Announcing the CloudSploit API

CloudSploit · Oct 10, 2016

Since our launch, the CloudSploit team has been working hard to make security easily accessible to all users of AWS infrastructure. To date, we have detected millions of potential security risks in our customers’ accounts, while continuing to provide a freely available scanning service. While the CloudSploit platform contains many great features, a number of our customers have expressed an interest in integrating CloudSploit into their existing workflows, including continuous deployment pipelines, security tools, monitoring services, and more. Today, we are happy to announce the release of the CloudSploit API to address these requests.

Background

The CloudSploit API extends the CloudSploit security scanning service to any other service or device with the ability to make JSON API calls. Using the API, you can query for a list of past scan reports, as well as trigger new scans in real time. CloudSploit scans are no longer constrained to the web console; the full set of results is exposed, including the suggested remediation actions, affected resources, and help links.

Accessing the API

There are two ways of using the CloudSploit API: as a Premium Plan subscriber or as an API Plan subscriber. The former access type allows you to scan any existing AWS account that has been connected and upgraded within CloudSploit. Traditionally, these accounts have been scanned periodically in the background by CloudSploit, with the results saved in the dashboard. The new API feature now extends the scanning options to include the ability to scan these accounts in real time.

The API Plan option enables you to scan any AWS account by passing an AWS role ARN and external ID (or access key and secret) to the API and receiving the results in real time. Unlike the Premium Plan, these accounts do not have to be previously connected to CloudSploit. However, the API Plan does not provide access to many of the tools and features available within the CloudSploit dashboard.

We have designed the API Plan primarily for security consulting firms that provide security services to many customers. The ability to scan any AWS account (given the correct credentials) makes it endlessly extensible.

Getting Started

Using the API is quite straightforward. You’ll need a CloudSploit API key and secret to sign your requests, which you can obtain from the “API Keys” page within the CloudSploit dashboard. Be careful not to expose your secret, as it can be used to read potentially sensitive information from your CloudSploit account (as well as initiate scans against your AWS account and view the results).

The full set of documentation is available on our support dashboard. If you have trouble, don’t hesitate to file a ticket.
