AWS
info
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
By integrating Shisho Cloud and AWS, you may carry out security scanning on your AWS account. The integration can be achieved in two steps:
- Create an IAM role in the target AWS account that Shisho Cloud can use (assume), along with the corresponding Identity Provider.
- Register the ARN of the created IAM role with Shisho Cloud.
info
Shisho Cloud does not require an IAM access key. Instead, it accesses AWS using a mechanism called Web Identity Federation with sts:AssumeRoleWithWebIdentity, issuing short-lived authentication credentials as needed.
This mechanism is essentially equivalent to the OIDC-based AWS/Google Cloud integration used by GitHub Action.
Creating an IAM Role
Follow one of the procedures below to create an IAM role:
info
The s3:GetObject action for certain resources is restricted not to allow access to S3 objects within the AWS account you link. Therefore, even if you link your AWS account to Shisho Cloud, Shisho Cloud will not read data from the S3 managed by you.
Conversely, read access is allowed only for S3 objects (those where the account containing resources s3:ResourceAccount differs from the account where the role used by Shisho Cloud exists) outside the AWS account you link. This is necessary for inspecting Elastic Beanstalk settings. AWS internally stores Elastic Beanstalk configuration information in an S3 bucket (arn:aws:s3:::elasticbeanstalk-env-resources-*/*, etc.) managed by a separate AWS account. Therefore, when using some of the Elastic Beanstalk APIs, the API caller must have relevant permissions for the specified bucket. You can verify that the AWS-managed IAM policy AWSElasticBeanstalkRoleCore includes such permissions.
- Terraform
- AWS CLI
- CloudFormation
After replacing the value of the variable shisho_cloud_org_id with your Shisho Cloud organization ID, include the following Terraform implementation into your Terraform project and execute terraform apply.
locals {
# Replace this with your Shisho Cloud org ID
shisho_cloud_org_id = "your-organization-id"
}
# The `aws_caller_identity` data is used to fetch the current AWS account ID.
data "aws_caller_identity" "shisho_cloud" {}
# Shisho Cloud connects to your AWS account via OIDC federation.
# The following `tls_certificate` resource will fetch the required certificate.
data "tls_certificate" "shisho_cloud_tokens_endpoint" {
url = "https://tokens.cloud.shisho.dev/.well-known/openid-configuration"
}
# The following `aws_iam_openid_connect_provider` resource will create the OIDC provider.
resource "aws_iam_openid_connect_provider" "shisho_cloud" {
url = "https://tokens.cloud.shisho.dev"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = data.tls_certificate.shisho_cloud_tokens_endpoint.certificates[*].sha1_fingerprint
}
# The following `aws_iam_role` resource will create the IAM role that Shisho Cloud will assume.
resource "aws_iam_role" "shisho_cloud_audit" {
name = "ShishoCloudSecurityAudit"
description = "IAM role for Shisho Cloud"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Federated" : aws_iam_openid_connect_provider.shisho_cloud.arn,
},
"Action" : "sts:AssumeRoleWithWebIdentity",
"Condition" : {
"StringLike" : {
# Allow AssumeRole for any job in the Shisho Cloud org
"tokens.cloud.shisho.dev:sub" : "job:${local.shisho_cloud_org_id}:*"
},
"StringEquals" : {
