Creating an AWS IAM User (with EKS) Cloud Account

A Cloud Account is a cloud environment that Configuration Manager monitors. For more information about monitoring Cloud Accounts, see Getting Started with Configuration Manager.

Tip:  

An AWS IAM User (with EKS) account is identical to an AWS IAM User account but requires additional configuration to support scanning of an EKS cluster.

You can re-use the Access Key and Secret Key values from an existing AWS IAM User if you want to create a separate Configuration Manager account for scanning EKS clusters.

Quick Start Video

This video provides a simplified overview of the procedure below.

For IAM-based AWS authentication, you must first create a user that Configuration Manager will use for scanning.

  1. Log in to the AWS IAM Management Console and select the Users tab.
  2. Select Add User.
  3. Enter a User Name, select Programmatic Access as the access type and select Next: Permissions.
  4. Select Create Group.
  5. Enter a Group Name, select SecurityAudit as the policy type, and select Create Group.

    Remember this group name to be used below.

  6. Select Next: Tags, then Next: Review and then Create User to finalize user creation.
  7. Copy the Access Key ID and Secret Access Key from the user page. You will need these values to create a Cloud Account in Tripwire Configuration Manager.

Next you will create a policy to enable Configuration Manager to scan and (optionally) remediate the system for configuration errors.

  1. In the IAM Management Console, select Close to close the User page.
  2. Select Groups, and select the Group you just created.
  3. On the Permission tab, expand Inline Policies and click to create an inline policy.
  4. Select Custom Policy and enter a Policy Name.
  5. Paste one of the following JSON scripts into the policy document editor.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudwatch:DescribeAlarms", "config:DescribeConfigurationRecorderStatus", "config:DescribeConfigurationRecorders", "ec2:DescribeFlowLogs", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ecr:DescribeRepositories", "eks:DescribeCluster", "eks:ListClusters", "eks:ListFargateProfiles", "iam:GenerateCredentialReport", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetPolicyVersion", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListPolicies", "iam:ListUserPolicies", "iam:ListUsers", "iam:ListVirtualMFADevices", "kms:DescribeKey", "kms:GetKeyRotationStatus", "kms:ListKeys", "logs:DescribeMetricFilters", "s3:GetAccessPoint", "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyStatus", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration", "s3:ListAccessPoints", "s3:ListAllMyBuckets", "s3:ListBucket", "sns:ListSubscriptionsByTopic" ], "Resource": "*" } ] }

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudtrail:CreateTrail", "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListTrails", "cloudtrail:PutEventSelectors", "cloudtrail:StartLogging", "cloudtrail:UpdateTrail", "cloudwatch:DescribeAlarms", "config:DescribeConfigurationRecorderStatus", "config:DescribeConfigurationRecorders", "ec2:DescribeFlowLogs", "ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ecr:DescribeRepositories", "eks:DescribeCluster", "eks:ListClusters", "eks:ListFargateProfiles", "iam:GenerateCredentialReport", "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:GetCredentialReport", "iam:GetPolicyVersion", "iam:ListAccessKeys", "iam:ListAttachedUserPolicies", "iam:ListEntitiesForPolicy", "iam:ListPolicies", "iam:ListUserPolicies", "iam:ListUsers", "iam:ListVirtualMFADevices", "iam:UpdateAccessKey", "iam:UpdateAccountPasswordPolicy", "kms:DescribeKey", "kms:EnableKeyRotation", "kms:GetKeyRotationStatus", "kms:ListKeys", "logs:DescribeMetricFilters", "s3:CreateBucket", "s3:GetAccessPoint", "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyStatus", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration", "s3:ListAccessPoints", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:PutAccessPointPolicy", "s3:PutAccountPublicAccessBlock", "s3:PutBucketAcl", "s3:PutBucketLogging", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "sns:ListSubscriptionsByTopic", "sts:GetCallerIdentity" ], "Resource": "*" } ] }

  6. Select Validate Policy to ensure that the policy JSON evaluates properly.
  7. Select Apply Policy.
  8. Close the IAM Management Console.
  9. Next configure the user to monitor EKS by doing one of the following:

Now that you have created an IAM account, assigned the appropriate policies, and configured EKS, you can create the new Cloud Account.

  1. In Configuration Manager, navigate to Environment > Cloud Accounts and click New.

  2. In the New Cloud Account pane, enter a Name and Description to identify this account.

  3. Select AWS IAM User (with EKS) as the account Type and specify a Region for the account.

  4. Paste the Access Key and Secret Key you copied from the IAM Management Console into the appropriate fields.

  5. Enter the EKS Cluster Name and EKS Role ARN (if necessary).

  6. Click Save to create the new cloud account.