Getting the Access keys

You can either use an existing IAM user or create a new IAM user exclusively for Cloud Security Plus (Recommended).

Creating a new IAM user

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. An AWS user consists of a name and credentials.

To create a new IAM user, follow these steps.

• Login to the AWS console.
• Go to IAM -> Add User. To know more refer:
  http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
• Give an appropriate User Name and enable Programmatic access.
• If you are using the provided sample inline policies (Recommended), click on "Attach existing policies directly."
• Click on Create Policy -> Create your Own Policy.
• Provide an appropriate policy name like "policycsp."
• Copy and paste the below inline policy in the "Policy document."
• Click on "Create Policy."
• Create the user and save the Access key and Secret key pair.

The generated access key and secret key pair should be used inside Cloud Security Plus to configure the AWS account.

Adding permissions to an existing IAM user

To add permissions to an existing user, follow these steps.

• Login to the AWS console.
• Go to IAM and select the user that you want to use in Cloud Security Plus.
• Click on "Permissions -> Add Permissions."
• Click on "Attach existing policies directly -> Create Policy -> Create your Own Policy"
• Provide an appropriate policy name like "policycsp."
• Copy and paste the below inline policy in the "Policy document."
• Click on "Create Policy."

The necessary permissions have been added to the existing IAM user and you can use the access keys for this IAM user in Cloud Security Plus.

The Sample Inline Policy

The below policy document has all the necessary permissions required by the IAM user designated to Cloud Security Plus to collect logs.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1486278063000",
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1486278045000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1486278214000",
"Effect": "Allow",
"Action": [
"sns:GetEndpointAttributes",
"
sns:GetPlatformApplicationAttributes",
"sns:GetSMSAttributes",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListEndpointsByPlatformApplication",
"sns:ListPhoneNumbersOptedOut",
"sns:ListPlatformApplications",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Publish"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1486278276000",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:DeleteMessageBatch",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListQueues",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1490256161000",
"Effect": "Allow",
"Action": [
"iam:GenerateCredentialReport",
"iam:GetAccountAuthorizationDetails",
"iam:GetCredentialReport"
],
"Resource": [
"*"
]
}
]
}