Setting up Permissions for AWS Integration
To inventory the resources in the customer's AWS account, NVADR requires the user to follow the steps below to grant the necessary permissions and supply the required input. NVADR performs either a comprehensive or a non-comprehensive scan, depending on the set of permissions granted.
Steps to configure policies for Comprehensive Scans
- Open the Roles section from the IAM page of the AWS Console.
- Click on Create Role.
- Choose the AWS Account box.
- Click on the “Another AWS Account” radio button.
- Enter the 12-digit Account ID of the NVADR AWS account: 647087456535.
- Choose the “Require external ID” checkbox.
- Copy the External ID value from the NVADR Portal and paste it into the External ID text box.
- Click on the “Next” button.
- In the Permission Policies section, search for “ReadOnlyAccess” and “SecurityAudit” and select both policies by clicking the checkbox to the left of each.
- Scroll down and click on the “Next” button.
- Provide a role name (e.g. cloudhunt-demo-role).
- Click on Create Role.
- The role you created will now appear in the Roles section. Click on the role name to open the role details.
- Copy the ARN value from the Summary section at the top of the page (it has the structure arn:aws:iam::XXXXXXXXXXXX:role/cloudhunt-demo-role).
- Enter the ARN value you copied in the previous step into the NVADR Portal.
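The “Another AWS Account” and “Require external ID” steps above make the IAM console generate a role trust policy that only the NVADR account may assume, and only when it presents the external ID from the portal. The following Python is an added example, not part of the NVADR documentation: it builds that trust policy from the account ID on this page and a constructed placeholder external ID, and checks an existing trust policy for the two properties the steps depend on (the expected principal and a matching sts:ExternalId condition).

```python
"""Build and verify the cross-account trust policy the console steps produce.

Added example, not part of the NVADR documentation. The external ID value is a
constructed placeholder; the real value comes from the NVADR Portal.
"""
import json

NVADR_ACCOUNT_ID = "647087456535"                          # account ID from the page
EXTERNAL_ID_PLACEHOLDER = "EXTERNAL-ID-FROM-NVADR-PORTAL"  # constructed placeholder


def build_trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Return the trust policy the IAM console generates for
    'Another AWS account' combined with 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_issues(policy: dict, partner_account_id: str, external_id: str) -> list:
    """Check an existing trust policy against what the steps require.

    Returns human-readable findings; an empty list means every AssumeRole
    grant is limited to the expected partner account and requires the
    expected external ID (the confused-deputy mitigation).
    """
    issues = []
    expected_principal = f"arn:aws:iam::{partner_account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        # Principal may be a dict ({"AWS": ...}) or the bare string "*".
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                issues.append("trust policy allows any AWS principal to assume the role")
            elif p != expected_principal:
                issues.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if ext is None:
            issues.append("statement has no sts:ExternalId condition")
        elif ext != external_id:
            issues.append("sts:ExternalId does not match the value from the portal")
    return issues


if __name__ == "__main__":
    policy = build_trust_policy(NVADR_ACCOUNT_ID, EXTERNAL_ID_PLACEHOLDER)
    print(json.dumps(policy, indent=2))
    print("issues:", trust_policy_issues(policy, NVADR_ACCOUNT_ID, EXTERNAL_ID_PLACEHOLDER))
```

Run the check against the trust policy of the role you actually created (the Trust relationships tab shows it as JSON); a non-empty result means the role can be assumed by a principal or without the external ID the portal issued.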
Steps to configure policies for Non-Comprehensive scans (Restricted Permissions)
- Open the Roles section from the IAM page of the AWS Console.
- Click on Create Role.
- Choose the AWS Account box.
- Click on the “Another AWS Account” radio button.
- Enter the 12-digit Account ID of the NVADR AWS account: 647087456535.
- Choose the “Require external ID” checkbox.
- Copy the External ID value from the NVADR Portal and paste it into the External ID text box.
- Click on the “Next” button.
- In the Permission Policies section, click on the Create Policy button, which opens a new browser tab.
- Click on the JSON tab.
- Paste the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:*",
        "lightsail:*"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "mediastore:Get*",
        "mediastore:List*",
        "mediastore:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:Get*",
        "route53:List*",
        "route53:TestDNSAnswer"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": "arn:aws:apigateway:*::/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "cloudfront:DescribeFunction",
        "cloudfront:Get*",
        "cloudfront:List*",
        "iam:ListServerCertificates",
        "route53:List*",
        "waf:ListWebACLs",
        "waf:GetWebACL",
        "wafv2:ListWebACLs",
        "wafv2:GetWebACL"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeClassicLinkInstances",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "arc-zonal-shift:GetManagedResource",
      "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "arc-zonal-shift:ListManagedResources",
        "arc-zonal-shift:ListZonalShifts"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAPIs",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeLoadBalancers",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeScheduledActions",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate",
        "cloudformation:ListStackResources",
        "cloudformation:ListStacks",
        "cloudformation:ValidateTemplate",
        "cloudtrail:LookupEvents",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListServerCertificates",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribeDBSnapshots",
        "s3:ListAllMyBuckets",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::elasticbeanstalk-*"
    }
  ]
}
- Click on the “Next” button.
- Enter a name for the policy (e.g. cloudhunt-demo-policy).
- Click on Create Policy.
- Go back to the previous browser tab, where you were creating the role.
- Click on the refresh button to the left of the “Create Policy” button.
- The policy you created will now appear in the list. Select it by clicking the checkbox on its left-hand side.
- Scroll down and click on the “Next” button.
- Provide a role name (e.g. cloudhunt-demo-role).
- Click on Create Role.
- The role you created will now appear in the Roles section. Click on the role name to open the role details.
- Copy the ARN value from the Summary section at the top of the page (it has the structure arn:aws:iam::XXXXXXXXXXXX:role/cloudhunt-demo-role).
- Enter the ARN value you copied in the previous step into the NVADR Portal.
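The non-comprehensive policy above is meant to give a scanner restricted, read-style access, but a few of its statements use service-wide wildcards (eks:*, lightsail:*, apigateway:*), which match write calls as well as reads. The following Python is an added example, not part of the NVADR documentation or its tooling: it lints a policy document for Allow actions that are not limited to read-only verbs and can answer whether a specific API call would be matched, so the account owner can confirm each broad grant is intentional before attaching the policy. The embedded policy is a constructed, shortened excerpt of the one above.

```python
"""Lint an IAM permission policy for grants that go beyond read-only access.

Added example, not part of the NVADR documentation. CONSTRUCTED_POLICY is a
shortened excerpt of the non-comprehensive policy above, embedded so the
example runs offline.
"""
import fnmatch
import json

# Verb prefixes that only read state. Any other verb, or a bare "*", can
# create, modify or delete resources.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Check", "Lookup", "Test",
                   "Validate", "Request", "Retrieve")

CONSTRUCTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["eks:*", "lightsail:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["apigateway:*"], "Resource": "arn:aws:apigateway:*::/*"},
    {"Sid": "AllowS3", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::elasticbeanstalk-*"}
  ]
}
""")


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def is_read_only_action(action: str) -> bool:
    """True if the action pattern can only match read-style API calls."""
    if action == "*":
        return False
    _service, _, verb = action.partition(":")
    if not verb or verb == "*":
        return False
    return verb.startswith(READ_ONLY_VERBS)


def broad_grants(policy: dict) -> list:
    """Return (statement label, action, resource) for every Allow action that
    is not limited to read-only verbs."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                for resource in _as_list(stmt.get("Resource")):
                    findings.append((label, action, resource))
    return findings


def action_allowed(policy: dict, api_call: str) -> bool:
    """True if any Allow statement's action pattern matches api_call
    (e.g. 'eks:DeleteCluster'). Resource and Condition are not evaluated,
    so this answers 'could this verb ever be matched', not full authorisation."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(api_call, pat) for pat in _as_list(stmt.get("Action"))):
            return True
    return False


if __name__ == "__main__":
    for label, action, resource in broad_grants(CONSTRUCTED_POLICY):
        print(f"{label}: {action} on {resource} is not limited to read-only verbs")
```

To lint the full policy from this page, replace CONSTRUCTED_POLICY with the pasted JSON; statements whose only actions are Get*, List* or Describe* produce no findings, while the service-wide wildcards are listed for review.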