"tokens.cloud.shisho.dev:aud" : "sts.amazonaws.com"
}
}
}
]
})
inline_policy {
name = "ResourceAccessPolicy"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"access-analyzer:ListAnalyzers",
"account:GetAlternateContact",
"acm:DescribeCertificate",
"acm:ListCertificates",
"apigateway:GET",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudfront:ListDistributions",
"cloudfront:GetDistributionConfig",
"cloudfront:GetResponseHeadersPolicy",
"cloudfront:GetCachePolicy",
"cloudfront:GetOriginRequestPolicy",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"codebuild:ListProjects",
"codebuild:ListSourceCredentials",
"codebuild:BatchGetProjects",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:ListIdentityPools",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:GetPrincipalTagAttributeMap",
"cognito-idp:ListUserPoolClients",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:GetGroup",
"cognito-idp:ListGroups",
"cognito-idp:DescribeUserPoolDomain",
"cognito-idp:DescribeRiskConfiguration",
"cognito-idp:GetUserPoolMfaConfig",
"cognito-idp:ListIdentityProviders",
"cognito-idp:DescribeIdentityProvider",
"cognito-idp:GetIdentityProviderByIdentifier",
"cognito-idp:DescribeResourceServer",
"cognito-idp:ListResourceServers",
"cognito-idp:DescribeRiskConfiguration",
"cognito-idp:GetUICustomization",
"cognito-idp:GetSigningCertificate",
"cognito-idp:GetLogDeliveryConfiguration",
"cognito-idp:DescribeUserPool",
"cognito-idp:ListUserPools",
"config:DescribeConfigRules",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"directconnect:DescribeConnections",
"dms:DescribeReplicationInstances",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:ListBackups",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAddresses",
"ec2:DescribeCustomerGateways",
"ec2:DescribeFlowLogs",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetEbsEncryptionByDefault",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTasks",
"ecs:DescribeTasks",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListAccountSettings",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeUsers",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListClusters",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"es:DescribeDomains",
"events:ListEndpoints",
"events:ListEventBuses",
"events:DescribeEventBus",
"dax:DescribeClusters",
"dax:DescribeSubnetGroups",
"guardduty:GetDetector",
"guardduty:ListDetectors",
"iam:GenerateCredentialReport",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetLoginProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUserPolicy",
"iam:GetAccountSummary",
"iam:GetAccessKeyLastUsed",
"iam:ListAccessKeys",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADevices",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:ListServerCertificates",
"iam:ListAccountAliases",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeys",
"network-firewall:ListFirewallPolicies",
"network-firewall:ListFirewalls",
"network-firewall:ListRuleGroups",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeFirewallPolicy",
"network-firewall:DescribeRuleGroup",
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:ListFunctions",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"rds:DescribeEventSubscriptions",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusterSecurityGroups",
