AWS

AWS Documentation

Welcome to the Scope AWS documentation section. This section will guide you through connecting AWS to Scope and getting the necessary data to start analyzing your AWS environment.


Connect to AWS

To connect to AWS, a user needs to be created for Scope with a minimal set of permissions that allows read-only access to the compromised AWS account.

To create the Scope user, head to the IAM service and create a new user. The user can be called anything, such as Scope. If you believe there is an active threat in the account, you may want to choose a less obvious name such as technical-support.

You don’t need to give this user access to the management console.

To give Scope the necessary permissions, head to the permission options, choose “Attach Policies Directly” and then “Create Policy”.

In the Policy editor, choose JSON and replace the default policy with the policy below. Choose a name for the policy and provide a description. Click Create policy. Now attach the policy to the user you are creating and finish creating the user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:LookupEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:FilterLogEvents",
                "ec2:DescribeInstances",
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeImages",
                "ec2:DescribeFlowLogs",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeVpcEndpoints",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetObject",
                "iam:GetUser",
                "iam:ListUsers",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:SimulatePrincipalPolicy",
                "iam:GenerateCredentialReport",
                "iam:GetCredentialReport",
                "config:DescribeConfigRules",
                "config:GetComplianceDetailsByConfigRule",
                "config:GetResourceConfigHistory",
                "lambda:ListFunctions",
                "lambda:GetFunction",
                "rds:DescribeDBInstances",
                "elasticloadbalancing:DescribeLoadBalancers",
                "guardduty:ListDetectors",
                "guardduty:GetFindings"
            ],
            "Resource": "*"
        }
    ]
}
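Before attaching the policy above, it is worth checking mechanically that every action it allows is read-only. The following Python script is an added example (not part of the Scope documentation or product); it embeds a small constructed sample policy and can also be pointed at a saved copy of the policy JSON above.

```python
import json
import sys

# Operation-name prefixes AWS uses for non-mutating calls. "Simulate" and
# "Generate" are included because the page's policy relies on
# iam:SimulatePrincipalPolicy and iam:GenerateCredentialReport.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup", "Filter",
                      "Simulate", "Generate")

# Constructed sample: a few actions from the page's policy plus one write
# action that a least-privilege review should catch.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudtrail:LookupEvents", "ec2:DescribeInstances",
                   "iam:GetCredentialReport", "s3:PutObject"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts a single string/object as well as a list for these keys."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def find_non_readonly_actions(policy):
    """Return Allow actions that are not clearly read-only: non-read prefixes,
    wildcards (they may expand to write actions) and NotAction statements
    (they allow everything not listed). Deny statements are skipped."""
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:
            findings.append("NotAction:" + ",".join(_as_list(statement["NotAction"])))
        for action in _as_list(statement.get("Action")):
            operation = action.partition(":")[2]  # "ec2:DescribeInstances" -> "DescribeInstances"
            if "*" in action or not operation.startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings


if __name__ == "__main__":
    # Pass the path of the policy JSON saved from this page, or run the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    bad = find_non_readonly_actions(policy)
    print("read-only" if not bad else "review these actions: " + ", ".join(bad))
```

Note that s3:GetObject with Resource "*" reads object contents from every bucket in the account; if evidence collection only needs particular buckets, narrowing Resource to those bucket ARNs keeps the user tighter.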

Generate Credentials

Now we will generate the access key and secret key for the new AWS user in the AWS Management Console.

Steps:

  1. Navigate to IAM > Users in the AWS Management Console.
  2. Select the newly created user.
  3. Go to the Security credentials tab.
  4. Click Create access key, select Other as your use case and save the credentials securely.

These credentials will be used by your app to authenticate API requests to AWS.


Connect to Scope

Use the “Connect AWS” workflow in your app to input the generated access keys.

Workflow:

  1. Navigate to the Case Details page in your app.
  2. Click Connect Client > AWS to open the AWS connection form.
  3. Input the following details:
    • Account ID: The AWS account ID associated with the user (this can be found by clicking the username in the top right-hand corner of the console).
    • Access Key ID: The generated access key.
    • Secret Access Key: The generated secret key.
    • Region: The default region for the investigation (e.g., ap-southeast-2).
  4. Submit the form.

Scope will now validate that your credentials can access the AWS environment you are investigating.

If the credentials for vapor have been generated and added to Scope, a message will display saying “AWS account connected successfully”.