Chariot integrates with Amazon Web Services, Google Cloud, and Azure for asset discovery and attribution. On this page, we list the credentials required for each integration.

Amazon Web Services

Clicking on the AWS integration card will bring up the following menu:

Chariot provides two independent techniques to integrate your instance with an AWS account (Pull-Based and Event-Based). Praetorian recommends enabling both options for maximum coverage.

Pull-Based (IAM Access Keys)

The "Pull-Based" technique uses IAM Access Keys to retrieve cloud-hosted assets in your attack surface. Each day, Chariot uses the provided keys to enumerate and scan all publicly accessible assets in your cloud environment.

To enable Pull-Based scanning, download the linked CloudFormation Template:

This template will create a new IAM role in your account that trusts Chariot's production AWS account (992382785633). The role will have the following IAM permission policies attached:

ReadOnlyAccess
SecurityAudit

To use the template, log into the AWS account you would like to integrate with Chariot. If your AWS environment consists of multiple accounts governed by an AWS Organization, log into the management account.

Once logged into your respective account, navigate to CloudFormation, and click Create Stack > With new resources (standard):

Upload the template as seen below and click Next:

Choose a name for the CloudFormation Stack and provide an External ID. The Stack name can be any arbitrary value, but you must provide your Chariot account's primary email address for the External ID. This is typically the email address of the user who initially created the account. The integration will fail if you provide a different email address. You can find the primary email address from the Organization Settings page in Chariot:

Enter the email address in the Stack parameter box:

Click Next to continue. On the following page, keep all the default values, and click Next again:

On the last page, review the changes the Stack will make, accept the acknowledgement prompt at the bottom of the page, and click Submit to launch the Stack:

Once the Stack completes, return to the AWS integration card in Chariot and provide the linked AWS account ID, which can be found by clicking your username in the top right of the AWS console:

Paste your AWS Account ID into Chariot and click Add to complete the integration:

Upon completing the integration, Chariot will create a new seed for each linked AWS account:

Every 24 hours, Chariot will enumerate all public-facing assets in each account and scan each asset for vulnerabilities.
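As an added post-deployment check (example code written for this page, not part of Chariot or the Praetorian template), the following script verifies that the role the Stack created trusts only Chariot's production account, requires the External ID described above, and carries exactly the two managed policies listed. The trust policy and policy ARNs below are constructed sample inputs; in practice you would feed it the output of the IAM GetRole and ListAttachedRolePolicies calls.

```python
import json
from typing import List

# Values stated on this page for the Pull-Based integration.
CHARIOT_ACCOUNT_ID = "992382785633"
REQUIRED_POLICIES = {"ReadOnlyAccess", "SecurityAudit"}

def _as_list(value) -> List:
    # IAM documents allow a single string where a list is also permitted.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(trust_policy: dict, expected_external_id: str) -> List[str]:
    """Return findings for an IAM role trust policy; an empty list means it matches expectations."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"principal {principal!r} is not restricted to an AWS account")
            continue
        for p in _as_list(principal.get("AWS")):
            # Accept either a bare account ID or the account root ARN.
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if acct != CHARIOT_ACCOUNT_ID:
                findings.append(f"unexpected trusted principal {p}")
        # Without an ExternalId condition any party able to call Chariot's account
        # could have the role assumed on their behalf (confused-deputy problem).
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("sts:ExternalId condition missing")
        elif ext != expected_external_id:
            findings.append(f"sts:ExternalId is {ext!r}, expected {expected_external_id!r}")
    return findings

def check_attached_policies(attached_policy_arns: List[str]) -> List[str]:
    """Compare the role's attached managed policies against the set the page lists."""
    names = {arn.rsplit("/", 1)[-1] for arn in attached_policy_arns}
    findings = [f"missing managed policy {m}" for m in sorted(REQUIRED_POLICIES - names)]
    findings += [f"unexpected managed policy {e}" for e in sorted(names - REQUIRED_POLICIES)]
    return findings

# Constructed sample trust policy, shaped like the one the Stack is described as creating.
SAMPLE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::992382785633:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "owner@example.com"}}
  }]
}""")
```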

Event-Based (AWS EventBridge)

Additionally, Chariot can use EventBridge to trigger webhook notifications from your AWS account whenever a new cloud asset comes online. This option allows Chariot to respond to changes in your attack surface without missing assets that may only exist between scheduled scans.

Note: The Event-Based integration requires CloudTrail to be enabled. If CloudTrail is not enabled, refer to the AWS documentation bulleted below and enable it before proceeding. No Chariot-specific CloudTrail configuration is needed; all settings can be left at their default values:

To enable EventBridge updates between AWS and Chariot, download the "real-time updates" CloudFormation template from the link in the dialog box below:

Log into your AWS console, navigate to CloudFormation, and click Create Stack > With new resources (standard):

Upload the EventBridge template as seen below and click Next:

On the next page, enter a name for the stack and specify your Chariot webhook. If you have not created a webhook yet, please follow the webhook instructions.

Leave everything else at its default value, and continue through the prompts until the stack is created.

After the stack completes, your AWS account will send a webhook notification to Chariot every time monitored AWS assets come online. This will create a new Asset in your Chariot account, which Chariot will immediately scan and add to the daily queue.

Google Cloud Platform

Clicking on the GCP integration card will bring up the following menu:

To integrate Chariot with GCP, create a service account with the following IAM role:

roles/Viewer

Paste the account's email address and private key into the menu above, along with your GCP Project ID. Click Add to complete the integration.

Chariot will now regularly ingest assets from your GCP environment for risk detection.

Microsoft Azure

Clicking on the Azure integration card will bring up the following menu:

To integrate Chariot with Azure, create an Application Registration with the following role:

Reader

Paste the registration's ID and secret into the menu above, along with your Azure tenant and subscription IDs. Click Add to complete the integration.

Chariot will now regularly ingest assets from your Azure environment for risk detection.