Setting up Permissions for AWS Integration

To discover resources from the client side, NVADR needs the user to follow the steps below to grant it the necessary permissions and provide the required input. NVADR performs either a comprehensive or a non-comprehensive scan, depending on which set of permissions is granted.

Steps to configure policies for Comprehensive Scans

  • Open the Roles section from the IAM page of the AWS Console.
  • Click on Create Role.
  • Choose the AWS Account box.
  • Click on the "Another AWS Account" radio button.
  • Enter the 12-digit Account ID of the NVADR AWS Account: 647087456535.
  • Choose the “Require external ID” checkbox.
  • Copy the value of External ID from NVADR Portal and paste it into the External ID text box.
  • Click on Next Button.
  • Under the Permission Policies section, search for "ReadOnlyAccess" and "SecurityAudit" and select both policies by clicking on the checkbox on their left-hand side.
  • Scroll down to click on the Next button.
  • Enter a role name (e.g. cloudhunt-demo-role).
  • Click on Create Role.
  • The role you created will now appear in the Roles section. Click on the role name to open role details.
  • Copy the ARN value from the Summary section at the top of the page (it has the following structure: arn:aws:iam::XXXXXXXXXXXX:role/cloudhunt-demo-role).
  • Enter the ARN value you copied in the previous step into the NVADR Portal.

Steps to configure policies for Non-Comprehensive scans (Restricted Permissions)

  • Open the Roles section from the IAM page of the AWS Console.
  • Click on Create Role.
  • Choose the AWS Account box.
  • Click on the “Another AWS Account” radio button.
  • Enter the 12-digit Account ID of the NVADR AWS Account: 647087456535.
  • Choose the “Require external ID” checkbox.
  • Copy the value of External ID from NVADR Portal and paste it into the External ID text box.
  • Click on the “Next” button.
  • In the Permission Policies section, click on the Create Policy button, which opens the policy editor in a new browser tab.
  • Click on the JSON tab.
  • Paste the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
     {
           "Effect": "Allow",
           "Action": [
              "eks:*",
              "lightsail:*"
           ],
           "Resource": "*"
     },
     {
           "Action": [
              "mediastore:Get*",
              "mediastore:List*",
              "mediastore:Describe*"
           ],
           "Effect": "Allow",
           "Resource": "*",
           "Condition": {
              "Bool": {
                 "aws:SecureTransport": "true"
              }
           }
     },
     {
           "Effect": "Allow",
           "Action": "ec2:Describe*",
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": "elasticloadbalancing:Describe*",
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": [
              "cloudwatch:ListMetrics",
              "cloudwatch:GetMetricStatistics",
              "cloudwatch:Describe*"
           ],
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": "autoscaling:Describe*",
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": [
              "route53:Get*",
              "route53:List*",
              "route53:TestDNSAnswer"
           ],
           "Resource": [
              "*"
           ]
     },
     {
           "Effect": "Allow",
           "Action": [
              "s3:Get*",
              "s3:List*",
              "s3-object-lambda:Get*",
              "s3-object-lambda:List*"
           ],
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": [
              "apigateway:*"
           ],
           "Resource": "arn:aws:apigateway:*::/*"
     },
     {
           "Effect": "Allow",
           "Action": [
              "acm:ListCertificates",
              "cloudfront:DescribeFunction",
              "cloudfront:Get*",
              "cloudfront:List*",
              "iam:ListServerCertificates",
              "route53:List*",
              "waf:ListWebACLs",
              "waf:GetWebACL",
              "wafv2:ListWebACLs",
              "wafv2:GetWebACL"
           ],
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": "elasticloadbalancing:Describe*",
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": [
              "ec2:DescribeInstances",
              "ec2:DescribeClassicLinkInstances",
              "ec2:DescribeSecurityGroups"
           ],
           "Resource": "*"
     },
     {
           "Effect": "Allow",
           "Action": "arc-zonal-shift:GetManagedResource",
           "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
     },
     {
           "Effect": "Allow",
           "Action": [
              "arc-zonal-shift:ListManagedResources",
              "arc-zonal-shift:ListZonalShifts"
           ],
           "Resource": "*"
     },
     {
           "Sid": "AllowAPIs",
           "Effect": "Allow",
           "Action": [
              "acm:ListCertificates",
              "autoscaling:DescribeAccountLimits",
              "autoscaling:DescribeAutoScalingGroups",
              "autoscaling:DescribeAutoScalingInstances",
              "autoscaling:DescribeLaunchConfigurations",
              "autoscaling:DescribePolicies",
              "autoscaling:DescribeLoadBalancers",
              "autoscaling:DescribeNotificationConfigurations",
              "autoscaling:DescribeScalingActivities",
              "autoscaling:DescribeScheduledActions",
              "cloudformation:DescribeStackResource",
              "cloudformation:DescribeStackResources",
              "cloudformation:DescribeStacks",
              "cloudformation:GetTemplate",
              "cloudformation:ListStackResources",
              "cloudformation:ListStacks",
              "cloudformation:ValidateTemplate",
              "cloudtrail:LookupEvents",
              "cloudwatch:DescribeAlarms",
              "cloudwatch:GetMetricStatistics",
              "cloudwatch:ListMetrics",
              "ec2:DescribeAccountAttributes",
              "ec2:DescribeAddresses",
              "ec2:DescribeImages",
              "ec2:DescribeInstanceAttribute",
              "ec2:DescribeInstances",
              "ec2:DescribeInstanceStatus",
              "ec2:DescribeKeyPairs",
              "ec2:DescribeLaunchTemplateVersions",
              "ec2:DescribeLaunchTemplates",
              "ec2:DescribeSecurityGroups",
              "ec2:DescribeSnapshots",
              "ec2:DescribeSpotInstanceRequests",
              "ec2:DescribeAvailabilityZones",
              "ec2:DescribeSubnets",
              "ec2:DescribeVpcs",
              "elasticbeanstalk:Check*",
              "elasticbeanstalk:Describe*",
              "elasticbeanstalk:List*",
              "elasticbeanstalk:RequestEnvironmentInfo",
              "elasticbeanstalk:RetrieveEnvironmentInfo",
              "elasticloadbalancing:DescribeInstanceHealth",
              "elasticloadbalancing:DescribeLoadBalancers",
              "elasticloadbalancing:DescribeSSLPolicies",
              "elasticloadbalancing:DescribeTargetGroups",
              "elasticloadbalancing:DescribeTargetHealth",
              "iam:GetRole",
              "iam:ListAttachedRolePolicies",
              "iam:ListInstanceProfiles",
              "iam:ListRolePolicies",
              "iam:ListRoles",
              "iam:ListServerCertificates",
              "rds:DescribeDBEngineVersions",
              "rds:DescribeDBInstances",
              "rds:DescribeOrderableDBInstanceOptions",
              "rds:DescribeDBSnapshots",
              "s3:ListAllMyBuckets",
              "sns:ListSubscriptionsByTopic",
              "sns:ListTopics",
              "sqs:ListQueues"
           ],
           "Resource": "*"
     },
     {
           "Sid": "AllowS3",
           "Effect": "Allow",
           "Action": [
              "s3:GetObject",
              "s3:GetObjectAcl",
              "s3:GetObjectVersion",
              "s3:GetObjectVersionAcl",
              "s3:GetBucketLocation",
              "s3:GetBucketPolicy",
              "s3:ListBucket"
           ],
           "Resource": "arn:aws:s3:::elasticbeanstalk-*"
     }
  ]
}
  • Click on the "Next" button.
  • Enter a name for the policy (e.g. cloudhunt-demo-policy).
  • Click on Create Policy.
  • Go back to the previous browser tab, where you were creating the role.
  • Click on the refresh button to the left of the "Create Policy" button.
  • The policy you created will now appear in the list. Select it by clicking on the checkbox on its left-hand side.
  • Scroll down and click on the "Next" button.
  • Enter a role name (e.g. cloudhunt-demo-role).
  • Click on Create Role.
  • The role you created will now appear in the Roles section. Click on the role name to open the role details.
  • Copy the ARN value from the Summary section at the top of the page (it has the following structure: arn:aws:iam::XXXXXXXXXXXX:role/cloudhunt-demo-role).
  • Enter the ARN value you copied in the previous step into the NVADR Portal.
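Before handing the ARN to the portal, a practitioner will want to confirm two things about the role produced by either procedure above: that its trust policy only lets the NVADR account assume it when the external ID from the portal is presented, and which of the allowed actions in the restricted policy go beyond read-only calls (for example "eks:*", "lightsail:*" and "apigateway:*"). The Python below is an added example, not NVADR's code; the trust policy is a constructed sample of what the console generates from the "Another AWS Account" and "Require external ID" steps (the external ID is a placeholder), and the permission policy is a constructed excerpt of the JSON on this page.

```python
import json

# Constructed sample of the trust policy the console writes for the steps above.
# Account ID is the one on the page; the external ID is a placeholder, not a real value.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::647087456535:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-FROM-PORTAL"}}
}]}""")

# Constructed excerpt of the restricted permission policy from this page.
PERMISSION_POLICY_EXCERPT = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["eks:*", "lightsail:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Allow", "Action": ["apigateway:*"], "Resource": "arn:aws:apigateway:*::/*"},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::elasticbeanstalk-*"}
]}""")

# Operation-name prefixes used by the read-style IAM actions listed on the page.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Check", "Lookup", "Retrieve", "Validate", "Test")

def as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def trust_policy_problems(policy, expected_account, expected_external_id):
    """Findings for each sts:AssumeRole grant; an empty list means the trust matches the steps."""
    problems = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        principals = as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if not any(f"::{expected_account}:" in p for p in principals):
            problems.append("principal is not the expected account")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id != expected_external_id:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems

def non_read_only_actions(policy):
    """Allowed actions whose operation part is a bare wildcard or not a read-style name."""
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in as_list(st["Action"]):
            operation = action.partition(":")[2]
            if operation == "*" or not operation.startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)
```

Run the same two functions over the JSON you actually pasted into the console and the trust policy shown on the role's Trust relationships tab; any action the second function reports is one the scanning role could use to change resources, not just read them.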