Cross-account access enables an IAM user in one AWS account to access the AWS resources of another AWS account.
If you have several AWS accounts in your organization, it is recommended to use cross-account access instead of configuring several AWS connectors within Vulcan.
Role permissions needed for all the relevant services:
EC2: DescribeInstances, DescribeSecurityGroups
Elastic Load Balancing: DescribeTargetGroups, DescribeLoadBalancers, DescribeTargetHealth
Inspector: ListFindings, ListAssessmentRuns, DescribeAssessmentRuns, DescribeFindings, ListAssessmentTemplates, PreviewAgents
ECR: ListTagsForResource, ListImages, DescribeImages, DescribeRepositories
ECS: DescribeClusters, ListContainerInstances, DescribeContainerInstances, ListClusters
SecurityHub: DescribeProducts, GetFindings, GetInsightResults, ListTagsForResource, DescribeHub, GetInsights
2. How to Configure AWS Cross Account
In the AWS connector, choose the AWS Cross Account option.
Step 1 - Choose Regions and AWS Services
Select Region - For each account, the connector will try to pull data for all selected regions.
Choose AWS Services - Choose which AWS services the connector will pull data from. Note that each AWS service requires different levels
Step 2 - AWS Configuration through AWS Console
Note that this step needs to be repeated in each AWS account you want to enable access to.
1. Log in to the AWS console for the targeted account with a user who has permission to create an IAM role.
2. Navigate to IAM --> Policies --> Create policy --> JSON
3. In the Vulcan platform, click Download Policy and paste the content of the JSON file into the AWS console (where you stopped in step 2). Note that the JSON derives from the AWS services you chose earlier.
4. Click Review policy
5. Copy the Account ID from Vulcan.
6. Navigate to IAM --> Roles --> Create role --> Another AWS account --> Paste the Account ID from the previous step.
7. Copy the External ID from the connector page in Vulcan. In IAM, check Require external ID and paste the External ID from the previous step.
8. Uncheck Require MFA.
9. Click Next: Permissions and attach the policy created in step 4.
10. Review the policy and copy the generated ARN. You will use all of the ARNs in the next step.
Step 3 - Upload ARNs List
Download the CSV template from the Vulcan platform.
Add all the ARNs from step 2, following the format in the template.
Upload the ARNs CSV.
Click Create.
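As an added example that is not part of the Vulcan documentation, the Python below builds the two IAM documents the steps above have you create in the console (the service-scoped read-only permission policy, and the trust policy carrying the Vulcan account ID and External ID with no MFA condition) and validates the ARN list from step 3 before upload. The single-column CSV layout with a header row is an assumption, not Vulcan's template; the account ID and External ID are placeholders.

```python
import re

# Read-only actions per service, exactly as listed in the permissions section above.
SERVICE_ACTIONS = {
    "ec2": ["DescribeInstances", "DescribeSecurityGroups"],
    "elasticloadbalancing": ["DescribeTargetGroups", "DescribeLoadBalancers",
                             "DescribeTargetHealth"],
    "inspector": ["ListFindings", "ListAssessmentRuns", "DescribeAssessmentRuns",
                  "DescribeFindings", "ListAssessmentTemplates", "PreviewAgents"],
    "ecr": ["ListTagsForResource", "ListImages", "DescribeImages", "DescribeRepositories"],
    "ecs": ["DescribeClusters", "ListContainerInstances", "DescribeContainerInstances",
            "ListClusters"],
    "securityhub": ["DescribeProducts", "GetFindings", "GetInsightResults",
                    "ListTagsForResource", "DescribeHub", "GetInsights"],
}

def permission_policy(services):
    """Permission policy limited to the chosen services' read-only actions (the step 3 JSON)."""
    unknown = set(services) - SERVICE_ACTIONS.keys()
    if unknown:
        raise ValueError(f"unsupported services: {sorted(unknown)}")
    actions = sorted(f"{svc}:{act}" for svc in services for act in SERVICE_ACTIONS[svc])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

def trust_policy(vulcan_account_id, external_id):
    """Trust policy matching steps 5-8: only the Vulcan account may assume the role,
    and only when it presents the External ID; no MFA condition is added."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{vulcan_account_id}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

# IAM role ARN: 12-digit account id, then role/<name> (path segments allowed).
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def check_arn_list(csv_text):
    """Split the step 3 CSV into (valid, invalid) role ARNs before uploading it.
    Assumes one column with a header row (an assumption, not Vulcan's template)."""
    valid, invalid = [], []
    for line in csv_text.splitlines()[1:]:
        line = line.strip()
        if line:
            (valid if ROLE_ARN.match(line) else invalid).append(line)
    return valid, invalid

# Constructed sample CSV: one well-formed role ARN and one malformed entry.
SAMPLE_CSV = "arn\narn:aws:iam::111122223333:role/VulcanReadOnly\nnot-an-arn\n"
```

Generating the policy from the service list keeps the role to the Describe/List/Get actions the connector needs, and the External ID condition in the trust policy is what stops a third party from assuming the role even if they know the role ARN.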