"redshift:DescribeClusterSubnetGroups",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"route53domains:ListDomains",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"sagemaker:ListNotebookInstances",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"secretsmanager:ListSecrets",
"secretsmanager:DescribeSecret",
"securityhub:DescribeHub",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityPolicies",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"states:ListStateMachines",
"states:DescribeStateMachine",
"ssm:DescribeParameters",
"ssm:GetParameters",
"ssm:ListComplianceItems",
"ssm:ListDocuments",
"ssm:DescribeDocument",
"ssm:DescribeDocumentPermission",
"ssm:DescribeInstanceInformation",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"waf:ListActivatedRulesInRuleGroup",
"waf:ListRuleGroups",
"waf:ListRules",
"waf:ListWebACLs",
"waf:GetLoggingConfiguration",
"waf:GetRateBasedRule",
"waf:GetRuleGroup",
"waf:GetRule",
"waf:GetWebACL",
"wafv2:ListWebACLs",
"wafv2:GetWebACL",
"wafv2:GetLoggingConfiguration",
"waf-regional:ListActivatedRulesInRuleGroup",
"waf-regional:ListWebACLs",
"waf-regional:ListRuleGroups",
"waf-regional:ListRules",
"waf-regional:GetLoggingConfiguration",
"waf-regional:GetRateBasedRule",
"waf-regional:GetRuleGroup",
"waf-regional:GetRule",
"waf-regional:GetWebACL",
"tag:Get*"
],
"Resource" : "*"
},
{
"Effect": "Allow",
"Action": [ "s3:GetObject" ],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-env-resources-*/*"
],
"Condition": {
"StringNotLike": {
"s3:ResourceAccount": "${data.aws_caller_identity.shisho_cloud.account_id}"
}
}
}
]
})
}
}
Run the following script after changing the variables defined in the top of the script to create required resources:
#!/bin/bash
set -eu
# Input values
############
# Any additional values for your AWS CLI
# Example: --profile your-profile-name
AWS_CLI_OPTS="--profile demo02"
# AWS Account ID to be reviewed by Shisho Cloud
AWS_ACCOUNT_ID="1234567890"
# Your Shisho Cloud organization ID
SHISHO_ORG_ID="flatt-security"
# Constants
############
TOKEN_ENDPOINT_URL="https://tokens.cloud.shisho.dev"
TOKEN_ENDPOINT_HOST="tokens.cloud.shisho.dev"
OIDC_THUMBPRINT="9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
# The name of an IAM role to create for Shisho Cloud
ROLE_NAME="ShishoCloudSecurityAudit"
# Setting up all resouces
############
echo "[*] Create an OIDC provider: $TOKEN_ENDPOINT_URL"
aws iam create-open-id-connect-provider \
$AWS_CLI_OPTS \
--url "$TOKEN_ENDPOINT_URL" \
--client-id-list "sts.amazonaws.com" \
--thumbprint-list "$OIDC_THUMBPRINT"
echo "[*] Create a role assumable by the OIDC provider: $ROLE_NAME"
PROVIDER_ARN="arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${TOKEN_ENDPOINT_HOST}"
ASSUME_ROLE_POLICY_DOCUMENT="$(cat <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "$PROVIDER_ARN"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"${TOKEN_ENDPOINT_HOST}:sub": "job:${SHISHO_ORG_ID}:*"
},
"StringEquals": {
"${TOKEN_ENDPOINT_HOST}:aud": "sts.amazonaws.com"
}
}
}
]
}
EOF
)"
aws iam create-role \
$AWS_CLI_OPTS \
--role-name "$ROLE_NAME" \
--assume-role-policy-document "$ASSUME_ROLE_POLICY_DOCUMENT"
# Give the role permissions to access AWS resources according to $POLICY_DOCUMENT
echo "[*] Give the role permissions to access AWS resources"
POLICY_DOCUMENT="$(cat <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"access-analyzer:ListAnalyzers",
"account:GetAlternateContact",
