Axiom Security

By default Axiom lists all EC2 in AWS accounts you have integrated into Axiom. <a href="https://support.axiom.security/en/articles/9615149-ec2-remote-connect">Learn more about Axiom's EC2 Remote Connect</a>

If you don't want EC2s to appear as selectable Targets at all (in the request form, scopes, and workflows), follow the steps below: 

Check if any of your users already created requests where the Target is an EC2 instance. If any of your users have already created such requests, then do not proceed, and instead <a href="https://axiomsecurity.atlassian.net/servicedesk/customer/portal/3/group/15/create/35" rel="nofollow noopener noreferrer" target="_blank">contact Axiom technnical support</a>. ​

Prevent Axiom from identifying EC2s as addressable Targets, by updating the AWS IAM policy which is attached to the IAM role used for the Axiom integration. ​

1. Go to your AWS IAM console and locate the IAM policy named “AxiomAWSIntegrationPolicy” attached to the IAM role “AxiomIntegrationRole” (these are the default names, but they may be different if you manually changed them when you were setting up your AWS integration). ​
2. Remove the following from AxiomAWSIntegrationPolicy:
 - <code>ec2:Describe*</code>
 - <code>logs:GetL*</code>
 - <code>ssm:DescribeI*</code>
 - <code>ssm:DescribeS*</code>

<a href="https://support.axiom.security/en/articles/9378537-triggering-a-manual-scan-for-an-integration-integrated-system">Run a manual scan</a> for the affected AWS account/s, so that Axiom can re-map your AWS environment, without including EC2s.

1. Check if any of your users already created requests where the Target is an EC2 instance. If any of your users have already created such requests, then do not proceed, and instead <a href="https://axiomsecurity.atlassian.net/servicedesk/customer/portal/3/group/15/create/35" rel="nofollow noopener noreferrer" target="_blank">contact Axiom technnical support</a>. ​
2. Prevent Axiom from identifying EC2s as addressable Targets, by updating the AWS IAM policy which is attached to the IAM role used for the Axiom integration. ​ 
 1. Go to your AWS IAM console and locate the IAM policy named “AxiomAWSIntegrationPolicy” attached to the IAM role “AxiomIntegrationRole” (these are the default names, but they may be different if you manually changed them when you were setting up your AWS integration). ​
 2. Remove the following from AxiomAWSIntegrationPolicy:
 - <code>ec2:Describe*</code>
 - <code>logs:GetL*</code>
 - <code>ssm:DescribeI*</code>
 - <code>ssm:DescribeS*</code> 
3. <a href="https://support.axiom.security/en/articles/9378537-triggering-a-manual-scan-for-an-integration-integrated-system">Run a manual scan</a> for the affected AWS account/s, so that Axiom can re-map your AWS environment, without including EC2s.

How can I prevent AWS EC2s from being included in Targets lists?