In this article you will find:

  1. Overview

  2. How to configure AWS Cross-Account

  3. Training video

1. Overview

Cross-account access enables an IAM user in one AWS account to access AWS resources in another AWS account.
If you have several AWS accounts in your organization, it is recommended to use cross-account access instead of configuring several AWS connectors within Vulcan.

Role permissions needed for all the relevant services:

  • EC2: DescribeInstances, DescribeSecurityGroups

  • Elastic LoadBalancing: DescribeTargetGroups, DescribeLoadBalancers, DescribeTargetHealth

  • Inspector: ListFindings, ListAssessmentRuns, DescribeAssessmentRuns, DescribeFindings, ListAssessmentTemplates, PreviewAgents

  • ECR: ListTagsForResource, ListImages, DescribeImages, DescribeRepositories

  • ECS: DescribeClusters, ListContainerInstances, DescribeContainerInstances, ListClusters

  • SecurityHub: DescribeProducts, GetFindings, GetInsightResults, ListTagsForResource, DescribeHub, GetInsights

2. How to configure AWS Cross-Account

In the AWS connector, choose the AWS Cross Account option.

Step 1 - Choose Regions and AWS Services

  1. Select Region - For each account, the connector will try to pull data for all selected regions.

  2. Choose AWS Services - Choose which AWS services the connector will pull data from. Note that each AWS service requires different levels

Step 2 - AWS Configuration through the AWS Console
Note that this step must be repeated in each AWS account you want to enable access to.

1. Log in to the AWS console for the targeted account with a user who has permission to create an IAM role.

2. Navigate to IAM --> Policies --> Create policy --> JSON

3. In the Vulcan platform, click Download Policy and paste the content of the JSON file into the AWS console (where you stopped in step 2). Note that the JSON derives from the AWS services you chose earlier.

4. Click Review policy

5. Copy the Account ID from Vulcan: 346856321778

6. Navigate to IAM --> Roles --> Create role --> Another AWS account --> Paste the Account ID from the previous step

7. Copy the External ID from the connector page in Vulcan.

In IAM, check Require external ID and paste the External ID from the previous step.

8. Uncheck Require MFA

9. Click Next: Permissions and attach the policy created in step 4.

10. Review and copy the generated ARN. You will use all of the ARNs in the next step.
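As an added example (not Vulcan's or AWS's own code), the Python below builds the two documents that Step 2 produces in the console: the permissions policy from the service actions listed in the Overview, and the role trust policy that "Another AWS account" plus "Require external ID" generates for the Vulcan account ID given on this page. It also checks a trust policy the way a reviewer would after step 7. The external ID value and the function names are constructed for illustration.

```python
# Read-only actions the page lists for the Vulcan role, keyed by IAM service prefix.
REQUIRED_ACTIONS = {
    "ec2": ["DescribeInstances", "DescribeSecurityGroups"],
    "elasticloadbalancing": ["DescribeTargetGroups", "DescribeLoadBalancers",
                             "DescribeTargetHealth"],
    "inspector": ["ListFindings", "ListAssessmentRuns", "DescribeAssessmentRuns",
                  "DescribeFindings", "ListAssessmentTemplates", "PreviewAgents"],
    "ecr": ["ListTagsForResource", "ListImages", "DescribeImages", "DescribeRepositories"],
    "ecs": ["DescribeClusters", "ListContainerInstances", "DescribeContainerInstances",
            "ListClusters"],
    "securityhub": ["DescribeProducts", "GetFindings", "GetInsightResults",
                    "ListTagsForResource", "DescribeHub", "GetInsights"],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def build_permissions_policy(services):
    """Identity policy granting only the selected services' read-only actions."""
    actions = sorted(f"{svc}:{act}" for svc in services for act in REQUIRED_ACTIONS[svc])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

def build_trust_policy(trusted_account_id, external_id):
    """Trust policy the console produces for 'Another AWS account' + 'Require external ID'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def assume_role_requires_external_id(trust_policy):
    """True only if every Allow of sts:AssumeRole is pinned to an sts:ExternalId."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            return False
    return True

def missing_actions(policy, services):
    """Required actions for the selected services that the policy does not allow."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    needed = {f"{svc}:{act}" for svc in services for act in REQUIRED_ACTIONS[svc]}
    return sorted(needed - granted)
```

If assume_role_requires_external_id returns False for a role's trust policy, the role can be assumed from the trusted account without presenting the external ID, which is exactly what step 7 is there to prevent.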

Step 3 - Upload ARNs List

  1. Download the CSV template from the Vulcan platform.

  2. Add all the ARNs from Step 2, following the format in the template.

  3. Upload the ARNs CSV.

  4. Click Create.

3. Training video