"acm:DescribeCertificate",
"acm:ListCertificates",
"apigateway:GET",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudfront:ListDistributions",
"cloudfront:GetDistributionConfig",
"cloudfront:GetResponseHeadersPolicy",
"cloudfront:GetCachePolicy",
"cloudfront:GetOriginRequestPolicy",
"cloudtrail:DescribeTrails",
"cloudtrail:GetEventSelectors",
"cloudtrail:GetTrailStatus",
"cloudwatch:DescribeAlarms",
"codebuild:ListProjects",
"codebuild:ListSourceCredentials",
"codebuild:BatchGetProjects",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:ListIdentityPools",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:GetPrincipalTagAttributeMap",
"cognito-idp:ListUserPoolClients",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:GetGroup",
"cognito-idp:ListGroups",
"cognito-idp:DescribeUserPoolDomain",
"cognito-idp:DescribeRiskConfiguration",
"cognito-idp:GetUserPoolMfaConfig",
"cognito-idp:ListIdentityProviders",
"cognito-idp:DescribeIdentityProvider",
"cognito-idp:GetIdentityProviderByIdentifier",
"cognito-idp:DescribeResourceServer",
"cognito-idp:ListResourceServers",
"cognito-idp:DescribeRiskConfiguration",
"cognito-idp:GetUICustomization",
"cognito-idp:GetSigningCertificate",
"cognito-idp:GetLogDeliveryConfiguration",
"cognito-idp:DescribeUserPool",
"cognito-idp:ListUserPools",
"config:DescribeConfigRules",
"config:DescribeConfigurationRecorderStatus",
"config:DescribeConfigurationRecorders",
"directconnect:DescribeConnections",
"dms:DescribeReplicationInstances",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:ListBackups",
"dynamodb:ListTables",
"dynamodb:ListTagsOfResource",
"ec2:DescribeAddresses",
"ec2:DescribeCustomerGateways",
"ec2:DescribeFlowLogs",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTransitGateways",
"ec2:DescribeVolumes",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetEbsEncryptionByDefault",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListServices",
"ecs:DescribeServices",
"ecs:ListTasks",
"ecs:DescribeTasks",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:ListAccountSettings",
"eks:DescribeCluster",
"eks:ListClusters",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeCacheSecurityGroups",
"elasticache:DescribeCacheSubnetGroups",
"elasticache:DescribeReplicationGroups",
"elasticache:DescribeUsers",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListClusters",
"es:ListDomainNames",
"es:DescribeElasticsearchDomains",
"es:DescribeDomains",
"dax:DescribeClusters",
"dax:DescribeSubnetGroups",
"events:ListEndpoints",
"events:ListEventBuses",
"events:DescribeEventBus",
"guardduty:GetDetector",
"guardduty:ListDetectors",
"iam:GenerateCredentialReport",
"iam:GetAccountPasswordPolicy",
"iam:GetCredentialReport",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetLoginProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUserPolicy",
"iam:GetAccountSummary",
"iam:GetAccessKeyLastUsed",
"iam:ListAccessKeys",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListInstanceProfilesForRole",
"iam:ListMFADevices",
"iam:ListPolicies",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:ListServerCertificates",
"iam:ListAccountAliases",
"kinesis:ListStreams",
"kinesis:DescribeStream",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:ListGrants",
"kms:ListKeys",
"network-firewall:ListFirewallPolicies",
"network-firewall:ListFirewalls",
