Creating an IAM Access Key for CloudCheckr

Please Note: 

We strongly recommend you use Roles for Cross-Account Access instead of IAM Access Keys. IAM Access Keys require periodic rotation and can be shared or stolen. Roles for Cross-Account Access are a more secure way of granting programmatic access to your AWS accounts. Only use IAM Access Keys if you absolutely must.

To analyze your Amazon Web Services (AWS) account, CloudCheckr needs credentials for the account. The credentials consist of an AWS Access Key and Secret Key. These credentials can be created and obtained using the Identity and Access Management (IAM) service in AWS.

You must also attach an IAM policy to the IAM user that provides access permissions for CloudCheckr to query your AWS account.  We recommend that you attach the default AWS Read-Only policy to the user, and then add a secondary policy for the remaining permissions that CloudCheckr needs that are not included in the AWS Read-Only policy.  This will prevent you from having to update your policy every time CloudCheckr adds support for additional services and features, as they will most likely already be covered by the default IAM policy. If a new feature is not supported by the IAM policy, CloudCheckr will notify you and recommend that you add the needed permission(s) to the secondary policy.

This guide will walk you through the process of creating a read-only group and user within AWS, as well as the secondary policy.

CREATE AN IAM GROUP AND ATTACH POLICY

As a best practice, it’s recommended that all IAM users belong to IAM groups.  This streamlines the user management process and allows you to easily see who has which level of permissions within your AWS account, as the permissions can be managed at the group level instead of at the user level.

The first step is to create the IAM group and attach the policy.

Step 1:

Log in to the Amazon Web Services Management Console.

Step 2:

From the AWS Services screen, under Security, Identity & Compliance, select IAM.

Step 3:

Click the Groups link on the left side of the console.

Step 4:

Click the Create Group button.

Step 5:

Type a group name. We recommend naming the group CloudCheckr for easy identification. Click Next Step.

Step 6:

Navigate to and select the ReadOnlyAccess policy from the list of policies. Click the Next Step button.

Step 7:

Review the details of the new group and click Create Group.

CREATE AN IAM USER AND ADD TO IAM GROUP

Now that you have created the IAM group and attached a policy to that group, you need to create an IAM user whose access key and secret key will be used to connect CloudCheckr to your AWS account. You will then add the IAM user to the IAM group you created in the previous procedure.

Step 1:

Click the Users link on the left side of the console.

Step 2:

Click the Add user button.

Step 3:

On the Add user screen:

  • Type the user name. We recommend CloudCheckr for easy identification.
  • Select the Programmatic access check box to generate an access key ID.
  • Click Next: Permissions.

Step 4:

Click Add user to group and select the CloudCheckr group you just created in the previous procedure.

Step 5:

Click Next: Review.

Step 6:

Review your choices and click Create user.

Step 7:

Click Download .csv to save the security credentials as a CSV export.

Step 8:

Click Close.

ADDING ADDITIONAL CLOUDCHECKR POLICY

Now you will need to add the secondary policy to cover the items that CloudCheckr reports on which are not covered by the Amazon default Read-Only policy. Follow these steps to add that policy.

Step 1:

Click the Policies link on the left side of the console.

Step 2:

Click Create Policy.

Step 3:

In the Create Your Own Policy section, click Select.

Step 4:

Type a name for your policy. We recommend you name your policy CloudCheckr for easy identification.

Step 5:

Type a description for your policy.

Step 6:

Copy the secondary policy into the Policy Document text box.

You can download the secondary IAM policy here, or copy it from below.
Updated 2015-12-28

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "sdb:DomainMetadata",
                "support:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

Step 7:

Click Validate Policy.

Step 8:

The message "This policy is valid" will display at the top of the screen. Click Create Policy.

A message will display at the top of the screen, indicating that the secondary policy has been created successfully.
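As an added check that is not part of the original CloudCheckr guide, the following Python script audits the secondary policy above before you attach it: it classifies every allowed action as read-only, wildcard or needing review, and reports which actions exceed the read-only scope this procedure intends (here, the service-wide wildcard support:*, granted on every resource). The policy is embedded verbatim as a Python dict; the Describe/Get/List naming rule and the KNOWN_READ_ONLY allowlist are this example's own assumptions, not an AWS or CloudCheckr definition.

```python
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
# Read-only operations that do not follow the Describe/Get/List naming convention (assumption).
KNOWN_READ_ONLY = {"sdb:DomainMetadata"}

# The secondary policy from this page, embedded so the check runs without AWS access.
SECONDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdditionalPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:GetStackPolicy", "cloudhsm:Describe*", "cloudhsm:List*",
                    "glacier:List*", "glacier:DescribeVault", "glacier:GetVaultNotifications",
                    "glacier:DescribeJob", "glacier:GetJobOutput", "sdb:DomainMetadata",
                    "support:*", "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaces"]},
        {"Sid": "CloudWatchLogsSpecific", "Effect": "Allow", "Resource": ["arn:aws:logs:*:*:*"],
         "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"]},
    ],
}

def classify_action(action):
    """Return 'wildcard', 'read-only' or 'review' for one IAM action string."""
    _service, _, verb = action.partition(":")
    if action == "*" or verb == "*":
        return "wildcard"
    if action in KNOWN_READ_ONLY or verb.startswith(READ_ONLY_PREFIXES):
        return "read-only"
    return "review"

def audit_policy(policy):
    """Report every allowed action that is not clearly read-only, with its Sid and resource scope."""
    counts = {"wildcard": 0, "read-only": 0, "review": 0}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = stmt.get("Action", [])  # IAM accepts a string or a list; normalise to a list
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            kind = classify_action(action)
            counts[kind] += 1
            if kind != "read-only":
                findings.append({"sid": stmt.get("Sid"), "action": action,
                                 "kind": kind, "all_resources": "*" in resources})
    return {"counts": counts, "findings": findings}

if __name__ == "__main__":
    for f in audit_policy(SECONDARY_POLICY)["findings"]:
        print(f"{f['kind']:9} {f['sid']}: {f['action']} (Resource '*': {f['all_resources']})")
```

Any action reported as wildcard or review is one to justify or narrow before you attach the policy to the CloudCheckr group.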

Note:

For information on how to modify a secondary policy, go to Creating A Role For Cross-Account Access.

ATTACH ADDITIONAL CLOUDCHECKR POLICY TO GROUP

Step 1:

Click the Policies link on the left side of the console.

Step 2:

From the list of policies, select the secondary policy you created earlier. You can click the Filter drop-down menu and select Customer Managed Policies to narrow the list of policies to those that you have created.

Step 3:

From the Policy actions drop-down menu, select Attach.

Step 4:

On the Attach Policy screen, select the CloudCheckr group you created earlier and click Attach Policy.

That’s it! The CloudCheckr IAM user you created is now assigned to the CloudCheckr group, which contains both the ReadOnlyAccess policy and the secondary CloudCheckr policy. Next, take the AWS access key and secret key saved in the CSV file and add them as the AWS credentials in your CloudCheckr account.