Skip to content

Creating a new AWS Cloud IAM role

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group.

Policies can be attached to roles to provide different levels of access to your AWS resources. IAM policies define permissions for an action regardless of the method that you use to perform the operation.

AWS CloudFormation Template

The following CloudFormation Template can be used to create an AWS IAM Role that grants SecureCloudDB read-only access to your AWS Account.

When creating a stack from this template, you will be required to provide an External Id that is shared between you and SecureCloudDB. SecureCloudDB generates an unique External Id for each Organization.

Note

For information on the permissions SecureCloudDB requires, check out the Authentication Policies section.

  1. Use the following link to begin the Quick Create form
  2. Enter the External Id for your Organization as provided by SecureCloudDB. The External Id can be found via the creation wizard as shown in the screenshot below:
  3. Afterwards you will have the choice to disable several of the optional permissions. Disabling any of the permissions listed will not prevent you from running an asset discovery; however, it will restrict the extent of security SecureCloudDB can provide you.
  4. Finally, acknowledge that this stack will create IAM resources in your account and click Create Stack to finish.
  1. Log in to the AWS Console and navigate to the CloudFormation service.
  2. Click Create Stack and select With new Resources (standard)
  3. This will take you to the Create stack form. Leave the default selections Template is Ready and Amazon S3 URL selected. In Amazon S3 URL enter the following value and then click Next:
    https://secureclouddb.s3-us-west-2.amazonaws.com/templates/cloudformation-2020-11-30.yaml
    
  4. On the Specify stack details form, enter an name for this stack, e.g., SecureCloudDB-ReadOnly.
  5. On the next section, enter the External Id provided by SecureCloudDb. Afterwards, you can disable any of the optional policies (not required to scan but recommended to secure your account). Once done, click Next to continue.
  6. On the Configure stack options form, it is safe to leave all values at their default setting, but feel free to add any tags, etc that are desired. Click Next.
  7. On the Review form, verify that the External Id is as expected and acknowledge that this CloudFormation template will create an IAM Role that allows external access then click Create Stack.

To create a stack, you use the aws cloudformation create-stack command. In addition, you need to provide the name of the stack, file location of a valid template, and any required input parameters.

Start by downloading the following template and save it as a YAML file to a location easily accessible to you:

