AWS Service Account Requirements

CloudControl uses a service account in the form of an IAM user to integrate with AWS. This service account is used to discover and collect information about the AWS users that operate in the environment protected by CloudControl.

To create an AWS service account:

  1. Create a customer-managed policy.
  2. Include the following text to add the permissions.

    Important: All values must be exactly as shown.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:GetPolicyVersion",
                    "ec2:DescribeInstances",
                    "ec2:DescribeHostReservationOfferings",
                    "iam:ListAttachedRolePolicies",
                    "ec2:DescribeNetworkInterfacePermissions",
                    "ec2:DescribeReservedInstances",
                    "iam:ListRolePolicies",
                    "s3:GetIpConfiguration",
                    "ec2:DescribeReservedInstancesListings",
                    "iam:ListPolicies",
                    "iam:GetRole",
                    "iam:GetPolicy",
                    "ec2:DescribeVpcClassicLinkDnsSupport",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeReservedInstancesOfferings",
                    "iam:ListEntitiesForPolicy",
                    "ecr:GetAuthorizationToken",
                    "ec2:DescribeVpcEndpointServiceConfigurations",
                    "cloudtrail:DescribeTrails",
                    "ec2:DescribeVpcClassicLink",
                    "ec2:DescribeVpcEndpointServicePermissions",
                    "iam:GetUserPolicy",
                    "iam:ListGroupsForUser",
                    "iam:GetGroupPolicy",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeReservedInstancesModifications",
                    "ec2:DescribeSubnets",
                    "iam:GetRolePolicy",
                    "ec2:DescribeVpnGateways",
                    "iam:GetAccountSummary",
                    "ec2:DescribeMovingAddresses",
                    "s3:ListBucketByTags",
                    "s3:GetBucketTagging",
                    "ec2:DescribeAddresses",
                    "s3:GetBucketLogging",
                    "ec2:DescribeRegions",
                    "iam:ListPoliciesGrantingServiceAccess",
                    "ec2:DescribeVpcEndpointServices",
                    "iam:GetGroup",
                    "s3:GetBucketPolicy",
                    "ec2:DescribeVpcAttribute",
                    "s3:GetEncryptionConfiguration",
                    "ec2:DescribeNetworkInterfaces",
                    "iam:ListAttachedUserPolicies",
                    "iam:ListAttachedGroupPolicies",
                    "ec2:DescribeVpcEndpointConnections",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeHostReservations",
                    "iam:ListGroupPolicies",
                    "iam:ListRoles",
                    "iam:ListUserPolicies",
                    "ec2:DescribeVpcEndpointConnectionNotifications",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeHosts",
                    "ec2:DescribeImages",
                    "iam:ListPolicyVersions",
                    "s3:ListAllMyBuckets",
                    "ec2:DescribeSecurityGroupReferences",
                    "ec2:DescribeVpcs",
                    "iam:ListAccountAliases",
                    "ecr:*",
                    "iam:ListUsers",
                    "iam:ListGroups",
                    "iam:GetUser",
                    "s3:GetBucketLocation",
                    "ec2:DescribeStaleSecurityGroups"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "cloudtrail:GetTrailStatus",
                "Resource": "arn:aws:cloudtrail:*:*:trail/*"
            }
        ]
    }