Cloud Profiles

Managing Cloud Profiles

The Profiles page is the starting point for connecting EndState CloudSec to your cloud environments. A profile is a set of credentials that allows the application to securely communicate with your cloud provider's APIs to discover resources and deploy changes.

Adding a New Profile

  1. Navigate to the Profiles page from the main navigation.
  2. Click the Add Profile button. A dialog box will appear.
  3. Fill in the following details:
    • Profile Name -- A descriptive name (e.g., AWS Production Account, Azure Dev Subscription).
    • Provider -- Select the cloud provider (AWS, Azure, GCP, or OCI) from the dropdown.
    • Credentials -- Enter the required API credentials for the selected provider.

Provider-Specific Credentials

AWS

Required fields:

  • Access Key ID -- From an IAM user with sufficient permissions
  • Secret Access Key -- The corresponding secret key

Required IAM permissions (the Describe actions are used for discovery; the CreateSecurityGroup and AuthorizeSecurityGroup* actions are only needed to deploy changes):

  • ec2:DescribeSecurityGroups
  • ec2:DescribeInstances
  • ec2:DescribeSubnets
  • ec2:DescribeVpcs
  • ec2:DescribeRouteTables
  • ec2:CreateSecurityGroup
  • ec2:AuthorizeSecurityGroupIngress
  • ec2:AuthorizeSecurityGroupEgress

  4. Click Save Profile to finish adding the profile.
⚠️ Credentials are stored encrypted at rest with organization-level access controls; only members of your organization can access them. Always follow the principle of least privilege when creating service accounts. Note that an Access Key ID and Secret Access Key are long-lived static credentials for an IAM user, so attach a policy that grants exactly the actions listed above and nothing more, do not reuse the key for anything else, and rotate it (updating the profile's credentials afterwards).

Connecting and Syncing a Profile

After a profile is saved, it will appear in the table with a Pending status. Before the application can manage its resources, you must connect to it.

  1. Find the profile in the list.
  2. Click the More (...) icon at the end of the row to open the actions menu.
  3. Select Connect.

The application will then perform two key actions:

1. Credential Validation

The application uses the provided credentials to make a simple, read-only API call to verify they are correct and have the necessary permissions.

  • Success -- Status changes to Connected.
  • Failure -- Status changes to Error, with a notification detailing the failure.
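The permissions list above and the credential-validation step, as an added example (Python; this is not EndState CloudSec code and the product's own validation call is not documented here). It builds the least-privilege IAM policy for the listed actions, checks an arbitrary policy document against that list offline (flagging wildcards such as `ec2:*` and explicit denies), and, in a separate function that needs boto3 and real credentials, mirrors the connect step with one read-only STS call followed by an IAM policy simulation. `REQUIRED_ACTIONS`, `least_privilege_policy`, `check_policy` and `preflight` are names chosen here for illustration.

```python
"""Least-privilege helper for the AWS profile.

Added example, not part of EndState CloudSec. It uses only the IAM action
names listed on the page and the standard IAM policy document format.
All function names here are illustrative."""
import fnmatch
import json

# Actions listed under "Required IAM permissions" for an AWS profile.
REQUIRED_ACTIONS = [
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeInstances",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:DescribeRouteTables",
    "ec2:CreateSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:AuthorizeSecurityGroupEgress",
]


def least_privilege_policy() -> dict:
    """Policy granting exactly REQUIRED_ACTIONS and nothing else.

    ec2:Describe* calls do not support resource-level permissions, so their
    Resource must be "*". The write actions sit in their own statement so a
    narrower Resource or a Condition can be added to that statement later."""
    reads = [a for a in REQUIRED_ACTIONS if a.startswith("ec2:Describe")]
    writes = [a for a in REQUIRED_ACTIONS if a not in reads]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Discovery", "Effect": "Allow", "Action": reads, "Resource": "*"},
            {"Sid": "Deploy", "Effect": "Allow", "Action": writes, "Resource": "*"},
        ],
    }


def _as_list(value):
    """IAM accepts either a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy: dict) -> dict:
    """Compare an IAM policy document with REQUIRED_ACTIONS.

    Returns {"missing": [...], "extra": [...]}.
    missing: required actions not matched by any Allow, or matched by a Deny.
    extra:   Allow entries that are not exactly one of the required actions
             (wildcards such as "ec2:*", unrelated actions), plus any Allow
             statement written with NotAction, which grants everything except
             the listed actions. Deny statements with NotAction are not modelled."""
    allow, deny, extra = [], [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            extra.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        target = allow if stmt.get("Effect") == "Allow" else deny
        target.extend(_as_list(stmt.get("Action", [])))
    missing = [
        a for a in REQUIRED_ACTIONS
        if any(_matches(p, a) for p in deny)
        or not any(_matches(p, a) for p in allow)
    ]
    required = {a.lower() for a in REQUIRED_ACTIONS}
    extra += [p for p in allow if p.lower() not in required]
    return {"missing": missing, "extra": extra}


def preflight(required=REQUIRED_ACTIONS) -> dict:
    """Live check against AWS, mirroring the connect step: one read-only call
    proves the key works, then a policy simulation reports a decision per
    required action ("allowed", "implicitDeny" or "explicitDeny").
    Needs boto3 and AWS credentials in the environment; the offline helpers
    above do not depend on it. PolicySourceArn must be an IAM principal such
    as the IAM user the key belongs to, not an STS assumed-role ARN."""
    import boto3  # imported lazily so the offline helpers have no dependency

    arn = boto3.client("sts").get_caller_identity()["Arn"]
    results = boto3.client("iam").simulate_principal_policy(
        PolicySourceArn=arn, ActionNames=list(required)
    )["EvaluationResults"]
    return {r["EvalActionName"]: r["EvalDecision"] for r in results}


if __name__ == "__main__":
    print(json.dumps(least_privilege_policy(), indent=2))
```

Run the module to print the policy JSON to attach to the IAM user; feed an existing policy document to `check_policy` before pasting its key into a profile, and run `preflight` with that key in the environment to see the same allow/deny outcome the connect step will hit.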

2. Resource Discovery

Immediately after a successful connection, the application triggers an automatic discovery process. It scans your cloud account for network-related resources:

  • Virtual Private Clouds (VPCs) / Virtual Networks (VNets)
  • Subnets
  • Virtual Machines (VMs) / EC2 Instances
  • Database Private Endpoints

Discovered resources are added to the Unassigned Resources pool on the Zones page.

Re-syncing Resources

If you make changes to your cloud environment directly, you can re-sync:

  1. Click the ... menu for a Connected profile.
  2. Select Sync.

This re-runs the resource discovery process. Existing resource assignments are kept intact; newly discovered resources are added to the Unassigned Resources pool, and resources that no longer exist in the cloud account are removed.

Profile Statuses

  • Pending -- Profile saved but not yet connected.
  • Connecting... -- Connection attempt in progress.
  • Connected -- Successfully authenticated and synced.
  • Error -- Connection failed. Check credentials and permissions.

Editing and Deleting Profiles

Use the ... actions menu to manage existing profiles:

  • Edit -- Change the profile name or update credentials. Updating credentials resets the status to Pending, requiring re-connection.
  • Delete -- Permanently removes the profile and its credentials. This action cannot be undone.

All profile management actions are recorded in the Audit Logs, including creation, connection attempts (successful and failed), syncs, and deletions.