In a previous post I explained how to create basic AWS Credentials with IAM.
In this post, I explain how to create advanced AWS credentials with IAM. As an example, I use our solution Elastic Detector for Continuous Monitoring, which requires an advanced IAM user to enable its AWS connector.
Understanding IAM Policy for Elastic Detector
Elastic Detector uses AWS API to interact with your AWS infrastructure on AWS EC2 and VPC.
In order to do so, the different functionalities of Elastic Detector require different permissions.
AWS Auto-Discovery: In order to be able to list your assets on AWS EC2 and VPC, the following permissions are required on EC2 service:
- DescribeInstances, DescribeInstanceStatus, DescribeInstanceAttribute
- DescribeRouteTables, DescribeNetworkAcls, DescribeSubnets
AWS Continuous Auto-Check: In order to be able to automatically configure checks on your assets and monitor them, the following permissions are required on AWS CloudWatch service:
AWS Clone&Scan: In order to be able to clone and seclude any instance you want to scan on AWS EC2 and VPC, the following permissions are required on the EC2 service:
- CreateSecurityGroup, AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress
- CreateImage, DescribeImages, DeregisterImage, DeleteSnapshot
- RunInstances, StartInstances, StopInstances, TerminateInstances, GetPasswordData
- DescribeKeyPairs, ImportKeyPair, DeleteKeyPair
Elastic Detector requires an AWS user/credentials to connect to your AWS infrastructure, automatically discover your assets and perform vulnerability assessment on clones. This can be configured via AWS IAM.
If you want to know more about Elastic Detector, the “Security Assessment solution” for AWS, please follow this link.
This document describes how to create an IAM user, an IAM group and an IAM policy (that contains all required actions) according to current AWS best practices for IAM usage.
In this case the following best practices apply:
- Create Individual IAM Users
- Use groups to assign permissions to IAM users
- Grant least privilege
Create an IAM Group
Login to AWS console and enter IAM Service.
Click on Groups on the left of the AWS console and then click on the “Create New Group” button. This will open a page where you can create a new IAM group.
Click on “Next Step” button until you reach “Create Group” button.
Create an IAM User
Click on Users on the left of the AWS console and then click on the “Create New Users” button. This will open a page where you can create a new IAM user.
After clicking on the “Create” button, be sure to save the user security credentials by clicking on the “Download Credentials” button or on “Show User Security Credentials”.
Then select your newly created user and add it to the group you created during previous step.
Create an IAM Policy for Elastic Detector
Click on Policies on the left of the AWS console and then click on the “Create Policy” button. This will open a page where you can create a new IAM policy.
Click on the select button for “Create Your Own Policy”. This will open an IAM policy editor where you have to paste your policy.
The policy for Elastic Detector is explained later in this document and can be found in the annex.
Then click on the “Validate Policy” button and fix the “Policy Name” and “Description” fields if your policy is reported as invalid. Once the policy is valid, click on the “Create Policy” button.
Then select the newly created policy, and attach it to the IAM group previously created.
You now have a user that is in a group with a specific policy.
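An added example, not the post's annex policy nor Elastic Detector's own code: a Python script that builds the least-privilege policy document from the EC2 actions listed in the permissions section above, one statement per feature, and flags wildcards or actions beyond that list so you can compare it with an over-broad ec2:* policy before attaching anything to the group. It assumes Resource "*" (the post does not state resource scoping) and omits the CloudWatch actions, which the post does not list.

```python
import json

# Actions listed in the post, grouped per Elastic Detector feature.  The
# CloudWatch list is absent from the post, so it is not included here.
REQUIRED_ACTIONS = {
    "AutoDiscovery": [
        "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute", "ec2:DescribeRouteTables",
        "ec2:DescribeNetworkAcls", "ec2:DescribeSubnets",
    ],
    "CloneAndScan": [
        "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateImage",
        "ec2:DescribeImages", "ec2:DeregisterImage", "ec2:DeleteSnapshot",
        "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
        "ec2:TerminateInstances", "ec2:GetPasswordData",
        "ec2:DescribeKeyPairs", "ec2:ImportKeyPair", "ec2:DeleteKeyPair",
    ],
}

def build_policy(actions_by_feature):
    """One Allow statement per feature so each can be reviewed or removed on its own.
    Resource "*" is an assumption: the post does not state any resource scoping."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": sorted(acts), "Resource": "*"}
            for sid, acts in actions_by_feature.items()
        ],
    }

def excess_grants(policy, required):
    """Return Allow actions outside `required`; any wildcard counts as excess."""
    wanted = {a for acts in required.values() for a in acts}
    excess = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        excess.update(a for a in actions if "*" in a or a not in wanted)
    return sorted(excess)

if __name__ == "__main__":
    print(json.dumps(build_policy(REQUIRED_ACTIONS), indent=2))
    # Constructed over-broad policy for comparison: ec2:* grants far more than listed.
    BROAD = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
    print("excess:", excess_grants(BROAD, REQUIRED_ACTIONS))  # ['ec2:*']
```

The printed JSON is what you paste into the “Create Your Own Policy” editor; the excess check is a local pre-check, not a replacement for the Policy Simulator step below.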
Checking Policy using AWS Policy Simulator
Enter the IAM Policy Simulator, select your user in the left pane, then select an AWS service and all its available actions.
Then click on the “Run Simulation” button in the top right corner.
You will then be able to view the AWS permissions for the user.
Hope this helps.