As part of your account preparation, you will create least privilege policies—individual policies you will attach to your cross-account role that allow CloudCheckr to access the AWS data it needs to create its reports.
Each least privilege policy provides permissions to a core function in our application:
Cost
Billing
Security/Compliance
Inventory
CloudTrail
CloudWatch Flow Logs
Although it may seem like one big policy would be easier to manage, applying these policies separately ensures that whoever uses the cross-account role only has access to the permissions they need to do their job—and nothing more.
This procedure will show you how to create the least privileged policies in the AWS Management Console.
Procedure
Log in to the
AWS Management Console.
The AWS services page opens.
Scroll down to the Security, Identity & Compliance section and select IAM.
The Welcome to Identity and Access Management screen displays.
From the dashboard, click Policies.
A list of policies displays.
Click Create policy.
The Create Policy page opens.
For each core function of CloudCheckr that you want a cross-account role to have access to, follow these steps:
Click a button to display the selected policy document.
Copy the entire contents of the policy document to your clipboard.
Return to the Create Policy page in the AWS Management Console.
Click the JSON tab.
Replace the text in the JSON tab with the policy you just copied.
For any Billing and CloudTrail policies, replace the dummy S3 bucket name with the name of the S3 bucket where AWS stores your Detailed Billing Report (DBR) or Cost Usage Report (CUR). Here is an example
from the Billing JSON file:
Click Review policy.
The Review policy page opens.
Type a name for the policy and click Create policy.
A message at the top of the policy page indicates that your policy has been created.
Repeat step 5 for each least privilege policy you want to attach to your cross-account role.
Click each button to review the exceptions to our default policy structure.
CloudCheckr will attempt to ingest data from all of the AWS core features to populate the Cost, Billing, Security, Inventory, and CloudWatch Flow Log reports. Since CloudCheckr must make calls even to those categories where you have not enabled permissions, you will see Unauthorized Access attempts in your CloudTrail logs.
These logs are only an indication of the CloudCheckr
workflow and in no way reflect an attempt on the part of CloudCheckr to collect unauthorized information from customers.
To help you maintain a secure, least privilege configuration, CloudCheckr's Security/Compliance policy does not include any s3:GetObject permissions. However, you can add the s3:GetObject permission to the following reports:
We recommend restricting this permission to only selected S3 bucket(s).
List of VPCs report: enables CloudCheckr to ingest data from the Elastic Beanstalk
applications for this report.
The default Security/Compliance policy will only display 0 as the number of Elastic Beanstalk applications within a VPC.
As per the latest AWS requirements, CloudCheckr's CloudFormation template and the Inventory policy do not include the s3:GetEncryptionConfiguration by default.
However, without this permission, CloudCheckr cannot get the information it needs to report on the S3 Bucket Without Default Encryption Enabled Best Practice Check (BPC). If you decide not to add this permission to your policy, we recommend that you ignore or disable this BPC to avoid any false negatives.
