Configure a GovCloud Account Using IAM Access Keys

If your organization requires you to use IAM access keys, use the instructions in this topic. If your organization requires a more secure way to grant CloudCheckr access to your GovCloud account and you are using the AMI product, review the Configure a GovCloud Account Using a Cross-Account Role (AMI only) topic.

AWS GovCloud is an isolated cloud region that hosts sensitive data and regulated workloads for customers who must comply with strict US government security and compliance requirements. Only companies or organizations operated by employees who are US citizens working on US soil can access the AWS GovCloud environment.

Because AWS GovCloud operates under such strict requirements, its configuration is a little more involved than that of a standard commercial AWS account.

In a standard commercial account, you need one set of credentials—an IAM access key and secret key—to connect your CloudCheckr and AWS accounts:

In a GovCloud configuration, all AWS GovCloud activity, usage, and billing is managed through a standard commercial AWS account (the linked commercial account), so you need two sets of credentials: one for your GovCloud account and one for your linked commercial account:


Determine Your Payer

Before CloudCheckr can ingest the cost data from your AWS GovCloud account, you must provide the payer credentials.

Who the payer is depends on your GovCloud setup:

Scenario                                                         | Use Credentials From | CloudCheckr Configuration
-----------------------------------------------------------------|----------------------|-------------------------------------------------------
Master Payer account directly linked to GovCloud account         | Master Payer         | Master Payer and GovCloud accounts
Linked Commercial account is a payee of the Master Payer account | Linked Commercial    | Master Payer, Linked Commercial, and GovCloud accounts

Because AWS stores the billing data in the Master Payer account and payees cannot access this data directly, you must set up the Master Payer and its payees as separate accounts.

CloudCheckr will correctly distribute the billing data to each of the payees.

If your Linked Commercial account is one of multiple payees but you used the Master Payer account credentials, you could see duplicate costs in your payee accounts.

Procedure

Follow the steps below to configure your GovCloud account.

Since it is the most common setup, these instructions are tailored to the GovCloud scenario where a linked commercial account is a payee of a Master Payer account.
A Master Payer account is required so that CloudCheckr can ingest the cost data from the GovCloud region.

  1. Log in to the AWS Console.
  2. Click All services, locate the Security, Identity & Compliance section, and select IAM.
    The Welcome to Identity and Access Management screen displays.
  3. From the dashboard, click Policies.
  4. Click Create policy. The Create policy page opens.
  5. Follow this step to add the Cost policy and the Billing policy that corresponds to your billing method.
    1. Use the two policy documents below: the Cost policy first, then the Billing policy.
      {  
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CloudCheckrCostPermissions",
      "Effect":"Allow",
      "Action":[
      "ec2:DescribeAccountAttributes",
      "ec2:DescribeAvailabilityZones",
      "ec2:DescribeReservedInstancesOfferings",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeReservedInstancesListings",
      "ec2:DescribeHostReservationOfferings",
      "ec2:DescribeReservedInstancesModifications",
      "ec2:DescribeHostReservations",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceStatus",
      "ec2:DescribeRegions",
      "ec2:DescribeKeyPairs",
      "ec2:DescribePlacementGroups",
      "ec2:DescribeAddresses",
      "ec2:DescribeSpotInstanceRequests",
      "ec2:DescribeImages",
      "ec2:DescribeImageAttribute",
      "ec2:DescribeSnapshots",
      "ec2:DescribeVolumes",
      "ec2:DescribeTags",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeInstanceAttribute",
      "ec2:DescribeVolumeStatus",
      "elasticache:DescribeReservedCacheNodes",
      "elasticache:DescribeReservedCacheNodesOfferings",
      "rds:DescribeReservedDBInstances",
      "rds:DescribeReservedDBInstancesOfferings",
      "rds:DescribeDBInstances",
      "redshift:DescribeReservedNodes",
      "redshift:DescribeReservedNodeOfferings",
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:List*",
      "dynamodb:DescribeReservedCapacity",
      "dynamodb:DescribeReservedCapacityOfferings",
      "iam:GetAccountAuthorizationDetails",
      "iam:ListRolePolicies",
      "iam:ListAttachedRolePolicies"
      ],
      "Resource":"*"
      }
      ]
      }

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CostReadCUR",
      "Effect":"Allow",
      "Action":[
      "s3:GetObject"
      ],
      "Resource":[
      "arn:aws-us-gov:s3:::[YOUR COST AND USAGE REPORT BUCKET]",
      "arn:aws-us-gov:s3:::[YOUR COST AND USAGE REPORT BUCKET]/*"
      ]
      }
      ]
      }
    2. Copy the entire contents of the policy document to your clipboard.
    3. Return to the Create policy page in the AWS GovCloud Management Console.
    4. Click the JSON tab.
    5. Replace the text in the JSON tab with the policy you just copied.
      In your Cost and Billing policies, make sure that you replace the dummy S3 bucket name with the name of the S3 bucket where your Detailed Billing Report (DBR) or Cost and Usage Report (CUR) data will be stored.

    6. Click Review policy.
    7. Type a name for the policy and click Create policy.

      AWS adds the new policy to the list.

  1. Launch CloudCheckr.
  2. From the right side of the screen, click NEW ACCOUNT.

    The New Account screen displays.

  3. Type a unique name for your account and in the Cloud Provider section, select Amazon Web Services.
  4. Scroll down to the Navigation Visibility section and select the check boxes next to the modules and sections you want to be accessible for this account.
  5. At the bottom of the New Account page, click Create.

    CloudCheckr opens the Configure Account page. You will need to create a role in AWS before you can complete the configuration.

  1. Return to the IAM dashboard and click Roles.

    The Roles page opens.

  2. From the middle of the page, click Create role.

    The Create role page opens.

  3. In the Select type of trusted entity section, click Another AWS account.

    The screen prompts you to add an Account ID value.

  4. To obtain the Account ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Click the Use a Role for Cross-Account Access tab.
    3. Click Toggle Manual vs CloudFormation to view the instructions on how to create a cross-account role manually.
    4. Copy the Account ID.
  5. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the Account ID.
    2. In the Options section, select the Require external ID checkbox.

      AWS displays more information about the purpose of the external ID.

  6. To obtain the External ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Copy the external ID.
  7. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the External ID.
    2. Verify that the Require MFA radio button is not selected.
  8. Click Next: Permissions.

    A list of policies displays.

  9. Select the checkboxes next to your Cost and Billing policies and click Next: Tags.

    For the purposes of this procedure, we will not add tags.

  10. Click Next: Review.

    The Review page opens.

  11. Type a name for the role and click Create role.

    The role is now displayed in the list.

  12. Select the checkbox next to the new role and click the role name.

    The Summary page for the selected role opens.

    At the top of the page, you will see the Role ARN value.

    ARN values use this format:

    arn:aws-us-gov:iam::YourAccountIDHere:role/CloudCheckrRole
  13. Click the Copy icon next to the ARN value.
  14. Return to the Configure Accounts page in CloudCheckr.
    1. Paste the Role ARN value into the AWS Role ARN field.
    2. Click Update.

      Your Master Payer account now has the role it needs to ingest the cost data from the AWS GovCloud region.

  1. Return to the IAM dashboard and click Policies.
  2. From the list of policies, select the checkbox next to the Cost policy.
  3. From the Policies actions menu, select Attach.

    The Attach Policy page opens.

  4. From the Filter drop-down menu, select Roles.
  5. Select the checkbox next to your role and click Attach policy.
  6. Repeat these steps to attach the Billing policy to your role.

All GovCloud activity, usage, and billing is managed through a standard AWS account referred to as the linked commercial account.

  1. Log in to the AWS Console.
  2. Click All services and select IAM.
  3. From the dashboard, click Policies.
  4. Click Create policy.
  5. Follow this step to add the Security and Inventory policies.
    1. Use the two policy documents below: the Security policy first, then the Inventory policy.
      { 
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"SecurityPermissons",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "logs:GetLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:DescribeDeliveryChannels",
      "config:DescribeDeliveryChannelStatus",
      "config:DescribeConfigurationRecorders",
      "config:DescribeConfigurationRecorderStatus",
      "ec2:Describe*",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "rds:Describe*",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes"
      ],
      "Resource":"*"
      }
      ]
      }

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"InventoryAndUtilization",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "ec2:Describe*",
      "ec2:GetConsoleOutput",
      "autoscaling:Describe*",
      "cloudformation:DescribeStacks",
      "cloudformation:GetStackPolicy",
      "cloudformation:GetTemplate",
      "cloudformation:ListStackResources",
      "cloudfront:List*",
      "cloudfront:GetDistributionConfig",
      "cloudfront:GetStreamingDistributionConfig",
      "cloudhsm:Describe*",
      "cloudhsm:List*",
      "cloudsearch:Describe*",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "cloudwatch:DescribeAlarms",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "cognito-identity:ListIdentities",
      "cognito-identity:ListIdentityPools",
      "cognito-idp:ListGroups",
      "cognito-idp:ListIdentityProviders",
      "cognito-idp:ListUserPools",
      "cognito-idp:ListUsers",
      "cognito-idp:ListUsersInGroup",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:Describe*",
      "datapipeline:ListPipelines",
      "datapipeline:GetPipelineDefinition",
      "datapipeline:DescribePipelines",
      "directconnect:DescribeLocations",
      "directconnect:DescribeConnections",
      "directconnect:DescribeVirtualInterfaces",
      "dynamodb:ListTables",
      "dynamodb:DescribeTable",
      "dynamodb:ListTagsOfResource",
      "ecs:ListClusters",
      "ecs:DescribeClusters",
      "ecs:ListContainerInstances",
      "ecs:DescribeContainerInstances",
      "ecs:ListServices",
      "ecs:DescribeServices",
      "ecs:ListTaskDefinitions",
      "ecs:DescribeTaskDefinition",
      "ecs:ListTasks",
      "ecs:DescribeTasks",
      "ssm:ListResourceDataSync",
      "ssm:ListAssociations",
      "ssm:ListDocumentVersions",
      "ssm:ListDocuments",
      "ssm:ListInstanceAssociations",
      "ssm:ListInventoryEntries",
      "elasticache:Describe*",
      "elasticache:List*",
      "elasticbeanstalk:Describe*",
      "elasticfilesystem:DescribeFileSystems",
      "elasticfilesystem:DescribeTags",
      "elasticloadbalancing:Describe*",
      "elasticmapreduce:Describe*",
      "elasticmapreduce:List*",
      "es:ListDomainNames",
      "es:DescribeElasticsearchDomains",
      "glacier:ListTagsForVault",
      "glacier:DescribeVault",
      "glacier:GetVaultNotifications",
      "glacier:DescribeJob",
      "glacier:GetJobOutput",
      "glacier:ListJobs",
      "glacier:ListVaults",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "iot:DescribeThing",
      "iot:ListThings",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "kinesis:ListStreams",
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
      "lambda:ListFunctions",
      "lambda:ListTags",
      "Organizations:List*",
      "Organizations:Describe*",
      "rds:Describe*",
      "rds:List*",
      "redshift:Describe*",
      "route53:ListHealthChecks",
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:List*",
      "sdb:ListDomains",
      "sdb:DomainMetadata",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes",
      "storagegateway:Describe*",
      "storagegateway:List*",
      "support:*",
      "swf:ListClosedWorkflowExecutions",
      "swf:ListDomains",
      "swf:ListActivityTypes",
      "swf:ListWorkflowTypes",
      "workspaces:DescribeWorkspaceDirectories",
      "workspaces:DescribeWorkspaceBundles",
      "workspaces:DescribeWorkspaces"
      ],
      "Resource":"*"
      }
      ]
      }
    2. Copy the entire contents of the policy document to your clipboard.
    3. Return to the Create policy page in the AWS GovCloud Management Console.
    4. Click the JSON tab.
    5. Replace the text in the JSON tab with the policy you just copied.
    6. Click Review policy.
    7. Type a name for the policy and click Create policy.

      AWS adds the new policy to the list.

  1. Return to the IAM dashboard and click Users.
  2. Click the Add user button.
  3. On this screen:
    • Type the username.
    • Select the Programmatic access check box to generate an access key ID and secret access key.
    • Click Next: Permissions.
  4. Click Attach existing policies directly, select the policies you just created, and click Next: Tags.
  5. Click Next: Review.
  6. Review your choices and click Create user.
  7. Download or copy and save the access key ID and secret key to a safe location and click Close.
    You will use these keys as the payer credentials in your GovCloud account since your Linked Commercial account is a payee of the Master Payer account.

  1. Launch CloudCheckr.
  2. From the right side of the screen, click NEW ACCOUNT.

    The New Account screen displays.

  3. Type a unique name for your account and in the Cloud Provider section, select Amazon Web Services.
  4. Scroll down to the Navigation Visibility section and select the check boxes next to the modules and sections you want to be accessible for this account.
  5. At the bottom of the New Account page, click Create.

    CloudCheckr opens the Configure Account page. You will need to create a role in AWS before you can complete the configuration.

  1. Return to the IAM dashboard and click Roles.

  2. From the middle of the page, click Create role.

    The Create role page opens.

  3. In the Select type of trusted entity section, click Another AWS account.

    The screen prompts you to add an Account ID value.

  4. To obtain the Account ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Click Toggle Manual vs CloudFormation to view the instructions on how to create a cross-account role manually.
    3. Copy the Account ID.
  5. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the Account ID.
    2. In the Options section, select the Require external ID checkbox.

      AWS displays more information about the purpose of the external ID.

  6. To obtain the External ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Copy the external ID.
  7. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the External ID.
    2. Verify that the Require MFA radio button is not selected.
  8. Click Next: Permissions.

    A list of policies displays.

  9. Select the checkbox next to the policy or policies you want to attach to this role and click Next: Tags.

    For the purposes of this procedure, we will not add tags.

  10. Click Next: Review.

    The Review page opens.

  11. Type a name for the role and click Create role.

    The role is now displayed in the list.

  12. Select the checkbox next to the new role and click the role name.

    The Summary page for the selected role opens.

    At the top of the page, you will see the Role ARN value.

    ARN values use this format:

    arn:aws-us-gov:iam::YourAccountIDHere:role/CloudCheckrRole
  13. Click the Copy icon next to the ARN value.
  14. Return to the Configure Accounts page in CloudCheckr.
    1. Paste the Role ARN value into the AWS Role ARN field.
    2. Click Update.

      Your Linked Commercial account now has the role it needs to ingest the inventory and security data from the AWS GovCloud region.

  1. Return to the IAM dashboard and click Policies.
  2. From the list of policies, select the checkbox next to the Security policy.
  3. From the Policies actions menu, select Attach.

    The Attach Policy page opens.

  4. From the Filter drop-down menu, select Roles.
  5. Select the checkbox next to your role and click Attach policy.
  6. Repeat these steps to attach the Inventory policy to your role.

  1. Return to the IAM dashboard and click Policies.
  2. Click Create policy.
  3. Follow this step to add the Security, Inventory, CloudTrail, and CloudWatch Flow Logs policies.
    1. Use the four policy documents below, in this order: Security, Inventory, CloudTrail, and CloudWatch Flow Logs:

      { 
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"SecurityPermissons",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "logs:GetLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:DescribeDeliveryChannels",
      "config:DescribeDeliveryChannelStatus",
      "config:DescribeConfigurationRecorders",
      "config:DescribeConfigurationRecorderStatus",
      "ec2:Describe*",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "rds:Describe*",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes"
      ],
      "Resource":"*"
      }
      ]
      }

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"InventoryAndUtilization",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "ec2:Describe*",
      "ec2:GetConsoleOutput",
      "autoscaling:Describe*",
      "cloudformation:DescribeStacks",
      "cloudformation:GetStackPolicy",
      "cloudformation:GetTemplate",
      "cloudformation:ListStackResources",
      "cloudfront:List*",
      "cloudfront:GetDistributionConfig",
      "cloudfront:GetStreamingDistributionConfig",
      "cloudhsm:Describe*",
      "cloudhsm:List*",
      "cloudsearch:Describe*",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "cloudwatch:DescribeAlarms",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "cognito-identity:ListIdentities",
      "cognito-identity:ListIdentityPools",
      "cognito-idp:ListGroups",
      "cognito-idp:ListIdentityProviders",
      "cognito-idp:ListUserPools",
      "cognito-idp:ListUsers",
      "cognito-idp:ListUsersInGroup",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:Describe*",
      "datapipeline:ListPipelines",
      "datapipeline:GetPipelineDefinition",
      "datapipeline:DescribePipelines",
      "directconnect:DescribeLocations",
      "directconnect:DescribeConnections",
      "directconnect:DescribeVirtualInterfaces",
      "dynamodb:ListTables",
      "dynamodb:DescribeTable",
      "dynamodb:ListTagsOfResource",
      "ecs:ListClusters",
      "ecs:DescribeClusters",
      "ecs:ListContainerInstances",
      "ecs:DescribeContainerInstances",
      "ecs:ListServices",
      "ecs:DescribeServices",
      "ecs:ListTaskDefinitions",
      "ecs:DescribeTaskDefinition",
      "ecs:ListTasks",
      "ecs:DescribeTasks",
      "ssm:ListResourceDataSync",
      "ssm:ListAssociations",
      "ssm:ListDocumentVersions",
      "ssm:ListDocuments",
      "ssm:ListInstanceAssociations",
      "ssm:ListInventoryEntries",
      "elasticache:Describe*",
      "elasticache:List*",
      "elasticbeanstalk:Describe*",
      "elasticfilesystem:DescribeFileSystems",
      "elasticfilesystem:DescribeTags",
      "elasticloadbalancing:Describe*",
      "elasticmapreduce:Describe*",
      "elasticmapreduce:List*",
      "es:ListDomainNames",
      "es:DescribeElasticsearchDomains",
      "glacier:ListTagsForVault",
      "glacier:DescribeVault",
      "glacier:GetVaultNotifications",
      "glacier:DescribeJob",
      "glacier:GetJobOutput",
      "glacier:ListJobs",
      "glacier:ListVaults",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "iot:DescribeThing",
      "iot:ListThings",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "kinesis:ListStreams",
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
      "lambda:ListFunctions",
      "lambda:ListTags",
      "Organizations:List*",
      "Organizations:Describe*",
      "rds:Describe*",
      "rds:List*",
      "redshift:Describe*",
      "route53:ListHealthChecks",
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:List*",
      "sdb:ListDomains",
      "sdb:DomainMetadata",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes",
      "storagegateway:Describe*",
      "storagegateway:List*",
      "support:*",
      "swf:ListClosedWorkflowExecutions",
      "swf:ListDomains",
      "swf:ListActivityTypes",
      "swf:ListWorkflowTypes",
      "workspaces:DescribeWorkspaceDirectories",
      "workspaces:DescribeWorkspaceBundles",
      "workspaces:DescribeWorkspaces"
      ],
      "Resource":"*"
      }
      ]
      }

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CloudTrailPermissions",
      "Effect":"Allow",
      "Action":[
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:GetObject",
      "s3:List*"
      ],
      "Resource":[
      "arn:aws-us-gov:s3:::[YOUR CLOUDTRAIL BUCKET]",
      "arn:aws-us-gov:s3:::[YOUR CLOUDTRAIL BUCKET]/*"
      ]
      }
      ]
      }

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CloudWatchLogsSpecific",
      "Effect":"Allow",
      "Action":[
      "logs:GetLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams"
      ],
      "Resource":[
      "arn:aws-us-gov:logs:*:*:*"
      ]
      }
      ]
      }
    2. Copy the entire contents of the policy document to your clipboard.
    3. Return to the Create policy page in the AWS GovCloud Management Console.
    4. Click the JSON tab.
    5. Replace the text in the JSON tab with the policy you just copied.

      Make sure that you replace the dummy S3 bucket name with the name of the S3 bucket where your CloudTrail data will be stored.
    6. Click Review policy.
    7. Type a name for the policy and click Create policy.

      AWS adds the new policy to the list.
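A pre-flight check for every policy document in this procedure (Cost, Billing, Security, Inventory, CloudTrail, and CloudWatch Flow Logs), added here as an example and not part of CloudCheckr's or AWS's own tooling: it parses a document before you paste it into the console, flags any [YOUR ...] bucket placeholder that was not replaced, any resource ARN outside the aws-us-gov partition, and any action that is not a read-only Describe/Get/List verb (a service-wide wildcard such as support:* is reported so you can decide whether it is acceptable). The sample policy documents are constructed for the example.

```python
"""Pre-flight checks for IAM policy documents before pasting them into the GovCloud console.
Added example; not CloudCheckr's or AWS's own code."""
import json
import re

PLACEHOLDER = re.compile(r"\[YOUR [^\]]+\]")        # e.g. [YOUR CLOUDTRAIL BUCKET]
GOVCLOUD_PARTITION = "arn:aws-us-gov:"
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Generate")
READ_ONLY_EXCEPTIONS = {"sdb:DomainMetadata"}       # read-only, but not verb-prefixed


def is_read_only(action: str) -> bool:
    """True for Describe/Get/List-style actions (wildcarded or not), False otherwise."""
    if action in READ_ONLY_EXCEPTIONS:
        return True
    service, _, verb = action.partition(":")
    if not service or not verb:
        return False
    # "ec2:Describe*" keeps a read-only verb prefix; "support:*" grants every verb.
    return verb.rstrip("*").startswith(READ_ONLY_PREFIXES)


def lint_policy(document: str) -> list:
    """Return findings for one policy document; an empty list means it passed."""
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect is {stmt.get('Effect')!r}, expected Allow")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants more than it lists")
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if not is_read_only(action):
                findings.append(f"{sid}: {action} is not a read-only action")
        resources = stmt.get("Resource", [])
        for resource in ([resources] if isinstance(resources, str) else resources):
            if PLACEHOLDER.search(resource):
                findings.append(f"{sid}: placeholder still present in {resource}")
            elif resource != "*" and not resource.startswith(GOVCLOUD_PARTITION):
                findings.append(f"{sid}: {resource} is outside the aws-us-gov partition")
    return findings


# Constructed samples: the Billing policy with its placeholder still in place, the same
# policy with the bucket name filled in, and a deliberately over-broad policy.
BILLING_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CostReadCUR",
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": [
      "arn:aws-us-gov:s3:::[YOUR COST AND USAGE REPORT BUCKET]",
      "arn:aws-us-gov:s3:::[YOUR COST AND USAGE REPORT BUCKET]/*"
    ]
  }]
}"""
BILLING_FILLED = BILLING_TEMPLATE.replace(
    "[YOUR COST AND USAGE REPORT BUCKET]", "example-cur-bucket")   # constructed name
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TooBroad",
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "support:*", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-commercial-bucket"
  }]
}"""

if __name__ == "__main__":
    samples = {"template": BILLING_TEMPLATE, "filled": BILLING_FILLED, "broad": BROAD_POLICY}
    for name, doc in samples.items():
        print(name, lint_policy(doc) or ["OK"])
```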

  1. Return to the IAM dashboard and click Users.
  2. Click the Add user button.
  3. On this screen:
    • Type the username.
    • Select the Programmatic access check box to generate an access key ID and secret access key.
    • Click Next: Permissions.
    • Click Attach existing policies directly, select the policies you just created, and click Next: Tags.
  4. Click Next: Review.
  5. Review your choices and click Create user.
  6. Download or copy and save the access key ID and secret key to a safe location and click Close.
    You will use these keys as your GovCloud credentials in CloudCheckr.

  1. Return to the Configure Accounts page in CloudCheckr.
  2. Click the Use an IAM Access Key tab.
  3. In step 14, paste the access key ID and secret access key from the IAM user you just created for your GovCloud account.
  4. In step 15, select the Credentials are for the GovCloud (US) Region radio button.

    CloudCheckr displays the Paying Account Access Key and Paying Account Secret Key fields.

  5. In step 16, paste the access key ID and secret access key for the linked commercial account. These are the payer credentials you saved earlier.
  6. Click Update.