Full CloudFormation Template
Description: |
  Create Read-Only IAM Roles And Policies for SecureCloudDB Assessments.
Parameters:
  ExternalId:
    Description: >
      ExternalId generated by SecureCloudDB for your Organization. A value
      should always be provided for this parameter.
    Type: String
    Default: ''
  TrustedSecureCloudDBAccount:
    Description: >
      The AWS Account trusted to read resources. The default value allows access
      from the SecureCloudDB production environment.
    Type: String
    Default: '233965863007'
  SecureCloudDBRoleName:
    Description: >
      The name of the Read-Only role to create for SecureCloudDB. This should
      normally be left as "SecureCloudDB-ReadOnly"
    Type: String
    Default: SecureCloudDB-ReadOnly
  RDSDataApiAccess:
    Description: >
      The following IAM policy allows SecureCloudDB to connect to your  RDS
      Database or Cluster using the RDS Data API.
    Type: String
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
  RDSIAMAuthAccess:
    Description: >
      The following IAM policy allows SecureCloudDB to connect to your  RDS
      Database or Cluster using IAM Auth.
    Type: String
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
  RedshiftDataAccess:
    Description: >
      The following IAM policy allows SecureCloudDB to connect to your  Redshift
      cluster.
    Type: String
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
  DynamoDBStreamActivityMonitoring:
    Description: >
      The following IAM policy allows SecureCloudDB to actively monitor  your
      DynamoDb tables for suspicious activity.
    Type: String
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
  RDSLogFileActivityMonitoring:
    Description: >
      The following IAM policy allows SecureCloudDB to actively monitor  your
      RDS instances via Log Files.
    Type: String
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
  EC2DataAccess:
    Description: >
      The following IAM policy allows SecureCloudDB to connect to your EC2 instances
    Type: String
    Default: Allow
    AllowedValues:
      - Allow
      - Deny
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: SecureCloudDB Configurations
        Parameters:
          - ExternalId
          - TrustedSecureCloudDBAccount
          - SecureCloudDBRoleName
      - Label:
          default: AWS Role Permissions
        Parameters:
          - RDSDataApiAccess
          - RDSIAMAuthAccess
          - RedshiftDataAccess
          - DynamoDBStreamActivityMonitoring
          - RDSLogFileActivityMonitoring
          - EC2DataAccess
    ParameterLabels:
      ExternalId:
        default: External Id
      TrustedSecureCloudDBAccount:
        default: Trusted SecureCloudDB Account
      SecureCloudDBRoleName:
        default: SecureCloudDB Role Name
      RDSDataApiAccess:
        default: RDS Data API Access
      RDSIAMAuthAccess:
        default: RDS IAM Authentication Access
      RedshiftDataAccess:
        default: Redshift Data API Access
      DynamoDBStreamActivityMonitoring:
        default: DynamoDB Stream Activity Monitoring
      RDSLogFileActivityMonitoring:
        default: RDS Log File Activity Monitoring
      EC2DataAccess:
        default: EC2 Data API Access
  'AWS::CloudFormation::Designer':
    830ae1ae-7a1a-4ce9-82b4-30e975f46304:
      size:
        width: 60
        height: 60
      position:
        x: 60
        'y': 90
      z: 1
      embeds: []
Conditions:
  HasExternalId: !Not
    - !Equals
      - Ref: ExternalId
      - ''
  HasRDSDataApiAccess: !Equals
    - Ref: RDSDataApiAccess
    - Allow
  HasRDSIAMAuthAccess: !Equals
    - Ref: RDSIAMAuthAccess
    - Allow
  HasRedshiftDataAccess: !Equals
    - Ref: RedshiftDataAccess
    - Allow
  HasDynamoDBStreamActivityMonitoring: !Equals
    - Ref: DynamoDBStreamActivityMonitoring
    - Allow
  HasRDSLogFileActivityMonitoring: !Equals
    - Ref: RDSLogFileActivityMonitoring
    - Allow
  HasEC2DataAccess: !Equals
    - Ref: EC2DataAccess
    - Allow
Resources:
  SecureCloudDBReadOnlyRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: !Ref SecureCloudDBRoleName
      Description: |
        Read-Only Role for SecureCloudDB Assessments.
      Tags:
        - Key: StackId
          Value: !Ref 'AWS::StackId'
      Policies:
        - PolicyName: SecureCloudDB-ReadOnlyPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'rds:Describe*'
                  - 'rds:List*'
                  - 'redshift:Describe*'
                  - 'redshift:List*'
                  - 'dynamodb:Describe*'
                  - 'dynamodb:List*'
                  - 'es:Describe*'
                  - 'es:List*'
                  - 'elasticache:Describe*'
                  - 'elasticache:List*'
                  - 'ec2:DescribeAccountAttributes'
                  - 'ec2:DescribeAddresses'
                  - 'ec2:DescribeAvailabilityZones'
                  - 'ec2:DescribeInternetGateways'
                  - 'ec2:DescribeRegions'
                  - 'ec2:DescribeRouteTables'
                  - 'ec2:DescribeSecurityGroupReferences'
                  - 'ec2:DescribeSecurityGroups'
                  - 'ec2:DescribeSubnets'
                  - 'ec2:DescribeTags'
                  - 'ec2:DescribeVpcAttribute'
                  - 'ec2:DescribeVpcPeeringConnections'
                  - 'ec2:DescribeVpcs'
                Resource: '*'
        - !If
          - HasRDSDataApiAccess
          - PolicyName: SecureCloudDB-DataPlaneAccess-RDS-DataAPI
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - 'rds-data:ExecuteStatement'
                  Resource: '*'
          - !Ref 'AWS::NoValue'
        - !If
          - HasRDSIAMAuthAccess
          - PolicyName: SecureCloudDB-DataPlaneAccess-RDS-IAMAuth
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - 'rds-db:connect'
                  Resource: 'arn:aws:rds-db:*:*:dbuser:*/secureclouddb'
          - !Ref 'AWS::NoValue'
        - !If
          - HasRedshiftDataAccess
          - PolicyName: SecureCloudDB-DataPlaneAccess-RedShift
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - 'redshift:GetClusterCredentials'
                  Resource: 'arn:aws:redshift:*:*:dbuser:*/secureclouddb'
          - !Ref 'AWS::NoValue'
        - !If
          - HasDynamoDBStreamActivityMonitoring
          - PolicyName: SecureCloudDB-ActivityMonitoring-DynamoDB
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - 'dynamodb:DescribeStream'
                    - 'dynamodb:DescribeTable'
                    - 'dynamodb:GetRecords'
                    - 'dynamodb:GetShardIterator'
                  Resource: '*'
          - !Ref 'AWS::NoValue'
        - !If
          - HasRDSLogFileActivityMonitoring
          - PolicyName: SecureCloudDB-ActivityMonitoring-RDS
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - 'rds:DescribeDBClusterParameters'
                    - 'rds:DownloadDBLogFilePortion'
                    - 'rds:DescribeOptionGroupOptions'
                    - 'rds:DescribeDBLogFiles'
                    - 'rds:DescribeDBParameters'
                    - 'rds:DescribeDBParameterGroups'
                    - 'rds:DescribeOptionGroups'
                    - 'rds:DescribeDBClusterParameterGroups'
                  Resource:
                    - 'arn:aws:rds:*:*:db:*'
                    - 'arn:aws:rds:*:*:og:*'
                    - 'arn:aws:rds:*:*:cluster-pg:*'
                    - 'arn:aws:rds:*:*:pg:*'
          - !Ref 'AWS::NoValue'
        - !If
          - HasEC2DataAccess
          - PolicyName: SecureCloudDB-DataPlaneAccess-EC2
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - "ec2:DescribeInstances"
                    - "ec2:DescribeVPCs"
                    - "ec2:DescribeNetworkACLs"
                    - "ec2:DescribeSecurityGroups"
                  Resource: 'arn:aws:ec2:*:*:instance/*'
          - !Ref 'AWS::NoValue'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref TrustedSecureCloudDBAccount
              Service: ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
            Condition: !If
              - HasExternalId
              - StringEquals:
                  'sts:ExternalId': !Ref ExternalId
              - !Ref 'AWS::NoValue'
    Metadata:
      'AWS::CloudFormation::Designer':
        id: 830ae1ae-7a1a-4ce9-82b4-30e975f46304
Outputs:
  SecureCloudDbRoleArn:
    Description: The ARN of the newly created role
    Value:
      'Fn::GetAtt':
        - SecureCloudDBReadOnlyRole
        - Arn

