Creating an IAM Access Key for CloudCheckr

Please Note:

We strongly recommend you use Roles for Cross-Account Access instead of IAM Access Keys. IAM Access Keys require periodic rotation and can be shared or stolen. Roles for Cross-Account Access are a more secure way of granting programmatic access to your AWS accounts. Only use IAM Access Keys if you absolutely must.

To analyze your Amazon Web Services (AWS) account, CloudCheckr needs credentials for the account. The credentials consist of an AWS Access Key and Secret Key. These credentials can be created and obtained using the Identity and Access Management (IAM) service in AWS.

You must also attach an IAM policy to the IAM user that grants CloudCheckr the permissions it needs to query your AWS account. We recommend that you attach the default AWS ReadOnlyAccess policy to the user, and then add a second policy for the remaining permissions CloudCheckr needs that the Read-Only policy does not include. This prevents you from having to update your policy every time CloudCheckr adds support for additional services and features, as they will most likely already be covered by the default IAM policy. If a new feature is not covered by the IAM policy, CloudCheckr will notify you and recommend that you add the needed permission(s) to the secondary policy.

This guide walks you through creating a Read-Only group and user within AWS, as well as the secondary policy.

CREATE AN IAM GROUP

As a best practice, it’s recommended that all IAM users belong to IAM groups. This streamlines user management and lets you easily see who has which level of permissions within your AWS account, because permissions are managed at the group level instead of at the user level.

The first step is to create the IAM group.

Step 1:

Log in to the Amazon Web Services Management Console.

Step 2:

Load the IAM Dashboard.

Step 3:

Click the Groups link on the left side of the console.

Step 4:

Click the ‘Create Group’ button.

Step 5:

Enter the Group Name. We recommend naming the group “CloudCheckr” so you can easily identify its purpose.

Step 6:

Locate the ReadOnlyAccess policy from the list of policies. Select the Policy and click the Next Step button.

Note:

Another option for your CloudCheckr policy is to use our complete read-only access policy or a subset of it. By doing this, you can have discrete control over every permission in your policy. For more information, you can click on the following links:

Step 7:

Click ‘Create Group’.


CREATE AN IAM USER

Now that the group is created, we will create an IAM user whose Access Key and Secret Key will be used to connect CloudCheckr to your AWS account.

Step 1:

Click the Users link on the left side of the console.

Step 2:

Click the ‘Create New Users’ button.

Step 3:

Enter the User Name. We recommend naming the user ‘CloudCheckr’ so you know the purpose for that user. Ensure the ‘Generate an access key for each user’ box is checked.

Step 4:

Click Continue.

Step 5:

Click the ‘Download Credentials’ button and save the CSV export. These credentials contain both the access key and the secret key that will be added to CloudCheckr.

Step 6:

Click the Close button on the bottom of the console.


ADD THE USER TO THE GROUP

Now that we have the user and the group with the Read-Only policy, we need to add the user to the group.

Step 1:

If you are not still on the Groups page, click the Groups link on the left side of the console.

Step 2:

Select the CloudCheckr group we just created.

Step 3:

Click the ‘Add Users to Group’ button.

Step 4:

Locate and select the CloudCheckr user we created.

Step 5:

Click the ‘Add Users’ button on the bottom of the console.


ADDING ADDITIONAL CLOUDCHECKR POLICY

Note: If you used the CloudCheckr Complete IAM Policy, you can skip this section and proceed to “Attach CloudCheckr Policy to Group”.

Now we need to add the secondary policy to cover the items CloudCheckr reports on that are not covered by the default AWS Read-Only policy. Follow these steps to add that policy:

Step 1:

Click the Policies link on the left side of the console.

Step 2:

Click the Create Policy button.

Step 3:

Choose Create Your Own Policy.

Step 4:

Add a name for your Policy. We recommend you name your policy “CloudCheckr” so you know its purpose.

Step 5:

Add the CloudCheckr policy into the Policy Document.

You can download the secondary IAM policy here, or copy it from below.
Updated 2015-12-28

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AdditionalPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:GetStackPolicy",
                "cloudhsm:Describe*",
                "cloudhsm:List*",
                "glacier:List*",
                "glacier:DescribeVault",
                "glacier:GetVaultNotifications",
                "glacier:DescribeJob",
                "glacier:GetJobOutput",
                "sdb:DomainMetadata",
                "support:*",
                "workspaces:DescribeWorkspaceDirectories",
                "workspaces:DescribeWorkspaceBundles",
                "workspaces:DescribeWorkspaces"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsSpecific",
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

Step 6:

Select Validate Policy and then click the Create Policy button.
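As an added example (not CloudCheckr's own tooling), here is a small Python check you can run over the secondary policy above before pasting it into the console: it flags any Allow action that is not a Get/List/Describe call, and any statement whose Resource is the bare wildcard "*", so you can confirm the policy stays read-only. The verb heuristic and the KNOWN_READ_ONLY exception list are assumptions of this example, not an AWS rule.

```python
# The secondary CloudCheckr policy from this page, as a dict so the check runs offline.
SECONDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdditionalPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:GetStackPolicy", "cloudhsm:Describe*", "cloudhsm:List*",
                    "glacier:List*", "glacier:DescribeVault", "glacier:GetVaultNotifications",
                    "glacier:DescribeJob", "glacier:GetJobOutput", "sdb:DomainMetadata",
                    "support:*", "workspaces:DescribeWorkspaceDirectories",
                    "workspaces:DescribeWorkspaceBundles", "workspaces:DescribeWorkspaces"]},
        {"Sid": "CloudWatchLogsSpecific", "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
         "Resource": ["arn:aws:logs:*:*:*"]},
    ],
}

# Naming heuristic (assumption): IAM read-only actions almost always start with these verbs.
READ_ONLY_VERBS = ("Get", "List", "Describe")
# Reviewer-maintained exceptions: read calls whose names do not follow that convention.
KNOWN_READ_ONLY = {"sdb:DomainMetadata"}


def is_read_only(action):
    """True when an action looks read-only. 'service:*' grants every verb of the
    service, so it is never read-only, however read-heavy the service is."""
    if action in KNOWN_READ_ONLY:
        return True
    _service, _, verb = action.partition(":")
    if not verb or verb == "*":
        return False
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy):
    """List Allow actions that are not read-only and statements whose Resource is
    the bare wildcard '*', so a reviewer can decide whether each is justified."""
    findings = {"non_read_only": [], "unscoped_statements": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        findings["non_read_only"] += [a for a in actions if not is_read_only(a)]
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings["unscoped_statements"].append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(audit_policy(SECONDARY_POLICY))
```

On this policy the check reports only support:* (a full-service wildcard) and the Resource "*" of the AdditionalPermissions statement; whether those are acceptable is a decision for your account owner.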



ATTACH CLOUDCHECKR POLICY TO GROUP

Step 1:

Click the Groups link on the left side of the console.

Step 2:

Select the CloudCheckr group we just created.

Step 3:

Click on the Permissions tab and select Attach Policy.

Step 4:

Locate the CloudCheckr policy we added earlier. You can use the Filter dropdown in the console and select ‘Customer Managed Policies’ to narrow the list of policies to those that you have created. Select the Policy and click the Attach Policy button on the bottom-right.

That’s it! The CloudCheckr IAM user you created is now assigned to the CloudCheckr group, which contains both the ReadOnlyAccess and CloudCheckr policies. Next, take the AWS access key and secret key saved in the CSV file and add them as your AWS credentials in your CloudCheckr account.