Add a FortMesa Trust to Your AWS Account

Posted by James Hilton on Jul 10, 2020 5:29:52 PM

Summary

Adding a trust between your AWS account and FortMesa will allow us to:


  1. Read information about your EC2 instances.
  2. Write resource tags to help track assets.
  3. Use AWS Systems Manager to inventory software.
  4. Run AWS Inspector to scan for vulnerabilities.


The policy below grants no ssm:SendCommand, ssm:StartSession or s3:GetObject permission, so our role cannot send ad-hoc commands to your instances, open shell sessions on them, or read the contents of your S3 objects; S3 and RDS access is limited to bucket and instance metadata. One caveat a reviewer will notice: ssm:CreateAssociation, ssm:UpdateAssociation and ssm:StartAutomationExecution are granted on Resource "*", and a State Manager association can run any SSM document, including command documents, on the instances it targets. If that is broader than you are comfortable with, scope those three actions to the specific inventory documents and instances you want us to use.

For AWS's own recommendations on granting third-party access to your account, review the IAM documentation on cross-account roles and external IDs.

Creating a Restricted Access Policy for FortMesa

Find the IAM Dashboard


Create a New Policy


Input the FortMesa Policy JSON

On the Create Policy screen, switch to the JSON tab and paste in the policy below, replacing the editor's default contents.


The least-privilege JSON policy below allows us to:

  1. Validate this policy (read back the policy and the role it is attached to, by name).
  2. Read EC2 metadata and write tags to assist with inventory tracking.
  3. Configure and call AWS Inspector to scan for vulnerabilities.
  4. Configure and collect basic system telemetry and software inventory using AWS Systems Manager.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FortMesaInspectorPolicy",
      "Effect": "Allow",
      "Action": [
        "inspector:ListAssessmentRunAgents",
        "inspector:ListAssessmentRuns",
        "inspector:ListAssessmentTargets",
        "inspector:ListAssessmentTemplates",
        "inspector:ListFindings",
        "inspector:ListRulesPackages",
        "inspector:ListTagsForResource",
        "inspector:DescribeAssessmentRuns",
        "inspector:DescribeAssessmentTargets",
        "inspector:DescribeAssessmentTemplates",
        "inspector:DescribeCrossAccountAccessRole",
        "inspector:DescribeFindings",
        "inspector:DescribeResourceGroups",
        "inspector:DescribeRulesPackages",
        "inspector:GetTelemetryMetadata",
        "inspector:CreateAssessmentTarget",
        "inspector:CreateAssessmentTemplate",
        "inspector:CreateResourceGroup",
        "inspector:DeleteAssessmentRun",
        "inspector:DeleteAssessmentTarget",
        "inspector:DeleteAssessmentTemplate",
        "inspector:RegisterCrossAccountAccessRole",
        "inspector:SetTagsForResource",
        "inspector:StartAssessmentRun",
        "inspector:StopAssessmentRun",
        "inspector:UpdateAssessmentTarget"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "inspector.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/inspector.amazonaws.com/AWSServiceRoleForAmazonInspector",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "inspector.amazonaws.com"
        }
      }
    },
    {
      "Sid": "FortMesaEC2Policy",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ec2:CreateTags",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones",
        "ec2messages:GetMessages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FortMesaReadPolicy",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:GetPolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:policy/FortMesa*"
      ]
    },
    {
      "Sid": "FortMesaReadRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/FortMesa*"
      ]
    },
    {
      "Sid": "FortMesaSSMPolicy",
      "Effect": "Allow",
      "Action": [
        "ssm:ListInventoryEntries",
        "ssm:UpdateAssociation",
        "ssm:StopAutomationExecution",
        "ssm:DeleteAssociation",
        "ssm:StartAutomationExecution",
        "ssm:StartAssociationsOnce",
        "ssm:DescribeInstanceInformation",
        "ssm:RemoveTagsFromResource",
        "ssm:DescribeInstancePatchStates",
        "ssm:CreateAssociation",
        "ssm:AddTagsToResource",
        "ssm:DeleteResourceDataSync",
        "ssm:ListTagsForResource",
        "ssm:ListResourceDataSync",
        "ssm:CreateResourceDataSync",
        "ssm:ListAssociations",
        "ssm:DescribeAssociation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:GetManifest",
        "ssm:GetParameters",
        "ssm:ListInstanceAssociations",
        "ssm:PutInventory",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation",
        "ssm:ListDocuments",
        "ssm:ListDocumentVersions",
        "ssm:DescribeDocument",
        "ssm:DescribeInstanceAssociationsStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FortMesaS3Policy",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FortMesaS3Policy2",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "FortMesaRDSPolicy",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Review and Name Policy

The policy name must be exactly FortMesa-Trust-Policy. Our validator reads the policy back by that name, which is why the FortMesaReadPolicy statement above only covers policies whose names start with FortMesa.



Add a Third-Party Role We Can Assume

Create Role

Still in the IAM Dashboard, create a role for FortMesa to assume.

  1. Select the "Another AWS account" trusted-entity type.
  2. Input our AWS account number, 869756787046.
  3. Check "Require external ID" and input the External ID generated by the FortMesa software. The External ID is what protects you from a confused-deputy attack: the role can only be assumed by a caller that presents that value, so keep it confidential. Leave "Require MFA" unchecked; a service assuming the role cannot answer an MFA prompt.

Attach the Access Policy

Attach the FortMesa-Trust-Policy you created in the previous step; use the search box to find it quickly. In IAM terms this is the role's permissions policy. The role's trust policy (who may assume it) is the one the console generates from the account number and External ID you entered above.


Name the Role

As instructed in our software, input the Role name FortMesa-Trust-Role-[scopename].

In the example below the security scope is barsoomcorp, whose company login page is barsoomcorp.fortmesa.com, so the role is named FortMesa-Trust-Role-barsoomcorp.

Name the role exactly as instructed so we can validate the trust; the field is case sensitive, and our validator can only read roles whose names start with FortMesa (see the FortMesaReadRole statement above).


Role Created!

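The console steps above (the permissions policy, then the role trusting our account with an External ID) can be scripted and, more usefully, checked. The following is an added example written for this article, not FortMesa's own tooling: it builds the role's trust policy with the sts:ExternalId condition the console writes for you, derives the case-sensitive role name from a scope, statically audits a permissions policy for the actions the Summary promises are absent and for the unscoped SSM writes noted there, and runs the checks a trust validator needs (role name, attached policy name, principal, External ID). The account number, policy name and role-name prefix are taken from the article; the scope-label rule, the forbidden and unscoped action lists, the sample External ID and the policy excerpt are constructed assumptions.

```python
"""Build and check the FortMesa cross-account trust without the console.

Added example, not FortMesa's own code. Account number, policy name and
role-name prefix are the article's; the audit lists and scope rule are assumed.
"""
import json
import re

FORTMESA_ACCOUNT = "869756787046"        # partner account from the article
POLICY_NAME = "FortMesa-Trust-Policy"    # required policy name from the article
ROLE_PREFIX = "FortMesa-Trust-Role-"     # required role-name prefix from the article
SCOPE_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")   # assumption: scope is a DNS label
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]{2,1224}")  # IAM's limits on sts:ExternalId


def role_name(scope: str) -> str:
    """Exact (case-sensitive) role name the validator looks for."""
    if not SCOPE_RE.fullmatch(scope):
        raise ValueError(f"scope must be a lowercase DNS label, got {scope!r}")
    return ROLE_PREFIX + scope


def trust_policy(external_id: str, partner_account: str = FORTMESA_ACCOUNT) -> dict:
    """Assume-role policy the console writes for 'Another AWS account' with
    'Require external ID'. The sts:ExternalId condition is the confused-deputy
    guard: the partner can only assume the role while presenting your ID."""
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        raise ValueError("external ID must be 2-1224 chars of [A-Za-z0-9_+=,.@:/-]")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


# Assumed lists. FORBIDDEN: actions the article says the policy must not grant.
# UNSCOPED_SSM_WRITES: actions that, on Resource "*", can attach any SSM document
# (command documents included) to any instance.
FORBIDDEN = {"ssm:SendCommand", "ssm:StartSession", "s3:GetObject",
             "ec2-instance-connect:SendSSHPublicKey"}
UNSCOPED_SSM_WRITES = {"ssm:CreateAssociation", "ssm:UpdateAssociation",
                       "ssm:StartAutomationExecution"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_permissions_policy(policy: dict) -> dict:
    """Static check of a permissions policy: forbidden actions, wildcard actions,
    and broad SSM writes not scoped to specific documents/instances."""
    report = {"forbidden": set(), "wildcards": set(), "unscoped_ssm_writes": set()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            if action in FORBIDDEN:
                report["forbidden"].add(action)
            if "*" in action:
                report["wildcards"].add(action)
            if action in UNSCOPED_SSM_WRITES and "*" in resources:
                report["unscoped_ssm_writes"].add(action)
    return {k: sorted(v) for k, v in report.items()}


def check_trust(role: str, scope: str, attached_policy_names, trust_doc: dict,
                external_id: str) -> list:
    """Checks a validator of the finished trust needs. Empty list == all good."""
    problems = []
    if role != role_name(scope):
        problems.append(f"role must be named {role_name(scope)!r} (case-sensitive)")
    if POLICY_NAME not in attached_policy_names:
        problems.append(f"{POLICY_NAME} is not attached")
    stmts = [s for s in trust_doc["Statement"] if s.get("Effect") == "Allow"
             and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not stmts:
        problems.append("trust policy has no sts:AssumeRole statement")
    for s in stmts:
        principal = _as_list(s.get("Principal", {}).get("AWS", []))
        if not any(f":{FORTMESA_ACCOUNT}:" in p for p in principal):
            problems.append("trust policy does not name the FortMesa account as principal")
        cond = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond != external_id:
            problems.append("trust policy lacks the sts:ExternalId condition (confused-deputy risk)")
    return problems


# Constructed excerpt of the article's FortMesa-Trust-Policy (two of its statements).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FortMesaSSMPolicy", "Effect": "Allow", "Resource": "*",
         "Action": ["ssm:ListInventoryEntries", "ssm:CreateAssociation",
                    "ssm:StartAutomationExecution"]},
        {"Sid": "FortMesaS3Policy2", "Effect": "Allow", "Resource": "arn:aws:s3:::*",
         "Action": ["s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketPolicy"]},
    ],
}

if __name__ == "__main__":
    ext_id = "example-external-id-from-fortmesa"  # constructed; use the one the software shows
    doc = trust_policy(ext_id)
    print(json.dumps(doc, indent=2))
    print(audit_permissions_policy(SAMPLE_POLICY))
    print(check_trust(role_name("barsoomcorp"), "barsoomcorp", [POLICY_NAME], doc, ext_id))
```

To apply this with the AWS CLI instead of the console, write the trust_policy() output to a file and run aws iam create-role --role-name FortMesa-Trust-Role-[scopename] --assume-role-policy-document file://trust.json, then aws iam create-policy --policy-name FortMesa-Trust-Policy --policy-document file://policy.json and aws iam attach-role-policy with the returned policy ARN. The audit on the sample excerpt reports no forbidden actions but does list ssm:CreateAssociation and ssm:StartAutomationExecution as unscoped, which is the caveat from the Summary.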