"network-firewall:ListRuleGroups",
"network-firewall:DescribeFirewall",
"network-firewall:DescribeFirewallPolicy",
"network-firewall:DescribeRuleGroup",
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:ListFunctions",
"logs:DescribeLogGroups",
"logs:DescribeMetricFilters",
"rds:DescribeDBClusterSnapshotAttributes",
"rds:DescribeDBClusterSnapshots",
"rds:DescribeDBClusters",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSecurityGroups",
"rds:DescribeDBSnapshotAttributes",
"rds:DescribeDBSnapshots",
"rds:DescribeDBSubnetGroups",
"rds:DescribeEventSubscriptions",
"rds:ListTagsForResource",
"redshift:DescribeClusterParameterGroups",
"redshift:DescribeClusterParameters",
"redshift:DescribeClusterSecurityGroups",
"redshift:DescribeClusterSubnetGroups",
"redshift:DescribeClusters",
"redshift:DescribeLoggingStatus",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"route53domains:ListDomains",
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketOwnershipControls",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetReplicationConfiguration",
"s3:ListAllMyBuckets",
"sagemaker:ListNotebookInstances",
"sagemaker:DescribeNotebookInstance",
"sagemaker:DescribeNotebookInstanceLifecycleConfig",
"secretsmanager:ListSecrets",
"secretsmanager:DescribeSecret",
"securityhub:DescribeHub",
"ses:GetIdentityDkimAttributes",
"ses:GetIdentityPolicies",
"ses:ListIdentities",
"ses:ListIdentityPolicies",
"states:ListStateMachines",
"states:DescribeStateMachine",
"ssm:DescribeParameters",
"ssm:GetParameters",
"ssm:ListComplianceItems",
"ssm:ListDocuments",
"ssm:DescribeDocument",
"ssm:DescribeDocumentPermission",
"ssm:DescribeInstanceInformation",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sqs:GetQueueAttributes",
"sqs:ListQueues",
"waf:ListActivatedRulesInRuleGroup",
"waf:ListRuleGroups",
"waf:ListRules",
"waf:ListWebACLs",
"waf:GetLoggingConfiguration",
"waf:GetRateBasedRule",
"waf:GetRuleGroup",
"waf:GetRule",
"waf:GetWebACL",
"wafv2:ListWebACLs",
"wafv2:GetWebACL",
"wafv2:GetLoggingConfiguration",
"waf-regional:ListActivatedRulesInRuleGroup",
"waf-regional:ListWebACLs",
"waf-regional:ListRuleGroups",
"waf-regional:ListRules",
"waf-regional:GetLoggingConfiguration",
"waf-regional:GetRateBasedRule",
"waf-regional:GetRuleGroup",
"waf-regional:GetRule",
"waf-regional:GetWebACL",
"tag:Get*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [ "s3:GetObject" ],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-env-resources-*/*"
],
"Condition": {
"StringNotLike": {
"s3:ResourceAccount": "$AWS_ACCOUNT_ID"
}
}
}
]
}
EOF
)"
aws iam put-role-policy \
$AWS_CLI_OPTS \
--role-name "$ROLE_NAME" \
--policy-name "ResourceAccessPolicy" \
--policy-document "$POLICY_DOCUMENT"
# Postprocessing
############
echo "[*] Visit https://cloud.shisho.dev/${SHISHO_ORG_ID}/settings/integrations/aws and add a federation with:"
echo "- Role ARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME}"
Create a CloudFormation stack with the following template, where ShishoCloudOrgId is your Shisho Cloud organization ID:
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
ShishoCloudOrgId:
Type: String
Description: "Your Shisho Cloud org ID"
Resources:
ShishoCloudAuditRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: "ShishoCloudSecurityAuditByCloudFormationTemplate"
Description: "IAM role for Shisho Cloud"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/tokens.cloud.shisho.dev"
