How to create an Amazon Web Services account for a user with minimal permissions
Technical Articles ID:
KB82936
Last Modified: 10/13/2021
Environment
McAfee Cloud Workload Security (CWS) 5.x for Amazon Web Services (AWS)
Summary
For CWS to communicate with the AWS cloud, you must register an AWS account with ePolicy Orchestrator (ePO). The AWS user whose access key you register must have at least read-only permissions for the Amazon Elastic Compute Cloud (EC2) web service.
NOTE: CWS offers three levels of permissions when you register an AWS account. You can configure your AWS account according to your requirement. To create an AWS user account with minimal permissions, follow the steps in this article.
Solution
To create an AWS user account:
- Create a user:
- Log on to your AWS Management Console.
- Load the Identity and Access Management (IAM) dashboard.
- Under the Users section, click Create User.
- Type a user name.
- Select the option Generate an access key for each user, and then click Create.
- Click Download Credentials, and then save the .csv file. The file contains both the Access Key ID and the Secret Access Key. AWS does not show the Secret Access Key again after this point, so store the file where only the ePO administrator can read it.
- Close the window.
- Create a Policy:
- In the navigation pane, click Policies, Create New Policy.
- Under the Create Policy section, click Create your own Policy.
- Type a name and description.
- Copy and paste one or more of the following policies, based on your requirements:
Ec2-ReadOnly policy (discovery/visibility) -
This set of rules allows a limited-privilege user only to discover EC2 assets and read security group (firewall) rules; it grants no write permission.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}
]
}
Remediation policy - This set of rules allows a user to remediate security groups. Because Resource is "*", the user can change security groups, instance attributes, and network interface attributes on any instance in the account, not only the ones CWS flags, so grant this tier only if you use CWS remediation.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateTags"
],
"Resource": [
"*"
]
}
]
}
Network Traffic Discovery policy - This set of rules allows a user to enable VPC Flow Logs at the VPC level, so that CWS can discover network traffic. It also includes logs:DeleteLogGroup and ec2:DeleteFlowLogs, which let the user remove the log groups and flow logs that CWS creates.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:CreateLogStream",
"logs:PutLogEvents",
"iam:GetUser",
"ec2:CreateFlowLogs",
"ec2:DeleteFlowLogs"
],
"Resource": [
"*"
]
}
]
}
Amazon GuardDuty policy - This policy allows CWS to discover Amazon GuardDuty findings (CWS 5.0.1 and later). Every action in it is read-only.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DiscoverGuardDuty",
"Effect": "Allow",
"Action": [
"guardduty:GetThreatIntelSet",
"guardduty:GetIPSet",
"guardduty:ListIPSets",
"guardduty:GetFindings",
"guardduty:ListThreatIntelSets",
"guardduty:GetMasterAccount",
"guardduty:ListFindings",
"guardduty:GetMembers",
"guardduty:GetFindingsStatistics",
"guardduty:GetDetector",
"guardduty:ListMembers",
"guardduty:ListDetectors",
"guardduty:GetInvitationsCount",
"guardduty:ListInvitations"
],
"Resource": "*"
}
]
}
Workload Shut down policy - This set of rules allows CWS to stop the selected workload as a remediation measure (CWS 5.0.1 and later). With Resource "*" the user can stop any instance in the account; ec2:StopInstances supports resource-level permissions, so you can restrict it to specific instance ARNs or a tag condition if you need tighter control.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:StopInstances",
"Resource": "*"
}
]
}
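The policy documents above are the article's own. The following Python module is an added example, not part of the McAfee article or product: it holds the same tiers as data, merges any subset of them into one policy document with de-duplicated actions (the GuardDuty tier as printed lists two actions twice), answers "does the resulting policy allow action X?" using IAM's wildcard matching, and lists which granted actions can change state. It assumes what is true of every tier on this page: Allow statements only, Resource "*", no Condition. Function and Sid names are this example's own.

```python
"""Least-privilege helper for the CWS IAM policy tiers (added example, not McAfee code)."""
import re

# Actions per tier, copied from the policy documents in the article.
TIERS = {
    "readonly": ["ec2:Describe*"],
    "remediation": [
        "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
        "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
        "ec2:CreateTags",
    ],
    "flowlogs": [
        "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DescribeLogGroups",
        "logs:DescribeLogStreams", "logs:FilterLogEvents", "logs:GetLogEvents",
        "logs:CreateLogStream", "logs:PutLogEvents", "iam:GetUser",
        "ec2:CreateFlowLogs", "ec2:DeleteFlowLogs",
    ],
    "guardduty": [  # duplicates kept deliberately, as in the article; build_policy removes them
        "guardduty:GetThreatIntelSet", "guardduty:GetIPSet", "guardduty:ListIPSets",
        "guardduty:GetFindings", "guardduty:ListThreatIntelSets",
        "guardduty:GetThreatIntelSet", "guardduty:GetMasterAccount",
        "guardduty:GetIPSet", "guardduty:ListFindings", "guardduty:GetMembers",
        "guardduty:GetFindingsStatistics", "guardduty:GetDetector",
        "guardduty:ListMembers", "guardduty:ListDetectors",
        "guardduty:GetInvitationsCount", "guardduty:ListInvitations",
    ],
    "shutdown": ["ec2:StopInstances"],
}

# Verbs that only read state; anything else is treated as a mutating action.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Filter")


def build_policy(tiers):
    """Return one policy document containing the selected tiers.

    One Allow statement per tier, Sid set from the tier name (this example's
    own naming) so the console shows where each action came from.  An unknown
    tier name raises KeyError rather than silently granting nothing.
    """
    statements = []
    for name in tiers:
        statements.append({
            "Sid": "Cws" + name.capitalize(),
            "Effect": "Allow",
            "Action": sorted(set(TIERS[name])),  # de-duplicate, stable order
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allows(policy, action):
    """True if some Allow statement in `policy` matches `action`.

    Assumes no Deny statements, Resource "*" and no Condition, which holds for
    every tier on this page; a full evaluator would need all three.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(_matches(p, action) for p in patterns):
            return True
    return False


def mutating_actions(policy):
    """Granted actions whose verb is not Describe/Get/List/Filter.

    A quick least-privilege audit: these are the actions a reviewer should be
    able to justify for the chosen tier.
    """
    found = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for act in actions:
            verb = act.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERBS):
                found.add(act)
    return sorted(found)


if __name__ == "__main__":
    import json
    doc = build_policy(["readonly", "shutdown"])
    print(json.dumps(doc, indent=2))
    print("can StopInstances:", allows(doc, "ec2:StopInstances"))
    print("mutating actions:", mutating_actions(doc))
```

Running the module prints the merged discovery-plus-shutdown document, which you can paste into the Create Policy window in place of two separate policies; `mutating_actions` on the flowlogs tier is a quick way to see that it carries delete rights, as noted above.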
- Create an IAM role for flow logs in your AWS account:
NOTE: To access the flow logs on your virtual networks, you must create an IAM role with flow log policies. You can then view the traffic flow logs of your virtual networks in CWS.
- Log on to your AWS Management Console.
- To load the IAM dashboard, select IAM.
- In the navigation pane, click Roles, Create New Role.
- Type the name McafeeFlowLogger for your role, and then click Next Step.
NOTE: The name of the role must be McafeeFlowLogger, and it is case sensitive.
- On the Select Role Type page, next to Amazon EC2, click Select.
- On the Attach Policy page, do not select a managed policy (the inline policy is added in the next steps); click Next Step.
- On the Review page, make a note of the ARN for your role, and then click Create Role.
- Open the role that you created. Under Permissions, expand the Inline Policies section, and then click Click Here.
- Select Custom Policy, and then click Select.
- Copy this policy and paste it in the Policy Document window. Type a name for your policy in the Policy Name field, and then click Apply Policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
- Edit the trust relationship so that the VPC Flow Logs service can assume this role and deliver flow logs for the AWS account:
- Select the option Edit Trust Relationship.
- Delete any existing policy document.
- Copy and paste this policy, and click Update Trust Policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- Assign the policy to the user and create an access key:
- Under the Users section, select the user.
- On the Summary page, click Add Permissions, and then select Attach existing policies directly.
- Select the policy that you created, and then attach it.
- Go back to the Summary page and click the Security Credentials tab.
- Click Create access key. The Secret Access Key is generated together with the Access Key and is shown only at this point. Use the Access Key and the Secret Access Key when you register your cloud account with CWS in ePO.
NOTE: For more information about AWS policies, permissions, roles, and cross account access, see the relevant Cloud Workload Security Installation Guide.
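The console steps above can also be done from the AWS CLI. The following script is an added example, not McAfee code: it emits (and, when asked, runs) the `aws iam` calls for the user, the customer-managed policy, the McafeeFlowLogger role with its inline policy and trust relationship, and finally the access key. It assumes AWS CLI v2 on PATH, authenticated as an administrator of the target account. The user, policy and inline policy names are placeholders chosen here; only the role name McafeeFlowLogger is required by CWS. The aws:SourceAccount condition is this example's own hardening of the trust policy shown above, which as printed lets the VPC Flow Logs service assume the role on behalf of any AWS account.

```python
"""Provision the CWS user, policy and McafeeFlowLogger role from the CLI (added example, not McAfee code)."""
import json
import shlex
import subprocess

ROLE_NAME = "McafeeFlowLogger"  # required by CWS, case sensitive

# Inline policy for the role, copied from the article.
FLOW_LOG_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:PutLogEvents", "logs:DescribeLogGroups",
                   "logs:DescribeLogStreams"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# The article's Ec2-ReadOnly tier, used here as the sample user policy.
EC2_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}


def flow_log_trust_policy(account_id, restrict_to_account=True):
    """Trust policy from the article, optionally pinned to one account.

    Without the Condition, a flow log created in any AWS account could name
    this role as its delivery role (a confused-deputy risk).  aws:SourceAccount
    limits the role to flow logs created in `account_id`.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": "vpc-flow-logs.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }
    if restrict_to_account:
        statement["Condition"] = {"StringEquals": {"aws:SourceAccount": account_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def provisioning_commands(user_name, policy_name, user_policy, account_id):
    """Return the AWS CLI invocations for the whole procedure, as argv lists.

    Order matters: the access key is created last so it never exists before
    its permissions do.  attach-user-policy needs the policy ARN, not its
    name, so the ARN is derived from the account id.
    """
    def doc(d):
        return json.dumps(d, separators=(",", ":"))

    policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
    return [
        ["aws", "iam", "create-user", "--user-name", user_name],
        ["aws", "iam", "create-policy", "--policy-name", policy_name,
         "--policy-document", doc(user_policy)],
        ["aws", "iam", "attach-user-policy", "--user-name", user_name,
         "--policy-arn", policy_arn],
        ["aws", "iam", "create-role", "--role-name", ROLE_NAME,
         "--assume-role-policy-document", doc(flow_log_trust_policy(account_id))],
        ["aws", "iam", "put-role-policy", "--role-name", ROLE_NAME,
         "--policy-name", "McafeeFlowLoggerPolicy",
         "--policy-document", doc(FLOW_LOG_ROLE_POLICY)],
        # The output of this call contains the SecretAccessKey exactly once;
        # capture it straight into a secrets store, not a shell history file.
        ["aws", "iam", "create-access-key", "--user-name", user_name],
    ]


def run(commands, dry_run=True):
    """Print each command shell-quoted; execute it only when dry_run is False.

    check=True stops at the first failing call so a half-provisioned user is
    visible immediately instead of ending with a key that has no permissions.
    """
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Placeholder account id; replace with `aws sts get-caller-identity` output.
    run(provisioning_commands("cws-readonly", "CwsEc2ReadOnly",
                              EC2_READONLY_POLICY, "123456789012"))
```

Run it once with the default dry run to review the six commands, then call `run(..., dry_run=False)` to apply them; pass `restrict_to_account=False` to `flow_log_trust_policy` if you need the trust policy exactly as the article prints it.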