Configuring a trusted AWS account

In this procedure, you create one IAM user and two policies to attach to the IAM user in the trusted account.

Before you begin

You must complete the trusting-account procedure for all of your accounts before proceeding.

About this task

You must follow this procedure for only the trusted account. For example, if you have three accounts, follow this procedure only for the trusted account, not for the other two accounts.

Procedure

  1. Create an IAM user called IAMUserA_WithCrossAccountAccess in the trusted AWS account on the IAM console.
    1. Log in to the AWS console (https://console.aws.amazon.com) of the trusted account.
    2. Go to the IAM service, and click Users > Add user.
    3. Name the user IAMUserA_WithCrossAccountAccess.
    4. Select the Access Type > Programmatic Access checkbox on the Add User page. For more information, see the vendor documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html).
    5. Click Next: Permissions > Next: Tags > Next: Review > Create user.
    6. Copy the Access key ID and Secret access key to a text editor to use later in "Configuring the AWS account in the Cloud Visibility app".
  2. Allow the IAM user IAMUserA_WithCrossAccountAccess in the trusted account to assume the roles that you created in the trusting accounts in the previous procedure (t_Qapps_CSA_configure_trusting_AWS_account.html#task_xdl_1kd_fhb).
    1. Go to the IAM service of the trusted account.
    2. Click Policies > Create policy > JSON and paste the following JSON. The example is for configuring 3 AWS accounts. The ID of the trusted account is Trusted_Account_ID, and the IDs of the two trusting accounts are Trusting_Account_1_ID and Trusting_Account_2_ID. Edit this example JSON by replacing the account IDs with the account IDs from your own AWS environment.
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Effect": "Allow",
      			"Action": "sts:AssumeRole",
      			"Resource": "arn:aws:iam::Trusted_Account_ID:role/CVAppAssumeRole"
      		},
      		{
      			"Effect": "Allow",
      			"Action": "sts:AssumeRole",
      			"Resource": "arn:aws:iam::Trusting_Account_1_ID:role/CVAppAssumeRole"
      		},
      		{
      			"Effect": "Allow",
      			"Action": "sts:AssumeRole",
      			"Resource": "arn:aws:iam::Trusting_Account_2_ID:role/CVAppAssumeRole"
      		}
      	]
      }
      
      Note: If you configure only one AWS account, the JSON looks like the following example:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Effect": "Allow",
      			"Action": "sts:AssumeRole",
      			"Resource": "arn:aws:iam::Trusted_Account_ID:role/CVAppAssumeRole"
      		}
      	]
      }
      
    3. Click Review policy, call the policy CVAssumeRolePolicy, and click Create policy to save it.
      If you have many accounts, you might exceed AWS IAM's limit of 6144 characters per policy. You must create multiple policies by repeating steps 2a - 2c. For example, if you have 100 AWS accounts, the first policy might contain accounts 1-60 (until the character limit of 6144 is reached), and the second one might contain accounts 61-100.
    4. Click Policies and select the policy that you created.
    5. From the Summary page, copy the Policy ARN to a text editor to use when you configure QRadar® Cloud Visibility. QRadar Cloud Visibility 1.4.0 or later supports multiple "Assume role policy" ARNs.
    6. Go to Users and select the IAMUserA_WithCrossAccountAccess user.
    7. Click Add Permissions > Attach existing policies directly, select the CVAssumeRolePolicy policy that you created, and click Next: Review > Add permissions.
  3. Allow the IAM user IAMUserA_WithCrossAccountAccess in the trusted account to read (iam:GetPolicy and iam:GetPolicyVersion) the policy that you created in step 2.
    1. Go to the IAM service of the trusted account.
    2. Click Policies > Create policy > JSON and paste the following JSON:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Sid": "VisualEditor0",
      			"Effect": "Allow",
      			"Action": [
      			       "iam:GetPolicy",
      			       "iam:GetPolicyVersion"
      			],
      			"Resource": "*"
      		}
      	]
      }
      
    3. Click Review policy, call the policy CVAllowReadPolicy, and click Create policy to save it.
    4. Go to Users and select the IAMUserA_WithCrossAccountAccess user.
    5. Click Add Permissions > Attach existing policies directly, select the CVAllowReadPolicy policy that you created, and click Next: Review > Add permissions.
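The CVAssumeRolePolicy JSON from step 2 and the splitting rule from step 2c, as an added Python example that is not part of the QRadar documentation: it generates the policy document(s) for any number of accounts, rejects account IDs that are still placeholders rather than 12-digit IDs, and measures policy size the way IAM counts it (whitespace excluded). The account IDs in the sample run are constructed.

```python
import json
import re

# Added example, not part of the QRadar documentation: build the CVAssumeRolePolicy
# document(s) from step 2, splitting at the 6144-character limit named in step 2c.
POLICY_CHAR_LIMIT = 6144       # managed-policy limit cited in step 2c
ROLE_NAME = "CVAppAssumeRole"  # role created by the trusting-account procedure
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def assume_role_statement(account_id):
    """Allow sts:AssumeRole on CVAppAssumeRole in one account, as in the JSON above."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"}

def policy_document(statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def policy_size(statements):
    """Size as IAM counts it: the serialized document with whitespace removed."""
    return len(json.dumps(policy_document(statements), separators=(",", ":")))

def build_assume_role_policies(trusted_account_id, trusting_account_ids):
    """Return policy documents (dicts), trusted account first. A new document is
    started when the next statement would push the current one past the limit
    (step 2c: for example accounts 1-60 in one policy, 61-100 in the next)."""
    policies, current, seen = [], [], set()
    for account_id in [trusted_account_id, *trusting_account_ids]:
        if account_id in seen:  # a duplicate would only add a redundant statement
            continue
        seen.add(account_id)
        stmt = assume_role_statement(account_id)
        if current and policy_size(current + [stmt]) > POLICY_CHAR_LIMIT:
            policies.append(policy_document(current))
            current = []
        current.append(stmt)
    policies.append(policy_document(current))
    return policies

if __name__ == "__main__":
    # Constructed sample IDs: one trusted account plus 99 trusting accounts.
    trusting = [f"{n:012d}" for n in range(2, 101)]
    for i, doc in enumerate(build_assume_role_policies("000000000001", trusting), 1):
        print(f"# CVAssumeRolePolicy part {i}: {len(doc['Statement'])} accounts")
        print(json.dumps(doc, indent=4))
```

Paste each printed document into its own policy in step 2b and attach every resulting policy to the user in step 2g.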

What to do next

Setup for configuring a trusted account is now complete. Update the Amazon AWS account configuration.
Important: Repeat the procedure for all the AWS accounts that you want to configure for QRadar Cloud Visibility.