Action: "sts:AssumeRoleWithWebIdentity"
Condition:
StringLike:
"tokens.cloud.shisho.dev:sub": !Sub "job:${ShishoCloudOrgId}:*"
StringEquals:
"tokens.cloud.shisho.dev:aud": "sts.amazonaws.com"
Policies:
- PolicyName: "ResourceAccessPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "access-analyzer:ListAnalyzers"
- "account:GetAlternateContact"
- "acm:DescribeCertificate"
- "acm:ListCertificates"
- "apigateway:GET"
- "autoscaling:DescribeAutoScalingGroups"
- "autoscaling:DescribeLaunchConfigurations"
- "cloudformation:DescribeStacks"
- "cloudformation:GetStackPolicy"
- "cloudformation:GetTemplate"
- "cloudformation:ListStacks"
- "cloudformation:ListStackResources"
- "cloudfront:ListDistributions"
- "cloudfront:GetDistributionConfig"
- "cloudfront:GetResponseHeadersPolicy"
- "cloudfront:GetCachePolicy"
- "cloudfront:GetOriginRequestPolicy"
- "cloudtrail:DescribeTrails"
- "cloudtrail:GetEventSelectors"
- "cloudtrail:GetTrailStatus"
- "cloudwatch:DescribeAlarms"
- "codebuild:ListProjects"
- "codebuild:ListSourceCredentials"
- "codebuild:BatchGetProjects"
- "cognito-identity:DescribeIdentityPool"
- "cognito-identity:ListIdentityPools"
- "cognito-identity:GetIdentityPoolRoles"
- "cognito-identity:GetPrincipalTagAttributeMap"
- "cognito-idp:ListUserPoolClients"
- "cognito-idp:DescribeUserPoolClient"
- "cognito-idp:GetGroup"
- "cognito-idp:ListGroups"
- "cognito-idp:DescribeUserPoolDomain"
- "cognito-idp:DescribeRiskConfiguration"
- "cognito-idp:GetUserPoolMfaConfig"
- "cognito-idp:ListIdentityProviders"
- "cognito-idp:DescribeIdentityProvider"
- "cognito-idp:GetIdentityProviderByIdentifier"
- "cognito-idp:DescribeResourceServer"
- "cognito-idp:ListResourceServers"
- "cognito-idp:DescribeRiskConfiguration"
- "cognito-idp:GetUICustomization"
- "cognito-idp:GetSigningCertificate"
- "cognito-idp:GetLogDeliveryConfiguration"
- "cognito-idp:DescribeUserPool"
- "cognito-idp:ListUserPools"
- "config:DescribeConfigRules"
- "config:DescribeConfigurationRecorderStatus"
- "config:DescribeConfigurationRecorders"
- "directconnect:DescribeConnections"
- "dms:DescribeReplicationInstances"
- "dynamodb:DescribeContinuousBackups"
- "dynamodb:DescribeTable"
- "dynamodb:ListBackups"
- "dynamodb:ListTables"
- "dynamodb:ListTagsOfResource"
- "ec2:DescribeAddresses"
- "ec2:DescribeCustomerGateways"
- "ec2:DescribeFlowLogs"
- "ec2:DescribeImages"
- "ec2:DescribeInstanceAttribute"
- "ec2:DescribeInstances"
- "ec2:DescribeLaunchTemplates"
- "ec2:DescribeLaunchTemplateVersions"
- "ec2:DescribeNetworkAcls"
- "ec2:DescribeNetworkInterfaceAttribute"
- "ec2:DescribeNetworkInterfaces"
- "ec2:DescribeRegions"
- "ec2:DescribeRouteTables"
- "ec2:DescribeSecurityGroups"
- "ec2:DescribeSecurityGroupRules"
- "ec2:DescribeSnapshotAttribute"
- "ec2:DescribeSnapshots"
- "ec2:DescribeSubnets"
- "ec2:DescribeTransitGateways"
- "ec2:DescribeVolumes"
- "ec2:DescribeVpcEndpoints"
- "ec2:DescribeVpcPeeringConnections"
- "ec2:DescribeVpcs"
- "ec2:DescribeVpnConnections"
- "ec2:DescribeVpnGateways"
- "ec2:GetEbsEncryptionByDefault"
- "ecr:DescribeImages"
- "ecr:DescribeRepositories"
- "ecr:GetLifecyclePolicy"
- "ecr:GetRepositoryPolicy"
- "ecr:ListImages"
- "ecs:ListClusters"
- "ecs:DescribeClusters"
- "ecs:ListServices"
- "ecs:DescribeServices"
- "ecs:ListTasks"
- "ecs:DescribeTasks"
- "ecs:ListTaskDefinitions"
- "ecs:DescribeTaskDefinition"
