Here you can find all the information a customer may need to setup the necessary AWS resources and what information is required to enable the Fluid Attacks CSPM module or to add a new credential to clone your repository.
If you need to learn how to reach this point, go back to the CSPM setup.
By selecting AWS, you will notice two things:
You will need to setup an IAM role that our scanner can assume to access your AWS resources. After successfully creating the role, all that is required is the role's Amazon Resource Name (ARN) to get started with CSPM.
Before you create this role, you will also need an external ID that Fluid Attacks generates for your organization. Check above how to get this data.
Now we will show you how to create the required role from the AWS user interface.
We need to start a session in the AWS Management Console with a user account authorized to create new roles and attach policies to it.
Once logged into the AWS Management Console, use the search bar to look for the IAM service and select it.
Inside the IAM Dashboard, select the Roles option in the left sidebar menu.
And click the button Create role.
When setting up the role configuration, in the Trusted entity type section, select Custom trust policy.
And in the code editor below Custom trust policy, paste the following policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FluidAttacksAccess",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::205810638802:role/prod_integrates"
},
"StringEquals": {
"sts:ExternalId": "<YOUR-EXTERNAL-ID>"
}
}
}
]
}
Let us review the previous policy. There are 4 key takeaways from it:
Principal
field is set as *
, meaning any AWS account can assume this role. Do not worry though, we limit the entities that can assume this role later in the policy.sts:AssumeRole
action allows other entities to assume this role.aws:PrincipalArn
condition ensures that although the principal is open to anyone, the role can only be assumed by Fluid Attacks' production role.sts:ExternalId
is a shared secret between Fluid Attacks and you and is used to verify that the request to assume the role comes from Fluid Attacks.After clicking Next, you will have to choose the permissions the role will have over AWS resources. Select the permission ReadOnlyAccess (recommended). Or, if you prefer, to maintain the principle of least privilege, you can add to your policy the read-only access permissions for each resource you wish to include. Here is the list of resources that we check in our CSPM module. If your goal is to clone a CodeCommit repository, don't forget to add the corresponding permission.
Here is an example of a user-managed policy used to clone CodeCommit repositories following the principle of least privilege:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LeastPrivilegeCodeCommit",
"Effect": "Allow",
"Action": ["codecommit:Get*", "codecommit:GitPull"],
"Resource": ["<REPO'S ARN>"]
}
]
}
You will need to create similar statements for each resource you desire. We recommend using the read-only AWS managed policy that exists for each resource.
Recommended permission settings to prevent inconsistencies over time:
If you prefer to create your own policy for restricting permissions granted to the role, below you'll find the list of actions used by the AWS CSPM module to run the checks over your infrastructure.
apigateway:GET(GetMethod)
apigateway:GET(GetResources)
apigateway:GET(GetRestApis)
autoscaling:DescribeAutoScalingInstances
cloudfront:GetDistribution
cloudfront:GetDistributionConfig
cloudfront:ListDistributions
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:ListTrails
cognito-idp:GetUserPoolMfaConfig
dynamodb:DescribeContinuousBackups
dynamodb:DescribeTable
dynamodb:ListTables
ec2:DescribeFlowLogs
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstances
ec2:DescribeKeyPairs
ec2:DescribeLaunchTemplateVersions
ec2:DescribeNetworkAcls
ec2:DescribeNetworkInterfaces
ec2:DescribeRegions
ec2:DescribeSecurityGroups
ec2:DescribeSnapshots
ec2:DescribeVolumes
ec2:DescribeVpcEndpoints
ec2:DescribeVpcs
eks:DescribeCluster
eks:ListClusters
elasticache:DescribeCacheClusters
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:DescribeTags
iam:GenerateCredentialReport
iam:GetAccountPasswordPolicy
iam:GetAccountSummary
iam:GetCredentialReport
iam:GetInstanceProfile
iam:GetLoginProfile
iam:GetPolicy
iam:GetPolicyVersion
iam:GetRolePolicy
iam:GetUser
iam:ListAccessKeys
iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies
iam:ListGroupPolicies
iam:ListGroups
iam:ListMFADevices
iam:ListRolePolicies
iam:ListRoles
iam:ListSSHPublicKeys
iam:ListUserPolicies
iam:ListUsers
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:ListAliases
kms:ListKeyPolicies
kms:ListKeys
rds:DescribeDBClusters
rds:DescribeDBInstances
rds:DescribeDBSnapshotAttributes
rds:DescribeDBSnapshots
redshift:DescribeClusterParameters
redshift:DescribeLoggingStatus
s3:GetBucketAcl
s3:GetBucketLogging
s3:GetBucketPolicy
s3:GetBucketVersioning
s3:GetBucketPublicAccessBlock
s3:ListAllMyBuckets
secretsmanager:DescribeSecret
secretsmanager:ListSecrets
sns:GetTopicAttributes
sns:ListTopics
sqs:GetQueueAttributes
sqs:ListQueues
sts:GetCallerIdentity
Following the next step, you will see a summary of the role configuration, where you will be able to name the role and add a brief description.
Once you finish the setup, you will be able to see the new role in the list of IAM roles of your account.
Click on the role to see its details. Here, you will see the ARN (Amazon Resource Name) of the role, which is the information you will fill in Fluid Attacks' platform.
In this section, we will show you how to deploy the required resources to enable the Fluid Attacks CSPM module, using CloudFormation.
First, create a new file with YAML extension, copy the following snippet and save it.
Resources:
CSPMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "sts:AssumeRole"
Principal:
AWS:
- "*"
Condition:
ArnEquals:
aws:PrincipalArn: "arn:aws:iam::205810638802:role/prod_integrates"
StringEquals:
sts:ExternalId: "<YOUR-EXTERNAL-ID>"
Description: Role to enable Fluid Attacks CSPM module
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess
RoleName: CSPM
Remember to change the <YOUR-EXTERNAL-ID>
placeholder with the external ID Fluid Attacks generated for you. If you have any doubts about the configuration of this template, see the detailed description here.
To deploy this template, you have a couple of options:
To be able to deploy the template using the CLI, you first need to install the AWS CLI and then configure the security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) to authenticate as a user with permissions to read and write CloudFormation and IAM resources.
Once that setup is done, execute the following commands:
aws cloudformation deploy --template-file <path/to/template> --stack-name <stack-name> --capabilities CAPABILITY_NAMED_IAM
Once all the resources are deployed you need to retrieve the ARN of the role. You can use the following command:
aws iam get-role --role-name "CSPM"
You will receive a JSON response with details about the role, including the ARN.
To deploy the template using the AWS Management Console, we need to start a session with a user account authorized to perform read and write operations for CloudFormation and IAM resources.
Once logged in, use the searchbar to search for the CloudFormation service.
Once in the CloudFormation Dashboard, search for the drop-down menu in Create stack and select With new resources (standard).
Now, under Prerequisite - Prepare template, select Template is ready and, under Specify template, select Upload a template file and choose the file created at the beginning.
Continue the process and you will be able to set the name of the stack to create.
Click Next, and you will arrive to a section titled Configure stack options. There is no need to change anything here, so just click Next and you will review the stack configuration. At the bottom part, under Capabilities, mark the checkbox to give the CloudFormation service the required permissions to create IAM resources.
Finish the setup and the deployment of the stack will begin. After a few moments, you will see the stack created successfully. Navigate to the Resources tab and you will see the created resources. Click the Physical ID, and it will redirect you to the IAM dashboard, where you will be able to get the role ARN to set in Fluid Attacks' platform.
If you are encountering issues when adding your AWS environment to the platform, check the following:
ReadOnlyAccess
.