Configuring a trusting AWS account

Allow the trusted account to assume a role in the trusting account that you're configuring. In this procedure, you create a role whose trust relationship names the trusted account, create a permissions policy, and then attach the policy to the role in AWS.

About this task

You must follow this procedure for all the trusted and trusting accounts. For example, if you have three accounts, follow this procedure once per account.

Procedure

  1. Log in to the AWS console (https://console.aws.amazon.com) of the trusting account.
  2. Go to the IAM service.
  3. Click Roles > Create role.
  4. From the Select type of trusted entity list, select Another AWS Account, and enter the Account ID of the trusted account. This setting writes a trust policy for the role that names the trusted account's root principal, so any IAM user or role in the trusted account whose own permissions allow sts:AssumeRole on this role can assume it.
  5. Click Next: Permissions > Next: Tags > Next: Review.
  6. Give the role a name, CVAppAssumeRole, and click Create role.
  7. Click Policies > Create policy > JSON, and paste the following JSON:
    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                    "cloudtrail:DescribeTrails",
                    "ec2:DescribeInstances",
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeVpcs",
                    "iam:GenerateCredentialReport",
                    "iam:GetCredentialReport",
                    "iam:GetPolicyVersion",
                    "iam:GetPolicy",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListUsers",
                    "logs:DescribeLogGroups",
                    "logs:FilterLogEvents",
                    "s3:GetBucketLocation",
                    "s3:GetBucketNotification",
                    "s3:ListAllMyBuckets",
                     "sns:ListSubscriptionsByTopic"
               ],
               "Resource": "*"
           }
       ]
    }
    
    Note:

    Use the following JSON instead of the preceding JSON only if you are following this procedure for the trusted account. The only difference is the two additional securityhub actions at the end of the Action list.

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                    "cloudtrail:DescribeTrails",
                    "ec2:DescribeInstances",
                    "ec2:DescribeFlowLogs",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeVpcs",
                    "iam:GenerateCredentialReport",
                    "iam:GetCredentialReport",
                    "iam:GetPolicyVersion",
                    "iam:GetPolicy",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListUsers",
                    "logs:DescribeLogGroups",
                    "logs:FilterLogEvents",
                    "s3:GetBucketLocation",
                    "s3:GetBucketNotification",
                    "s3:ListAllMyBuckets",
                    "sns:ListSubscriptionsByTopic",
                    "securityhub:BatchImportFindings",
                     "securityhub:EnableImportFindingsForProduct"
               ],
               "Resource": "*"
           }
       ]
    }
    
  8. Click Review Policy, name the policy CVAPIAccessPolicy, and click Create policy to save it.
  9. Go to Roles and select CVAppAssumeRole.
  10. In the Permissions tab, click Attach policies, select CVAPIAccessPolicy, and click Attach policy.
  11. From the summary page of the role, copy the Role ARN and save it to use later in the workflow. The role ARN looks like the following example: arn:aws:iam::<trusting_account_id>:role/CVAppAssumeRole.
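The following Python script is an added example for this procedure; it is not IBM's or AWS's own code. It builds the trust policy that the console generates in step 4, the permissions policy from step 7 (with the Security Hub actions added only for the trusted account), checks that a policy document contains nothing beyond the actions listed on this page, and prints the AWS CLI commands that reproduce steps 3 to 11 without the console. The file names trust.json and policy.json, the check functions, the session name, and the optional external ID are assumptions of this example.

```python
"""Build and sanity-check the IAM artefacts for the CVAppAssumeRole setup.

Added example, not the product's code. Run with Python 3.9+ and no network:
it only generates policy documents and the equivalent AWS CLI commands.
"""
import json
import re
from typing import List, Optional

ROLE_NAME = "CVAppAssumeRole"
POLICY_NAME = "CVAPIAccessPolicy"

# Read-only actions from the first policy on the page (trusting accounts).
READ_ONLY_ACTIONS = [
    "cloudtrail:DescribeTrails", "ec2:DescribeInstances", "ec2:DescribeFlowLogs",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs",
    "iam:GenerateCredentialReport", "iam:GetCredentialReport",
    "iam:GetPolicyVersion", "iam:GetPolicy", "iam:ListAccessKeys",
    "iam:ListAttachedRolePolicies", "iam:ListUsers",
    "logs:DescribeLogGroups", "logs:FilterLogEvents",
    "s3:GetBucketLocation", "s3:GetBucketNotification", "s3:ListAllMyBuckets",
    "sns:ListSubscriptionsByTopic",
]
# Extra actions that only the trusted account's policy carries.
SECURITY_HUB_ACTIONS = ["securityhub:BatchImportFindings",
                        "securityhub:EnableImportFindingsForProduct"]

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def validate_account_id(account_id: str) -> str:
    """AWS account IDs are exactly 12 digits; reject copy/paste mistakes early."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def build_trust_policy(trusted_account_id: str, external_id: Optional[str] = None) -> dict:
    """Trust policy equivalent to 'Another AWS Account' in step 4.

    The principal is the trusted account's root, i.e. any principal in that
    account that is itself allowed sts:AssumeRole on this role. external_id is
    optional extra hardening (assumption of this example): the caller must then
    pass the same value to sts:AssumeRole.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{validate_account_id(trusted_account_id)}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_permissions_policy(for_trusted_account: bool = False) -> dict:
    """Step 7: the trusted account's policy adds the Security Hub actions."""
    actions = READ_ONLY_ACTIONS + (SECURITY_HUB_ACTIONS if for_trusted_account else [])
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                           "Action": actions, "Resource": "*"}]}


def check_least_privilege(policy: dict) -> List[str]:
    """Return problems found: statements that are not plain Allow/Action, wildcard
    actions, or actions outside the page's allowlist. Empty list means the
    document matches what the page documents."""
    allowed = set(READ_ONLY_ACTIONS) | set(SECURITY_HUB_ACTIONS)
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "NotAction" in st:
            problems.append(f"unexpected statement shape: {st.get('Sid')}")
        actions = st.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if "*" in action or action not in allowed:
                problems.append(f"action not in documented allowlist: {action}")
    return problems


def expected_role_arn(trusting_account_id: str) -> str:
    """Shape of the ARN copied in step 11 (trusting account ID, not trusted)."""
    return f"arn:aws:iam::{validate_account_id(trusting_account_id)}:role/{ROLE_NAME}"


def cli_commands(trusting_account_id: str) -> List[str]:
    """AWS CLI equivalent of steps 3-11, run with trusting-account credentials.
    The last command is run from the trusted account to prove the trust
    relationship works before the ARN is handed to QRadar."""
    policy_arn = f"arn:aws:iam::{validate_account_id(trusting_account_id)}:policy/{POLICY_NAME}"
    return [
        f"aws iam create-role --role-name {ROLE_NAME} --assume-role-policy-document file://trust.json",
        f"aws iam create-policy --policy-name {POLICY_NAME} --policy-document file://policy.json",
        f"aws iam attach-role-policy --role-name {ROLE_NAME} --policy-arn {policy_arn}",
        f"aws iam get-role --role-name {ROLE_NAME} --query Role.Arn --output text",
        f"aws sts assume-role --role-arn {expected_role_arn(trusting_account_id)} --role-session-name cv-trust-check",
    ]


if __name__ == "__main__":
    # Constructed example IDs; replace with your own trusted/trusting account IDs.
    trusted, trusting = "111122223333", "444455556666"
    print(json.dumps(build_trust_policy(trusted), indent=2))          # -> trust.json
    print(json.dumps(build_permissions_policy(False), indent=2))      # -> policy.json
    assert check_least_privilege(build_permissions_policy(True)) == []
    print("\n".join(cli_commands(trusting)))
```

Save the two printed documents as trust.json and policy.json before running the create-role and create-policy commands. The check_least_privilege function is also useful after the fact: feed it the output of `aws iam get-policy-version` for CVAPIAccessPolicy to confirm nobody has widened the policy since it was created.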

What to do next

Setup for this trusting account is now complete.

Important: Repeat the procedure for all the AWS accounts that you want to configure for QRadar® Cloud Visibility.

After you configure the trusting account setup for all the accounts, continue with the procedure for configuring a trusted AWS account.