
AWS Cloud Security Configuration

According to Gartner, the #1 threat to cloud infrastructure is entitlements and permissions, and identifying risky permissions and misconfigurations is difficult. SolCyber partners with Ermetic Security to monitor customers’ cloud security posture. Ermetic addresses that #1 risk, identities, by detecting and prioritizing risky entitlements and misconfigurations at scale. It lets SolCyber continuously discover a customer’s cloud asset inventory and apply full-stack analytics to identify risk accurately and in context, so SolCyber can help customers manage access permissions, maintain cloud compliance and shift left on least privilege, reducing the cloud attack surface.

Prerequisites#

CloudTrail must be enabled in every account monitored by Ermetic. During setup, Ermetic automatically detects CloudTrail S3 buckets that live in the same account. If the account’s trail delivers to an S3 bucket in a different account, an additional setup step is required.

Create Ermetic IAM Role#

A read-only IAM role must be created for Ermetic. It is trusted by the Ermetic AWS account, protected by an external ID, and carries the AWS managed `SecurityAudit` policy plus the inline policy below. With one exception (`ecr:StartImageScan`, which triggers an image scan), every action in that inline policy is a Describe/Get/List-style read.

Create Role#

  • In the AWS Console, under IAM » Roles, click “Create Role”
  • Select the type of trusted entity “Another AWS account”
  • Enter Account ID “081802104111”
  • Check “Require external ID”, enter the external ID provided to you by SolCyber (the external ID is what prevents any other party that can use the Ermetic account from assuming your role) and click Next
  • Select the “SecurityAudit” policy and finish

Add Inline Role Policy#

  • Open the newly created role
  • Click “Add inline policy” in the “Permissions” tab
  • Enter the following policy and finish.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "batch:Describe*",
        "batch:List*",
        "cloudformation:Describe*",
        "cloudformation:List*",
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "cloudtrail:List*",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "cloudwatch:GetMetric*",
        "cloudwatch:ListMetrics",
        "cognito-sync:GetCognitoEvents",
        "config:Describe*",
        "dynamodb:Describe*",
        "dynamodb:List*",
        "ec2:Describe*",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
        "ecr:GetRepositoryPolicy",
        "ecr:List*",
        "ecr:StartImageScan",
        "ecr-public:Describe*",
        "ecr-public:GetRepositoryPolicy",
        "ecr-public:List*",
        "ecs:Describe*",
        "ecs:List*",
        "eks:Describe*",
        "eks:List*",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticloadbalancing:Describe*",
        "es:Describe*",
        "es:List*",
        "events:ListRules",
        "iam:Generate*",
        "iam:Get*",
        "iam:List*",
        "identitystore:Describe*",
        "inspector2:List*",
        "iot:GetTopicRule",
        "kms:Describe*",
        "kms:GetKey*",
        "kms:List*",
        "lambda:Get*Policy",
        "lambda:GetAccountSettings",
        "lambda:List*",
        "logs:Describe*",
        "organizations:Describe*",
        "organizations:List*",
        "rds:Describe*",
        "rds:List*",
        "redshift:Describe*",
        "redshift:List*",
        "s3:Describe*",
        "s3:GetAccessPoint*",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucket*",
        "s3:GetEncryptionConfiguration",
        "s3:GetJobTagging",
        "s3:ListAccessPoints",
        "s3:ListAllMyBuckets",
        "s3:ListBucketVersions",
        "s3:ListJobs",
        "secretsmanager:Describe*",
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*",
        "ssm:Describe*",
        "ssm:List*",
        "sso:Describe*",
        "sso:Get*",
        "sso:List*",
        "sso-directory:List*",
        "sso-directory:Search*",
        "sts:DecodeAuthorizationMessage",
        "tag:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::elasticbeanstalk-*"
    },
    {
      "Effect": "Allow",
      "Action": "apigateway:Get*",
      "NotResource": "arn:aws:apigateway:*::/apikeys*"
    }
  ]
}
```
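The console steps above (trusted account, external ID, `SecurityAudit`, inline policy) as one scripted procedure. This is an added example, not SolCyber’s or Ermetic’s code: it builds the trust policy with the `sts:ExternalId` condition that the “Require external ID” checkbox creates, flags any action in the inline policy that is not a read/report verb so you can review it before applying (on the page’s policy that is only `ecr:StartImageScan`), and issues the three IAM calls through a boto3-style client. The client is passed in, so the file runs offline against the `DryRunIam` stand-in; the policy excerpt, the role name `ErmeticReadOnly`, the example external ID and the account number `123456789012` are constructed for the example.

```python
"""Added example: create the Ermetic read-only cross-account role and sanity-check its policy."""
from __future__ import annotations

import json
from typing import Any

# From the page: the Ermetic account that assumes the role, and the managed policy it gets.
ERMETIC_ACCOUNT_ID = "081802104111"
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

# Verb prefixes that read state or generate reports. Anything else in the inline policy
# is flagged so a reviewer can decide whether it belongs in a "read-only" role.
READ_ONLY_VERB_PREFIXES = ("Describe", "Get", "List", "Lookup", "Generate", "Search", "Decode")

# Constructed excerpt of the page's inline policy (paste the full document in practice).
INLINE_POLICY_EXCERPT: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudtrail:LookupEvents", "ec2:Describe*", "ecr:StartImageScan",
                    "iam:Generate*", "lambda:Get*Policy", "sts:DecodeAuthorizationMessage"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::elasticbeanstalk-*"},
        {"Effect": "Allow", "Action": "apigateway:Get*",
         "NotResource": "arn:aws:apigateway:*::/apikeys*"},
    ],
}


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict[str, Any]:
    """Trust policy for the "Create Role" step: only the trusted account may assume the
    role, and only when it presents the external ID (the confused-deputy guard)."""
    if not external_id.strip():
        raise ValueError("external ID is required; never create the role without it")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def non_read_only_actions(policy: dict[str, Any]) -> list[str]:
    """Actions whose verb is not a read/report verb, e.g. ecr:StartImageScan."""
    flagged: list[str] = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if not verb.startswith(READ_ONLY_VERB_PREFIXES):
                flagged.append(action)
    return flagged


def create_ermetic_role(iam: Any, role_name: str, external_id: str,
                        inline_policy: dict[str, Any]) -> str:
    """The "Create Role" and "Add Inline Role Policy" steps through a boto3 IAM client
    (boto3.client("iam")); the client is a parameter so this file runs offline."""
    created = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(ERMETIC_ACCOUNT_ID, external_id)),
        Description="Read-only access for SolCyber/Ermetic cloud posture monitoring",
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SECURITY_AUDIT_POLICY_ARN)
    iam.put_role_policy(RoleName=role_name, PolicyName="ErmeticReadOnly",
                        PolicyDocument=json.dumps(inline_policy))
    return created["Role"]["Arn"]


class DryRunIam:
    """Stand-in for the boto3 IAM client that records calls instead of making them
    (assumption: only the three methods used above are needed)."""

    def __init__(self, account_id: str = "123456789012") -> None:
        self.account_id = account_id
        self.calls: list[tuple[str, dict[str, Any]]] = []

    def create_role(self, **kw: Any) -> dict[str, Any]:
        self.calls.append(("create_role", kw))
        return {"Role": {"Arn": f"arn:aws:iam::{self.account_id}:role/{kw['RoleName']}"}}

    def attach_role_policy(self, **kw: Any) -> None:
        self.calls.append(("attach_role_policy", kw))

    def put_role_policy(self, **kw: Any) -> None:
        self.calls.append(("put_role_policy", kw))


if __name__ == "__main__":
    print("Review before applying:", non_read_only_actions(INLINE_POLICY_EXCERPT))
    iam = DryRunIam()
    arn = create_ermetic_role(iam, "ErmeticReadOnly", "example-external-id", INLINE_POLICY_EXCERPT)
    print("Role ARN to send to SolCyber:", arn)
    print(json.dumps(json.loads(iam.calls[0][1]["AssumeRolePolicyDocument"]), indent=2))
```

To run it for real, replace `DryRunIam()` with `boto3.client("iam")` and the external ID with the one SolCyber issued; the returned ARN is the value requested in the next section. Keep the `external_id` check: a role that trusts account `081802104111` without the `sts:ExternalId` condition can be assumed on behalf of anyone who can drive that account.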

Provide Information to SolCyber to Complete Setup#

SolCyber will need the following information to complete the setup:

  • Account Name - this does not have to match the name of the AWS account, but it must be descriptive enough to tell accounts apart, especially if SolCyber monitors several of them. For example: “Acme PROD”, “Acme QA”, “Acme Test”.
  • Account ID
  • ARN for the newly created role
  • Which regions to monitor (generally, this is ALL)
  • The name of the CloudTrail to be used for monitoring