Amazon Web Services — Extraction Guide

Data Extraction Guide
for Amazon Web Services

Step-by-step instructions for your IT or Cloud team to extract AWS security configuration data as CSV files for the V/ergent cloud security assessment. Uses the AWS CLI — no live API access granted to V/ergent. Includes Release 5 programme packs: 50 cross-system SoD rules across all 10 platforms.

At a glance: 13 data files, 7 domains, 56+ checks (plus R5 rules), estimated time ~20 min.
Quick start

Recommended extraction path

Use the V/ergent extractor first. It writes CSVs to a timestamped folder under C:\Vergent\Export, then you upload that folder into the audit project.

1. Confirm access: use the read-only role/API scopes listed below.
2. Download with code: paid/active users receive an email code before download.
3. Run locally: PowerShell writes CSV output; V/ergent does not receive credentials.
4. Upload and audit: upload the CSVs, confirm the file match, then run the audit.
Manual path if automated extraction is blocked

Use the required-file list below as the manual checklist. Keep filenames unchanged, leave unavailable files empty with only headers, and record any missing source in the upload notes before running the audit.

0 Before You Begin
Automated extraction recommended. V/ergent provides Extract-VergentAWS.ps1 which uses the AWS CLI to extract all 13 files automatically. Requires PowerShell 5.1+ and AWS CLI v2 installed on Windows.
Read-only — no changes to your AWS account. All operations use read-only API calls (Describe*, List*, Get*). V/ergent never modifies any AWS resource. The IAM policy below grants exactly the permissions needed — nothing more.
Requirement | Details | Notes
AWS CLI v2 | Installed and configured with aws configure | Download: aws.amazon.com/cli
IAM User / Role | Attach the V/ergent_ReadOnly policy (see Section 3) | Or use the SecurityAudit AWS managed policy as an alternative
PowerShell | PowerShell 5.1+ (built into Windows 10/11) | Required for Extract-VergentAWS.ps1
AWS Region | Primary region where workloads run | IAM and S3 exports are global regardless of region
Permissions | See the IAM policy in Section 3 | Minimum: ReadOnlyAccess + iam:GenerateCredentialReport
1 Required Files (13 total)

All files are CSV format. The PowerShell script produces these exact filenames.

Identity & Access
iam_credential_report.csv (Identity)

IAM Credential Report

All IAM users: MFA status, access key age, password last used, root account key status. Generated by AWS.

iam_users.csv (Identity)

IAM Users & Groups

All IAM users with their group memberships and directly attached policies.

iam_policies.csv (Identity)

IAM Policies (Customer-Managed)

Customer-created IAM policies with policy document summaries for wildcard action/resource analysis.

iam_roles.csv (Identity)

IAM Roles & Trust Policies

All IAM roles with trust policy principals and attached policies for cross-account/wildcard trust analysis.

Data Security
s3_buckets.csv (Data Sec)

S3 Bucket Inventory

All S3 buckets: public access block settings, versioning, encryption, logging, and MFA delete status.

Network Security
security_groups.csv (Network)

EC2 Security Groups

All security group inbound rules: port ranges, protocols, and CIDR ranges. Identifies open SSH/RDP.

vpc_config.csv (Network)

VPC & Flow Logs Config

All VPCs with flow log status, internet gateway attachment, and default VPC identification.

ec2_instances.csv (Network)

EC2 Instances

Running EC2 instances: public IPs, IAM role attachment, security groups, EBS volume encryption status.

Audit & Logging
cloudtrail_trails.csv (Audit)

CloudTrail Trails

All CloudTrail trails: multi-region status, global service events, log validation, CloudWatch integration.

config_rules.csv (Audit)

AWS Config Compliance Rules

AWS Config rule compliance status — identifies non-compliant resources against CIS/security benchmarks.

Encryption & Compliance
kms_keys.csv (Encryption)

KMS Keys & Rotation

Customer-managed KMS keys: key state, automatic rotation status, and alias names.

rds_instances.csv (Encryption)

RDS Instances

All RDS instances: encryption at rest, public accessibility, backup retention, deletion protection.

account_settings.csv (Compliance)

Account Password Policy & Root Config

IAM password policy settings and root account MFA/access key status.
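As an added illustration of the manual path, the snippet below builds one of the files above, security_groups.csv, from a single read-only AWS CLI call: it flattens each inbound rule to one row, flags rules open to the world on SSH (22) or RDP (3389), and falls back to a headers-only file when the call is blocked or fails. This is example code, not V/ergent's Extract-VergentAWS.ps1; the export folder layout, column names and flag logic are assumptions, not the product's actual schema.

```powershell
# Added example, not V/ergent's script: one row per inbound security-group rule,
# taken from the read-only DescribeSecurityGroups call. Column names are assumptions.
$ErrorActionPreference = 'Stop'
$exportDir = Join-Path 'C:\Vergent\Export' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
$outFile = Join-Path $exportDir 'security_groups.csv'   # filename must stay unchanged

# Assumed columns; the header is written even when no rules exist so the file is never missing.
$columns = 'GroupId','GroupName','VpcId','Protocol','FromPort','ToPort','Cidr','OpenToWorld','OpenSshRdp'
$rows = @()
try {
    $json = aws ec2 describe-security-groups --output json
    $sgs  = ($json -join "`n") | ConvertFrom-Json
    foreach ($sg in $sgs.SecurityGroups) {
        foreach ($perm in $sg.IpPermissions) {
            # IpProtocol '-1' means every protocol on every port
            $allProto = ($perm.IpProtocol -eq '-1')
            $proto = if ($allProto) { 'all' } else { $perm.IpProtocol }
            $from  = if ($allProto) { 0 }     else { [int]$perm.FromPort }
            $to    = if ($allProto) { 65535 } else { [int]$perm.ToPort }
            # Only CIDR sources are flattened; group-to-group and prefix-list sources are omitted here
            $cidrs = @($perm.IpRanges | ForEach-Object { $_.CidrIp }) +
                     @($perm.Ipv6Ranges | ForEach-Object { $_.CidrIpv6 })
            foreach ($cidr in $cidrs) {
                $world  = $cidr -in @('0.0.0.0/0', '::/0')
                $sshRdp = $world -and ($proto -in @('all', 'tcp')) -and
                          ((22 -ge $from -and 22 -le $to) -or (3389 -ge $from -and 3389 -le $to))
                $rows += [pscustomobject]@{
                    GroupId = $sg.GroupId; GroupName = $sg.GroupName; VpcId = $sg.VpcId
                    Protocol = $proto; FromPort = $from; ToPort = $to; Cidr = $cidr
                    OpenToWorld = $world; OpenSshRdp = $sshRdp
                }
            }
        }
    }
} catch {
    # Blocked or failing call: keep the headers-only file and record the gap in the upload notes
    Write-Warning "describe-security-groups failed: $($_.Exception.Message)"
}
if ($rows.Count -gt 0) {
    $rows | Select-Object $columns | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
} else {
    ($columns -join ',') | Set-Content -Path $outFile -Encoding UTF8
}
Write-Host "Wrote $($rows.Count) rule rows to $outFile"
```

The same pattern (one read-only call, flatten to rows, headers-only on failure) applies to the other twelve files; only the call and the columns change.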

Detailed extraction steps require sign-in
The full extraction guide — including SQL queries, transaction codes, PowerShell scripts, and the complete file/table reference — is available to V/ergent customers. The overview above tells you what's involved; sign in to access the operational detail.
What V/ergent ships for AWS (Release 5)

Native coverage: 15 IAM cross-account / privilege-escalation patterns (AWS-CSOD-001..015).

Plus the three Release 5 programme packs that run alongside this platform's audit:

Every finding carries citations across 13 frameworks (COSO 2013, COBIT 2019, NIST CSF 2.0, ISO 27001:2022, CIS v8, SOX ITGC, SOC 2 TSC, PCI DSS v4, HIPAA, DORA, NIS2, GDPR, Kenya DPA) — 11 of 13 at ≥75% mapped coverage. See the Check Packs page for per-pack framework coverage badges.