- "ecs:ListAccountSettings"
- "eks:DescribeCluster"
- "eks:ListClusters"
- "elasticbeanstalk:DescribeConfigurationSettings"
- "elasticbeanstalk:DescribeEnvironmentResources"
- "elasticbeanstalk:DescribeEnvironments"
- "elasticache:DescribeCacheClusters"
- "elasticache:DescribeCacheParameterGroups"
- "elasticache:DescribeCacheParameters"
- "elasticache:DescribeCacheSecurityGroups"
- "elasticache:DescribeCacheSubnetGroups"
- "elasticache:DescribeReplicationGroups"
- "elasticache:DescribeUsers"
- "elasticfilesystem:DescribeAccessPoints"
- "elasticfilesystem:DescribeFileSystems"
- "elasticfilesystem:DescribeMountTargetSecurityGroups"
- "elasticfilesystem:DescribeMountTargets"
- "elasticfilesystem:DescribeTags"
- "elasticfilesystem:DescribeBackupPolicy"
- "elasticfilesystem:DescribeFileSystemPolicy"
- "elasticloadbalancing:DescribeListeners"
- "elasticloadbalancing:DescribeLoadBalancerAttributes"
- "elasticloadbalancing:DescribeLoadBalancerPolicies"
- "elasticloadbalancing:DescribeLoadBalancers"
- "elasticloadbalancing:DescribeSSLPolicies"
- "elasticloadbalancing:DescribeTags"
- "elasticloadbalancing:DescribeTargetGroups"
- "elasticmapreduce:DescribeCluster"
- "elasticmapreduce:ListClusters"
- "es:ListDomainNames"
- "es:DescribeElasticsearchDomains"
- "es:DescribeDomains"
- "dax:DescribeClusters"
- "dax:DescribeSubnetGroups"
- "events:ListEndpoints"
- "events:ListEventBuses"
- "events:DescribeEventBus"
- "guardduty:GetDetector"
- "guardduty:ListDetectors"
- "iam:GenerateCredentialReport"
- "iam:GetAccountPasswordPolicy"
- "iam:GetCredentialReport"
- "iam:GetGroup"
- "iam:GetGroupPolicy"
- "iam:GetLoginProfile"
- "iam:GetPolicy"
- "iam:GetPolicyVersion"
- "iam:GetRole"
- "iam:GetRolePolicy"
- "iam:GetUserPolicy"
- "iam:GetAccountSummary"
- "iam:GetAccessKeyLastUsed"
- "iam:ListAccessKeys"
- "iam:ListAttachedRolePolicies"
- "iam:ListAttachedUserPolicies"
- "iam:ListEntitiesForPolicy"
- "iam:ListGroupPolicies"
- "iam:ListGroups"
- "iam:ListGroupsForUser"
- "iam:ListInstanceProfilesForRole"
- "iam:ListMFADevices"
- "iam:ListPolicies"
- "iam:ListRolePolicies"
- "iam:ListRoleTags"
- "iam:ListRoles"
- "iam:ListUserPolicies"
- "iam:ListUserTags"
- "iam:ListUsers"
- "iam:ListVirtualMFADevices"
- "iam:ListServerCertificates"
- "iam:ListAccountAliases"
- "kinesis:ListStreams"
- "kinesis:DescribeStream"
- "kms:DescribeKey"
- "kms:GetKeyPolicy"
- "kms:GetKeyRotationStatus"
- "kms:ListAliases"
- "kms:ListGrants"
- "kms:ListKeys"
- "network-firewall:ListFirewallPolicies"
- "network-firewall:ListFirewalls"
- "network-firewall:ListRuleGroups"
- "network-firewall:DescribeFirewall"
- "network-firewall:DescribeFirewallPolicy"
- "network-firewall:DescribeRuleGroup"
- "lambda:GetFunctionConfiguration"
- "lambda:GetPolicy"
- "lambda:ListFunctions"
- "logs:DescribeLogGroups"
- "logs:DescribeMetricFilters"
- "rds:DescribeDBClusterSnapshotAttributes"
- "rds:DescribeDBClusterSnapshots"
- "rds:DescribeDBClusters"
- "rds:DescribeDBInstances"
- "rds:DescribeDBParameterGroups"
- "rds:DescribeDBParameters"
- "rds:DescribeDBSecurityGroups"
- "rds:DescribeDBSnapshotAttributes"
- "rds:DescribeDBSnapshots"
- "rds:DescribeDBSubnetGroups"
- "rds:DescribeEventSubscriptions"
- "rds:ListTagsForResource"
- "redshift:DescribeClusterParameterGroups"
- "redshift:DescribeClusterParameters"
- "redshift:DescribeClusterSecurityGroups"
- "redshift:DescribeClusterSubnetGroups"
