Fortanix Key Insight - AWS Configuration for Scanning

1.0 Introduction

1.1 Purpose

Welcome to the Fortanix Key Insight – Amazon Web Services (AWS) Configuration for Scanning Guide. The purpose of this guide is to describe the minimum access privileges required for Fortanix Key Insight to scan the Amazon Web Services (AWS) cloud account(s) or organization.

1.2 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix Key Insight, such as the Cloud Security Engineer, who will use this feature to configure a single AWS account or organization for scanning the keys and services.

2.0 Terminology Reference

For AWS terminologies, refer to Key Insight - Concepts Guide and Key Insight – AWS Concepts Guide.

3.0 AWS Single Account – Onboarding Setup

This section describes the steps to onboard a single AWS account in Fortanix Key Insight.

3.1 Set Up an IAM User with the Necessary Permissions – AWS Account

  1. Create an IAM user in the AWS account to be scanned and attach the following permissions policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FortanixFkiScannerPermissions",
                "Effect": "Allow",
                "Action": "Account:ListRegions",
                "Resource": "*"
            }
        ]
    }
    
    NOTE
    Key Insight also uses the sts:GetCallerIdentity permission, which is granted by default and does not need to be requested separately.
  2. Attach the permissions policies as described in Section 4.0: Access Control Permissions to Scan AWS for S3, RDS, EBS, or KMS read-only access.

3.2 Create and Save an Access Key for the IAM User – AWS Account

Create the access key and secret key pair for the IAM user created in Section 3.1: Set Up an IAM User with the Necessary Permissions - AWS Account. This key pair will be entered into the Key Insight cloud account creation page.

Click the AWS user menu → Security Credentials to create an Access Key.

Figure 1: Create AWS Access Key

4.0 Access Control Permissions to Scan AWS

This section describes the general requirements for AWS access permissions.

The following read-only permissions are required for scanning the AWS KMS, S3, EBS, and RDS services. These permissions are added manually in the single-account onboarding setup and are propagated automatically by the CloudFormation Template (CFT) in the AWS organization onboarding setup.

  • KMS
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:ListKeys",
                    "tag:GetResources"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "kms:GetKeyRotationStatus",
                    "kms:GetKeyPolicy",
                    "kms:DescribeKey",
                    "kms:ListKeyPolicies",
                    "kms:ListResourceTags"
                ],
                "Resource": "arn:aws:kms:*:*:key/*"
            }
        ]
    }
    
    
  • RDS
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "rds:DescribeDBInstances",
                "Resource": "*"
            }
        ]
    }
    
  • EBS
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ec2:DescribeVolumes",
                "Resource": "*"
            }
        ]
    }
    
  • S3
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetEncryptionConfiguration",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*"
            }
        ]
    }
    

5.0 AWS Organization – Onboarding Setup

This section describes the steps to configure an AWS organization for performing key scans using Fortanix Key Insight.

Before you add a new AWS cloud account and create a new AWS connection in Fortanix Key Insight for the first time, you must set up your AWS role in the AWS organization as described in the following sections.

The sections below describe the steps for onboarding an AWS organization in Fortanix Key Insight.

Onboarding an AWS organization is a three-step process as described below.

NOTE
Fortanix Key Insight will not scan the management account of your AWS Organization even though it can be selected.

5.1 Set up an IAM User with the Necessary Permissions – AWS Organization

For steps to set up an IAM user with the necessary permissions for an AWS organization, refer to the Appendix, Section 6.1: Set Up an IAM User with the Necessary Permissions – AWS Organization.

5.2 Create and Save an Access Key for the IAM User – AWS Organization

Create the access key and secret key pair for the IAM user created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization. This key pair will be entered into the Key Insight cloud account creation page.

Click the AWS user menu → Security Credentials to create an Access Key.

Figure 2: Create AWS Access Key

5.3 Deploy the CFT

This section outlines the steps for deploying the CloudFormation Template (CFT) through StackSets to create roles that the IAM user, created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization, can assume.

To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (if there are no other attached policies covering these permissions already).

NOTE
To attach the following permission policy, the IAM user needs the corresponding IAM service read or write permissions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixCFTPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "organizations:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
NOTE
See Activate trusted access with AWS organizations - AWS CloudFormation for details.
  • This will create an AWSServiceRoleForCloudFormationStackSetsOrgAdmin role in the management account and an AWSServiceRoleForCloudFormationStackSetsOrgMember role in member accounts. These roles allow AWS CloudFormation StackSets to perform supported operations within the organization's accounts.
  1. Create the JSON file for the CFT. Refer to the Appendix, Section 6.2: Create a JSON File for CFT to create the CFT.
  2. Go to the AWS account from which the CFT will be deployed. Activate trusted access with AWS Organizations as described at the beginning of this section.
  3. Go to your AWS console CloudFormation → StackSets page.

    Figure 3: CloudFormation StackSets Page

  4. Create StackSets and upload the CFT template JSON file that you created in Step 1 above.

    Figure 4: Choose CFT Template

  5. After the CFT template is uploaded, the JSON file appears in the template field.

    Figure 5: JSON File Uploaded

  6. Enter the StackSet name (and optionally a description). Enter the AWSAccountID and AWSUserName of the user that initiates the scan.
    NOTE
    The AWSAccountID and AWSUserName must be created in advance as described in Section 6.1: Set Up an IAM User With the Necessary Permissions - AWS Organization.

    Figure 6: StackSet Details

6.0 Appendix

6.1 Set up an IAM User with the Necessary Permissions – AWS Organization

Create an IAM user in AWS and attach the following permissions policy to list accounts and assume roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixFkiScannerPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FortanixFkiScannerPermissionsRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForCredentials"
        }
    ]
}

NOTE
The above IAM user must be created using one of the following two options:
  • From the AWS management account.
  • From an AWS member account, where the IAM user is then assigned as a delegated administrator for AWS Organizations. See Delegated Administrator for AWS Organizations for details. For example, if you create the IAM user with the name FortanixKeyInsightScanner, attach the following delegation policy in the settings of the AWS Organizations service:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_USER}:user/FortanixKeyInsightScanner"
          },
          "Action": [
            "organizations:DescribeOrganization",
            "organizations:ListAccounts",
            "organizations:ListAccountsForParent",
            "organizations:ListChildren",
            "organizations:ListOrganizationalUnitsForParent"
          ],
          "Resource": "*"
        }
      ]
    }
    

6.2 Create a JSON File for CFT

The CFT to be deployed in the StackSets for the whole AWS organization is shown below. The account ID and the IAM user name created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization need to be entered as the template parameters.

{
  "Description": "Create IAM roles and policies to grant read-only access to Fortanix Key Insight. Version 1.0",
  "Parameters": {
    "AwsAccountId": {
      "Type": "Number",
      "Description": "Enter the AWS account ID from which the data security scan will be performed. The access key and secret key associated with the user of this account are used by Fortanix data security assessment for scanning."
    },
    "AwsUserName": {
      "Type": "String",
      "Description": "Enter the AWS user name associated with the AwsAccountId. The access key and secret key associated with this user of the account are used by Fortanix data security assessment for scanning."
    }
  },
  "Resources": {
    "FortanixOrganizationAccessRoleForCredentials": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "FortanixOrganizationAccessRoleForCredentials",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${AwsAccountId}:user/${AwsUserName}"
                }
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }
      }
    },
    "FortanixKmsReadOnlyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "FortanixKmsReadOnlyPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "kms:ListKeys",
                "tag:GetResources"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "kms:GetKeyRotationStatus",
                "kms:GetKeyPolicy",
                "kms:DescribeKey",
                "kms:ListKeyPolicies",
                "kms:ListResourceTags"
              ],
              "Resource": "arn:aws:kms:*:*:key/*"
            }
          ]
        },
        "Roles": [
          {
            "Ref": "FortanixOrganizationAccessRoleForCredentials"
          }
        ]
      }
    },
    "FortanixS3ReadOnlyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "FortanixS3ReadOnlyPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation"
              ],
              "Resource": "*"
            }
          ]
        },
        "Roles": [
          {
            "Ref": "FortanixOrganizationAccessRoleForCredentials"
          }
        ]
      }
    },
    "FortanixRdsReadOnlyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "FortanixRdsReadOnlyPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "rds:DescribeDBInstances",
              "Resource": "*"
            }
          ]
        },
        "Roles": [
          {
            "Ref": "FortanixOrganizationAccessRoleForCredentials"
          }
        ]
      }
    },
    "FortanixEbsReadOnlyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "FortanixEbsReadOnlyPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "ec2:DescribeVolumes",
              "Resource": "*"
            }
          ]
        },
        "Roles": [
          {
            "Ref": "FortanixOrganizationAccessRoleForCredentials"
          }
        ]
      }
    }
  },
  "Outputs": {
    "RoleId": {
      "Description": "The ID of the IAM role",
      "Value": {
        "Ref": "FortanixOrganizationAccessRoleForCredentials"
      }
    },
    "RoleArn": {
      "Description": "The ARN of the IAM role",
      "Value": {
        "Fn::GetAtt": [
          "FortanixOrganizationAccessRoleForCredentials",
          "Arn"
        ]
      }
    },
    "KmsPolicyId": {
      "Description": "The ID of the IAM policy for AWS KMS ReadOnly permission",
      "Value": {
        "Ref": "FortanixKmsReadOnlyPolicy"
      }
    },
    "S3PolicyId": {
      "Description": "The ID of the IAM policy for AWS S3 ReadOnly permission",
      "Value": {
        "Ref": "FortanixS3ReadOnlyPolicy"
      }
    },
    "RdsPolicyId": {
      "Description": "The ID of the IAM policy for AWS RDS ReadOnly permission",
      "Value": {
        "Ref": "FortanixRdsReadOnlyPolicy"
      }
    },
    "EbsPolicyId": {
      "Description": "The ID of the IAM policy for AWS EBS ReadOnly permission",
      "Value": {
        "Ref": "FortanixEbsReadOnlyPolicy"
      }
    }
  }
}
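As an added pre-deployment check (example code, not Fortanix's own), the following Python script verifies that the CFT above and the Section 6.1 user policy agree: the role's trust policy resolves to exactly the scanner user built from the stack parameters, the user's sts:AssumeRole Resource pattern covers the role the CFT creates, and every attached policy grants only read-only, non-wildcard actions. The member account ID and the trimmed template are constructed inputs.

```python
# Added pre-deployment check for the Section 6.2 CFT; example code, not Fortanix's own.
import fnmatch
import re

READ_ONLY = re.compile(r"^\w+:(Get|List|Describe)\w+$")  # read-only API verb prefixes
as_list = lambda x: x if isinstance(x, list) else [x]     # IAM allows a string or a list

def resolve_sub(node, params):
    """Resolve a CloudFormation {"Fn::Sub": "..."} node; plain strings pass through."""
    if isinstance(node, dict) and "Fn::Sub" in node:
        return re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), node["Fn::Sub"])
    return node

def check_template(template, params, user_policy, member_account="111122223333"):
    """Return a list of findings; an empty list means the CFT and the user policy agree."""
    findings = []
    role_key = "FortanixOrganizationAccessRoleForCredentials"
    role = template["Resources"][role_key]["Properties"]
    role_arn = f"arn:aws:iam::{member_account}:role/{role['RoleName']}"  # member_account is constructed
    expected_user = f"arn:aws:iam::{params['AwsAccountId']}:user/{params['AwsUserName']}"
    # 1. The trust policy must name exactly the scanner user built from the stack parameters.
    for st in role["AssumeRolePolicyDocument"]["Statement"]:
        principal = resolve_sub(st["Principal"]["AWS"], params)
        if principal != expected_user:
            findings.append(f"trust policy allows {principal}, expected {expected_user}")
    # 2. The user's sts:AssumeRole Resource pattern (Section 6.1) must match the role the CFT creates.
    patterns = [r for st in user_policy["Statement"]
                if "sts:AssumeRole" in as_list(st["Action"]) for r in as_list(st["Resource"])]
    if not any(fnmatch.fnmatchcase(role_arn, p) for p in patterns):
        findings.append(f"user policy cannot assume {role_arn}")
    # 3. Every attached policy must grant only read-only, non-wildcard actions.
    for name, res in template["Resources"].items():
        if res["Type"] == "AWS::IAM::Policy":
            for st in res["Properties"]["PolicyDocument"]["Statement"]:
                for action in as_list(st["Action"]):
                    if not READ_ONLY.match(action):
                        findings.append(f"{name}: non-read-only action {action}")
    return findings

# Constructed, trimmed copy of the page's CFT (role + KMS policy) and the Section 6.1 user policy.
PARAMS = {"AwsAccountId": 123456789012, "AwsUserName": "FortanixKeyInsightScanner"}
TEMPLATE = {"Resources": {
    "FortanixOrganizationAccessRoleForCredentials": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": "FortanixOrganizationAccessRoleForCredentials",
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AwsAccountId}:user/${AwsUserName}"}}}]}}},
    "FortanixKmsReadOnlyPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "FortanixKmsReadOnlyPolicy", "Roles": [{"Ref": "FortanixOrganizationAccessRoleForCredentials"}],
        "PolicyDocument": {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": ["kms:ListKeys", "tag:GetResources"]}]}}}}}
USER_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForCredentials"}]}
```

Run check_template(TEMPLATE, PARAMS, USER_POLICY) against the full template before creating the StackSet; a non-empty list points at a drifted role name, a wrong principal, or an over-broad action.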
