Background

When CloudSploit first introduced API key access to its APIs, all API keys were created as account administrators. This meant that the keys could be used to perform nearly any action that a logged-in administrator could perform including creating new users, deleting users, accessing scan reports, etc.


In June, 2018, CloudSploit added the ability to customize the exact API endpoints, and methods on those endpoints, that each key can access. To customize each key's role, follow these steps:


Configuring API Key Permissions

1. Log into the CloudSploit console and navigate to the "API Keys" page.

2. If you have not already created an API key, create a new one from the dashboard. Be sure to save the secret key, as it will not be accessible again.

3. Next to the key, select "Edit" under the "Permissions" column.

4. By default, all keys have "All Permissions" which effectively makes them an admin of the account. You can leave this box checked if this is the desired behavior.

5. If you prefer to customize the key's permissions, uncheck the "All Permissions" box and instead select one or more of the permissions from the window.

6. When you are finished, click "Save."


Permissions System

Each of the permissions has a short description describing what access it allows. In general, most endpoints have both a "read" and a "readwrite" option. The former allows view-only access to the resource, while the latter will allow the key to view, modify, create, and delete (when applicable) resources via the endpoint.


Not all endpoints have all permission methods available. For example, the "categories" endpoint only has a "read" permission, since CloudSploit categories are a global concept and cannot be modified by any user.


Keep in mind that API key roles only allow or disallow access to the resource endpoints themselves. Every resource behind an allowed endpoint is accessible, regardless of which user, group, etc. it belongs to. For example, allowing "users:read" lets the API key view all users, regardless of which groups those users are in.
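As an added illustration (not CloudSploit's own code), the following JavaScript models the permission semantics described above: a key's "<endpoint>:<level>" entries gate whole endpoints, "readwrite" implies "read", "categories" offers no write level, and the resource id in the path plays no part in the decision. The "scans" endpoint name and the mapping of HTTP methods to levels are assumptions made for this example.

```javascript
// Which levels each endpoint offers. "users" and "categories" come from the page;
// "scans" is an assumed endpoint name used only for illustration.
const ENDPOINT_LEVELS = {
  users: ['read', 'readwrite'],
  scans: ['read', 'readwrite'],
  categories: ['read'], // global concept: no write level exists for anyone
};

// Assumed mapping: safe HTTP methods need "read", everything else "readwrite".
const READ_METHODS = new Set(['GET', 'HEAD']);

// Parse "users:readwrite" into { endpoint, level }; reject combinations that
// the endpoint does not offer (e.g. "categories:readwrite").
function parsePermission(perm) {
  const [endpoint, level] = perm.split(':');
  const levels = ENDPOINT_LEVELS[endpoint];
  if (!levels || !levels.includes(level)) {
    throw new Error(`unknown permission: ${perm}`);
  }
  return { endpoint, level };
}

// Decide whether `key` may send `method` to `path`.
// key = { name, allPermissions: boolean, permissions: ['users:read', ...] }
function isAllowed(key, method, path) {
  // Only the first path segment matters: "/users/42" is evaluated as "users".
  // The resource id is deliberately ignored, which is the page's point.
  const endpoint = path.split('/').filter(Boolean)[0];
  const needed = READ_METHODS.has(method.toUpperCase()) ? 'read' : 'readwrite';
  const offered = ENDPOINT_LEVELS[endpoint] || [];
  if (!offered.includes(needed)) return false; // nobody can write categories
  if (key.allPermissions) return true;         // "All Permissions" = account admin
  return key.permissions.map(parsePermission).some(
    (p) => p.endpoint === endpoint && (p.level === needed || p.level === 'readwrite')
  );
}

// Least-privilege audit helper: names of keys still running as account admins.
function adminKeys(keys) {
  return keys.filter((k) => k.allPermissions).map((k) => k.name);
}
```

A "users:read" key here can read any user in the account but cannot modify one, while a key with "All Permissions" is reported by `adminKeys` as a candidate for tightening.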


Security Note

It is strongly recommended that you restrict each API key to only the permissions it needs, following the principle of least privilege.