPT can help you on this one, there really are a lot of granular permissions).
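
Added example (not part of the reply above and not Lansweeper's code): a small offline check of which read calls the policy above still permits, using IAM's rule that an explicit Deny overrides any Allow. The list of calls is constructed for illustration, and the evaluation is simplified to action matching because every statement here uses `"Resource": "*"` with no conditions.

```python
from fnmatch import fnmatchcase

# Reading policy from the reply above, written compactly.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "s3:Describe*", "s3:Get*", "s3:List*",
            "ec2:Get*", "ec2:List*", "ec2:Search*", "ec2:Describe*"]},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "rds:DescribeDBInstances", "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeInternetGateways", "ec2:DescribeRouteTables",
            "ec2:DescribeSubnets", "ec2:DescribeVolumes",
            "ec2:DescribeSecurityGroups", "ec2:DescribeImages",
            "ec2:DescribeReservedInstances",
            "ec2:DescribeReservedInstancesOfferings",
            "ec2:DescribeNatGateways", "ec2:DescribeVpcPeeringConnections",
            "ec2:DescribeNetworkAcls"]},
    ],
}

def decide(policy, action):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one action."""
    allowed = False
    stmts = policy["Statement"]
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        acts = stmt["Action"]
        patterns = [acts] if isinstance(acts, str) else acts
        # IAM action names are case-insensitive and support * and ? wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "explicit-deny"  # Deny wins over any matching Allow
            allowed = True
    return "allow" if allowed else "implicit-deny"

# Constructed sample of read calls (an assumption, not Lansweeper's actual list).
SAMPLE_CALLS = [
    "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:DescribeVpcs",
    "s3:ListAllMyBuckets", "s3:GetBucketTagging", "ec2:DescribeVolumes",
    "ec2:DescribeImages", "ec2:DescribeSnapshots",
    "rds:DescribeDBInstances", "rds:DescribeDBClusters",
]

def audit(policy, calls):
    return {call: decide(policy, call) for call in calls}

if __name__ == "__main__":
    for call, verdict in audit(POLICY, SAMPLE_CALLS).items():
        print(f"{verdict:14} {call}")
```

Any call reported as `allow` that you do not want scanned (here `ec2:DescribeSnapshots`, which the `ec2:Describe*` wildcard still permits) is a candidate for the Deny block.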
