AWS Cloud Account Onboarding: Existing User and Secret Key
Learn how you can onboard an AWS cloud account by using an existing user and secret key.
Overview
As discussed in an earlier user guide, there are two ways users can authorize CoreStack to access their AWS cloud accounts:
- Assume an Amazon Resource Name (ARN) role
- Provide access through a secret key
In our earlier user guide we discussed the first approach, and so in this user guide we'll cover the second. The second method of providing CoreStack with access to your AWS cloud account involves using an existing user with a secret key.
For the existing user option, you need to add the permissions manually.
Permissions needed for Assessment Only (Read-Only Access)
Permissions (Read-Only) |
---|
ce:GetReservationPurchaseRecommendation |
ce:GetReservationUtilization |
support:DescribeTrustedAdvisorCheckResult |
budgets:ViewBudget |
config: |
Lambda: |
Permissions needed for Assessment Read-Only + Sync with AWS WAF
Permissions (Read-Only + Sync with AWS WAF) |
---|
ce:GetReservationPurchaseRecommendation |
ce:GetReservationUtilization |
support:DescribeTrustedAdvisorCheckResult |
budgets:ViewBudget |
config: |
lambda: |
Wellarchitected:* |
Permissions needed for Assessment + Automation (Read-Write Access)
Service | Permissions (Read-Write Access)
---|---
ec2 | "ec2:DetachVolume", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:DeregisterImage", "ec2:TerminateInstances", "ec2:CreateTags", "ec2:CreateImage", "ec2:RunInstances", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:AllocateAddress", "ec2:CreateVolume", "ec2:RevokeSecurityGroupIngress", "ec2:DeleteVolume", "ec2:DescribeVolumes", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:CreateSnapshot", "ec2:ModifyInstanceAttribute", "ec2:AssociateAddress"
 | "iam:SimulatePrincipalPolicy", "organizations:ListAccounts", "s3:HeadBucket", "ec2:DescribeSubnets"
s3 | "s3:CreateBucket", "s3:HeadBucket", "s3:DeleteObject", "s3:DeleteBucket", "s3:GetBucketLocation", "s3:GetBucketTagging", "s3:GetObject", "s3:ListObjects", "s3:PutBucketPolicy", "s3:PutBucketTagging", "s3:PutEncryptionConfiguration"
CloudTrail | "cloudtrail:AddTags", "cloudtrail:CreateTrail", "cloudtrail:DeleteTrail", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "cloudtrail:PutEventSelectors", "cloudtrail:StartLogging", "cloudtrail:UpdateTrail"
IAM | "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:ListRolePolicies", "iam:ListRoles", "iam:DeleteRolePolicy", "iam:PutRolePolicy", "iam:PassRole"
Computeoptimizer | compute-optimizer:*
Cloudwatch | "cloudwatch:DescribeAlarms", "cloudwatch:DeleteAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "cloudwatch:PutMetricAlarm"
ElasticComputeCloud | "ec2:StartInstances", "ec2:StopInstances"
Inspector | "inspector:ListRulesPackages", "inspector:DescribeRulesPackages", "inspector:ListAssessmentRuns", "inspector:ListAssessmentTemplates", "inspector:ListFindings", "inspector:DescribeFindings", "inspector:DescribeAssessmentRuns", "inspector:CreateResourceGroup", "inspector:CreateAssessmentTarget", "inspector:CreateAssessmentTemplate", "inspector:StartAssessmentRun"
cfn | "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackResource", "cloudformation:DescribeStacks", "cloudformation:UpdateStack"
GuardDuty | "s3:*", "guardduty:GetFindings", "guardduty:ListDetectors", "guardduty:CreateDetector", "guardduty:UpdateDetector", "s3:ListBucket", "guardduty:DeleteDetector", "guardduty:CreatePublishingDestination", "guardduty:DeletePublishingDestination", "guardduty:DescribePublishingDestination", "guardduty:ListFindings", "guardduty:GetDetector", "guardduty:TagResource", "iam:TagRole", "iam:CreateServiceLinkedRole"
kms | "kms:Create", "kms:Describe", "kms:Enable", "kms:List", "kms:Put", "kms:Update", "kms:Revoke", "kms:Disable", "kms:Get", "kms:Delete", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
Auth | "aws-portal:ViewBilling", "aws-portal:ModifyBilling", "budgets:ViewBudget", "budgets:ModifyBudget", "budgets:CreateBudgetAction", "budgets:DeleteBudgetAction", "budgets:UpdateBudgetAction", "tag:getResources", "tag:getTagKeys", "tag:getTagValues"
 | "ce:GetReservationPurchaseRecommendation", "ce:GetReservationUtilization", "support:DescribeTrustedAdvisorCheckResult"
workspaces | "workspaces:TerminateWorkspaces", "workspaces:RevokeIpRules", "workspaces:Describe", "workspaces:ListAvailableManagementCidrRanges", "workspaces:DeleteIpGroup", "workspaces:DeleteWorkspaceImage", "workspaces:StopWorkspaces", "workspaces:StartWorkspaces", "workspaces:Create", "workspaces:RebootWorkspaces", "workspaces:Modify*", "workspaces:UpdateRulesOfIpGroup", "workspaces:DisassociateIpGroups", "workspaces:RebuildWorkspaces", "workspaces:AssociateIpGroups", "workspaces:AuthorizeIpRules", "workspaces:ImportWorkspaceImage", "workspaces:DeleteTags"
Lambda | "lambda:*"
DynamoDB | "dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGet", "dynamodb:DescribeStream", "dynamodb:Get", "dynamodb:BatchWrite", "dynamodb:CreateTable", "dynamodb:Delete", "dynamodb:Update", "dynamodb:PutItem"
Wellarchitected | "wellarchitected:*"
Config | config:*
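As an added example (not CoreStack's own code or its exact policy), the rows below are copied from a subset of the read-write table above and merged into one IAM policy document, then audited for wildcard actions (such as the table's "s3:*") and for narrow actions that a wildcard already covers, which is the check worth running before such a policy is attached to a long-lived user key; the function names are mine.

```python
import json

# Rows copied from the read-write table above (a subset, constructed here to keep
# the example short); the "GuardDuty" row carries the page's blanket "s3:*".
PAGE_ACTIONS = {
    "ec2": ["ec2:DescribeInstances", "ec2:StartInstances",
            "ec2:StopInstances", "ec2:TerminateInstances"],
    "s3": ["s3:CreateBucket", "s3:GetObject", "s3:PutBucketPolicy"],
    "GuardDuty": ["s3:*", "guardduty:GetFindings",
                  "guardduty:ListDetectors", "guardduty:CreateDetector"],
    # the table lists DescribeTable/Query/Scan twice; the builder de-duplicates
    "DynamoDB": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan",
                 "dynamodb:DescribeTable", "dynamodb:Query"],
}

def build_policy(service_actions, sid="CoreStackReadWrite"):
    """Merge every row into one sorted, de-duplicated Allow statement."""
    actions = sorted({a for acts in service_actions.values() for a in acts})
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow",
                           "Action": actions, "Resource": "*"}]}

def wildcard_actions(policy):
    """Actions that grant a whole service ("s3:*") or a verb prefix ("kms:Get*").
    Each one deserves a second look before it lands on a long-lived user key."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in s["Action"] if "*" in a]

def shadowed_actions(policy):
    """Narrow actions already covered by a wildcard in the same statement,
    e.g. "s3:GetObject" beside "s3:*": they add nothing and hide the real scope."""
    out = []
    for s in policy["Statement"]:
        wild = [w for w in s["Action"] if w.endswith("*")]
        out += [a for a in s["Action"]
                if any(a != w and a.startswith(w[:-1]) for w in wild)]
    return out

def policy_json(policy):
    """Serialise in the form the IAM console's JSON policy editor accepts."""
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    p = build_policy(PAGE_ACTIONS)
    print(policy_json(p))
    print("wildcards:", wildcard_actions(p))
    print("shadowed :", shadowed_actions(p))
```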
Note:
Apart from the permissions listed above, a role should also be created for trusted authentication with CoreStack; it should have the following services and policies as well.
Role setting | Permissions (Read-Write Access)
---|---
Services | "lambda.amazonaws.com", "config.amazonaws.com"
Policies | "logs:", "s3:", "cloudtrail:", "cloudwatch:", "config:", "lambda:"
Managedpolicyarns | "arn:aws:iam::aws:policy/ReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
Policy | "iam:PassRole" to be granted for the role created for CoreStack


How to add permissions manually
For any cases where permissions need to be added manually, you can perform the following steps.
For example, let's say we have to add permission for the policy “WellArchitectedConsoleFullAccess”.
Start by navigating to IAM > Users > Add Permission in the AWS portal:
- Click Attach existing policy directly
- Search for “WellArch”
- Select “WellArchitectedConsoleFullAccess”
- Click Next and Review
- The permission will be added to that account


Setting AWS Managed Policy Permissions for AWS WAF
In cases where users want to sync their CoreStack workload assessments with AWS WAF, then some additional permissions are required.
To get started, navigate to IAM > Policies > Create Policy in the AWS portal.

Select Manual Action > All.

Select All resources.

Next, review and then create the policy.

How to get the Access and Secret keys from the AWS portal
If you choose to grant CoreStack access with an access key and secret key from AWS, you first need to retrieve those values from your AWS account.
Follow these steps to get that info:
- First, log in to your AWS portal.
- Next, navigate to IAM > Users.


- Select any user, then go to Security Credentials.

- Click on the Create Access Key button under Access Keys.

- The Access Key and Secret Key should be displayed, and you should also be able to download the .json file if you wish.
Currently, AWS allows a maximum of two access keys (each with its secret key) per IAM user.
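Added example (not CoreStack's own code): the same "Create Access Key" step done through boto3, with the two-key limit mentioned above checked first and existing keys flagged for rotation by age; the user name, the 90-day rotation interval and the sample key metadata are assumptions of mine, not values from this guide.

```python
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2     # the AWS limit stated above
ROTATE_AFTER_DAYS = 90    # assumption: a common rotation interval, not an AWS rule

def key_report(access_key_metadata, now=None, max_age_days=ROTATE_AFTER_DAYS):
    """Summarise the AccessKeyMetadata list returned by IAM ListAccessKeys.

    can_create - False when the user already holds MAX_KEYS_PER_USER keys
                 (inactive keys still count toward the limit)
    stale      - active key ids older than max_age_days (rotate these)
    inactive   - disabled key ids that could simply be deleted to free a slot
    """
    now = now or datetime.now(timezone.utc)
    stale, inactive = [], []
    for k in access_key_metadata:
        if k["Status"] != "Active":
            inactive.append(k["AccessKeyId"])
        elif now - k["CreateDate"] > timedelta(days=max_age_days):
            stale.append(k["AccessKeyId"])
    return {"can_create": len(access_key_metadata) < MAX_KEYS_PER_USER,
            "stale": stale, "inactive": inactive}

def create_key_if_allowed(user_name):
    """Live variant: same action as the console's Create Access Key button."""
    import boto3  # imported here so the pure report logic above runs offline
    iam = boto3.client("iam")
    report = key_report(iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"])
    if not report["can_create"]:
        return report  # delete a stale or inactive key first, then retry
    # The SecretAccessKey in this response is shown only once, like the console.
    report["new_key_id"] = iam.create_access_key(UserName=user_name)["AccessKey"]["AccessKeyId"]
    return report

# Constructed sample mirroring the ListAccessKeys response shape (not a real account).
SAMPLE_NOW = datetime(2023, 7, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "corestack-user", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
    {"UserName": "corestack-user", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Inactive", "CreateDate": datetime(2023, 6, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print(key_report(SAMPLE_KEYS, now=SAMPLE_NOW))
```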

Onboarding an AWS cloud account as a Master Account using an access key and secret key
Follow the below steps to onboard an AWS cloud account into CoreStack as a Master Account using an access key and secret key.
First, navigate to the Account Governance page in CoreStack, then click on Add New.

- Select the account type, then click on Start Now.

- Choose AWS as the cloud account option, then click on Get Started.

- Select the Access type and then Master Account as the Account type based on your preferences, then click on Next.

- Fill in the Access key, Secret Key, and any other required information, then click on Validate.

- After validation is completed, the Advanced Settings will be displayed. Fill out these fields according to your preferences, and click I’m Done.

You should see a confirmation message once done.

Onboarding an AWS cloud account as a Linked Account using an access key and secret key
Follow the below steps to onboard an AWS cloud account into CoreStack as a Linked Account using an access key and secret key.
First, navigate to the Account Governance page in CoreStack, then click on Add New.

- Select the account type, then click on Start Now.

- Choose AWS as the cloud account option, then click on Get Started.

- Select Linked Account for the Account type, then click on Next.

- Fill in the Access key, Secret Key, and any other required information, then click on Validate.

- After validation is completed, the Advanced Settings will be displayed. Fill out these fields according to your preferences, and click I’m Done.

You should see a confirmation message once done.