Afterwards, populate the command below accordingly to give SecureCloudDB the authentication policies required to fully secure your environment. To disable any specific permissions, set the ParameterValue to Deny for each individual policy.

Before running the command below, don't forget to replace <CLOUDFORMATION-TEMPLATE-LOCATION> with the location of the file you saved containing the CloudFormation Template.

aws cloudformation create-stack \ 
  --stack-name SecureCloudDB-ReadOnly \ 
  --template-body file:///<CLOUDFORMATION-TEMPLATE-LOCATION> \
  --parameters ParamterKey=SecureCloudDBRoleName,ParamterValue=SecureCloudDB-ReadOnly \
  ParamterKey=TrustedSecureCloudDBAccount,ParamterValue=233965863007 \
  ParameterKey=RDSDataApiAccess,ParameterValue=Allow ParameterKey=RDSIAMAuthAccess,ParameterValue=Allow \
  ParameterKey=RedshiftDataAccess,ParameterValue=Allow \
  ParameterKey=DynamoDBStreamActivityMonitoring,ParameterValue=Allow

Note

If you specify a local template file, AWS CloudFormation uploads it to an Amazon S3 bucket in your AWS account. AWS CloudFormation creates a unique bucket for each region in which you upload a template file. The buckets are accessible to anyone with Amazon S3 permissions in your AWS account. If an AWS CloudFormation-created bucket already exists, the template is added to that bucket.