AWS
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
By integrating Shisho Cloud with AWS, you can perform security scanning on your AWS account. This integration takes two steps:
- Create an IAM role in the target AWS account that Shisho Cloud can assume, along with the corresponding identity provider.
- Register the ARN of the created IAM role with Shisho Cloud.
Shisho Cloud does not require an IAM access key. Instead, it accesses AWS through Web Identity Federation (sts:AssumeRoleWithWebIdentity), obtaining short-lived credentials as needed. This is essentially the same mechanism GitHub Actions uses for OIDC-based integration with AWS and Google Cloud. The trust policy of the role you create limits who can assume it in two ways: the token's sub claim must match job:&lt;your organization ID&gt;:*, so jobs from other Shisho Cloud organizations are rejected, and the aud claim must be sts.amazonaws.com.
Creating an IAM Role
Create an IAM role using one of the following methods:
Note: the role's policy grants s3:GetObject only on arn:aws:s3:::elasticbeanstalk-env-resources-*/*, and only when the s3:ResourceAccount condition key (the account that owns the bucket) differs from the account in which the role exists. Shisho Cloud therefore cannot read objects in the S3 buckets of the AWS account you link, even after linking. The cross-account exception exists because AWS stores Elastic Beanstalk configuration in S3 buckets (arn:aws:s3:::elasticbeanstalk-env-resources-*/*, etc.) owned by a separate AWS-managed account, and some Elastic Beanstalk APIs require the caller to be able to read them. You can verify that the AWS-managed IAM policy AWSElasticBeanstalkRoleCore grants the same kind of access.
- Terraform
- AWS CLI
- CloudFormation
After setting the variable shisho_cloud_org_id to your Shisho Cloud organization ID, add the following Terraform code to your Terraform project and run terraform apply. The configuration uses the aws and tls providers; the tls_certificate data source reads the token endpoint's certificate chain at apply time so that the OIDC provider's thumbprint list does not have to be maintained by hand.
```hcl
locals {
  # Replace this with your Shisho Cloud org ID
  shisho_cloud_org_id = "your-organization-id"
}

# The `aws_caller_identity` data source is used to fetch the current AWS account ID.
data "aws_caller_identity" "shisho_cloud" {}

# Shisho Cloud connects to your AWS account via OIDC federation.
# The following `tls_certificate` data source fetches the required certificate chain.
data "tls_certificate" "shisho_cloud_tokens_endpoint" {
  url = "https://tokens.cloud.shisho.dev/.well-known/openid-configuration"
}

# The following `aws_iam_openid_connect_provider` resource creates the OIDC provider.
resource "aws_iam_openid_connect_provider" "shisho_cloud" {
  url             = "https://tokens.cloud.shisho.dev"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = data.tls_certificate.shisho_cloud_tokens_endpoint.certificates[*].sha1_fingerprint
}

# The following `aws_iam_role` resource creates the IAM role that Shisho Cloud will assume.
resource "aws_iam_role" "shisho_cloud_audit" {
  name        = "ShishoCloudSecurityAudit"
  description = "IAM role for Shisho Cloud"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Federated" : aws_iam_openid_connect_provider.shisho_cloud.arn,
        },
        "Action" : "sts:AssumeRoleWithWebIdentity",
        "Condition" : {
          "StringLike" : {
            # Allow AssumeRole for any job in the Shisho Cloud org
            "tokens.cloud.shisho.dev:sub" : "job:${local.shisho_cloud_org_id}:*"
          },
          "StringEquals" : {
            "tokens.cloud.shisho.dev:aud" : "sts.amazonaws.com"
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy" "shisho_cloud_audit" {
  role   = aws_iam_role.shisho_cloud_audit.id
  name   = "ResourceAccessPolicy"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Action" : [
          "access-analyzer:ListAnalyzers",
          "account:GetAlternateContact",
          "acm:DescribeCertificate",
          "acm:ListCertificates",
          "apigateway:GET",
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:DescribeLaunchConfigurations",
          "autoscaling:DescribeNotificationConfigurations",
          "cloudformation:DescribeStacks",
          "cloudformation:GetStackPolicy",
          "cloudformation:GetTemplate",
          "cloudformation:ListStacks",
          "cloudformation:ListStackResources",
          "cloudfront:ListDistributions",
          "cloudfront:GetDistributionConfig",
          "cloudfront:GetResponseHeadersPolicy",
          "cloudfront:GetCachePolicy",
          "cloudfront:GetOriginRequestPolicy",
          "cloudtrail:DescribeTrails",
          "cloudtrail:GetEventSelectors",
          "cloudtrail:GetTrailStatus",
          "cloudwatch:DescribeAlarms",
          "codebuild:ListProjects",
          "codebuild:ListSourceCredentials",
          "codebuild:BatchGetProjects",
          "cognito-identity:DescribeIdentityPool",
          "cognito-identity:ListIdentityPools",
          "cognito-identity:GetIdentityPoolRoles",
          "cognito-identity:GetPrincipalTagAttributeMap",
          "cognito-idp:ListUserPoolClients",
          "cognito-idp:DescribeUserPoolClient",
          "cognito-idp:GetGroup",
          "cognito-idp:ListGroups",
          "cognito-idp:DescribeUserPoolDomain",
          "cognito-idp:DescribeRiskConfiguration",
          "cognito-idp:GetUserPoolMfaConfig",
          "cognito-idp:ListIdentityProviders",
          "cognito-idp:DescribeIdentityProvider",
          "cognito-idp:GetIdentityProviderByIdentifier",
          "cognito-idp:DescribeResourceServer",
          "cognito-idp:ListResourceServers",
          "cognito-idp:GetUICustomization",
          "cognito-idp:GetSigningCertificate",
          "cognito-idp:GetLogDeliveryConfiguration",
          "cognito-idp:DescribeUserPool",
          "cognito-idp:ListUserPools",
          "cognito-idp:GetWebACLForResource",
          "config:DescribeConfigRules",
          "config:DescribeConfigurationRecorderStatus",
          "config:DescribeConfigurationRecorders",
          "directconnect:DescribeConnections",
          "dms:DescribeReplicationInstances",
          "dynamodb:DescribeContinuousBackups",
          "dynamodb:DescribeTable",
          "dynamodb:DescribeExport",
          "dynamodb:DescribeKinesisStreamingDestination",
          "dynamodb:ListBackups",
          "dynamodb:ListTables",
          "dynamodb:ListTagsOfResource",
          "dynamodb:ListExports",
          "ec2:DescribeAddresses",
          "ec2:DescribeCustomerGateways",
          "ec2:DescribeFlowLogs",
          "ec2:DescribeImages",
          "ec2:DescribeInstanceAttribute",
          "ec2:DescribeInstances",
          "ec2:DescribeLaunchTemplates",
          "ec2:DescribeLaunchTemplateVersions",
          "ec2:DescribeNetworkAcls",
          "ec2:DescribeNetworkInterfaceAttribute",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeRegions",
          "ec2:DescribeRouteTables",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeSecurityGroupRules",
          "ec2:DescribeSnapshotAttribute",
          "ec2:DescribeSnapshots",
          "ec2:DescribeSubnets",
          "ec2:DescribeTransitGateways",
          "ec2:DescribeVolumes",
          "ec2:DescribeIamInstanceProfileAssociations",
          "ec2:DescribeVpcEndpoints",
          "ec2:DescribeVpcPeeringConnections",
          "ec2:DescribeVpcs",
          "ec2:DescribeVpnConnections",
          "ec2:DescribeVpnGateways",
          "ec2:GetEbsEncryptionByDefault",
          "ecr:DescribeImages",
          "ecr:DescribeRepositories",
          "ecr:GetLifecyclePolicy",
          "ecr:GetRepositoryPolicy",
          "ecr:ListImages",
          "ecs:ListClusters",
          "ecs:DescribeClusters",
          "ecs:ListServices",
          "ecs:DescribeServices",
          "ecs:ListTasks",
          "ecs:DescribeTasks",
          "ecs:ListTaskDefinitions",
          "ecs:DescribeTaskDefinition",
          "ecs:ListAccountSettings",
          "eks:DescribeCluster",
          "eks:ListClusters",
          "eks:ListNodegroups",
          "eks:DescribeNodegroup",
          "eks:ListFargateProfiles",
          "eks:DescribeFargateProfile",
          "elasticbeanstalk:DescribeConfigurationSettings",
          "elasticbeanstalk:DescribeEnvironmentResources",
          "elasticbeanstalk:DescribeEnvironments",
          "elasticache:DescribeCacheClusters",
          "elasticache:DescribeCacheParameterGroups",
          "elasticache:DescribeCacheParameters",
          "elasticache:DescribeCacheSecurityGroups",
          "elasticache:DescribeCacheSubnetGroups",
          "elasticache:DescribeReplicationGroups",
          "elasticache:DescribeUsers",
          "elasticfilesystem:DescribeAccessPoints",
          "elasticfilesystem:DescribeFileSystems",
          "elasticfilesystem:DescribeMountTargetSecurityGroups",
          "elasticfilesystem:DescribeMountTargets",
          "elasticfilesystem:DescribeTags",
          "elasticfilesystem:DescribeBackupPolicy",
          "elasticfilesystem:DescribeFileSystemPolicy",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:DescribeLoadBalancerAttributes",
          "elasticloadbalancing:DescribeLoadBalancerPolicies",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeSSLPolicies",
          "elasticloadbalancing:DescribeTags",
          "elasticloadbalancing:DescribeTargetGroups",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:DescribeInstanceHealth",
          "elasticmapreduce:DescribeCluster",
          "elasticmapreduce:ListClusters",
          "es:ListDomainNames",
          "es:DescribeElasticsearchDomains",
          "es:DescribeDomains",
          "dax:DescribeClusters",
          "dax:DescribeSubnetGroups",
          "events:ListEndpoints",
          "events:ListEventBuses",
          "events:DescribeEventBus",
          "guardduty:GetDetector",
          "guardduty:ListDetectors",
          "iam:GenerateCredentialReport",
          "iam:GetAccountPasswordPolicy",
          "iam:GetCredentialReport",
          "iam:GetGroup",
          "iam:GetGroupPolicy",
          "iam:GetLoginProfile",
          "iam:GetPolicy",
          "iam:GetPolicyVersion",
          "iam:GetRole",
          "iam:GetRolePolicy",
          "iam:GetUserPolicy",
          "iam:GetAccountSummary",
          "iam:GetAccessKeyLastUsed",
          "iam:GetAccountAuthorizationDetails",
          "iam:ListAccessKeys",
          "iam:ListAttachedRolePolicies",
          "iam:ListAttachedUserPolicies",
          "iam:ListEntitiesForPolicy",
          "iam:ListGroupPolicies",
          "iam:ListGroups",
          "iam:ListGroupsForUser",
          "iam:ListInstanceProfilesForRole",
          "iam:ListInstanceProfiles",
          "iam:GetInstanceProfile",
          "iam:ListMFADevices",
          "iam:ListPolicies",
          "iam:ListRolePolicies",
          "iam:ListRoleTags",
          "iam:ListRoles",
          "iam:ListUserPolicies",
          "iam:ListUserTags",
          "iam:ListUsers",
          "iam:ListVirtualMFADevices",
          "iam:ListServerCertificates",
          "iam:ListAccountAliases",
          "kinesis:ListStreams",
          "kinesis:DescribeStream",
          "kms:DescribeKey",
          "kms:GetKeyPolicy",
          "kms:GetKeyRotationStatus",
          "kms:ListAliases",
          "kms:ListGrants",
          "kms:ListKeys",
          "network-firewall:ListFirewallPolicies",
          "network-firewall:ListFirewalls",
          "network-firewall:ListRuleGroups",
          "network-firewall:DescribeFirewall",
          "network-firewall:DescribeFirewallPolicy",
          "network-firewall:DescribeRuleGroup",
          "lambda:GetFunctionConfiguration",
          "lambda:GetFunctionEventInvokeConfig",
          "lambda:GetPolicy",
          "lambda:ListFunctions",
          "lambda:ListEventSourceMappings",
          "logs:DescribeLogGroups",
          "logs:DescribeMetricFilters",
          "rds:DescribeDBClusterSnapshotAttributes",
          "rds:DescribeDBClusterSnapshots",
          "rds:DescribeDBClusters",
          "rds:DescribeDBInstances",
          "rds:DescribeDBParameterGroups",
          "rds:DescribeDBParameters",
          "rds:DescribeDBSecurityGroups",
          "rds:DescribeDBSnapshotAttributes",
          "rds:DescribeDBSnapshots",
          "rds:DescribeDBSubnetGroups",
          "rds:DescribeEventSubscriptions",
          "rds:ListTagsForResource",
          "redshift:DescribeClusterParameterGroups",
          "redshift:DescribeClusterParameters",
          "redshift:DescribeClusterSecurityGroups",
          "redshift:DescribeClusterSubnetGroups",
          "redshift:DescribeClusters",
          "redshift:DescribeLoggingStatus",
          "route53:GetHostedZone",
          "route53:ListHostedZones",
          "route53:ListResourceRecordSets",
          "route53:ListTagsForResource",
          "route53domains:ListDomains",
          "s3:GetAccountPublicAccessBlock",
          "s3:GetBucketAcl",
          "s3:GetBucketLocation",
          "s3:GetBucketLogging",
          "s3:GetBucketNotification",
          "s3:GetBucketObjectLockConfiguration",
          "s3:GetBucketOwnershipControls",
          "s3:GetBucketPolicy",
          "s3:GetBucketPublicAccessBlock",
          "s3:GetBucketTagging",
          "s3:GetBucketVersioning",
          "s3:GetBucketWebsite",
          "s3:GetEncryptionConfiguration",
          "s3:GetLifecycleConfiguration",
          "s3:GetReplicationConfiguration",
          "s3:ListAllMyBuckets",
          "sagemaker:ListNotebookInstances",
          "sagemaker:DescribeNotebookInstance",
          "sagemaker:DescribeNotebookInstanceLifecycleConfig",
          "secretsmanager:ListSecrets",
          "secretsmanager:DescribeSecret",
          "securityhub:DescribeHub",
          "ses:GetIdentityDkimAttributes",
          "ses:GetIdentityPolicies",
          "ses:ListIdentities",
          "ses:ListIdentityPolicies",
          "states:ListStateMachines",
          "states:DescribeStateMachine",
          "ssm:DescribeParameters",
          "ssm:GetParameters",
          "ssm:ListComplianceItems",
          "ssm:ListDocuments",
          "ssm:DescribeDocument",
          "ssm:DescribeDocumentPermission",
          "ssm:DescribeInstanceInformation",
          "sns:GetTopicAttributes",
          "sns:GetSubscriptionAttributes",
          "sns:ListSubscriptions",
          "sns:ListSubscriptionsByTopic",
          "sns:ListTopics",
          "sqs:GetQueueAttributes",
          "sqs:GetQueueUrl",
          "sqs:ListQueues",
          "waf:ListActivatedRulesInRuleGroup",
          "waf:ListRuleGroups",
          "waf:ListRules",
          "waf:ListWebACLs",
          "waf:GetLoggingConfiguration",
          "waf:GetRateBasedRule",
          "waf:GetRuleGroup",
          "waf:GetRule",
          "waf:GetWebACL",
          "wafv2:ListWebACLs",
          "wafv2:GetWebACL",
          "wafv2:GetWebACLForResource",
          "wafv2:GetLoggingConfiguration",
          "wafv2:ListIPSets",
          "wafv2:GetIPSet",
          "wafv2:ListRuleGroups",
          "wafv2:GetRuleGroup",
          "waf-regional:ListActivatedRulesInRuleGroup",
          "waf-regional:ListWebACLs",
          "waf-regional:ListRuleGroups",
          "waf-regional:ListRules",
          "waf-regional:GetLoggingConfiguration",
          "waf-regional:GetRateBasedRule",
          "waf-regional:GetRuleGroup",
          "waf-regional:GetRule",
          "waf-regional:GetWebACL",
          "tag:Get*"
        ],
        "Resource" : "*"
      },
      {
        "Effect" : "Allow",
        "Action" : ["s3:GetObject"],
        "Resource" : [
          "arn:aws:s3:::elasticbeanstalk-env-resources-*/*"
        ],
        "Condition" : {
          "StringNotLike" : {
            "s3:ResourceAccount" : "${data.aws_caller_identity.shisho_cloud.account_id}"
          }
        }
      }
    ]
  })
}
```
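The two places where the role definition above makes a security decision are the trust policy (the sub and aud conditions that keep other tenants' tokens out) and the s3:GetObject statement (the s3:ResourceAccount condition that keeps Shisho Cloud out of your own buckets). The following is an added example, not Shisho Cloud's code: it re-implements just enough of IAM's evaluation rules (Allow statements, wildcard matching, and the StringEquals / StringLike / StringNotLike operators) to walk both policies with constructed requests. The account IDs are made up, the read-only action list is abbreviated to three entries, and explicit Deny, the ...IfExists operators and IAM's missing-key rules for negated operators are not modelled, so this is an illustration rather than a substitute for the IAM policy simulator.

```python
"""Offline walk-through of the trust policy and the S3 statement of the
Shisho Cloud audit role. Added example, not Shisho Cloud's code; see the
lead-in for what is simplified."""
from fnmatch import fnmatchcase

ORG_ID = "your-organization-id"  # placeholder used throughout the page
LINKED_ACCOUNT = "111122223333"  # constructed: the account being linked
PROVIDER_ARN = f"arn:aws:iam::{LINKED_ACCOUNT}:oidc-provider/tokens.cloud.shisho.dev"

# Trust policy, as written in the Terraform, CLI and CloudFormation variants.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringLike": {"tokens.cloud.shisho.dev:sub": f"job:{ORG_ID}:*"},
            "StringEquals": {"tokens.cloud.shisho.dev:aud": "sts.amazonaws.com"},
        },
    }],
}

# Permission policy with the read-only list abbreviated to three actions;
# the s3:GetObject statement is the one from the role definition.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "s3:GetBucketPolicy", "tag:Get*"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::elasticbeanstalk-env-resources-*/*"],
            "Condition": {"StringNotLike": {"s3:ResourceAccount": LINKED_ACCOUNT}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM-style glob: '*' matches any run of characters (including '/'),
    '?' exactly one. '[' is escaped so fnmatch does not read it as a class."""
    return fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_ok(condition, ctx):
    """All operator/key pairs must hold (AND); the values for one key are OR'ed.
    A key absent from the request context fails the check for every operator."""
    for operator, keys in (condition or {}).items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            patterns = _as_list(expected)
            if operator == "StringEquals":
                hit = actual in patterns
            elif operator == "StringLike":
                hit = any(_iam_match(p, actual) for p in patterns)
            elif operator == "StringNotLike":
                hit = not any(_iam_match(p, actual) for p in patterns)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not hit:
                return False
    return True


def _statement_allows(stmt, action, resource, ctx):
    # Action names are case-insensitive in IAM; resources and condition values are not.
    return (
        stmt["Effect"] == "Allow"
        and any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        and any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", "*")))
        and _condition_ok(stmt.get("Condition"), ctx)
    )


def is_allowed(policy, action, resource, ctx):
    """Default deny: the request succeeds only if some Allow statement matches."""
    return any(_statement_allows(s, action, resource, ctx) for s in policy["Statement"])


def can_assume(sub, aud):
    """Would a Shisho Cloud token carrying these claims pass the trust policy?"""
    ctx = {"tokens.cloud.shisho.dev:sub": sub, "tokens.cloud.shisho.dev:aud": aud}
    return is_allowed(TRUST_POLICY, "sts:AssumeRoleWithWebIdentity", "*", ctx)


def can_get_object(object_arn, bucket_owner_account):
    """Would the role be allowed to read this object, given who owns the bucket?"""
    return is_allowed(RESOURCE_POLICY, "s3:GetObject", object_arn,
                      {"s3:ResourceAccount": bucket_owner_account})


if __name__ == "__main__":
    eb_object = "arn:aws:s3:::elasticbeanstalk-env-resources-ap-northeast-1/cfn/app.json"
    print("job from your org       :", can_assume(f"job:{ORG_ID}:scan-42", "sts.amazonaws.com"))
    print("job from another tenant :", can_assume("job:another-org:scan-42", "sts.amazonaws.com"))
    print("wrong audience          :", can_assume(f"job:{ORG_ID}:scan-42", "https://example.com"))
    print("EB bucket, AWS-owned    :", can_get_object(eb_object, "999988887777"))
    print("EB bucket, linked acct  :", can_get_object(eb_object, LINKED_ACCOUNT))
    print("your own bucket         :", can_get_object("arn:aws:s3:::my-data/secret.txt", "999988887777"))
```

Running the script prints True for the first and fourth case and False for the rest: only a token whose sub starts with job:&lt;your org&gt;: and whose aud is sts.amazonaws.com can assume the role, and s3:GetObject succeeds only on an Elastic Beanstalk resources bucket owned by an account other than the linked one. To check the real role rather than this model, use the IAM policy simulator or aws iam simulate-principal-policy with the same action, resource and s3:ResourceAccount context values.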
To create the required resources (identity provider and IAM role), run the following script after setting SHISHO_ORG_ID at the top (required) and, if needed, AWS_CLI_OPTS (optional, for example --profile your-profile-name). Note that this script pins the identity provider's thumbprint to the fixed OIDC_THUMBPRINT value, whereas the Terraform variant reads the token endpoint's certificate chain at apply time; the hard-coded value will not follow changes to that certificate chain.
```bash
#!/bin/bash
set -eu

# Input values
############

# Any additional options for your AWS CLI (left unquoted below on purpose
# so that several options can be passed)
# Example: --profile your-profile-name
AWS_CLI_OPTS=""

# Your Shisho Cloud organization ID
SHISHO_ORG_ID="your-organization-id"

# AWS account ID to be reviewed by Shisho Cloud
AWS_ACCOUNT_ID="$(aws sts get-caller-identity $AWS_CLI_OPTS --query "Account" --output "text")"

# Constants
############
TOKEN_ENDPOINT_URL="https://tokens.cloud.shisho.dev"
TOKEN_ENDPOINT_HOST="tokens.cloud.shisho.dev"
OIDC_THUMBPRINT="9e99a48a9960b14926bb7f3b02e22da2b0ab7280"

# The name of the IAM role to create for Shisho Cloud
ROLE_NAME="ShishoCloudSecurityAudit"

# Setting up all resources
############
echo "[*] Create an OIDC provider: $TOKEN_ENDPOINT_URL"
aws iam create-open-id-connect-provider \
  $AWS_CLI_OPTS \
  --url "$TOKEN_ENDPOINT_URL" \
  --client-id-list "sts.amazonaws.com" \
  --thumbprint-list "$OIDC_THUMBPRINT"

echo "[*] Create a role assumable by the OIDC provider: $ROLE_NAME"
PROVIDER_ARN="arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${TOKEN_ENDPOINT_HOST}"
ASSUME_ROLE_POLICY_DOCUMENT="$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "$PROVIDER_ARN"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "${TOKEN_ENDPOINT_HOST}:sub": "job:${SHISHO_ORG_ID}:*"
        },
        "StringEquals": {
          "${TOKEN_ENDPOINT_HOST}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
)"
aws iam create-role \
  $AWS_CLI_OPTS \
  --role-name "$ROLE_NAME" \
  --assume-role-policy-document "$ASSUME_ROLE_POLICY_DOCUMENT"

# Give the role permissions to access AWS resources according to $POLICY_DOCUMENT
echo "[*] Give the role permissions to access AWS resources"
POLICY_DOCUMENT="$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListAnalyzers",
        "account:GetAlternateContact",
        "acm:DescribeCertificate",
        "acm:ListCertificates",
        "apigateway:GET",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeNotificationConfigurations",
        "cloudformation:DescribeStacks",
        "cloudformation:GetStackPolicy",
        "cloudformation:GetTemplate",
        "cloudformation:ListStackResources",
        "cloudformation:ListStacks",
        "cloudfront:GetCachePolicy",
        "cloudfront:GetDistributionConfig",
        "cloudfront:GetOriginRequestPolicy",
        "cloudfront:GetResponseHeadersPolicy",
        "cloudfront:ListDistributions",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:DescribeAlarms",
        "codebuild:BatchGetProjects",
        "codebuild:ListProjects",
        "codebuild:ListSourceCredentials",
        "cognito-identity:DescribeIdentityPool",
        "cognito-identity:GetIdentityPoolRoles",
        "cognito-identity:GetPrincipalTagAttributeMap",
        "cognito-identity:ListIdentityPools",
        "cognito-idp:DescribeIdentityProvider",
        "cognito-idp:DescribeResourceServer",
        "cognito-idp:DescribeRiskConfiguration",
        "cognito-idp:DescribeUserPool",
        "cognito-idp:DescribeUserPoolClient",
        "cognito-idp:DescribeUserPoolDomain",
        "cognito-idp:GetGroup",
        "cognito-idp:GetIdentityProviderByIdentifier",
        "cognito-idp:GetLogDeliveryConfiguration",
        "cognito-idp:GetSigningCertificate",
        "cognito-idp:GetUICustomization",
        "cognito-idp:GetUserPoolMfaConfig",
        "cognito-idp:GetWebACLForResource",
        "cognito-idp:ListGroups",
        "cognito-idp:ListIdentityProviders",
        "cognito-idp:ListResourceServers",
        "cognito-idp:ListUserPoolClients",
        "cognito-idp:ListUserPools",
        "config:DescribeConfigRules",
        "config:DescribeConfigurationRecorderStatus",
        "config:DescribeConfigurationRecorders",
        "dax:DescribeClusters",
        "dax:DescribeSubnetGroups",
        "directconnect:DescribeConnections",
        "dms:DescribeReplicationInstances",
        "dynamodb:DescribeContinuousBackups",
        "dynamodb:DescribeExport",
        "dynamodb:DescribeKinesisStreamingDestination",
        "dynamodb:DescribeTable",
        "dynamodb:ListBackups",
        "dynamodb:ListExports",
        "dynamodb:ListTables",
        "dynamodb:ListTagsOfResource",
        "ec2:DescribeAddresses",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeFlowLogs",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRegions",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVolumes",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways",
        "ec2:GetEbsEncryptionByDefault",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetLifecyclePolicy",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListAccountSettings",
        "ecs:ListClusters",
        "ecs:ListServices",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "eks:DescribeCluster",
        "eks:DescribeFargateProfile",
        "eks:DescribeNodegroup",
        "eks:ListClusters",
        "eks:ListFargateProfiles",
        "eks:ListNodegroups",
        "elasticache:DescribeCacheClusters",
        "elasticache:DescribeCacheParameterGroups",
        "elasticache:DescribeCacheParameters",
        "elasticache:DescribeCacheSecurityGroups",
        "elasticache:DescribeCacheSubnetGroups",
        "elasticache:DescribeReplicationGroups",
        "elasticache:DescribeUsers",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticfilesystem:DescribeAccessPoints",
        "elasticfilesystem:DescribeBackupPolicy",
        "elasticfilesystem:DescribeFileSystemPolicy",
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargetSecurityGroups",
        "elasticfilesystem:DescribeMountTargets",
        "elasticfilesystem:DescribeTags",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:ListClusters",
        "es:DescribeDomains",
        "es:DescribeElasticsearchDomains",
        "es:ListDomainNames",
        "events:DescribeEventBus",
        "events:ListEndpoints",
        "events:ListEventBuses",
        "guardduty:GetDetector",
        "guardduty:ListDetectors",
        "iam:GenerateCredentialReport",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountAuthorizationDetails",
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:GetCredentialReport",
        "iam:GetGroup",
        "iam:GetGroupPolicy",
        "iam:GetLoginProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetUserPolicy",
        "iam:ListAccessKeys",
        "iam:ListAccountAliases",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListGroupPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListInstanceProfilesForRole",
        "iam:ListInstanceProfiles",
        "iam:GetInstanceProfile",
        "iam:ListMFADevices",
        "iam:ListPolicies",
        "iam:ListRolePolicies",
        "iam:ListRoleTags",
        "iam:ListRoles",
        "iam:ListServerCertificates",
        "iam:ListUserPolicies",
        "iam:ListUserTags",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListGrants",
        "kms:ListKeys",
        "lambda:GetFunctionConfiguration",
        "lambda:GetFunctionEventInvokeConfig",
        "lambda:GetPolicy",
        "lambda:ListEventSourceMappings",
        "lambda:ListFunctions",
        "logs:DescribeLogGroups",
        "logs:DescribeMetricFilters",
        "network-firewall:DescribeFirewall",
        "network-firewall:DescribeFirewallPolicy",
        "network-firewall:DescribeRuleGroup",
        "network-firewall:ListFirewallPolicies",
        "network-firewall:ListFirewalls",
        "network-firewall:ListRuleGroups",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameterGroups",
        "rds:DescribeDBParameters",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshotAttributes",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribeEventSubscriptions",
        "rds:ListTagsForResource",
        "redshift:DescribeClusterParameterGroups",
        "redshift:DescribeClusterParameters",
        "redshift:DescribeClusterSecurityGroups",
        "redshift:DescribeClusterSubnetGroups",
        "redshift:DescribeClusters",
        "redshift:DescribeLoggingStatus",
        "route53:GetHostedZone",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "route53domains:ListDomains",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:GetBucketNotification",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketOwnershipControls",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetReplicationConfiguration",
        "s3:ListAllMyBuckets",
        "sagemaker:DescribeNotebookInstance",
        "sagemaker:DescribeNotebookInstanceLifecycleConfig",
        "sagemaker:ListNotebookInstances",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecrets",
        "securityhub:DescribeHub",
        "ses:GetIdentityDkimAttributes",
        "ses:GetIdentityPolicies",
        "ses:ListIdentities",
        "ses:ListIdentityPolicies",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues",
        "ssm:DescribeDocument",
        "ssm:DescribeDocumentPermission",
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeParameters",
        "ssm:GetParameters",
        "ssm:ListComplianceItems",
        "ssm:ListDocuments",
        "states:DescribeStateMachine",
        "states:ListStateMachines",
        "waf-regional:GetLoggingConfiguration",
        "waf-regional:GetRateBasedRule",
        "waf-regional:GetRule",
        "waf-regional:GetRuleGroup",
        "waf-regional:GetWebACL",
        "waf-regional:ListActivatedRulesInRuleGroup",
        "waf-regional:ListRuleGroups",
        "waf-regional:ListRules",
        "waf-regional:ListWebACLs",
        "waf:GetLoggingConfiguration",
        "waf:GetRateBasedRule",
        "waf:GetRule",
        "waf:GetRuleGroup",
        "waf:GetWebACL",
        "waf:ListActivatedRulesInRuleGroup",
        "waf:ListRuleGroups",
        "waf:ListRules",
        "waf:ListWebACLs",
        "wafv2:GetLoggingConfiguration",
        "wafv2:GetWebACL",
        "wafv2:GetWebACLForResource",
        "wafv2:ListWebACLs",
        "wafv2:ListIPSets",
        "wafv2:GetIPSet",
        "wafv2:ListRuleGroups",
        "wafv2:GetRuleGroup",
        "tag:Get*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject" ],
      "Resource": [
        "arn:aws:s3:::elasticbeanstalk-env-resources-*/*"
      ],
      "Condition": {
        "StringNotLike": {
          "s3:ResourceAccount": "$AWS_ACCOUNT_ID"
        }
      }
    }
  ]
}
EOF
)"
aws iam put-role-policy \
  $AWS_CLI_OPTS \
  --role-name "$ROLE_NAME" \
  --policy-name "ResourceAccessPolicy" \
  --policy-document "$POLICY_DOCUMENT"

# Postprocessing
############
echo "[*] Visit https://cloud.shisho.dev/${SHISHO_ORG_ID}/settings/integrations/aws and add a federation with:"
echo "- Role ARN: arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME}"
```
Create the IAM role with the following CloudFormation template, passing your Shisho Cloud organization ID as the ShishoCloudOrgId parameter. The role's trust policy refers to the OIDC provider by ARN (arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/tokens.cloud.shisho.dev), so that provider must exist in the account by the time the role is created.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ShishoCloudOrgId:
    Type: String
    Description: "Your Shisho Cloud org ID"
Resources:
  ShishoCloudAuditRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "ShishoCloudSecurityAuditByCloudFormationTemplate"
      Description: "IAM role for Shisho Cloud"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/tokens.cloud.shisho.dev"
            Action: "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringLike:
                "tokens.cloud.shisho.dev:sub": !Sub "job:${ShishoCloudOrgId}:*"
              StringEquals:
                "tokens.cloud.shisho.dev:aud": "sts.amazonaws.com"
      Policies:
        - PolicyName: "ResourceAccessPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "access-analyzer:ListAnalyzers"
                  - "account:GetAlternateContact"
                  - "acm:DescribeCertificate"
                  - "acm:ListCertificates"
                  - "apigateway:GET"
                  - "autoscaling:DescribeAutoScalingGroups"
                  - "autoscaling:DescribeLaunchConfigurations"
                  - "autoscaling:DescribeNotificationConfigurations"
                  - "cloudformation:DescribeStacks"
                  - "cloudformation:GetStackPolicy"
                  - "cloudformation:GetTemplate"
                  - "cloudformation:ListStacks"
                  - "cloudformation:ListStackResources"
                  - "cloudfront:ListDistributions"
                  - "cloudfront:GetDistributionConfig"
                  - "cloudfront:GetResponseHeadersPolicy"
                  - "cloudfront:GetCachePolicy"
                  - "cloudfront:GetOriginRequestPolicy"
                  - "cloudtrail:DescribeTrails"
                  - "cloudtrail:GetEventSelectors"
                  - "cloudtrail:GetTrailStatus"
                  - "cloudwatch:DescribeAlarms"
                  - "codebuild:ListProjects"
                  - "codebuild:ListSourceCredentials"
                  - "codebuild:BatchGetProjects"
                  - "cognito-identity:DescribeIdentityPool"
                  - "cognito-identity:ListIdentityPools"
                  - "cognito-identity:GetIdentityPoolRoles"
                  - "cognito-identity:GetPrincipalTagAttributeMap"
                  - "cognito-idp:ListUserPoolClients"
                  - "cognito-idp:DescribeUserPoolClient"
                  - "cognito-idp:GetGroup"
                  - "cognito-idp:ListGroups"
                  - "cognito-idp:DescribeUserPoolDomain"
                  - "cognito-idp:DescribeRiskConfiguration"
                  - "cognito-idp:GetUserPoolMfaConfig"
                  - "cognito-idp:ListIdentityProviders"
                  - "cognito-idp:DescribeIdentityProvider"
                  - "cognito-idp:GetIdentityProviderByIdentifier"
                  - "cognito-idp:DescribeResourceServer"
                  - "cognito-idp:ListResourceServers"
                  - "cognito-idp:GetUICustomization"
                  - "cognito-idp:GetSigningCertificate"
                  - "cognito-idp:GetLogDeliveryConfiguration"
                  - "cognito-idp:DescribeUserPool"
                  - "cognito-idp:ListUserPools"
                  - "cognito-idp:GetWebACLForResource"
                  - "config:DescribeConfigRules"
                  - "config:DescribeConfigurationRecorderStatus"
                  - "config:DescribeConfigurationRecorders"
                  - "directconnect:DescribeConnections"
                  - "dms:DescribeReplicationInstances"
                  - "dynamodb:DescribeContinuousBackups"
                  - "dynamodb:DescribeTable"
                  - "dynamodb:DescribeExport"
                  - "dynamodb:DescribeKinesisStreamingDestination"
                  - "dynamodb:ListBackups"
                  - "dynamodb:ListTables"
                  - "dynamodb:ListTagsOfResource"
                  - "dynamodb:ListExports"
                  - "ec2:DescribeAddresses"
                  - "ec2:DescribeCustomerGateways"
                  - "ec2:DescribeFlowLogs"
                  - "ec2:DescribeImages"
                  - "ec2:DescribeInstanceAttribute"
                  - "ec2:DescribeInstances"
                  - "ec2:DescribeLaunchTemplates"
                  - "ec2:DescribeLaunchTemplateVersions"
                  - "ec2:DescribeNetworkAcls"
                  - "ec2:DescribeNetworkInterfaceAttribute"
                  - "ec2:DescribeNetworkInterfaces"
                  - "ec2:DescribeRegions"
                  - "ec2:DescribeRouteTables"
                  - "ec2:DescribeSecurityGroups"
                  - "ec2:DescribeSecurityGroupRules"
                  - "ec2:DescribeSnapshotAttribute"
                  - "ec2:DescribeSnapshots"
                  - "ec2:DescribeSubnets"
                  - "ec2:DescribeTransitGateways"
                  - "ec2:DescribeVolumes"
                  - "ec2:DescribeIamInstanceProfileAssociations"
                  - "ec2:DescribeVpcEndpoints"
                  - "ec2:DescribeVpcPeeringConnections"
                  - "ec2:DescribeVpcs"
                  - "ec2:DescribeVpnConnections"
                  - "ec2:DescribeVpnGateways"
                  - "ec2:GetEbsEncryptionByDefault"
                  - "ecr:DescribeImages"
                  - "ecr:DescribeRepositories"
                  - "ecr:GetLifecyclePolicy"
                  - "ecr:GetRepositoryPolicy"
                  - "ecr:ListImages"
                  - "ecs:ListClusters"
                  - "ecs:DescribeClusters"
                  - "ecs:ListServices"
                  - "ecs:DescribeServices"
                  - "ecs:ListTasks"
                  - "ecs:DescribeTasks"
                  - "ecs:ListTaskDefinitions"
                  - "ecs:DescribeTaskDefinition"
                  - "ecs:ListAccountSettings"
                  - "eks:DescribeCluster"
                  - "eks:ListClusters"
                  - "eks:ListNodegroups"
                  - "eks:DescribeNodegroup"
                  - "eks:ListFargateProfiles"
                  - "eks:DescribeFargateProfile"
                  - "elasticbeanstalk:DescribeConfigurationSettings"
                  - "elasticbeanstalk:DescribeEnvironmentResources"
                  - "elasticbeanstalk:DescribeEnvironments"
                  - "elasticache:DescribeCacheClusters"
                  - "elasticache:DescribeCacheParameterGroups"
                  - "elasticache:DescribeCacheParameters"
                  - "elasticache:DescribeCacheSecurityGroups"
                  - "elasticache:DescribeCacheSubnetGroups"
                  - "elasticache:DescribeReplicationGroups"
                  - "elasticache:DescribeUsers"
                  - "elasticfilesystem:DescribeAccessPoints"
                  - "elasticfilesystem:DescribeFileSystems"
                  - "elasticfilesystem:DescribeMountTargetSecurityGroups"
                  - "elasticfilesystem:DescribeMountTargets"
                  - "elasticfilesystem:DescribeTags"
                  - "elasticfilesystem:DescribeBackupPolicy"
                  - "elasticfilesystem:DescribeFileSystemPolicy"
                  - "elasticloadbalancing:DescribeListeners"
                  - "elasticloadbalancing:DescribeLoadBalancerAttributes"
                  - "elasticloadbalancing:DescribeLoadBalancerPolicies"
                  - "elasticloadbalancing:DescribeLoadBalancers"
                  - "elasticloadbalancing:DescribeSSLPolicies"
                  - "elasticloadbalancing:DescribeTags"
                  - "elasticloadbalancing:DescribeTargetGroups"
                  - "elasticloadbalancing:DescribeTargetHealth"
                  - "elasticloadbalancing:DescribeInstanceHealth"
                  - "elasticmapreduce:DescribeCluster"
                  - "elasticmapreduce:ListClusters"
                  - "es:ListDomainNames"
                  - "es:DescribeElasticsearchDomains"
                  - "es:DescribeDomains"
                  - "dax:DescribeClusters"
                  - "dax:DescribeSubnetGroups"
                  - "events:ListEndpoints"
                  - "events:ListEventBuses"
                  - "events:DescribeEventBus"
                  - "guardduty:GetDetector"
                  - "guardduty:ListDetectors"
                  - "iam:GenerateCredentialReport"
                  - "iam:GetAccountPasswordPolicy"
                  - "iam:GetCredentialReport"
                  - "iam:GetGroup"
                  - "iam:GetGroupPolicy"
                  - "iam:GetLoginProfile"
                  - "iam:GetPolicy"
                  - "iam:GetPolicyVersion"
                  - "iam:GetRole"
                  - "iam:GetRolePolicy"
                  - "iam:GetUserPolicy"
                  - "iam:GetAccountSummary"
                  - "iam:GetAccessKeyLastUsed"
                  - "iam:GetAccountAuthorizationDetails"
                  - "iam:ListAccessKeys"
                  - "iam:ListAttachedRolePolicies"
                  - "iam:ListAttachedUserPolicies"
                  - "iam:ListEntitiesForPolicy"
                  - "iam:ListGroupPolicies"
                  - "iam:ListGroups"
                  - "iam:ListGroupsForUser"
                  - "iam:ListInstanceProfilesForRole"
                  - "iam:ListInstanceProfiles"
                  - "iam:GetInstanceProfile"
                  - "iam:ListMFADevices"
                  - "iam:ListPolicies"
                  - "iam:ListRolePolicies"
                  - "iam:ListRoleTags"
                  - "iam:ListRoles"
                  - "iam:ListUserPolicies"
                  - "iam:ListUserTags"
                  - "iam:ListUsers"
                  - "iam:ListVirtualMFADevices"
                  - "iam:ListServerCertificates"
                  - "iam:ListAccountAliases"
                  - "kinesis:ListStreams"
                  - "kinesis:DescribeStream"
                  - "kms:DescribeKey"
                  - "kms:GetKeyPolicy"
                  - "kms:GetKeyRotationStatus"
                  - "kms:ListAliases"
                  - "kms:ListGrants"
                  - "kms:ListKeys"
                  - "network-firewall:ListFirewallPolicies"
                  - "network-firewall:ListFirewalls"
                  - "network-firewall:ListRuleGroups"
                  - "network-firewall:DescribeFirewall"
                  - "network-firewall:DescribeFirewallPolicy"
                  - "network-firewall:DescribeRuleGroup"
                  - "lambda:GetFunctionConfiguration"
                  - "lambda:GetFunctionEventInvokeConfig"
                  - "lambda:GetPolicy"
                  - "lambda:ListFunctions"
                  - "lambda:ListEventSourceMappings"
                  - "logs:DescribeLogGroups"
                  - "logs:DescribeMetricFilters"
                  - "rds:DescribeDBClusterSnapshotAttributes"
                  - "rds:DescribeDBClusterSnapshots"
                  - "rds:DescribeDBClusters"
                  - "rds:DescribeDBInstances"
                  - "rds:DescribeDBParameterGroups"
                  - "rds:DescribeDBParameters"
                  - "rds:DescribeDBSecurityGroups"
                  - "rds:DescribeDBSnapshotAttributes"
                  - "rds:DescribeDBSnapshots"
                  - "rds:DescribeDBSubnetGroups"
                  - "rds:DescribeEventSubscriptions"
                  - "rds:ListTagsForResource"
                  - "redshift:DescribeClusterParameterGroups"
                  - "redshift:DescribeClusterParameters"
                  - "redshift:DescribeClusterSecurityGroups"
                  - "redshift:DescribeClusterSubnetGroups"
                  - "redshift:DescribeClusters"
                  - "redshift:DescribeLoggingStatus"
                  - "route53:GetHostedZone"
                  - "route53:ListHostedZones"
                  - "route53:ListResourceRecordSets"
                  - "route53:ListTagsForResource"
                  - "route53domains:ListDomains"
                  - "s3:GetAccountPublicAccessBlock"
                  - "s3:GetBucketAcl"
                  - "s3:GetBucketLocation"
                  - "s3:GetBucketLogging"
                  - "s3:GetBucketNotification"
                  - "s3:GetBucketObjectLockConfiguration"
                  - "s3:GetBucketOwnershipControls"
                  - "s3:GetBucketPolicy"
                  - "s3:GetBucketPublicAccessBlock"
                  - "s3:GetBucketTagging"
                  - "s3:GetBucketVersioning"
                  - "s3:GetBucketWebsite"
                  - "s3:GetEncryptionConfiguration"
                  - "s3:GetLifecycleConfiguration"
                  - "s3:GetReplicationConfiguration"
                  - "s3:ListAllMyBuckets"
                  - "sagemaker:ListNotebookInstances"
                  - "sagemaker:DescribeNotebookInstance"
                  - "sagemaker:DescribeNotebookInstanceLifecycleConfig"
                  - "secretsmanager:ListSecrets"
                  - "secretsmanager:DescribeSecret"
                  - "securityhub:DescribeHub"
                  - "ses:GetIdentityDkimAttributes"
                  - "ses:GetIdentityPolicies"
                  - "ses:ListIdentities"
                  - "ses:ListIdentityPolicies"
                  - "states:ListStateMachines"
                  - "states:DescribeStateMachine"
                  - "ssm:DescribeParameters"
                  - "ssm:GetParameters"
                  - "ssm:ListComplianceItems"
                  - "ssm:ListDocuments"
                  - "ssm:DescribeDocument"
                  - "ssm:DescribeDocumentPermission"
                  - "ssm:DescribeInstanceInformation"
                  - "sns:GetTopicAttributes"
                  - "sns:GetSubscriptionAttributes"
                  - "sns:ListSubscriptions"
                  - "sns:ListSubscriptionsByTopic"
```
- "sns:ListTopics"
- "sqs:GetQueueAttributes"
- "sqs:GetQueueUrl"
- "sqs:ListQueues"
- "waf:ListActivatedRulesInRuleGroup"
- "waf:ListRuleGroups"
- "waf:ListRules"
- "waf:ListWebACLs"
- "waf:GetLoggingConfiguration"
- "waf:GetRateBasedRule"
- "waf:GetRuleGroup"
- "waf:GetRule"
- "waf:GetWebACL"
- "wafv2:ListWebACLs"
- "wafv2:GetWebACL"
- "wafv2:GetWebACLForResource"
- "wafv2:GetLoggingConfiguration"
- "wafv2:ListIPSets"
- "wafv2:GetIPSet"
- "wafv2:ListRuleGroups"
- "wafv2:GetRuleGroup"
- "waf-regional:ListActivatedRulesInRuleGroup"
- "waf-regional:ListWebACLs"
- "waf-regional:ListRuleGroups"
- "waf-regional:ListRules"
- "waf-regional:GetLoggingConfiguration"
- "waf-regional:GetRateBasedRule"
- "waf-regional:GetRuleGroup"
- "waf-regional:GetRule"
- "waf-regional:GetWebACL"
- "tag:Get*"
Resource: "*"
- Effect: "Allow"
Action:
- "s3:GetObject"
Resource:
- "arn:aws:s3:::elasticbeanstalk-env-resources-*/*"
Condition:
StringNotLike:
"s3:ResourceAccount": !Ref "AWS::AccountId"
ShishoCloudOpenIdConnectProvider:
Type: "AWS::IAM::OIDCProvider"
Properties:
Url: "https://tokens.cloud.shisho.dev"
ClientIdList:
- "sts.amazonaws.com"
ThumbprintList:
- "9e99a48a9960b14926bb7f3b02e22da2b0ab7280"
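The policy above grants broad read-only actions on every resource but allows `s3:GetObject` only on the Elastic Beanstalk bucket and only when `s3:ResourceAccount` differs from the account the stack is created in. The following Python script is an added example, not part of the Shisho Cloud documentation or its template: it models that Allow / `Action` / `Resource` / `StringNotLike` subset of IAM evaluation so the effect of the condition can be checked offline before (or after) the stack is deployed. The 12-digit account ids, the object key and the subset of actions are constructed assumptions; the role name `ShishoCloudSecurityAudit` is the template default named in the text.

```python
"""Offline check of what the template's two IAM statements grant.

Added example, not the Shisho Cloud docs' or template's own code. Only the
subset of IAM evaluation the template relies on is modelled: Allow
statements, Action/Resource globbing and the StringNotLike operator.
Real IAM evaluation (explicit Deny, SCPs, resource policies, NotAction,
missing-key semantics, ...) is richer than this.
"""
from fnmatch import fnmatchcase

LINKED_ACCOUNT_ID = "123456789012"          # constructed placeholder account id
ROLE_NAME = "ShishoCloudSecurityAudit"      # default role name from the template

# Constructed subset of the template's read-only action list, including its
# one wildcard entry, enough to exercise the matching rules.
READ_ONLY_ACTIONS = [
    "iam:ListUsers",
    "iam:GetCredentialReport",
    "s3:GetBucketPolicy",
    "s3:ListAllMyBuckets",
    "tag:Get*",
]

POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": READ_ONLY_ACTIONS, "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::elasticbeanstalk-env-resources-*/*"],
            # !Ref "AWS::AccountId" resolves to the account the stack runs in.
            "Condition": {"StringNotLike": {"s3:ResourceAccount": LINKED_ACCOUNT_ID}},
        },
    ]
}


def _matches(patterns, value, case_sensitive=True):
    """IAM-style glob match ('*' and '?'); one pattern or a list of them."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:                  # IAM action names are case-insensitive
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the StringNotLike operator used by the template."""
    for operator, pairs in condition.items():
        if operator != "StringNotLike":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, patterns in pairs.items():
            # s3:ResourceAccount is always present on S3 requests, so require it.
            if _matches(patterns, context[key]):
                return False                # value matched -> StringNotLike is false
    return True


def is_allowed(policy, action, resource, context):
    """True if some Allow statement grants `action` on `resource` under `context`."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def expected_role_arn(account_id, role_name=ROLE_NAME):
    """The ARN the docs tell you to note down once the stack has been created."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("AWS account ids are exactly 12 digits")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def check_matrix():
    """Requests a reviewer of this role would want to confirm; {label: allowed}."""
    own = LINKED_ACCOUNT_ID
    other = "210987654321"                  # constructed: a different (AWS-managed) account
    eb_key = "arn:aws:s3:::elasticbeanstalk-env-resources-ap-northeast-1/eb.sh"  # constructed
    own_data = "arn:aws:s3:::my-data/secret.csv"                                 # constructed
    return {
        "iam:ListUsers on *": is_allowed(POLICY, "iam:ListUsers", "*", {}),
        "tag:GetResources via wildcard": is_allowed(POLICY, "tag:GetResources", "*", {}),
        "s3:GetObject own bucket": is_allowed(POLICY, "s3:GetObject", own_data,
                                              {"s3:ResourceAccount": own}),
        "s3:GetObject EB bucket in own account": is_allowed(POLICY, "s3:GetObject", eb_key,
                                                            {"s3:ResourceAccount": own}),
        "s3:GetObject EB bucket in other account": is_allowed(POLICY, "s3:GetObject", eb_key,
                                                              {"s3:ResourceAccount": other}),
        "s3:PutObject anywhere": is_allowed(POLICY, "s3:PutObject", eb_key,
                                            {"s3:ResourceAccount": other}),
    }


if __name__ == "__main__":
    print(expected_role_arn(LINKED_ACCOUNT_ID))
    for label, allowed in check_matrix().items():
        print(f"{'ALLOW' if allowed else 'deny '}  {label}")
```

The two `s3:GetObject` rows on the Elastic Beanstalk key are the point: the same key is denied when the bucket belongs to the linked account and allowed only when `s3:ResourceAccount` is some other account, which is exactly the behaviour the note before the template describes. Against a live account the equivalent check is `aws iam simulate-principal-policy` on the created role; this script only reproduces the template's logic so the reasoning can be verified without credentials.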
Make a note of the ARN of the created IAM role. If you used the default settings above, the ARN should look like `arn:aws:iam::123456789012:role/ShishoCloudSecurityAudit`.
Registering the ARN with Shisho Cloud
Click the "Settings" button on the "AWS" card in the "⚙ > Integrations" screen, and follow the on-screen instructions to enter the ARN.
Once you have completed the input, the role ARN should appear on the settings page with a check mark, as shown below:
This completes the AWS integration setup. Shisho Cloud can now access your AWS account.
Due to AWS caching, Shisho Cloud may not be able to access AWS for a few minutes after integration. If the settings are not applied immediately, please wait up to 5 minutes.
If you are unable to integrate with AWS correctly by following the above steps, please contact the service provider (Flatt Security).