Guide: Activate Cloud Asset Context in ASM

This guide outlines the steps to enable and leverage Cloud Asset Context in Censys Attack Surface Management (ASM) to streamline identification and remediation workflows. By ingesting metadata directly from your cloud providers, you can gain full visibility and direct risks to the appropriate security teams.

Phase 1: Ingestion & Integration

To begin, ensure your cloud connectors are active to ingest the cloud metadata fields from AWS, Azure, GCP, and Wiz. Some examples:

  • ARN (Amazon Resource Name)
  • Resource group (AWS)
  • Subscription ID (Azure)
  • Cloud tags
  • Project Name (GCP)

Phase 2: Feature Activation & Setup


Phase 3: Operationalizing the Context

Once the data is flowing, use these new fields to close the loop on risk prioritization and remediation:

Build Advanced Queries: Create new search queries using cloud tags or resource groups to filter your attack surface by business unit or environment.

Direct Remediation: Use fields such as Billing Provider or Cloud Tags to automatically identify which team owns a specific vulnerable asset.

Determine Asset Importance: Ensure that you are acting on high-importance assets by reviewing the cloud context of your ingested cloud resources.

Workflow Example Queries:

  1. Identify Ownership by Business Unit: Use cloud-specific tags to find all assets belonging to a specific project or department.
    Query: (cloud.aws.tags.key: "Department" and cloud.aws.tags.value: "Security") or (cloud.azure.tags.key: "Department" and cloud.azure.tags.value: "Security") or (cloud.gcp.tags.key: "Department" and cloud.gcp.tags.value: "Security")

Goal: Quickly list all assets owned by the "Security" team for targeted risk assessments across AWS, Azure, and GCP.

Censys Best Practice: Use Auto Tagging functionality to automatically tag assets with department or project tags for assignment of future associated assets.

  2. Locate Unmanaged AWS Assets: Find specific AWS resources by their Amazon Resource Name to verify they are being tracked in your internal CMDB.
    Query: cloud.aws.arn:*

Goal: Audit all AWS assets to ensure they have the correct ARN metadata for compliance.

Censys Best Practice: Leverage Saved Query Automation to alert your Slack channel about newly tagged assets that have not been reviewed.

  3. Prioritize Risks Based on Asset Type: Identify which assets need to be remediated first based on relevant cloud metadata. For example, Load Balancers in AWS:
    Query: cloud.aws.dns_name: *elb.amazonaws.com

Goal: Filter for your most important cloud assets so their risks are prioritized first for remediation.

Censys Best Practice: Use Saved Query Automation to email assets with Load Balancers in AWS for instant alerts on matched assets.

  4. Filter on Fields Across Any Level in the Cloud Hierarchy: Isolate assets based on any level in the cloud hierarchy in AWS, Azure, or GCP. This includes organization, management group, account, subscription, project, and resource-level metadata.
    Query: cloud.azure.subscription.name: "production-west" or cloud.gcp.project.name: "production-west"

Goal: Filter for assets in the "production-west" subscription and project across Azure and GCP, prioritizing remediation for production-critical infrastructure.

Censys Best Practice: Enable Saved Query Automation to push a Teams notification for production-critical infrastructure.

  5. Identify Ownership Based on Contact Email: Find all assets associated with a specific cloud contact.
    Query: cloud.aws.account.email: "[email protected]"

Goal: Use the account contact email to match remediation owners with discovered attack surface assets.

Censys Best Practice: Deploy auto tagging to assign asset tags to the findings for a deeper managed workspace.
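As an added illustration of workflows 1 and 5 (this is example code, not Censys's own), the block below builds the cross-provider "Department" query in the same syntax as the examples above (keeping each provider's tags.key paired with that provider's tags.value, which generalizes to any department name) and then routes constructed asset records to a remediation owner: Department tag first, then the account contact email, else "unassigned". The record layout (a `cloud.<provider>` block with `tags` as a list of key/value pairs and `account.email`) is an assumption modelled on the fields this guide lists, not a documented export format.

```python
from typing import Optional

PROVIDERS = ("aws", "azure", "gcp")

def department_query(department: str) -> str:
    """Build the cross-provider ownership query in the ASM syntax used above.
    Each clause pairs a provider's tags.key with the SAME provider's tags.value."""
    clauses = [
        f'(cloud.{p}.tags.key: "Department" and cloud.{p}.tags.value: "{department}")'
        for p in PROVIDERS
    ]
    return " or ".join(clauses)

def provider_of(asset: dict) -> Optional[str]:
    """Return the provider whose metadata block is present on the asset, if any."""
    for p in PROVIDERS:
        if asset.get("cloud", {}).get(p):
            return p
    return None

def owner_for(asset: dict) -> str:
    """Resolve a remediation owner: Department tag first, then the account
    contact email, else 'unassigned' so the asset is triaged rather than dropped."""
    p = provider_of(asset)
    if p is None:
        return "unassigned"
    block = asset["cloud"][p]
    for tag in block.get("tags", []):  # assumed layout: [{"key": ..., "value": ...}, ...]
        if tag.get("key") == "Department":
            return tag["value"]
    return block.get("account", {}).get("email") or "unassigned"

def route(assets: list) -> dict:
    """Group hosts by resolved owner (the 'Direct Remediation' step of Phase 3)."""
    routed: dict = {}
    for a in assets:
        routed.setdefault(owner_for(a), []).append(a["host"])
    return routed

# Constructed sample records shaped like the metadata fields the guide lists (not real assets).
ASSETS = [
    {"host": "203.0.113.10", "cloud": {"aws": {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc", "tags": [{"key": "Department", "value": "Security"}]}}},
    {"host": "203.0.113.20", "cloud": {"aws": {"dns_name": "prod-elb.amazonaws.com", "account": {"email": "platform@example.com"}}}},
    {"host": "203.0.113.30", "cloud": {"gcp": {"project": {"name": "production-west"}, "tags": [{"key": "Department", "value": "Security"}]}}},
    {"host": "203.0.113.40", "cloud": {}},
]
```

Assets that resolve to "unassigned" are the ones worth routing to a triage queue, since no tag or contact on the ingested metadata identifies an owner.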


What’s Next

Training: Review the Cloud Context Blog for real-world examples of queries you can use today.

Support: If metadata is not appearing as expected, refer to the ASM User Guide or reach out to your support team for more help.