AWS Service Account Requirements

CloudControl uses a service account in the form of an IAM user to integrate with AWS. This service account is used to discover and collect information about the AWS Account protected by CloudControl. Note that the policy below is not read-only: it also grants a number of write and delete actions, so treat this IAM user as a privileged identity and restrict its use to CloudControl only.

Note: Each IAM user can only be associated with one AWS Account. If you plan to protect multiple AWS Accounts, you will need an AWS service account for each one.

To create an AWS service account, you must do the following: 

  1. Create a new IAM user using the name that you want for your service account, for example, htcc-service-user.

    The IAM user must have programmatic access (an access key) only. Do not enable AWS Management Console access for this user, and do not add any permissions at this time.

    Important: Once created, the Access Key ID and the Secret Access Key are displayed. You must note them now, as the secret key is not displayed anywhere else in AWS. These two keys are required when you add an AWS account to CloudControl. Store them in a secrets manager or other protected location; do not commit them to source control or send them over unencrypted channels. If the secret key is ever exposed, deactivate the key in IAM immediately and create a new one.

  2. Create a customer-managed policy, and paste the following text under the JSON tab to add the permissions.

    Important: All values must be exactly as shown. Review this policy before you apply it: it uses "Resource": "*" and includes write and delete actions (for example ec2:DeleteVpc, ec2:DeleteSecurityGroup, logs:DeleteLogGroup, cloudtrail:UpdateTrail and iam:UpdateAccountPasswordPolicy), so confirm it is acceptable under your organization's change-control requirements and monitor the service user's activity in CloudTrail.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "config:DescribeConfigurationRecorders",
                    "config:DescribeConfigurationRecorderStatus",
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:GetEventSelectors",
                    "cloudtrail:GetTrailStatus",
                    "cloudtrail:StartLogging",
                    "cloudtrail:UpdateTrail",
                    "cloudwatch:DescribeAlarmsForMetric",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateFlowLogs",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateVpc",
                    "ec2:DeleteFlowLogs",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DeleteVpc",
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeHostReservationOfferings",
                    "ec2:DescribeHostReservations",
                    "ec2:DescribeHosts",
                    "ec2:DescribeImages",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeMovingAddresses",
                    "ec2:DescribeNetworkInterfacePermissions",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeRegions",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeReservedInstancesListings",
                    "ec2:DescribeReservedInstancesModifications",
                    "ec2:DescribeReservedInstancesOfferings",
                    "ec2:DescribeSecurityGroupReferences",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeStaleSecurityGroups",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcAttribute",
                    "ec2:DescribeVpcClassicLink",
                    "ec2:DescribeVpcClassicLinkDnsSupport",
                    "ec2:DescribeVpcEndpointConnectionNotifications",
                    "ec2:DescribeVpcEndpointConnections",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpcEndpointServices",
                    "ec2:DescribeVpcEndpointServiceConfigurations",
                    "ec2:DescribeVpcEndpointServicePermissions",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpnGateways",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:DescribeImages",
                    "ecr:DescribeRepositories",
                    "ecr:GetAuthorizationToken",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:ListImages",
                    "iam:ChangePassword",
                    "iam:CreateRole",
                    "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice",
                    "iam:GenerateCredentialReport",
                    "iam:GetAccountPasswordPolicy",
                    "iam:GetAccountSummary",
                    "iam:GetCredentialReport",
                    "iam:GetGroup",
                    "iam:GetGroupPolicy",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:GetUser",
                    "iam:GetUserPolicy",
                    "iam:ListAccountAliases",
                    "iam:ListAttachedGroupPolicies",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListAttachedUserPolicies",
                    "iam:ListEntitiesForPolicy",
                    "iam:ListGroupPolicies",
                    "iam:ListGroups",
                    "iam:ListGroupsForUser",
                    "iam:ListPolicies",
                    "iam:ListPoliciesGrantingServiceAccess",
                    "iam:ListPolicyVersions",
                    "iam:ListRolePolicies",
                    "iam:ListRoles",
                    "iam:ListUserPolicies",
                    "iam:ListUsers",
                    "iam:ListVirtualMFADevices",
                    "iam:UpdateAccountPasswordPolicy",
                    "iam:UpdateRole",
                    "kms:DescribeKey",
                    "kms:ListKeys",
                    "kms:GetKeyRotationStatus",
                    "logs:CreateLogDelivery",
                    "logs:CreateLogGroup",
                    "logs:DeleteLogGroup",
                    "logs:DescribeMetricFilters",
                    "logs:PutMetricFilter",
                    "logs:UpdateLogDelivery",
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:GetBucketLogging",
                    "s3:GetBucketPolicy",
                    "s3:GetBucketTagging",
                    "s3:GetEncryptionConfiguration",
                    "s3:ListAllMyBuckets",
                    "s3:PutBucketLogging",
                    "s3:PutObject",
                    "sns:ListSubscriptionsByTopic"
                ],
                "Resource": "*"
            }
        ]
    }
  3. After you create the policy, attach the policy to the IAM user that you created. Do not attach any other policies to this user, and rotate its access keys on the schedule your security policy requires (you will need to update the keys in CloudControl whenever you rotate them).