AWS Cloud Account Onboarding: Existing User and Secret Key

Learn how you can onboard an AWS cloud account by using an existing user and secret key.

Overview

As discussed in an earlier user guide, there are two ways users can authorize CoreStack to access their AWS cloud accounts:

  1. Assume an Amazon Resource Name (ARN) role
  2. Provide access through a secret key

The earlier user guide covered the first approach, so this guide covers the second: granting CoreStack access to your AWS cloud account through an existing IAM user and that user's access key and secret key.

With the existing-user option, CoreStack cannot create the permissions for you, so you need to add them to the user manually. Choose the permission set below that matches the level of access you intend to grant.

Permissions needed for Assessment Only (Read-Only Access)

Permissions (Read-Only):
  ce:GetReservationPurchaseRecommendation
  ce:GetReservationUtilization
  support:DescribeTrustedAdvisorCheckResult
  budgets:ViewBudget
  config:
  lambda:

Permissions needed for Assessment Read-Only + Sync with AWS WAF

Permissions (Read-Only + Sync with AWS WAF):
  ce:GetReservationPurchaseRecommendation
  ce:GetReservationUtilization
  support:DescribeTrustedAdvisorCheckResult
  budgets:ViewBudget
  config:
  lambda:
  wellarchitected:*

Permissions needed for Assessment + Automation (Read-Write Access)

Permissions (Read-Write Access), grouped by service:

EC2:
  ec2:DetachVolume
  ec2:AttachVolume
  ec2:AuthorizeSecurityGroupIngress
  ec2:DeregisterImage
  ec2:TerminateInstances
  ec2:CreateTags
  ec2:CreateImage
  ec2:RunInstances
  ec2:DescribeImages
  ec2:DescribeInstances
  ec2:AllocateAddress
  ec2:CreateVolume
  ec2:RevokeSecurityGroupIngress
  ec2:DeleteVolume
  ec2:DescribeVolumes
  ec2:CreateSecurityGroup
  ec2:DeleteSecurityGroup
  ec2:CreateSnapshot
  ec2:ModifyInstanceAttribute
  ec2:AssociateAddress
  iam:SimulatePrincipalPolicy
  organizations:ListAccounts
  s3:HeadBucket
  ec2:DescribeSubnets

S3:
  s3:CreateBucket
  s3:HeadBucket
  s3:DeleteObject
  s3:DeleteBucket
  s3:GetBucketLocation
  s3:GetBucketTagging
  s3:GetObject
  s3:ListObjects
  s3:PutBucketPolicy
  s3:PutBucketTagging
  s3:PutEncryptionConfiguration

CloudTrail:
  cloudtrail:AddTags
  cloudtrail:CreateTrail
  cloudtrail:DeleteTrail
  cloudtrail:DescribeTrails
  cloudtrail:GetTrailStatus
  cloudtrail:ListTags
  cloudtrail:PutEventSelectors
  cloudtrail:StartLogging
  cloudtrail:UpdateTrail

IAM:
  iam:CreateRole
  iam:DeleteRole
  iam:GetRole
  iam:ListRolePolicies
  iam:ListRoles
  iam:DeleteRolePolicy
  iam:PutRolePolicy
  iam:PassRole

Compute Optimizer:
  compute-optimizer:*

CloudWatch:
  cloudwatch:DescribeAlarms
  cloudwatch:DeleteAlarms
  cloudwatch:GetMetricStatistics
  cloudwatch:ListMetrics
  cloudwatch:PutMetricAlarm

Elastic Compute Cloud (instance start/stop):
  ec2:StartInstances
  ec2:StopInstances

Inspector:
  inspector:ListRulesPackages
  inspector:DescribeRulesPackages
  inspector:ListAssessmentRuns
  inspector:ListAssessmentTemplates
  inspector:ListFindings
  inspector:DescribeFindings
  inspector:DescribeAssessmentRuns
  inspector:CreateResourceGroup
  inspector:CreateAssessmentTarget
  inspector:CreateAssessmentTemplate
  inspector:StartAssessmentRun

CloudFormation:
  cloudformation:CreateStack
  cloudformation:DeleteStack
  cloudformation:DescribeStackResource
  cloudformation:DescribeStacks
  cloudformation:UpdateStack

GuardDuty:
  s3:*
  guardduty:GetFindings
  guardduty:ListDetectors
  guardduty:CreateDetector
  guardduty:UpdateDetector
  s3:ListBucket
  guardduty:DeleteDetector
  guardduty:CreatePublishingDestination
  guardduty:DeletePublishingDestination
  guardduty:DescribePublishingDestination
  guardduty:ListFindings
  guardduty:GetDetector
  guardduty:TagResource
  iam:TagRole
  iam:CreateServiceLinkedRole

KMS:
  kms:Create
  kms:Describe
  kms:Enable
  kms:List
  kms:Put
  kms:Update
  kms:Revoke
  kms:Disable
  kms:Get
  kms:Delete
  kms:TagResource
  kms:UntagResource
  kms:ScheduleKeyDeletion
  kms:CancelKeyDeletion

Auth (billing, budgets, tagging, cost and support):
  aws-portal:ViewBilling
  aws-portal:ModifyBilling
  budgets:ViewBudget
  budgets:ModifyBudget
  budgets:CreateBudgetAction
  budgets:DeleteBudgetAction
  budgets:UpdateBudgetAction
  tag:getResources
  tag:getTagKeys
  tag:getTagValues
  ce:GetReservationPurchaseRecommendation
  ce:GetReservationUtilization
  support:DescribeTrustedAdvisorCheckResult

WorkSpaces:
  workspaces:TerminateWorkspaces
  workspaces:RevokeIpRules
  workspaces:Describe
  workspaces:ListAvailableManagementCidrRanges
  workspaces:DeleteIpGroup
  workspaces:DeleteWorkspaceImage
  workspaces:StopWorkspaces
  workspaces:StartWorkspaces
  workspaces:Create
  workspaces:RebootWorkspaces
  workspaces:Modify*
  workspaces:UpdateRulesOfIpGroup
  workspaces:DisassociateIpGroups
  workspaces:RebuildWorkspaces
  workspaces:AssociateIpGroups
  workspaces:AuthorizeIpRules
  workspaces:ImportWorkspaceImage
  workspaces:DeleteTags

Lambda:
  lambda:*

DynamoDB:
  dynamodb:DescribeTable
  dynamodb:Query
  dynamodb:Scan
  dynamodb:BatchGet
  dynamodb:DescribeStream
  dynamodb:Get
  dynamodb:BatchWrite
  dynamodb:CreateTable
  dynamodb:Delete
  dynamodb:Update
  dynamodb:PutItem

Well-Architected:
  wellarchitected:*

Config:
  config:*
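Before handing the user's keys to CoreStack, it is worth confirming that the user actually holds the actions from the permission set you chose, since a missing action only surfaces later as a failed assessment or automation. The Python script below is an added example for this guide, not CoreStack's own code: it runs the chosen action list through iam:SimulatePrincipalPolicy (one of the actions in the read-write table above) via boto3, which must be installed and configured with credentials that are allowed to simulate the target user. The user ARN, the boto3 client, the `SAMPLE_RESPONSE` data and the way the read-only list leaves out the page's incomplete config and lambda entries are all assumptions made for the example.

```python
"""Pre-onboarding check: does the existing IAM user hold the actions CoreStack needs?

Added example, not CoreStack code. The live path (check_user) calls
iam:SimulatePrincipalPolicy through boto3; summarize_simulation is pure and
can be exercised offline with the constructed SAMPLE_RESPONSE below.
"""
import sys

# Read-only (assessment) actions copied from the table above. The page's
# "config:" and "lambda:" entries are incomplete, so they are not listed here
# (assumption: fill them in from the current CoreStack permission list).
READ_ONLY_ACTIONS = [
    "ce:GetReservationPurchaseRecommendation",
    "ce:GetReservationUtilization",
    "support:DescribeTrustedAdvisorCheckResult",
    "budgets:ViewBudget",
]


def summarize_simulation(response, requested_actions):
    """Reduce a SimulatePrincipalPolicy response to allowed/denied action lists.

    `response` has the shape boto3 returns: {"EvaluationResults": [
        {"EvalActionName": "...", "EvalDecision": "allowed" | "implicitDeny" | "explicitDeny"}, ...]}.
    Any requested action missing from the response is reported as denied, so a
    truncated or partial response can never read as a pass.
    """
    decisions = {
        r["EvalActionName"]: r["EvalDecision"]
        for r in response.get("EvaluationResults", [])
    }
    allowed = [a for a in requested_actions if decisions.get(a) == "allowed"]
    denied = [a for a in requested_actions if decisions.get(a) != "allowed"]
    return {"allowed": allowed, "denied": denied}


def check_user(user_arn, actions, iam_client=None):
    """Simulate `actions` for the IAM user identified by `user_arn` (needs AWS access).

    The simulation is paginated with IsTruncated/Marker, so long action lists
    are handled; the caller's identity needs iam:SimulatePrincipalPolicy.
    """
    if iam_client is None:
        import boto3  # imported lazily so the offline helpers work without boto3
        iam_client = boto3.client("iam")
    kwargs = {"PolicySourceArn": user_arn, "ActionNames": list(actions)}
    results = []
    while True:
        page = iam_client.simulate_principal_policy(**kwargs)
        results.extend(page.get("EvaluationResults", []))
        if not page.get("IsTruncated"):
            break
        kwargs["Marker"] = page["Marker"]
    return summarize_simulation({"EvaluationResults": results}, actions)


# Constructed sample response (not real AWS output): two actions allowed, one
# implicitly denied, and budgets:ViewBudget absent from the results entirely.
SAMPLE_RESPONSE = {
    "EvaluationResults": [
        {"EvalActionName": "ce:GetReservationPurchaseRecommendation", "EvalDecision": "allowed"},
        {"EvalActionName": "ce:GetReservationUtilization", "EvalDecision": "allowed"},
        {"EvalActionName": "support:DescribeTrustedAdvisorCheckResult", "EvalDecision": "implicitDeny"},
    ]
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_permissions.py arn:aws:iam::123456789012:user/corestack-user
        report = check_user(sys.argv[1], READ_ONLY_ACTIONS)
    else:
        report = summarize_simulation(SAMPLE_RESPONSE, READ_ONLY_ACTIONS)
    print("allowed:", report["allowed"])
    print("denied: ", report["denied"])
    sys.exit(1 if report["denied"] else 0)
```

Swap `READ_ONLY_ACTIONS` for the read-write list if you are granting automation access; the non-zero exit status on any denied action makes the script usable as a gate in an onboarding pipeline, and treating missing results as denials keeps a partial simulation from passing silently.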

📘 Note: Apart from the permissions listed above, a role should also be created for trusted authentication with CoreStack. That role should have the following services, policies, and managed policies.

Permissions (Read-Write Access) for the CoreStack trusted-authentication role:

Services:
  lambda.amazonaws.com
  config.amazonaws.com

Policies:
  logs:
  s3:
  cloudtrail:
  cloudwatch:
  config:
  lambda:

Managed policy ARNs:
  arn:aws:iam::aws:policy/ReadOnlyAccess
  arn:aws:iam::aws:policy/service-role/AWS_ConfigRole

Policy: iam:PassRole must be granted for the role created for CoreStack.

How to add permissions manually

Whenever permissions need to be added manually, you can perform the following steps.

For example, let's say we have to add the policy "WellArchitectedConsoleFullAccess" to the user.

Start by navigating to IAM > Users > Add Permission in the AWS portal:

  1. Click Attach existing policy directly
  2. Search for "WellArch"
  3. Select "WellArchitectedConsoleFullAccess"
  4. Click Next and Review
  5. The permission will be added to that user

Setting AWS Managed Policy Permissions for AWS WAF

If you want to sync your CoreStack workload assessments with AWS WAF, some additional permissions are required.

To get started, navigate to IAM > Policies > Create Policy in the AWS portal, then:

  1. Select Manual Action > All.
  2. Select All resources.
  3. Review and then create the policy.

How to get the Access and Secret keys from the AWS portal

If you choose to grant CoreStack access with an access key and secret key from AWS, you first need to retrieve those values from your AWS account.

Follow these steps to get that information:

  1. First, log in to your AWS portal.
  2. Next, navigate to IAM > Users.
  3. Select the user, then go to Security Credentials.
  4. Click on the Create Access Key button under Access Keys.
  5. The Access Key and Secret Key should be displayed, and you should also be able to download the .json file if you wish.

Currently, you should only be able to create a maximum of 2 Access and Secret keys for any single IAM user.
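Because the limit is two keys per user and the secret is only shown when the key is created, it helps to inventory the user's existing keys before pressing Create Access Key: an old active key you had forgotten about is a standing credential, and a second slot that is already used means the creation will fail. The Python script below is an added example for this guide, not CoreStack's or AWS's code; it summarises a ListAccessKeys response with boto3, which must be installed and configured. The user name, the 90-day staleness threshold, the boto3 client and the `SAMPLE_LIST` data are assumptions or constructed values.

```python
"""Inventory an IAM user's access keys before creating one for CoreStack.

Added example, not CoreStack code. access_key_report is pure and runs
offline against the constructed SAMPLE_LIST; report_for_user fetches the
real list with boto3 (iam:ListAccessKeys on the user is required).
"""
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # limit stated on the page


def access_key_report(list_response, now=None, max_age_days=90):
    """Summarise a ListAccessKeys response.

    `list_response` has the boto3 shape: {"AccessKeyMetadata": [
        {"UserName": ..., "AccessKeyId": ..., "Status": "Active" | "Inactive",
         "CreateDate": <tz-aware datetime>}, ...]}.
    Returns the per-key ages, whether a new key can still be created, and
    which active keys are older than `max_age_days` (assumed rotation window).
    """
    now = now or datetime.now(timezone.utc)
    keys = []
    for md in list_response.get("AccessKeyMetadata", []):
        age_days = (now - md["CreateDate"]).days
        keys.append({
            "id": md["AccessKeyId"],
            "status": md["Status"],
            "age_days": age_days,
            "stale": md["Status"] == "Active" and age_days > max_age_days,
        })
    return {
        "keys": keys,
        "can_create": len(keys) < MAX_KEYS_PER_USER,
        "stale_active": [k["id"] for k in keys if k["stale"]],
    }


def report_for_user(user_name, iam_client=None):
    """Fetch the live key list for `user_name` and summarise it (needs AWS access)."""
    if iam_client is None:
        import boto3  # imported lazily so the offline helper works without boto3
        iam_client = boto3.client("iam")
    response = iam_client.list_access_keys(UserName=user_name)
    return access_key_report(response)


# Constructed sample (not real AWS output): the user already has two keys,
# one of them active and 200 days old, so no third key can be created.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_LIST = {
    "AccessKeyMetadata": [
        {"UserName": "corestack-user", "AccessKeyId": "AKIAEXAMPLE000000001",
         "Status": "Active", "CreateDate": SAMPLE_NOW - timedelta(days=200)},
        {"UserName": "corestack-user", "AccessKeyId": "AKIAEXAMPLE000000002",
         "Status": "Inactive", "CreateDate": SAMPLE_NOW - timedelta(days=10)},
    ]
}


if __name__ == "__main__":
    report = access_key_report(SAMPLE_LIST, now=SAMPLE_NOW)
    for key in report["keys"]:
        print(f'{key["id"]}  {key["status"]:8}  {key["age_days"]:4d} days  stale={key["stale"]}')
    print("can create another key:", report["can_create"])
    print("stale active keys:", report["stale_active"])
```

If the report shows no free slot, deactivate and delete a key you no longer use rather than reusing an old one; the secret key you hand to CoreStack is a long-lived credential, so keep it in a secrets store rather than in files or source control and plan its rotation from the day it is created.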

Onboarding an AWS cloud account as a Master Account using an access key and secret key

Follow the steps below to onboard an AWS cloud account into CoreStack as a Master Account using an access key and secret key.

First, navigate to the Account Governance page in CoreStack, then click on Add New.

  1. Select the account type, then click on Start Now.
  2. Choose AWS as the cloud account option, then click on Get Started.
  3. Select the Access type and then Master Account as the Account type based on your preferences, then click on Next.
  4. Fill in the Access key, Secret Key, and any other required information, then click on Validate.
  5. After validation is completed, the Advanced Settings will be displayed. Fill out these fields according to your preferences, and click I'm Done.

You should see a confirmation message once done.

Onboarding an AWS cloud account as a Linked Account using an access key and secret key

Follow the steps below to onboard an AWS cloud account into CoreStack as a Linked Account using an access key and secret key.

First, navigate to the Account Governance page in CoreStack, then click on Add New.

  1. Select the account type, then click on Start Now.
  2. Choose AWS as the cloud account option, then click on Get Started.
  3. Select Linked Account for the Account type, then click on Next.
  4. Fill in the Access key, Secret Key, and any other required information, then click on Validate.
  5. After validation is completed, the Advanced Settings will be displayed. Fill out these fields according to your preferences, and click I'm Done.

You should see a confirmation message once done.