If you want a more streamlined method to create the least privilege policies and a cross-account role, use the CloudFormation template.
Prerequisite: We recommend that you create a CloudCheckr account before you create least privilege policies.
As part of your account preparation, you will create least privilege policies—individual policies you will attach to your cross-account role that allow CloudCheckr to access the AWS data it needs to create its reports.
Each least privilege policy provides permissions to a core function in our application:
Cost
Billing
Security/Compliance
Inventory
CloudTrail
CloudWatch Flow Logs
In theory, one big policy might seem easier to manage. But by attaching only the policies you select, you ensure that whoever assumes the cross-account role has only the permissions needed for the job and nothing more.
This procedure shows you how to create the least privilege policies in the AWS Management Console.
Procedure
Log in to the AWS Management Console. The AWS services page opens.
Scroll down to the Security, Identity & Compliance section and select IAM. The Welcome to Identity and Access Management screen displays.
From the dashboard, click Policies. A list of policies displays.
Click Create policy. The Create Policy page opens.
For each core function of CloudCheckr that you want the cross-account role to have access to, follow these steps:
Click the button for that function to display its policy document.
CloudCheckr attempts to ingest data from all of the AWS core features to populate the Cost, Billing, Security/Compliance, Inventory, CloudTrail, and CloudWatch Flow Log reports. Because CloudCheckr makes these calls even for the categories you have not granted permissions for, you will see access-denied events (errorCode AccessDenied, or Client.UnauthorizedOperation for EC2 calls) in your CloudTrail logs. These events are an artifact of the CloudCheckr workflow and do not indicate an attempt by CloudCheckr to collect information you have not authorized. Denied calls made through the role against a function you did grant are the ones worth investigating, because they usually mean a policy was not attached or is missing an action.
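To tell the expected denials apart from the ones worth investigating, the following Python is an added example (not CloudCheckr code) that filters a trail for access-denied events made through the cross-account role and groups them by the core function the denied service maps to, keeping denials by other principals separate. The CloudTrail records are constructed, and the role name, account ID and the eventSource-to-function mapping are assumptions.

```python
"""Triage access-denied CloudTrail events from a cross-account reporting role.

Added example, not CloudCheckr code: it confirms that the denied calls you see
come from the vendor's role and correspond to the core functions you chose not
to grant, so they can be separated from denials that need a closer look.
The records below are constructed; the role name, account ID and the
eventSource-to-function mapping are assumptions.
"""
from collections import Counter

ROLE_NAME = "CloudCheckr-CrossAccount"  # assumption: whatever you named the role
ACCOUNT_ID = "123456789012"             # assumption: your AWS account ID

# Assumption: which service endpoint serves which core function.
SOURCE_TO_FUNCTION = {
    "ce.amazonaws.com": "Cost",
    "cur.amazonaws.com": "Billing",
    "iam.amazonaws.com": "Security/Compliance",
    "ec2.amazonaws.com": "Inventory",
    "cloudtrail.amazonaws.com": "CloudTrail",
    "logs.amazonaws.com": "CloudWatch Flow Logs",
}


def _role_call(source, name, error_code=None):
    """Build a constructed CloudTrail record for a call made via ROLE_NAME."""
    rec = {
        "eventSource": source,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/vendor-session",
        },
    }
    if error_code:
        rec["errorCode"] = error_code
    return rec


# Constructed sample trail: two Billing denials, one Flow Logs denial, one
# denial on a granted function, one successful call, and one denial by a human.
SAMPLE_RECORDS = [
    _role_call("cur.amazonaws.com", "DescribeReportDefinitions", "AccessDenied"),
    _role_call("cur.amazonaws.com", "DescribeReportDefinitions", "AccessDenied"),
    _role_call("logs.amazonaws.com", "DescribeLogGroups", "AccessDenied"),
    _role_call("ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    _role_call("ec2.amazonaws.com", "DescribeVolumes"),
    {
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/alice"},
    },
]


def is_access_denied(record):
    """CloudTrail reports authorization failures as AccessDenied (most services)
    or Client.UnauthorizedOperation (EC2); successful calls carry no errorCode."""
    code = record.get("errorCode", "")
    return "AccessDenied" in code or "UnauthorizedOperation" in code


def caller_is_role(record, role_name):
    """True when the call used credentials from an assumed role with that name."""
    ident = record.get("userIdentity", {})
    return ident.get("type") == "AssumedRole" and f":assumed-role/{role_name}/" in ident.get("arn", "")


def summarize_denials(records, role_name, granted_functions):
    """Split denied calls into three buckets:
    expected   - from the role, on a function you did not grant (workflow noise)
    unexpected - from the role, on a function you did grant (policy missing/misattached)
    other      - denials by other principals, which the vendor role does not explain
    Keys are (function, eventSource, eventName); values are counts.
    """
    expected, unexpected, other = Counter(), Counter(), Counter()
    for rec in records:
        if not is_access_denied(rec):
            continue
        if not caller_is_role(rec, role_name):
            other[rec.get("userIdentity", {}).get("arn", "unknown")] += 1
            continue
        function = SOURCE_TO_FUNCTION.get(rec["eventSource"], "unknown")
        key = (function, rec["eventSource"], rec["eventName"])
        bucket = unexpected if function in granted_functions else expected
        bucket[key] += 1
    return {"expected": dict(expected), "unexpected": dict(unexpected), "other_principals": dict(other)}


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_RECORDS, ROLE_NAME, granted_functions={"Cost", "Inventory"})
    for bucket, counts in summary.items():
        print(bucket)
        for key, n in counts.items():
            print(f"  {n:3d}  {key}")
```

In a real deployment, feed `summarize_denials` the records from your trail's S3 objects or a CloudTrail Lake / Athena query and pass the set of core functions you actually attached; anything in the `unexpected` bucket is a policy to fix, while `other_principals` keeps human or application denials from being blamed on the vendor role.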
To help you maintain a secure, least privilege configuration, CloudCheckr's Security/Compliance policy does not include any s3:GetObject permission. If a report you need requires it, you can add s3:GetObject to the policy; scope the Resource to the specific bucket (and prefix) that report reads rather than granting it on all buckets.
As per the latest AWS requirements, CloudCheckr's CloudFormation template and the Inventory policy do not include s3:GetEncryptionConfiguration by default. Without this permission, however, CloudCheckr cannot retrieve the information it needs for the S3 Bucket Without Default Encryption Enabled Best Practice Check (BPC). If you decide not to add this permission to your policy, we recommend that you ignore or disable that BPC so it does not report false negatives.
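As an added example tying together the per-function policy selection above and the two permission decisions just described (illustrative code, not CloudCheckr's policy documents or its CloudFormation template), the Python below assembles a cross-account trust policy and one policy per selected core function, adds s3:GetObject scoped to a single bucket and prefix, adds s3:GetEncryptionConfiguration to the Inventory policy, and lints the result for data-access grants on every resource. The action lists, vendor account ID and ExternalId are placeholders; the ExternalId condition on the trust policy is the standard AWS cross-account pattern and is an assumption, not something the page states.

```python
"""Assemble least-privilege policies and a cross-account role trust policy.

Added example, not CloudCheckr's code or policy documents. The per-function
action lists are illustrative placeholders (assumption); take the real
documents from the console buttons or the CloudFormation template. The vendor
account ID and ExternalId are assumptions; the ExternalId condition is the
standard AWS cross-account pattern and is not stated on the page.
"""
import copy
import json

VENDOR_ACCOUNT_ID = "111111111111"                     # assumption: vendor's AWS account
EXTERNAL_ID = "replace-with-your-unique-external-id"   # assumption: per-customer secret

# Assumption: illustrative read-only actions per core function (real AWS action
# names, but not the vendor's actual lists).
FUNCTION_ACTIONS = {
    "Cost": ["ce:GetCostAndUsage", "ce:GetReservationUtilization"],
    "Billing": ["cur:DescribeReportDefinitions", "budgets:ViewBudget"],
    "Security/Compliance": ["iam:GetAccountSummary", "iam:ListUsers", "s3:GetBucketPolicy"],
    "Inventory": ["ec2:DescribeInstances", "s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    "CloudTrail": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents"],
    "CloudWatch Flow Logs": ["ec2:DescribeFlowLogs", "logs:DescribeLogGroups"],
}

# Actions that read customer data rather than metadata; these must be scoped.
DATA_ACCESS_ACTIONS = {"s3:GetObject"}


def trust_policy(vendor_account_id=VENDOR_ACCOUNT_ID, external_id=EXTERNAL_ID):
    """Let the vendor account assume the role only when it presents the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def function_policy(function):
    """One read-only policy for one core function."""
    sid = "".join(ch for ch in function if ch.isalnum()) + "ReadOnly"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(FUNCTION_ACTIONS[function]),
            "Resource": "*",  # Describe/List metadata calls are account-wide by nature
        }],
    }


def build_role_bundle(selected_functions):
    """Trust policy plus one policy per selected function, and nothing for the rest."""
    unknown = sorted(set(selected_functions) - set(FUNCTION_ACTIONS))
    if unknown:
        raise ValueError(f"unknown core function(s): {unknown}")
    return {
        "trust_policy": trust_policy(),
        "policies": {name: function_policy(name) for name in selected_functions},
    }


def add_actions(policy, sid, actions, resource="*"):
    """Return a copy of policy with an extra Allow statement, for example the
    s3:GetEncryptionConfiguration the bucket-encryption check needs."""
    updated = copy.deepcopy(policy)
    updated["Statement"].append(
        {"Sid": sid, "Effect": "Allow", "Action": sorted(actions), "Resource": resource}
    )
    return updated


def add_scoped_s3_get_object(policy, bucket, prefix=""):
    """Grant s3:GetObject on one bucket (and optional prefix) only, never on '*'."""
    return add_actions(policy, "ScopedGetObject", ["s3:GetObject"], f"arn:aws:s3:::{bucket}/{prefix}*")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy):
    """Return Sids of Allow statements granting a data-access action, a service
    wildcard (e.g. s3:*) or '*' on every resource. Describe/List calls on
    Resource '*' are normal and are not flagged."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") or a in DATA_ACCESS_ACTIONS for a in actions)
        if broad_action and "*" in resources:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    bundle = build_role_bundle(["Cost", "Inventory"])
    bundle["policies"]["Inventory"] = add_actions(
        bundle["policies"]["Inventory"], "BucketEncryptionCheck", ["s3:GetEncryptionConfiguration"]
    )
    print(json.dumps(bundle, indent=2))
    for name, pol in bundle["policies"].items():
        print(name, "broad statements:", find_broad_statements(pol))
```

Each policy in the bundle is what you would paste into the JSON tab of Create policy, and the trust policy is what the role itself carries; running `find_broad_statements` over the final documents before attaching them catches the one mistake this page warns about, s3:GetObject granted on every bucket.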