Configure k9 Access to AWS Accounts


This document describes how to configure k9’s access to your AWS accounts so that it can audit the accounts and deliver the reports to you. Here is a logical view of what we are creating:

    In this process, we will create:

    • Auditor Role(s) in your monitored AWS accounts
    • Secure Inbox Bucket and Encryption Key in your security account

    If you have only a single AWS account, create both the auditor and the secure inbox resources in that account.

    These resources will be created automatically by the CloudFormation templates referenced in the steps that follow.

    Step-by-step guide

      General Notes

      Please use the us-east-1 AWS region for these steps.  Security policies for using KMS encryption have region-specific details and the automation is only supported for us-east-1 currently.

      The resource creation steps that follow require an Environment parameter.  This parameter identifies the k9 environment you will be using and ultimately the AWS account ID that your AWS accounts will trust to monitor and deliver reports.  The values of the Environment parameter are:

      k9 Environment Name    Environment Parameter Value    Trusted k9 Account ID (Alias)
      Production             prod                           826438284864 (k9-prod)
      Customer Debugging     dev                            139710491120 (k9-dev)

      Customers should use the production k9 environment unless debugging an issue with the k9 Operations team.

      Step 0 – Gather Information

      Please gather this information before starting the resource provisioning process.

      KeyAdministratorARN – The ARN of the IAM user or role in the Security account that will administer the KMS key used to protect the k9 reports.  This can be any user or role that you trust with this sensitive data; note that whoever administers the key policy ultimately controls who can decrypt the reports.

      Step 1 – Create Auditor Roles

      The first step is to create a k9-auditor role in each AWS account you would like k9 to monitor.  This auditor role uses the AWS-managed SecurityAudit policy (arn:aws:iam::aws:policy/SecurityAudit), which is purpose-built for read-only security audits.

      This step asks you to specify an External ID that k9 must present when it assumes the auditor role in your monitored AWS account(s).  The External ID protects the trust relationship between k9 and the monitored account against the confused deputy problem. Details available at: https://aws.amazon.com/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/

      Create your External IDs by generating a random 8-character alphanumeric string (0-9, a-z, A-Z) with your favorite password generator (AWS accepts longer values if your generator produces them).

      You should use a unique External ID for each role you create in a monitored account.

      While logged into your AWS account, you can grant k9 access by clicking on this link:

      Once you have created (or updated) the k9 account auditor stack, go to the ‘Outputs’ tab and record the k9-auditor role’s ARN and ExternalID in the onboarding spreadsheet.

      Alternatively, you can download the template from S3 (source), review it, and deploy it using the AWS CLI directly:

      # Configure the '<replace me>' values appropriately; the region is fixed to us-east-1 per the General Notes
      /usr/local/bin/aws cloudformation deploy \
        --region us-east-1 \
        --stack-name k9-account-auditor \
        --template-file $(pwd)/configure-k9-resources-for-monitored-account.template \
        --capabilities CAPABILITY_NAMED_IAM \
        --parameter-overrides \
        Environment=prod \
        K9RoleAssumePolicyExternalId=<replace me>
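      The following Python is an added example, not code from this page or from the k9 CloudFormation template.  It generates an External ID of the form the step asks for, renders the trust policy the auditor role should end up with (the trusted k9 account from the environment table as the only principal, gated by an sts:ExternalId condition), and checks a trust policy document for the two things worth verifying after the stack is created: that no other principal can assume the role, and that the External ID condition is present.  The exact policy document the template emits is assumed to match this shape; verify against the live role with aws iam get-role --role-name k9-auditor --query Role.AssumeRolePolicyDocument.

```python
import json
import secrets
import string

# Trusted k9 account IDs from the environment table on this page.
K9_ACCOUNTS = {"prod": "826438284864", "dev": "139710491120"}

# Alphabet the page specifies for External IDs: 0-9, a-z, A-Z.
EXTERNAL_ID_ALPHABET = string.ascii_letters + string.digits


def generate_external_id(length: int = 8) -> str:
    """Return a random alphanumeric External ID; 8 characters is the length the page asks for."""
    return "".join(secrets.choice(EXTERNAL_ID_ALPHABET) for _ in range(length))


def auditor_trust_policy(environment: str, external_id: str) -> dict:
    """Trust policy the auditor role should carry: only the k9 account for the chosen
    environment may call sts:AssumeRole, and only when it presents the agreed External ID.
    Illustrative shape; the CloudFormation template's exact document is assumed, not copied."""
    account = K9_ACCOUNTS[environment]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, environment: str, external_id: str) -> list:
    """Inspect a role's trust policy and return a list of findings.  An empty list means
    every AssumeRole grant is scoped to the expected k9 account and carries the External ID."""
    account = K9_ACCOUNTS[environment]
    # IAM canonicalises a bare account ID to the account root ARN, so accept both forms.
    allowed_principals = {account, f"arn:aws:iam::{account}:root"}
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal")
        # Principal may be the string "*" or a dict such as {"AWS": "..."} / {"AWS": [...]}.
        if isinstance(principal, str):
            aws_principals = [principal]
        else:
            aws_principals = _as_list((principal or {}).get("AWS"))
        for p in aws_principals:
            if p not in allowed_principals:
                findings.append(f"statement {i}: unexpected principal {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append(f"statement {i}: missing or wrong sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    ext_id = generate_external_id()
    policy = auditor_trust_policy("prod", ext_id)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, "prod", ext_id))
```

      Feed the output of the get-role command above into check_trust_policy with the Environment and External ID you deployed; any finding means the stack did not produce the expected trust relationship and should be corrected before the role ARN is shared.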

      Step 2 – Create Resources for Report Delivery

      The second step is to create the S3 bucket and KMS encryption key in the security account to which your reports will be delivered.

      While logged into your Security or ‘Secure Inbox’ AWS account, you can grant k9 access by clicking on this link:

      Once you have created (or updated) the k9 report publisher stack, go to the ‘Outputs’ tab and record the Secure Inbox bucket ARN and Encryption Key ARN in the onboarding spreadsheet.

      Alternatively, you can download the template from S3 (source), review it, and deploy it using the AWS CLI directly:

      # Configure the '<replace me>' values appropriately; the region is fixed to us-east-1 per the General Notes
      /usr/local/bin/aws cloudformation deploy \
        --region us-east-1 \
        --stack-name k9-report-publisher \
        --template-file $(pwd)/configure-k9-resources-for-report-delivery.template \
        --capabilities CAPABILITY_NAMED_IAM \
        --parameter-overrides \
        Environment=prod \
        SecureInboxBucketName=<replace me> \
        KeyAdministratorARN=<replace me>
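      The following Python is an added example, not code from this page or from the k9 CloudFormation template.  It shows the least-privilege shape a practitioner would expect the secure inbox resources to have: a key policy in which KeyAdministratorARN manages the key while the trusted k9 account can only encrypt, and a bucket policy that lets the k9 account write reports but denies any PutObject that is not SSE-KMS with exactly that key, plus any request over plain HTTP.  A small evaluator then runs sample upload requests against the Deny statements so you can see which uploads are rejected.  The bucket name, key ARN and admin role ARN are placeholders, and the policy documents are illustrative; the template's own documents are not reproduced here.

```python
import json

# Trusted k9 account IDs from the environment table on this page.
K9_ACCOUNTS = {"prod": "826438284864", "dev": "139710491120"}

# Actions a key administrator needs to manage (but not use) a KMS key.
KEY_ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]


def report_key_policy(environment: str, key_admin_arn: str) -> dict:
    """Illustrative key policy for the report encryption key: KeyAdministratorARN manages
    the key (including kms:PutKeyPolicy, so it decides who may decrypt later); the k9
    account may only encrypt and generate data keys, never decrypt."""
    k9 = K9_ACCOUNTS[environment]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": key_admin_arn},
             "Action": KEY_ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "AllowK9ToEncryptReports", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{k9}:root"},
             "Action": ["kms:Encrypt", "kms:GenerateDataKey*"], "Resource": "*"},
        ],
    }


def secure_inbox_bucket_policy(environment: str, bucket_name: str, key_arn: str) -> dict:
    """Illustrative bucket policy: k9 may write objects, but any PutObject that is not
    SSE-KMS with exactly this key, or any request over plain HTTP, is explicitly denied."""
    k9 = K9_ACCOUNTS[environment]
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    objects = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowK9PutReports", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{k9}:root"},
             "Action": "s3:PutObject", "Resource": objects},
            {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, objects],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def deny_reasons(policy: dict, action: str, context: dict) -> list:
    """Simplified evaluation of the policy's Deny statements against a request context
    (the s3:x-amz-* header values and aws:SecureTransport).  Mirrors two IAM rules:
    StringNotEquals matches when the key is absent from the request, and Bool does not.
    Returns the Sids of the Deny statements that fire; an explicit Deny always wins."""
    fired = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions and "s3:*" not in actions:
            continue
        for operator, clauses in stmt.get("Condition", {}).items():
            for key, expected in clauses.items():
                actual = context.get(key)
                if operator == "StringNotEquals" and actual != expected:
                    fired.append(stmt["Sid"])
                elif operator == "Bool" and str(actual).lower() == expected:
                    fired.append(stmt["Sid"])
    return fired


if __name__ == "__main__":
    # Placeholder ARNs and bucket name, constructed for this example.
    key = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
    policy = secure_inbox_bucket_policy("prod", "example-secure-inbox", key)
    print(json.dumps(policy, indent=2))
    compliant = {"s3:x-amz-server-side-encryption": "aws:kms",
                 "s3:x-amz-server-side-encryption-aws-kms-key-id": key,
                 "aws:SecureTransport": "true"}
    print("compliant upload denied by:", deny_reasons(policy, "s3:PutObject", compliant))
    print("unencrypted upload denied by:", deny_reasons(policy, "s3:PutObject", {"aws:SecureTransport": "true"}))
```

      The point of the two separate Deny statements is that an object uploaded with SSE-S3, or with SSE-KMS under some other key, never lands in the inbox, so every report in the bucket is readable only by principals the key administrator has granted kms:Decrypt on this one key.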

      Step 3 – Share Resource Info with k9

      Share the following AWS resource information with your k9 onboarding contact using the k9 Customer Account Config – Template (Google Sheet):

      Report Delivery

      • Report Encryption Key ARN
      • Secure Inbox S3 Report Destination – Bucket Name
      • Secure Inbox S3 Report Destination – Object Root

      Account Monitoring

      For each monitored account, record in the same spreadsheet:

      • AWS Account Id
      • AWS Account Alias
      • Auditor – IAM Role ARN
      • Auditor – ExternalID