- "redshift:DescribeClusters"
- "redshift:DescribeLoggingStatus"
- "route53:ListHostedZones"
- "route53:ListResourceRecordSets"
- "route53:ListTagsForResource"
- "route53domains:ListDomains"
- "s3:GetAccountPublicAccessBlock"
- "s3:GetBucketAcl"
- "s3:GetBucketLocation"
- "s3:GetBucketLogging"
- "s3:GetBucketNotification"
- "s3:GetBucketObjectLockConfiguration"
- "s3:GetBucketOwnershipControls"
- "s3:GetBucketPolicy"
- "s3:GetBucketPublicAccessBlock"
- "s3:GetBucketTagging"
- "s3:GetBucketVersioning"
- "s3:GetBucketWebsite"
- "s3:GetEncryptionConfiguration"
- "s3:GetLifecycleConfiguration"
- "s3:GetReplicationConfiguration"
- "s3:ListAllMyBuckets"
- "sagemaker:ListNotebookInstances"
- "sagemaker:DescribeNotebookInstance"
- "sagemaker:DescribeNotebookInstanceLifecycleConfig"
- "secretsmanager:ListSecrets"
- "secretsmanager:DescribeSecret"
- "securityhub:DescribeHub"
- "ses:GetIdentityDkimAttributes"
- "ses:GetIdentityPolicies"
- "ses:ListIdentities"
- "ses:ListIdentityPolicies"
- "states:ListStateMachines"
- "states:DescribeStateMachine"
- "ssm:DescribeParameters"
- "ssm:GetParameters"
- "ssm:ListComplianceItems"
- "ssm:ListDocuments"
- "ssm:DescribeDocument"
- "ssm:DescribeDocumentPermission"
- "ssm:DescribeInstanceInformation"
- "sns:GetTopicAttributes"
- "sns:GetSubscriptionAttributes"
- "sns:ListSubscriptions"
- "sns:ListSubscriptionsByTopic"
- "sns:ListTopics"
- "sqs:GetQueueAttributes"
- "sqs:ListQueues"
- "waf:ListActivatedRulesInRuleGroup"
- "waf:ListRuleGroups"
- "waf:ListRules"
- "waf:ListWebACLs"
- "waf:GetLoggingConfiguration"
- "waf:GetRateBasedRule"
- "waf:GetRuleGroup"
- "waf:GetRule"
- "waf:GetWebACL"
- "wafv2:ListWebACLs"
- "wafv2:GetWebACL"
- "wafv2:GetLoggingConfiguration"
- "waf-regional:ListActivatedRulesInRuleGroup"
- "waf-regional:ListWebACLs"
- "waf-regional:ListRuleGroups"
- "waf-regional:ListRules"
- "waf-regional:GetLoggingConfiguration"
- "waf-regional:GetRateBasedRule"
- "waf-regional:GetRuleGroup"
- "waf-regional:GetRule"
- "waf-regional:GetWebACL"
- "tag:Get*"
Resource: "*"
- Effect: "Allow"
Action: "s3:GetObject"
Resource:
- "arn:aws:s3:::elasticbeanstalk-env-resources-*/*"
Condition:
StringNotLike:
"s3:ResourceAccount": !Ref "AWS::AccountId"
ShishoCloudOpenIdConnectProvider:
Type: "AWS::IAM::OIDCProvider"
Properties:
Url: "https://tokens.cloud.shisho.dev"
ClientIdList:
- "sts.amazonaws.com"
ThumbprintList:
- "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
Note the ARN of the created IAM role.
If you use the script above as it is, the ARN should be like arn:aws:iam::<Your AWS Account ID>:role/ShishoCloudSecurityAudit.
Registering the IAM role to Shisho Cloud
You've successfully completed the configuration of the service account. As a final step, please click the "Settings" button for the "AWS" card displayed on the "⚙️ > Integrations" screen. Then follow the on-screen instructions to enter the necessary information.
When you have completed the step, the role ARN should appear on the settings page with a check mark like the following:
info
Due to the cache behavior of AWS, Shisho Cloud may not be able to access AWS for a few minutes after the integration. Please wait one-two hours without removing service account settings and visit the dashboard again.
danger
If you are unable to successfully integrate AWS by following the above steps, please feel free to contact the service provider (Flatt Security).