Creating Read Only Policy

To take a snapshot of an Amazon Web Services (AWS) account, CloudCheckr needs the credentials from that account. The credentials consist of the AWS Access Key and the Secret Key. These credentials can be created and obtained within Identity and Access Management (IAM) in AWS.

We strongly recommend that you create a new Read Only AWS user in IAM, and use that user’s credentials within CloudCheckr. This guide will walk you through the process of creating a Read Only group and user within AWS.

CREATING READ ONLY POLICY

Before creating your IAM user and group, create a new IAM policy. This policy is tailored to the read-only permissions CloudCheckr needs to report fully on your AWS deployment.

Step 1: Log in to your Amazon Web Services Management Console.

Step 2: Load the Identity and Access Management (IAM) Dashboard.

Step 3: Click the Policies link on the left side of the console.

Step 4: Click the Create Policy button.

Step 5: Choose Create Your Own Policy.

Step 6: Add a name of your Policy. We recommend you name your policy “CloudCheckr” so you know its purpose.

Step 7: Paste the CloudCheckr policy into the Policy Document field. You can download the full IAM policy here, or copy it from below.

Updated on 2017-06-19

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullPolicy",
            "Action": [
                "acm:DescribeCertificate",
                "acm:ListCertificates",
                "acm:GetCertificate",
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:GetStackPolicy",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudfront:List*",
                "cloudfront:GetDistributionConfig",
                "cloudfront:GetStreamingDistributionConfig",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "cloudsearch:Describe*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "config:DescribeConfigRules",
                "config:GetComplianceDetailsByConfigRule",
                "config:Describe*",
                "datapipeline:ListPipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:DescribePipelines",
                "directconnect:DescribeLocations",
                "directconnect:DescribeConnections",
                "directconnect:DescribeVirtualInterfaces",
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "ec2:Describe*",
                "ec2:GetConsoleOutput",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:DescribeContainerInstances",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "elasticache:Describe*",
                "elasticbeanstalk:Describe*",
                "elasticfilesystem:Describe*",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:ListSteps",
                "elasticmapreduce:ListInstanceGroups",
                "elasticmapreduce:ListBootstrapActions",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "es:ListDomainNames",
                "es:DescribeElasticsearchDomains",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "iam:Get*",
                "iam:List*",
                "iot:DescribeThing",
                "iot:ListThings",
                "iam:GenerateCredentialReport",
                "kinesis:ListStreams",
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "lambda:ListFunctions",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "redshift:Describe*",
                "redshift:ViewQueriesInConsole",
                "route53:ListHealthChecks",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets",
                "s3:GetBucketACL",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketPolicy",
                "s3:GetBucketTagging",
                "s3:GetBucketWebsite",
                "s3:GetBucketNotification",
                "s3:GetLifecycleConfiguration",
                "s3:GetNotificationConfiguration",
                "s3:GetObject",
                "s3:GetObjectMetadata",
                "s3:List*",
                "ses:ListIdentities",
                "ses:GetSendStatistics",
                "ses:GetIdentityDkimAttributes",
                "ses:GetIdentityVerificationAttributes",
                "ses:GetSendQuota",
                "sdb:ListDomains",
                "sdb:DomainMetadata",
                "support:*",
                "swf:ListClosedWorkflowExecutions",
                "swf:ListDomains",
                "swf:ListActivityTypes",
                "swf:ListWorkflowTypes",
                "sns:GetSnsTopic",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:ListTopics",
                "sns:ListSubscriptionsByTopic",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "storagegateway:Describe*",
                "storagegateway:List*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

Step 8: Click Validate Policy and then click the Create Policy button.
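Before attaching a policy of this size, it is worth checking what it actually grants rather than trusting the "Read Only" label. The script below is an added example written for this guide, not CloudCheckr's code or an AWS tool. It classifies every allowed action into read-only metadata calls (Describe/List/Get style), content-reading calls, and service-wide wildcards; the content-reading watch-list and the read-only verb prefixes are the example's own assumptions. The embedded policy is a constructed excerpt of the document above; pass a saved policy file as the first argument to audit the full document. Run against the policy above it shows that most actions are metadata reads, but "support:*" is a service-wide wildcard and actions such as "s3:GetObject" are granted on Resource "*", which reads the contents of every object in every bucket.

```python
"""Classify the actions in an IAM policy document by how "read-only" they are.

Added example for this guide (not CloudCheckr's code). The watch-list and
verb prefixes below are this example's assumptions, not AWS definitions.
"""
import json
import sys

# Actions that return customer data (object bodies, log lines, stream records,
# console output) rather than configuration metadata. Constructed watch-list.
DATA_ACCESS_ACTIONS = {
    "s3:GetObject",
    "logs:GetLogEvents",
    "kinesis:GetRecords",
    "kinesis:GetShardIterator",
    "glacier:GetJobOutput",
    "ec2:GetConsoleOutput",
}

# Verb prefixes that a read-only posture is normally limited to (assumption).
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "View", "Generate")

# Constructed excerpt of the CloudCheckr policy above, for a stand-alone run.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullPolicy", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:Get*", "iam:GenerateCredentialReport",
                    "s3:List*", "s3:GetObject", "sdb:DomainMetadata",
                    "support:*", "kinesis:GetRecords", "ec2:GetConsoleOutput"]},
        {"Sid": "CloudWatchLogsSpecific", "Effect": "Allow",
         "Resource": ["arn:aws:logs:*:*:*"],
         "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups"]},
    ],
})


def allowed_actions(policy_doc):
    """Yield (sid, action, resources) for every action in an Allow statement.

    Both "Action" and "Resource" may be a string or a list in IAM JSON.
    """
    for stmt in policy_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for action in actions:
            yield stmt.get("Sid", ""), action, list(resources)


def classify(action):
    """Return the category for one action string such as "s3:GetObject"."""
    _service, _, verb = action.partition(":")
    if verb == "*":
        return "service-wildcard"      # broader than read-only, e.g. support:*
    if action in DATA_ACCESS_ACTIONS:
        return "data-access"           # returns data contents, not metadata
    if verb.startswith(READ_ONLY_PREFIXES):
        return "read-only"
    return "review"                    # unknown verb shape; inspect by hand


def audit(policy_json):
    """Map each category to the sorted, de-duplicated actions that fall in it."""
    report = {"read-only": [], "data-access": [], "service-wildcard": [], "review": []}
    for _sid, action, _resources in allowed_actions(json.loads(policy_json)):
        report[classify(action)].append(action)
    return {category: sorted(set(actions)) for category, actions in report.items()}


def data_access_scope(policy_json):
    """Map each data-access action to the resources it is granted on."""
    scope = {}
    for _sid, action, resources in allowed_actions(json.loads(policy_json)):
        if classify(action) == "data-access":
            scope.setdefault(action, []).extend(resources)
    return scope


if __name__ == "__main__":
    policy_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for category, actions in audit(policy_text).items():
        print(f"{category}: {', '.join(actions) or '-'}")
    for action, resources in data_access_scope(policy_text).items():
        print(f"{action} granted on {', '.join(resources)}")
```

Anything in the "review" or "service-wildcard" buckets, and any data-access action granted on "*", is what to discuss with the vendor or scope down if your environment does not need it.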


CREATING IAM USER

Now that the policy is created we will want to create an IAM user whose Access Key and Secret Key will be used to connect CloudCheckr to your AWS account.

Step 1: Click the Users link on the left side of the console.

Step 2: Click the Create New Users button.

Step 3: Enter the User Name. We recommend naming the user “CloudCheckr” so you know the purpose for that user. Ensure the “Generate an access key for each user” box is checked.

Step 4: Click Continue.

Step 5: Click the Download Credentials button and save the CSV export. These credentials contain both the Access Key and the Secret Key that will be added to CloudCheckr.

Step 6: Click the Close button on the bottom of the console.


CREATING IAM GROUP

Now that we have the policy and user created, we will want to create the IAM group that will house both.

Step 1: Click the Groups link on the left side of the console.

Step 2: Click the Create Group button.

Step 3: Enter the Group Name. We recommend naming the group “CloudCheckr” so you can easily identify its purpose.

Step 4: Locate the CloudCheckr policy created earlier. You can use the Filter dropdown in the console and select ‘Customer Managed Policies’ to narrow the list to the policies you have created. Select the policy and click the Next Step button.

Step 5: Click the Create Group button.


ADD USER TO GROUP

Now that we have the user, group, and policy created, we will need to add the user to the group.

Step 1: If you are not still on the Groups page, click the Groups link on the left side of the console.

Step 2: Select the CloudCheckr group we just created.

Step 3: Click the ‘Add Users to Group’ button.

Step 4: Locate and select the CloudCheckr user we created.

Step 5: Click the ‘Add Users’ button on the bottom of the console.


That’s it! The CloudCheckr IAM user is now assigned to the CloudCheckr group, which carries the Read Only policy. Next, take the AWS Access Key and Secret Key saved in the CSV file and add them as the AWS Credentials for your CloudCheckr account.

NOTE: If you intend to use this Read Only user for any other purpose, such as logging in to the AWS Management Console, you will want to apply other settings, such as enabling a password and multi-factor authentication.