AWS Account Onboarding
Below are the complete steps for the account onboarding process in CloudSPX:
1. Create a Cross-Account IAM Role in AWS Account
To begin, open the IAM console of the AWS account and follow the steps below to create the cross-account IAM role:
a) Select IAM Role Creation
Trusted entity type: AWS account
AWS account type: Another AWS account
Account ID: XXXXXXXXXX
External ID: GDtfDCFYjL
Require MFA should remain unchecked.
b) Permissions Setup
On the permissions screen, click Create inline policy, and select the JSON tab. Paste the following JSON policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    }
  ]
}
c) Review and create the policy, then attach it to the role.
d) Complete the role creation process by reviewing the settings, assigning a name, and creating the role.
2. Attach Required Policies to the IAM Role
After the IAM role has been created, attach the following permission policies:
a) AmazonEC2ReadOnlyAccess (AWS Managed)
b) ReadOnlyAccess (AWS Managed - job function)
c) CLOUDSPX-CSPM-min (Customer Managed) (see the policy JSON below)
Policy JSON for CLOUDSPX-CSPM-min policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "cloudspx-cspm-min",
      "Effect": "Allow",
      "Action": [
        "inspector:ListAssessmentTemplates",
        "athena:StartQueryExecution",
        "inspector2:ListFilters",
        "athena:GetQueryResults",
        "inspector2:UntagResource",
        "inspector2:SearchVulnerabilities",
        "inspector2:GetMember",
        "inspector2:BatchGetAccountStatus",
        "inspector2:ListCisScanResultsAggregatedByTargetResource",
        "inspector2:ListFindingAggregations",
        "inspector:GetTelemetryMetadata",
        "inspector2:ListCoverage",
        "inspector2:GetCisScanResultDetails",
        "inspector2:TagResource",
        "inspector2:ListCisScanConfigurations",
        "glue:GetTables",
        "inspector2:GetConfiguration",
        "athena:GetQueryExecutions",
        "inspector:GetAssessmentReport",
        "inspector2:GetClustersForImage",
        "inspector2:BatchGetFreeTrialInfo",
        "inspector2:ListUsageTotals",
        "inspector2:ListCoverageStatistics",
        "s3:PutObject",
        "s3:GetObject",
        "inspector2:ListFindings",
        "athena:ListDatabases",
        "inspector:DescribeAssessmentTargets",
        "inspector2:GetDelegatedAdminAccount",
        "glue:GetCatalog",
        "inspector2:GetEc2DeepInspectionConfiguration",
        "inspector:ListFindings",
        "inspector:DescribeAssessmentTemplates",
        "inspector:DescribeAssessmentRuns",
        "inspector2:ListAccountPermissions",
        "inspector:ListExclusions",
        "inspector:ListTagsForResource",
        "inspector2:BatchGetFindingDetails",
        "inspector:DescribeExclusions",
        "inspector:DescribeRulesPackages",
        "inspector2:BatchGetCodeSnippet",
        "inspector:SetTagsForResource",
        "inspector:ListAssessmentRunAgents",
        "inspector:DescribeCrossAccountAccessRole",
        "inspector2:ListDelegatedAdminAccounts",
        "inspector-scan:ScanSbom",
        "inspector2:ListTagsForResource",
        "inspector2:GetEncryptionKey",
        "inspector:ListRulesPackages",
        "inspector:DescribeFindings",
        "inspector:ListEventSubscriptions",
        "inspector:ListAssessmentTargets",
        "inspector2:ListCisScanResultsAggregatedByChecks",
        "inspector2:ListMembers",
        "inspector2:GetCisScanReport",
        "guardduty:UpdateDetector",
        "inspector:PreviewAgents",
        "inspector2:DescribeOrganizationConfiguration",
        "glue:GetDatabases",
        "inspector:ListAssessmentRuns",
        "inspector2:ListCisScans",
        "glue:GetTable",
        "glue:GetDatabase",
        "s3:ListAllMyBuckets",
        "athena:GetQueryExecution",
        "inspector2:GetFindingsReportStatus",
        "inspector:GetExclusionsPreview",
        "inspector:DescribeResourceGroups",
        "securitylake:GetDataLakeSources",
        "inspector2:BatchGetMemberEc2DeepInspectionStatus",
        "s3:GetBucketLocation",
        "inspector2:GetSbomExport"
      ],
      "Resource": "*"
    }
  ]
}
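As an added example (not CloudSPX's own code), the following Python shows the trust policy that the step 1a wizard settings amount to, a check that the External ID condition is really present on the role, and a review helper that lists which actions in a permission policy such as CLOUDSPX-CSPM-min are not read-only. The account ID, the External ID and the short policy excerpt are placeholders or constructed values, not the ones your CloudSPX console shows.

```python
# Placeholders: substitute the Account ID and External ID shown in step 1a.
CLOUDSPX_ACCOUNT_ID = "XXXXXXXXXXXX"
EXTERNAL_ID = "GDtfDCFYjL"

# Verbs that only read state; anything else is reported by non_read_actions().
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Search", "Preview")

SAMPLE_PERMISSION_POLICY = {  # constructed excerpt of CLOUDSPX-CSPM-min
    "Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Resource": "*", "Action": [
            "inspector2:ListFindings", "inspector:GetTelemetryMetadata",
            "s3:PutObject", "guardduty:UpdateDetector", "inspector-scan:ScanSbom"]}]}


def _actions(stmt):
    """Normalise a statement's Action field (string or list) to a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def build_trust_policy(account_id, external_id):
    """Trust policy equal to the step 1a choices: another account, External ID required."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def assume_role_requires_external_id(policy):
    """True only if every Allow of sts:AssumeRole carries an sts:ExternalId condition."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _actions(stmt)):
            continue
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False  # confused-deputy protection missing on this statement
    return True


def non_read_actions(policy):
    """Sorted allowed actions whose verb is not read-style (write, tag, scan, ...)."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            verb = action.split(":", 1)[-1]  # "s3:PutObject" -> "PutObject"
            if not verb.startswith(READ_PREFIXES):
                found.add(action)
    return sorted(found)
```

Running non_read_actions over the full CLOUDSPX-CSPM-min document above lists exactly which non-read actions (tagging, s3:PutObject, guardduty:UpdateDetector, athena:StartQueryExecution, inspector-scan:ScanSbom) the role is granted on Resource "*", which is what a reviewer approving the role should record.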