In this procedure, you create one IAM user and two policies to attach to the IAM user in the trusted account.
You must complete the trusting account procedure for all of your accounts before proceeding.
About this task
You must follow this procedure for only the trusted account. For example, if you have three accounts, follow this procedure only for the trusted account, not for the other two accounts.
1. Create an IAM user called IAMUserA_WithCrossAccountAccess in the trusted AWS account on the IAM console.
   a. Log in to the AWS console (https://console.aws.amazon.com) of the trusted account.
   b. Go to the IAM service, and click .
   c. Name the user IAMUserA_WithCrossAccountAccess.
   d. Select the checkbox on the Add User page. For more information, see the vendor documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html).
   e. Click .
   f. Copy the Access key ID and Secret access key to a text editor to use later in "Configuring the AWS account in the Cloud Visibility app".
2. Allow the IAM user IAMUserA_WithCrossAccountAccess in the trusted account to assume the roles that you created in the trusting accounts in the previous procedure (t_Qapps_CSA_configure_trusting_AWS_account.html#task_xdl_1kd_fhb).
   a. Go to the IAM service of the trusted account.
   b. Click and paste the following JSON. The example is for configuring three AWS accounts. The ID of the trusted account is Trusted_Account_ID, and the IDs of the two trusting accounts are Trusting_Account_1_ID and Trusting_Account_2_ID. Edit this example JSON by replacing the account IDs with the account IDs from your own AWS environment.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Trusted_Account_ID:role/CVAppAssumeRole"
          },
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Trusting_Account_1_ID:role/CVAppAssumeRole"
          },
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Trusting_Account_2_ID:role/CVAppAssumeRole"
          }
        ]
      }

      Note: If you configure only one AWS account, the JSON looks like the following example:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Trusted_Account_ID:role/CVAppAssumeRole"
          }
        ]
      }
   c. Click Review policy, call the policy CVAssumeRolePolicy, and click Create policy to save it.
      If you have many accounts, you might exceed the AWS IAM limit of 6144 characters per policy. You must then create multiple policies by repeating steps 2a - 2c. For example, if you have 100 AWS accounts, the first policy might contain accounts 1-60 (until the character limit of 6144 is reached), and the second one might contain accounts 61-100.
   d. Click Policies and select the policy that you created.
   e. From the Summary page, copy the Policy ARN to a text editor to use when you configure QRadar® Cloud Visibility. QRadar Cloud Visibility 1.4.0 or later supports multiple "Assume role policy" ARNs.
   f. Go to Users and select the IAMUserA_WithCrossAccountAccess user.
   g. Click , select the CVAssumeRolePolicy policy that you created, and click .
3. Allow the IAM user IAMUserA_WithCrossAccountAccess in the trusted account to access the policy that you created in step 2.
   a. Go to the IAM service of the trusted account.
   b. Click and paste the following JSON:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "iam:GetPolicy",
              "iam:GetPolicyVersion"
            ],
            "Resource": "*"
          }
        ]
      }
   c. Click Review policy, call the policy CVAllowReadPolicy, and click Create policy to save it.
   d. Go to Users and select the IAMUserA_WithCrossAccountAccess user.
   e. Click , select the CVAllowReadPolicy policy that you created, and click .
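The following script is an added example, not part of the IBM documentation or the QRadar Cloud Visibility app. It generates the CVAssumeRolePolicy document from step 2 for any number of accounts and splits the statements across several policies when the 6144-character limit described in step 2c would be exceeded, so that each policy still names only the CVAppAssumeRole role in specific accounts rather than a wildcard. The role name, policy structure and character limit come from this page; the account IDs in the demo are constructed placeholders, and the whitespace-exclusion rule used for the size check is IAM's documented behaviour for managed-policy quotas.

```python
"""Generate CVAssumeRolePolicy documents for the trusted account.

Added example (not from the IBM documentation): builds the sts:AssumeRole
policy shown in step 2 for any number of trusting accounts and splits the
statements over several policies when the 6144-character IAM managed-policy
limit would be exceeded, as the note in step 2c describes.
"""
import json
import re

ROLE_NAME = "CVAppAssumeRole"      # role created in every account by the trusting-account procedure
POLICY_CHAR_LIMIT = 6144           # IAM managed-policy size limit quoted on the page
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def assume_role_statement(account_id: str) -> dict:
    """One Allow statement for the CVAppAssumeRole role in a single account."""
    if not ACCOUNT_ID_RE.match(account_id):
        # A mistyped ID would produce an ARN that grants access to nothing or to
        # the wrong account; fail early instead of creating a broken policy.
        raise ValueError(f"invalid AWS account ID: {account_id!r}")
    return {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
    }


def policy_size(statements: list) -> int:
    """Size of a policy document holding these statements.

    IAM does not count whitespace toward the managed-policy quota, so the
    compact serialization is what the service actually measures.
    """
    doc = {"Version": "2012-10-17", "Statement": statements}
    return len(json.dumps(doc, separators=(",", ":")))


def build_assume_role_policies(trusted_account_id: str, trusting_account_ids: list) -> list:
    """Return one or more policy documents covering the trusted account and
    every trusting account.

    Statements are added greedily; when the next one would push the document
    over POLICY_CHAR_LIMIT, a new policy is started (steps 2a - 2c repeated).
    """
    account_ids = [trusted_account_id, *trusting_account_ids]
    if len(set(account_ids)) != len(account_ids):
        raise ValueError("duplicate account IDs")
    policies, current = [], []
    for account_id in account_ids:
        stmt = assume_role_statement(account_id)
        if current and policy_size(current + [stmt]) > POLICY_CHAR_LIMIT:
            policies.append({"Version": "2012-10-17", "Statement": current})
            current = []
        current.append(stmt)
    policies.append({"Version": "2012-10-17", "Statement": current})
    return policies


def render_for_console(policy: dict) -> str:
    """Pretty-printed JSON to paste into the IAM console policy editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed demo IDs; replace with the IDs from your own AWS environment.
    trusted = "111111111111"
    trusting = [f"{n:012d}" for n in range(200000000001, 200000000100)]  # 99 trusting accounts
    for i, policy in enumerate(build_assume_role_policies(trusted, trusting), start=1):
        print(f"CVAssumeRolePolicy{i}: {len(policy['Statement'])} accounts, "
              f"{policy_size(policy['Statement'])} characters")
        print(render_for_console(policy))
```

With 100 accounts the script produces two policies (58 and 42 statements), matching the page's advice to repeat steps 2a - 2c and paste one document per policy; each CVAssumeRolePolicy ARN is then added to the app, which supports multiple ARNs from version 1.4.0.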
What to do next
Setup for configuring a trusted account is now complete. Update the Amazon AWS account configuration. Important: Repeat the procedure for all the AWS accounts that you want to configure for QRadar Cloud Visibility.