Configure a GovCloud Account Using IAM Access Keys (SaaS and AMI)

If your organization requires you to use IAM access keys, use the instructions in this topic. If your organization requires a more secure method, review the Configure a GovCloud Account Using a Cross-Account Role (SaaS only) or the Configure a GovCloud Account Using a Cross-Account Role (AMI only) topics.
AWS GovCloud is an isolated cloud region that hosts sensitive data and regulated workloads for customers who must comply with strict US government security and compliance requirements. Only companies or organizations operated by employees who are US citizens working on US soil can access the AWS GovCloud environment.

Because AWS GovCloud operates under such strict requirements, its configuration is a little more complicated than that of a standard commercial AWS account.

In a standard commercial account, you need one set of credentials, an IAM access key ID and secret access key, to connect your CloudCheckr and AWS accounts.

In a GovCloud configuration, all AWS GovCloud activity, usage, and billing are managed through a standard commercial AWS account (the linked commercial account), so you need two sets of credentials: one for your GovCloud account and one for your linked commercial account.


Determine Your Payer

Before CloudCheckr can ingest the cost data from your AWS GovCloud account, you must provide the payer credentials.

Who the payer is depends on your GovCloud setup:

  Scenario                                                          Use Credentials From    CloudCheckr Configuration
  Master Payer account directly linked to GovCloud account          Master Payer            Master Payer and GovCloud accounts
  Linked Commercial account is a payee of the Master Payer account  Linked Commercial       Master Payer, Linked Commercial, and GovCloud accounts

Because AWS stores the billing data in the Master Payer account and payees cannot access this data directly, you must set up the Master Payer and each of its payees as separate accounts in CloudCheckr.

CloudCheckr then distributes the billing data to each of the payees.

If your Linked Commercial account is one of multiple payees but you configured it with the Master Payer account credentials, you could see duplicate costs in your payee accounts.

Procedure

The following steps describe how to configure a GovCloud account using IAM access keys. You can use these instructions regardless of your GovCloud setup.

A Master Payer account is required so that CloudCheckr can ingest the cost data from the GovCloud region.

  1. Log in to the AWS GovCloud Management Console.
  2. Click All services, locate the Security, Identity & Compliance section, and select IAM.

    The Welcome to Identity and Access Management screen displays.

  3. From the dashboard, click Policies.

  4. Click Create policy.

    The Create policy page opens.

  5. Create the Cost policy and the Billing policy that corresponds to your billing method (Detailed Billing Report or Cost and Usage Report). The three policy documents are shown below.
    1. Select the policy document you need.

      Cost policy:

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CloudCheckrCostPermissions",
      "Effect":"Allow",
      "Action":[
      "ec2:DescribeAccountAttributes",
      "ec2:DescribeAvailabilityZones",
      "ec2:DescribeReservedInstancesOfferings",
      "ec2:DescribeReservedInstances",
      "ec2:DescribeReservedInstancesListings",
      "ec2:DescribeHostReservationOfferings",
      "ec2:DescribeReservedInstancesModifications",
      "ec2:DescribeHostReservations",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceStatus",
      "ec2:DescribeRegions",
      "ec2:DescribeKeyPairs",
      "ec2:DescribePlacementGroups",
      "ec2:DescribeAddresses",
      "ec2:DescribeSpotInstanceRequests",
      "ec2:DescribeImages",
      "ec2:DescribeImageAttribute",
      "ec2:DescribeSnapshots",
      "ec2:DescribeVolumes",
      "ec2:DescribeTags",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeInstanceAttribute",
      "ec2:DescribeVolumeStatus",
      "elasticache:DescribeReservedCacheNodes",
      "elasticache:DescribeReservedCacheNodesOfferings",
      "rds:DescribeReservedDBInstances",
      "rds:DescribeReservedDBInstancesOfferings",
      "rds:DescribeDBInstances",
      "redshift:DescribeReservedNodes",
      "redshift:DescribeReservedNodeOfferings",
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:List*",
      "dynamodb:DescribeReservedCapacity",
      "dynamodb:DescribeReservedCapacityOfferings",
      "iam:GetAccountAuthorizationDetails",
      "iam:ListRolePolicies",
      "iam:ListAttachedRolePolicies"
      ],
      "Resource":"*"
      }
      ]
      }

      Billing policy (Detailed Billing Report):

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CostReadDBR",
      "Effect":"Allow",
      "Action":[
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:GetObject"
      ],
      "Resource":[
      "arn:aws-us-gov:s3:::[YOUR DETAILED BILLING REPORT BUCKET]",
      "arn:aws-us-gov:s3:::[YOUR DETAILED BILLING REPORT BUCKET]/*"
      ]
      }
      ]
      }

      Billing policy (Cost and Usage Report):

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CostReadCUR",
      "Effect":"Allow",
      "Action":[
      "s3:GetObject"
      ],
      "Resource":[
      "arn:aws-us-gov:s3:::[YOUR COST AND USAGE REPORT BUCKET]",
      "arn:aws-us-gov:s3:::[YOUR COST AND USAGE REPORT BUCKET]/*"
      ]
      }
      ]
      }

    2. Copy the entire contents of the policy document to your clipboard.
    3. Return to the Create policy page in the AWS GovCloud Management Console.
    4. Click the JSON tab.

    5. Replace the text in the JSON tab with the policy you just copied.
      In your Billing policy, make sure that you replace the dummy S3 bucket name with the name of the S3 bucket where your Detailed Billing Report (DBR) or Cost and Usage Report (CUR) data is stored. Keep the arn:aws-us-gov: prefix on the bucket ARNs; resources in the GovCloud (US) partition use it instead of the commercial arn:aws: prefix, and a policy copied from a commercial-region document will not match your GovCloud bucket.

    6. Click Review policy.
    7. Type a name for the policy and click Create policy.

      AWS adds the new policy to the list.
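Before you paste a policy into the JSON tab, it is worth checking it mechanically: that it still parses after you edited it, that no "[YOUR ... BUCKET]" placeholder survived, that every resource ARN uses the aws-us-gov partition, and which actions are not plain Describe/Get/List reads. The script below is an added example for this procedure, not CloudCheckr's code; the bucket name and the second, deliberately wrong policy are constructed, and the read-only heuristic (verb starts with Describe, Get or List) is an assumption of this example, so anything it lists under review_actions is meant for a human to look at, not to be removed automatically.

```python
"""Pre-flight checks for the GovCloud IAM policy documents (added example)."""
import json
import re

# Matches the "[YOUR ... BUCKET]" placeholders used in the policy documents above.
PLACEHOLDER_RE = re.compile(r"\[YOUR [^\]]+\]")
# Verbs treated as read-only by this example; anything else is surfaced for review.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
GOVCLOUD_PARTITION = "arn:aws-us-gov:"

# Billing (DBR) policy document from the procedure above, reproduced unchanged.
DBR_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CostReadDBR",
    "Effect": "Allow",
    "Action": ["s3:GetBucketACL", "s3:GetBucketLocation", "s3:GetBucketLogging",
               "s3:GetBucketPolicy", "s3:GetBucketTagging", "s3:GetBucketWebsite",
               "s3:GetBucketNotification", "s3:GetLifecycleConfiguration",
               "s3:GetNotificationConfiguration", "s3:GetObject"],
    "Resource": ["arn:aws-us-gov:s3:::[YOUR DETAILED BILLING REPORT BUCKET]",
                 "arn:aws-us-gov:s3:::[YOUR DETAILED BILLING REPORT BUCKET]/*"]
  }]
}"""

# Constructed counter-example: a policy copied from a commercial-region document,
# so it carries the arn:aws: partition, plus an action that is not read-only.
BAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CopiedFromCommercial",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "support:*"],
    "Resource": ["arn:aws:s3:::example-cur-bucket", "arn:aws:s3:::example-cur-bucket/*"]
  }]
}"""


def fill_placeholders(policy_text, bucket_name):
    """Substitute every "[YOUR ... BUCKET]" placeholder with the real bucket name."""
    return PLACEHOLDER_RE.sub(bucket_name, policy_text)


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_policy(policy_text):
    """Return {'ok': bool, 'findings': [...], 'review_actions': [...]}.

    findings       - hard errors: invalid JSON, leftover placeholder, non-GovCloud partition
    review_actions - allowed actions whose verb is not Describe/Get/List
    """
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "findings": ["invalid JSON: %s" % exc], "review_actions": []}

    findings = []
    if PLACEHOLDER_RE.search(policy_text):
        findings.append("placeholder bucket name still present")

    review_actions = []
    for stmt in _as_list(doc.get("Statement")):
        for arn in _as_list(stmt.get("Resource")):
            # "*" is not an ARN; only explicit ARNs carry a partition to check.
            if arn.startswith("arn:") and not arn.startswith(GOVCLOUD_PARTITION):
                findings.append("non-GovCloud partition in resource: " + arn)
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[-1]
            if not verb.startswith(READ_ONLY_PREFIXES):
                review_actions.append(action)

    return {"ok": not findings, "findings": findings, "review_actions": review_actions}


if __name__ == "__main__":
    filled = fill_placeholders(DBR_POLICY_TEMPLATE, "example-dbr-bucket")  # constructed name
    print(json.dumps(lint_policy(filled), indent=2))              # clean
    print(json.dumps(lint_policy(DBR_POLICY_TEMPLATE), indent=2))  # placeholder left behind
    print(json.dumps(lint_policy(BAD_POLICY), indent=2))          # wrong partition, support:*
```

Run it once per policy document after you have substituted your bucket name; a non-empty findings list means the policy should not be created as-is, while review_actions is the list you justify against your organization's least-privilege requirements before clicking Create policy.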

  1. Return to the IAM dashboard and click Groups.

  2. Click the Create New Group button.

    The Create New Group Wizard opens.

  3. Type a group name. Click Next Step.
  4. Select the checkboxes associated with the Cost and Billing policies you created and click Next Step.

    The page displays the new IAM group name and shows that the policies are now attached.
  5. Click Create Group.

    AWS adds the new IAM group to the group list.

  1. Return to the IAM dashboard and click Users.

  2. Click the Add user button.

    The Add User wizard screen displays.

  3. On this screen:
    • Type the username.
    • Select the Programmatic access check box to generate an access key ID and secret access key.
    • Click Next: Permissions.

    The Set permissions screen displays. The Add user to group button is selected by default.

  4. Select the checkbox associated with your IAM group and click Next: Tags.

    The Add tags (optional) page displays. For the purposes of this procedure, you will not add tags.

  5. Click Next: Review.

    The page displays the name of the IAM user and the group that the IAM user belongs to.

  6. Review your choices and click Create user.
  7. Download or copy and save the access key ID and secret access key to a safe location and click Close.

    AWS shows the secret access key only once; if you lose it, you must create a new access key. Store the pair in your organization's secrets manager rather than in a shared document or source control.

    You will use these keys as your payer credentials if your Master Payer account is directly linked to your GovCloud account.

  1. Launch CloudCheckr.
  2. From the right side of the screen, click NEW ACCOUNT.

    The New Account screen displays.

  3. Type a unique name for your account and in the Cloud Provider section, select Amazon Web Services.
  4. Scroll down to the Navigation Visibility section and select the check boxes next to the modules and sections you want to be accessible for this account.
  5. At the bottom of the New Account page, click Create.

    CloudCheckr opens the Configure Account page. You will need to create a role in AWS before you can complete the configuration.

  1. Return to the IAM dashboard and click Roles.

    The Roles page opens.

  2. From the middle of the page, click Create role.

    The Create role page opens.

  3. In the Select type of trusted entity section, click Another AWS account.

    The screen prompts you to add an Account ID value.

  4. To obtain the Account ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Click the Use a Role for Cross-Account Access tab.
    3. Click Toggle Manual vs CloudFormation to view the instructions on how to create a cross-account role manually.
    4. Copy the Account ID.

  5. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the Account ID.
    2. In the Options section, select the Require external ID checkbox.

      AWS displays more information about the purpose of the external ID.

  6. To obtain the External ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Copy the external ID.

  7. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the External ID.
    2. Verify that the Require MFA checkbox is not selected.
  8. Click Next: Permissions.

    A list of policies displays.

  9. Select the checkboxes next to your Cost and Billing policies and click Next: Tags.

    For the purposes of this procedure, we will not add tags.

  10. Click Next: Review.

    The Review page opens.

  11. Type a name for the role and click Create role.

    The role is now displayed in the list.

  12. Select the checkbox next to the new role and click the role name.

    The Summary page for the selected role opens.

    At the top of the page, you will see the Role ARN value.

    ARN values use this format: arn:aws-us-gov:iam::YourAccountIDHere:role/CloudCheckrRole

  13. Click the Copy icon next to the ARN value.
  14. Return to the Configure Accounts page in CloudCheckr.
    1. Paste the Role ARN value into the AWS Role ARN field.
    2. Click Update.

      Your Master Payer account now has the role it needs to ingest the cost data from the AWS GovCloud region.

  1. Return to the IAM dashboard and click Policies.
  2. From the list of policies, select the checkbox next to the Cost policy.
  3. From the Policy actions menu, select Attach.

    The Attach Policy page opens.

  4. From the Filter drop-down menu, select Roles.

  5. Select the checkbox next to your role and click Attach policy.
  6. Repeat these steps to attach the Billing policy to your role.
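The role you just created trusts "Another AWS account" (CloudCheckr's account ID) and requires the external ID shown on the Configure Accounts page. The console writes that choice into the role's trust policy as a StringEquals condition on sts:ExternalId. The script below is an added example, not CloudCheckr's code: it builds the trust policy the console produces for those choices and then evaluates a few sts:AssumeRole requests against it, so you can see that a caller in the trusted account without the right external ID is refused, and that the same role without the condition would let any principal in that account who knows your role ARN assume it (the confused-deputy problem the external ID exists to prevent). The account ID and external ID are constructed placeholders; use the values CloudCheckr displays. The evaluator covers only this trust-policy shape, not the full IAM policy language.

```python
"""Cross-account trust policy with an external ID (added example)."""
import json

CLOUDCHECKR_ACCOUNT_ID = "111122223333"  # constructed; use the Account ID CloudCheckr shows
EXTERNAL_ID = "example-external-id"       # constructed; use the External ID CloudCheckr shows


def build_trust_policy(trusted_account_id, external_id=None, partition="aws-us-gov"):
    """Trust policy equivalent to the console choices above.

    trusted entity = Another AWS account (trusted_account_id); when external_id
    is given, the Require external ID option adds the sts:ExternalId condition.
    The partition defaults to the GovCloud (US) one the console uses for this role.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:%s:iam::%s:root" % (partition, trusted_account_id)},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(trust_policy, caller_account_id, external_id=None):
    """Decide whether an sts:AssumeRole request matches this trust policy.

    Handles only the shape produced by build_trust_policy: an AWS principal of
    the form arn:<partition>:iam::<account>:root and an optional StringEquals
    condition on sts:ExternalId. The request is allowed when the caller's
    account is the trusted account and, if the condition is present, the
    external ID it supplied equals the required one.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal_arn = stmt["Principal"]["AWS"]
        trusted_account = principal_arn.split(":")[4]  # arn:partition:iam::ACCOUNT:root
        if caller_account_id != trusted_account:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


if __name__ == "__main__":
    strict = build_trust_policy(CLOUDCHECKR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(strict, indent=2))
    # The intended caller with the right external ID gets in; everyone else does not.
    print(assume_role_allowed(strict, CLOUDCHECKR_ACCOUNT_ID, EXTERNAL_ID))  # True
    print(assume_role_allowed(strict, CLOUDCHECKR_ACCOUNT_ID, "guessed-id"))  # False
    print(assume_role_allowed(strict, "999988887777", EXTERNAL_ID))         # False
    # Without the condition, any principal in the trusted account can assume the role.
    loose = build_trust_policy(CLOUDCHECKR_ACCOUNT_ID)
    print(assume_role_allowed(loose, CLOUDCHECKR_ACCOUNT_ID))                 # True
```

After the role exists, open its Trust relationships tab and confirm the document matches the strict form above: one Allow statement for sts:AssumeRole, the CloudCheckr account as the only principal, and the sts:ExternalId condition present. Treat the external ID as a shared secret between you and CloudCheckr; do not reuse it across roles or vendors.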

All GovCloud activity, usage, and billing are managed through a standard AWS account referred to as the linked commercial account.

  1. Log in to the AWS GovCloud Management Console.
  2. Click All services and select IAM.
  3. From the dashboard, click Policies.
  4. Click Create policy.
  5. Create the Security and Inventory policies. The two policy documents are shown below.
    1. Select the policy document you need.

      Security policy:

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"SecurityPermissions",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "logs:GetLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:DescribeDeliveryChannels",
      "config:DescribeDeliveryChannelStatus",
      "config:DescribeConfigurationRecorders",
      "config:DescribeConfigurationRecorderStatus",
      "ec2:Describe*",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "rds:Describe*",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes"
      ],
      "Resource":"*"
      }
      ]
      }

      Inventory policy:

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"InventoryAndUtilization",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "ec2:Describe*",
      "ec2:GetConsoleOutput",
      "autoscaling:Describe*",
      "cloudformation:DescribeStacks",
      "cloudformation:GetStackPolicy",
      "cloudformation:GetTemplate",
      "cloudformation:ListStackResources",
      "cloudfront:List*",
      "cloudfront:GetDistributionConfig",
      "cloudfront:GetStreamingDistributionConfig",
      "cloudhsm:Describe*",
      "cloudhsm:List*",
      "cloudsearch:Describe*",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "cloudwatch:DescribeAlarms",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "cognito-identity:ListIdentities",
      "cognito-identity:ListIdentityPools",
      "cognito-idp:ListGroups",
      "cognito-idp:ListIdentityProviders",
      "cognito-idp:ListUserPools",
      "cognito-idp:ListUsers",
      "cognito-idp:ListUsersInGroup",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:Describe*",
      "datapipeline:ListPipelines",
      "datapipeline:GetPipelineDefinition",
      "datapipeline:DescribePipelines",
      "directconnect:DescribeLocations",
      "directconnect:DescribeConnections",
      "directconnect:DescribeVirtualInterfaces",
      "dynamodb:ListTables",
      "dynamodb:DescribeTable",
      "dynamodb:ListTagsOfResource",
      "ecs:ListClusters",
      "ecs:DescribeClusters",
      "ecs:ListContainerInstances",
      "ecs:DescribeContainerInstances",
      "ecs:ListServices",
      "ecs:DescribeServices",
      "ecs:ListTaskDefinitions",
      "ecs:DescribeTaskDefinition",
      "ecs:ListTasks",
      "ecs:DescribeTasks",
      "ssm:ListResourceDataSync",
      "ssm:ListAssociations",
      "ssm:ListDocumentVersions",
      "ssm:ListDocuments",
      "ssm:ListInstanceAssociations",
      "ssm:ListInventoryEntries",
      "elasticache:Describe*",
      "elasticache:List*",
      "elasticbeanstalk:Describe*",
      "elasticfilesystem:DescribeFileSystem",
      "elasticfilesystem:DescribeTags",
      "elasticloadbalancing:Describe*",
      "elasticmapreduce:Describe*",
      "elasticmapreduce:List*",
      "es:ListDomainNames",
      "es:DescribeElasticsearchDomains",
      "glacier:ListTagsForVault",
      "glacier:DescribeVault",
      "glacier:GetVaultNotifications",
      "glacier:DescribeJob",
      "glacier:GetJobOutput",
      "glacier:ListJobs",
      "glacier:ListVaults",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "iot:DescribeThing",
      "iot:ListThings",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "kinesis:ListStreams",
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
      "lambda:ListFunctions",
      "lambda:ListTags",
      "Organizations:List*",
      "Organizations:Describe*",
      "rds:Describe*",
      "rds:List*",
      "redshift:Describe*",
      "route53:ListHealthChecks",
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:List*",
      "sdb:ListDomains",
      "sdb:DomainMetadata",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes",
      "storagegateway:Describe*",
      "storagegateway:List*",
      "support:*",
      "swf:ListClosedWorkflowExecutions",
      "swf:ListDomains",
      "swf:ListActivityTypes",
      "swf:ListWorkflowTypes",
      "workspaces:DescribeWorkspaceDirectories",
      "workspaces:DescribeWorkspaceBundles",
      "workspaces:DescribeWorkspaces"
      ],
      "Resource":"*"
      }
      ]
      }

    2. Copy the entire contents of the policy document to your clipboard.
    3. Return to the Create policy page in the AWS GovCloud Management Console.
    4. Click the JSON tab.
    5. Replace the text in the JSON tab with the policy you just copied.

      Note that the Inventory policy includes support:*, which grants every AWS Support action, including creating and modifying support cases, not only read access. Confirm that this is acceptable under your organization's least-privilege requirements before you create the policy.
    6. Click Review policy.
    7. Type a name for the policy and click Create policy.

      AWS adds the new policy to the list.

  1. Return to the IAM dashboard and click Groups.
  2. Click the Create New Group button.
  3. Type a group name. Click Next Step.
  4. Select the checkboxes associated with the Security and Inventory policies you created and click Next Step.
  5. Click Create Group.

    AWS adds the new IAM group to the group list.

  1. Return to the IAM dashboard and click Users.
  2. Click the Add user button.
  3. On this screen:
    • Type the username.
    • Select the Programmatic access check box to generate an access key ID and secret access key.
    • Click Next: Permissions.

    The Set permissions screen displays. The Add user to group button is selected by default.
  4. Select the checkbox associated with your IAM group and click Next: Tags.
  5. Click Next: Review.
  6. Review your choices and click Create user.
  7. Download or copy and save the access key ID and secret access key to a safe location and click Close. AWS shows the secret access key only once.

    You will use these keys as your payer credentials if your Linked Commercial account is a payee of the Master Payer account.

  1. Launch CloudCheckr.
  2. From the right side of the screen, click NEW ACCOUNT.

    The New Account screen displays.

  3. Type a unique name for your account and in the Cloud Provider section, select Amazon Web Services.
  4. Scroll down to the Navigation Visibility section and select the check boxes next to the modules and sections you want to be accessible for this account.
  5. At the bottom of the New Account page, click Create.

    CloudCheckr opens the Configure Account page. You will need to create a role in AWS before you can complete the configuration.

  1. Return to the IAM dashboard and click Roles.

  2. From the middle of the page, click Create role.

    The Create role page opens.

  3. In the Select type of trusted entity section, click Another AWS account.

    The screen prompts you to add an Account ID value.

  4. To obtain the Account ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Click Toggle Manual vs CloudFormation to view the instructions on how to create a cross-account role manually.
    3. Copy the Account ID.

  5. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the Account ID.
    2. In the Options section, select the Require external ID checkbox.

      AWS displays more information about the purpose of the external ID.

  6. To obtain the External ID value:
    1. Return to the Configure Accounts page in CloudCheckr.
    2. Copy the external ID.

  7. Return to the AWS GovCloud Management Console and perform the following steps:
    1. Paste the External ID.
    2. Verify that the Require MFA checkbox is not selected.
  8. Click Next: Permissions.

    A list of policies displays.

  9. Select the checkbox next to the policy or policies you want to attach to this role and click Next: Tags.

    For the purposes of this procedure, we will not add tags.

  10. Click Next: Review.

    The Review page opens.

  11. Type a name for the role and click Create role.

    The role is now displayed in the list.

  12. Select the checkbox next to the new role and click the role name.

    The Summary page for the selected role opens.

    At the top of the page, you will see the Role ARN value.

    ARN values use this format: arn:aws-us-gov:iam::YourAccountIDHere:role/CloudCheckrRole

  13. Click the Copy icon next to the ARN value.
  14. Return to the Configure Accounts page in CloudCheckr.
    1. Paste the Role ARN value into the AWS Role ARN field.
    2. Click Update.

      Your Linked Commercial account now has the role it needs to ingest the inventory and security data from the AWS GovCloud region.

  1. Return to the IAM dashboard and click Policies.
  2. From the list of policies, select the checkbox next to the Security policy.
  3. From the Policy actions menu, select Attach.

    The Attach Policy page opens.
  4. From the Filter drop-down menu, select Roles.
  5. Select the checkbox next to your role and click Attach policy.
  6. Repeat these steps to attach the Inventory policy to your role.

  1. Return to the IAM dashboard and click Policies.
  2. Click Create policy.
  3. Create the Security, Inventory, CloudTrail, and CloudWatch Flow Logs policies. The four policy documents are shown below.
    1. Select the policy document you need.

      Security policy:

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"SecurityPermissions",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "logs:GetLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:DescribeDeliveryChannels",
      "config:DescribeDeliveryChannelStatus",
      "config:DescribeConfigurationRecorders",
      "config:DescribeConfigurationRecorderStatus",
      "ec2:Describe*",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "rds:Describe*",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes"
      ],
      "Resource":"*"
      }
      ]
      }

      Inventory policy:

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"InventoryAndUtilization",
      "Effect":"Allow",
      "Action":[
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "ec2:Describe*",
      "ec2:GetConsoleOutput",
      "autoscaling:Describe*",
      "cloudformation:DescribeStacks",
      "cloudformation:GetStackPolicy",
      "cloudformation:GetTemplate",
      "cloudformation:ListStackResources",
      "cloudfront:List*",
      "cloudfront:GetDistributionConfig",
      "cloudfront:GetStreamingDistributionConfig",
      "cloudhsm:Describe*",
      "cloudhsm:List*",
      "cloudsearch:Describe*",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetTrailStatus",
      "cloudwatch:DescribeAlarms",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:ListMetrics",
      "cognito-identity:ListIdentities",
      "cognito-identity:ListIdentityPools",
      "cognito-idp:ListGroups",
      "cognito-idp:ListIdentityProviders",
      "cognito-idp:ListUserPools",
      "cognito-idp:ListUsers",
      "cognito-idp:ListUsersInGroup",
      "config:DescribeConfigRules",
      "config:GetComplianceDetailsByConfigRule",
      "config:Describe*",
      "datapipeline:ListPipelines",
      "datapipeline:GetPipelineDefinition",
      "datapipeline:DescribePipelines",
      "directconnect:DescribeLocations",
      "directconnect:DescribeConnections",
      "directconnect:DescribeVirtualInterfaces",
      "dynamodb:ListTables",
      "dynamodb:DescribeTable",
      "dynamodb:ListTagsOfResource",
      "ecs:ListClusters",
      "ecs:DescribeClusters",
      "ecs:ListContainerInstances",
      "ecs:DescribeContainerInstances",
      "ecs:ListServices",
      "ecs:DescribeServices",
      "ecs:ListTaskDefinitions",
      "ecs:DescribeTaskDefinition",
      "ecs:ListTasks",
      "ecs:DescribeTasks",
      "ssm:ListResourceDataSync",
      "ssm:ListAssociations",
      "ssm:ListDocumentVersions",
      "ssm:ListDocuments",
      "ssm:ListInstanceAssociations",
      "ssm:ListInventoryEntries",
      "elasticache:Describe*",
      "elasticache:List*",
      "elasticbeanstalk:Describe*",
      "elasticfilesystem:DescribeFileSystem",
      "elasticfilesystem:DescribeTags",
      "elasticloadbalancing:Describe*",
      "elasticmapreduce:Describe*",
      "elasticmapreduce:List*",
      "es:ListDomainNames",
      "es:DescribeElasticsearchDomains",
      "glacier:ListTagsForVault",
      "glacier:DescribeVault",
      "glacier:GetVaultNotifications",
      "glacier:DescribeJob",
      "glacier:GetJobOutput",
      "glacier:ListJobs",
      "glacier:ListVaults",
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "iot:DescribeThing",
      "iot:ListThings",
      "kms:DescribeKey",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      "kms:ListKeys",
      "kms:ListKeyPolicies",
      "kms:ListResourceTags",
      "kinesis:ListStreams",
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
      "lambda:ListFunctions",
      "lambda:ListTags",
      "Organizations:List*",
      "Organizations:Describe*",
      "rds:Describe*",
      "rds:List*",
      "redshift:Describe*",
      "route53:ListHealthChecks",
      "route53:ListHostedZones",
      "route53:ListResourceRecordSets",
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:List*",
      "sdb:ListDomains",
      "sdb:DomainMetadata",
      "ses:ListIdentities",
      "ses:GetSendStatistics",
      "ses:GetIdentityDkimAttributes",
      "ses:GetIdentityVerificationAttributes",
      "ses:GetSendQuota",
      "sns:GetSnsTopic",
      "sns:GetTopicAttributes",
      "sns:GetSubscriptionAttributes",
      "sns:ListTopics",
      "sns:ListSubscriptionsByTopic",
      "sqs:ListQueues",
      "sqs:GetQueueAttributes",
      "storagegateway:Describe*",
      "storagegateway:List*",
      "support:*",
      "swf:ListClosedWorkflowExecutions",
      "swf:ListDomains",
      "swf:ListActivityTypes",
      "swf:ListWorkflowTypes",
      "workspaces:DescribeWorkspaceDirectories",
      "workspaces:DescribeWorkspaceBundles",
      "workspaces:DescribeWorkspaces"
      ],
      "Resource":"*"
      }
      ]
      }

      CloudTrail policy:

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CloudTrailPermissions",
      "Effect":"Allow",
      "Action":[
      "s3:GetBucketACL",
      "s3:GetBucketLocation",
      "s3:GetBucketLogging",
      "s3:GetBucketPolicy",
      "s3:GetBucketTagging",
      "s3:GetBucketWebsite",
      "s3:GetBucketNotification",
      "s3:GetLifecycleConfiguration",
      "s3:GetNotificationConfiguration",
      "s3:GetObject",
      "s3:List*"
      ],
      "Resource":[
      "arn:aws-us-gov:s3:::[YOUR CLOUDTRAIL BUCKET]",
      "arn:aws-us-gov:s3:::[YOUR CLOUDTRAIL BUCKET]/*"
      ]
      }
      ]
      }

      CloudWatch Flow Logs policy:

      {
      "Version":"2012-10-17",
      "Statement":[
      {
      "Sid":"CloudWatchLogsSpecific",
      "Effect":"Allow",
      "Action":[
      "logs:GetLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams"
      ],
      "Resource":[
      "arn:aws-us-gov:logs:*:*:*"
      ]
      }
      ]
      }
    2. Copy the entire contents of the policy document to your clipboard.
    3. Return to the Create policy page in the AWS GovCloud Management Console.
    4. Click the JSON tab.
    5. Replace the text in the JSON tab with the policy you just copied.

      In your CloudTrail policy, make sure that you replace the dummy S3 bucket name with the name of the S3 bucket where your CloudTrail data is stored, and keep the arn:aws-us-gov: prefix on the bucket ARNs; GovCloud (US) resources use it instead of the commercial arn:aws: prefix.
    6. Click Review policy.
    7. Type a name for the policy and click Create policy.

      AWS adds the new policy to the list.

  1. Return to the IAM dashboard and click Groups.
  2. Click the Create New Group button.
  3. Type a group name. Click Next Step.
  4. Select the checkboxes associated with the Security, Inventory, CloudTrail, and CloudWatch Flow Logs policies you created and click Next Step.
  5. Click Create Group.

    AWS adds the new IAM group to the group list.

  1. Return to the IAM dashboard and click Users.
  2. Click the Add user button.
  3. On this screen:
    • Type the username.
    • Select the Programmatic access check box to generate an access key ID and secret access key.
    • Click Next: Permissions.

    The Set permissions screen displays. The Add user to group button is selected by default.
  4. Select the checkbox associated with your IAM group and click Next: Tags.
  5. Click Next: Review.
  6. Review your choices and click Create user.
  7. Download or copy and save the access key ID and secret access key to a safe location and click Close. AWS shows the secret access key only once.

    You will use these keys as your GovCloud credentials in CloudCheckr.

  1. Return to the IAM dashboard and click Policies.
  2. From the list of policies, select the checkbox next to the Security policy.
  3. From the Policy actions menu, select Attach.

    The Attach Policy page opens.

  4. From the Filter drop-down menu, select Users.
  5. Select the checkbox next to your user and click Attach policy.
  6. Repeat these steps to attach the remaining policies to your user.

  1. Return to the Configure Accounts page in CloudCheckr.
  2. Click the Use an IAM Access Key tab.
  3. In step 9, paste the access key ID and secret access key from the IAM user you just created for your GovCloud account.
  4. For the account type, select the Credentials are for the GovCloud (US) Region radio button.

    CloudCheckr displays additional fields.

  5. In step 11, paste the access key ID and secret access key of the payer.
  6. Click Update.


Post Configuration

Depending on the size of your AWS deployment, it may take CloudCheckr a few minutes or a few hours to create your initial account snapshot.

Once complete, CloudCheckr will send you the Inventory Summary, S3 Summary, and Best Practices Report email(s) if you provided an email address during configuration.
