Amazon Web Services Integration Guide

This guide will walk you through the process of integrating Amazon Web Services with the OneClickComply platform.

To establish a connection between the OneClickComply platform and your AWS environment, we require an IAM (Identity and Access Management) user with read-only permissions. You can create this user either manually in the AWS console or with AWS CLI commands; both methods are covered below.

This support article has been created to guide you through the process of setting up the IAM user, and integrating your AWS environment with the OneClickComply platform.

Note: Please ensure you follow the instructions provided in this guide carefully, as configuring your AWS environment incorrectly will result in an unsuccessful integration.


Manually creating an IAM user within AWS

Important: There are multiple IAM User areas within AWS. Please ensure you follow the guide below carefully, otherwise you may configure your AWS account incorrectly, delaying integration.

  1. From your AWS dashboard, type 'IAM' into the search.

  2. Select Users from the Access Management dropdown on the left-hand side.

  3. From here, please select Create User. (You may use a pre-existing account for this process, however we would recommend creating a new IAM user to make tracking and troubleshooting easier).

  4. Add a memorable name for this account. We suggest something such as 'OneClickComply-AWS-Connection'.

  5. Once named, click the Next button to move to the Permissions page. (If you chose to use a pre-existing IAM user, go to the account, click the Permissions tab, then Add Permissions, and then Add Permissions again).

  6. Select Attach policies directly.

  7. Change the 'Filter by Type' to AWS managed - job function.

  8. Type 'Read' into the search box and tick ReadOnlyAccess.


Add permissions - ReadOnlyAccess policy

  9. Next, search for Security, and tick SecurityAudit.


Add permissions - SecurityAudit policy

  10. Click Next.

  11. Once on the Review and create screen, please ensure that you have selected the correct permissions before continuing.

  12. Select Create User.

  13. Once the user has been successfully created (or you have assigned the correct permissions to the pre-existing account), select the user again.

  14. Back on the user screen, click the Add Permissions dropdown (located within the Permissions tab in the middle of the page) and select Create Inline Policy.


Add permissions dropdown

  15. Click the JSON button within the Policy Editor area.

  16. Delete the current contents of the JSON editor, and paste in the content below.

    Note - Please paste the JSON exactly as shown, including its formatting. A malformed document may be rejected by the editor or lead to permissions being applied incorrectly.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:Get*",
        "appstream:Describe*",
        "appstream:List*",
        "backup:List*",
        "backup:Get*",
        "bedrock:List*",
        "bedrock:Get*",
        "cloudtrail:GetInsightSelectors",
        "codeartifact:List*",
        "codebuild:BatchGet*",
        "codebuild:ListReportGroups",
        "cognito-idp:GetUserPoolMfaConfig",
        "dlm:Get*",
        "drs:Describe*",
        "ds:Get*",
        "ds:Describe*",
        "ds:List*",
        "dynamodb:GetResourcePolicy",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetInstanceMetadataDefaults",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
        "elasticfilesystem:DescribeBackupPolicy",
        "glue:GetConnections",
        "glue:GetSecurityConfiguration*",
        "glue:SearchTables",
        "glue:GetMLTransforms",
        "lambda:GetFunction*",
        "logs:FilterLogEvents",
        "lightsail:GetRelationalDatabases",
        "macie2:GetMacieSession",
        "macie2:GetAutomatedDiscoveryConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "securityhub:BatchImportFindings",
        "securityhub:GetFindings",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "ssm:GetDocument",
        "ssm-incidents:List*",
        "states:ListTagsForResource",
        "support:Describe*",
        "tag:GetTagKeys",
        "wellarchitected:List*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowMoreReadOnly"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "arn:*:apigateway:*::/restapis/*",
        "arn:*:apigateway:*::/apis/*"
      ],
      "Sid": "AllowAPIGatewayReadOnly"
    }
  ]
}

  17. Click Next.

  18. Now assign a name to this new policy. In the example below we have used the name OneClickComply-ReadOnly. We highly recommend using this name for the policy, as following your own naming convention may cause confusion should any troubleshooting or support be required.


A screenshot of the policy details area of AWS

  19. Scroll down the page and select Create Policy.

  20. Your IAM user should now look like the following:


IAM user showing the assigned permissions

  21. Once you have created the necessary IAM user with the required permissions, re-open the user and navigate to the Access Keys section.

  22. This new account should not have any existing access keys associated with it. Select the Create access key button, then choose the option for Third-party service.

  23. Click Next.

  24. (Optional) Assign a short description for this access key. It can even be as simple as 'OneClickComply Access Key'.

  25. Click Create Access Key.
    Note - Please keep the Retrieve Access Keys page open, as you will need both your Access Key ID and Secret Access Key for the integration process. The secret access key is shown only once; if you lose it, you will need to create a new key.


Using CLI commands to create an IAM user

If you would prefer a more automated process, we have provided a series of CLI commands that you can paste into a terminal where the AWS CLI is configured for your account, to create the IAM user and assign the necessary permissions.

Note: We recommend keeping the user and policy names exactly as listed in the commands below. Changing them to fit your own naming conventions may make potential troubleshooting and support more difficult later on.

  1. Creating the IAM user

aws iam create-user \
  --user-name "OneClickComply-AWS-Connection"

  2. Attaching the AWS managed policies ReadOnlyAccess and SecurityAudit

aws iam attach-user-policy \
  --user-name "OneClickComply-AWS-Connection" \
  --policy-arn "arn:aws:iam::aws:policy/ReadOnlyAccess"
aws iam attach-user-policy \
  --user-name "OneClickComply-AWS-Connection" \
  --policy-arn "arn:aws:iam::aws:policy/SecurityAudit"

  3. Creating the necessary inline policy

cat > oneclickcomply-inline-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "account:Get*",
        "appstream:Describe*",
        "appstream:List*",
        "backup:List*",
        "backup:Get*",
        "bedrock:List*",
        "bedrock:Get*",
        "cloudtrail:GetInsightSelectors",
        "codeartifact:List*",
        "codebuild:BatchGet*",
        "codebuild:ListReportGroups",
        "cognito-idp:GetUserPoolMfaConfig",
        "dlm:Get*",
        "drs:Describe*",
        "ds:Get*",
        "ds:Describe*",
        "ds:List*",
        "dynamodb:GetResourcePolicy",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:GetSnapshotBlockPublicAccessState",
        "ec2:GetInstanceMetadataDefaults",
        "ecr:Describe*",
        "ecr:GetRegistryScanningConfiguration",
        "elasticfilesystem:DescribeBackupPolicy",
        "glue:GetConnections",
        "glue:GetSecurityConfiguration*",
        "glue:SearchTables",
        "glue:GetMLTransforms",
        "lambda:GetFunction*",
        "logs:FilterLogEvents",
        "lightsail:GetRelationalDatabases",
        "macie2:GetMacieSession",
        "macie2:GetAutomatedDiscoveryConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "shield:DescribeProtection",
        "shield:GetSubscriptionState",
        "securityhub:BatchImportFindings",
        "securityhub:GetFindings",
        "servicecatalog:Describe*",
        "servicecatalog:List*",
        "ssm:GetDocument",
        "ssm-incidents:List*",
        "states:ListTagsForResource",
        "support:Describe*",
        "tag:GetTagKeys",
        "wellarchitected:List*"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowMoreReadOnly"
    },
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET"
      ],
      "Resource": [
        "arn:*:apigateway:*::/restapis/*",
        "arn:*:apigateway:*::/apis/*"
      ],
      "Sid": "AllowAPIGatewayReadOnly"
    }
  ]
}
EOF

  4. Attaching the JSON as an inline policy to the IAM user

aws iam put-user-policy \
  --user-name "OneClickComply-AWS-Connection" \
  --policy-name "OneClickComply-ReadOnly" \
  --policy-document file://oneclickcomply-inline-policy.json
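As an added check that is not part of this guide or of the OneClickComply tooling, the following Python script classifies every action in a saved policy document by its API verb and reports any that are not read-style, together with statements that grant Resource "*". The read-verb prefix list and the embedded policy excerpt are assumptions constructed here; run against the full oneclickcomply-inline-policy.json above, it flags only securityhub:BatchImportFindings, which imports findings into Security Hub rather than reading state, so confirm with the platform that it is required before granting it.

```python
import json
import sys

# Verb prefixes that only read state; "GET" is API Gateway's HTTP-style action name (assumed list).
READ_VERBS = ("Get", "List", "Describe", "BatchGet", "Search", "Filter", "GET")

# Constructed excerpt of the guide's inline policy, so the script runs offline without the file.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowMoreReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["account:Get*", "codebuild:BatchGet*", "logs:FilterLogEvents",
                    "securityhub:BatchImportFindings", "securityhub:GetFindings"]},
        {"Sid": "AllowAPIGatewayReadOnly", "Effect": "Allow", "Action": ["apigateway:GET"],
         "Resource": ["arn:*:apigateway:*::/restapis/*", "arn:*:apigateway:*::/apis/*"]},
    ],
})

def is_read_only(action: str) -> bool:
    """True when the action's verb starts with a read-only prefix."""
    if action == "*" or action.endswith(":*"):
        return False  # a service-wide wildcard also grants write actions
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_VERBS)

def audit_policy(document: str) -> dict:
    """Map each Allow Sid to its non-read actions, and list Sids that use Resource "*"."""
    policy = json.loads(document)
    statements = policy["Statement"]  # the guide's policy always uses a list here
    report = {"write_actions": {}, "wildcard_resource": []}
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        writes = sorted(a for a in actions if not is_read_only(a))
        if writes:
            report["write_actions"][sid] = writes
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            report["wildcard_resource"].append(sid)
    return report

if __name__ == "__main__":
    # Pass oneclickcomply-inline-policy.json as the first argument to audit the saved file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    print(json.dumps(audit_policy(text), indent=2))
```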

  5. Creating an access key for the IAM user

aws iam create-access-key \
  --user-name "OneClickComply-AWS-Connection"

This last command will print both an AccessKeyId and a SecretAccessKey, which you will need to provide when connecting your AWS environment to the OneClickComply platform. Record both now: the secret access key is not retrievable again after this command returns.

Integrating your AWS environment with OneClickComply

After you have successfully created the IAM user, assigned the correct permissions, and made a record of your Access key ID and Secret access key, you may now connect your AWS environment to the OneClickComply platform.

Please follow the steps below to complete the integration process.

  1. Select Integrations from the main navigation bar.

  2. Once on the Integrations page, you will be shown a list of all integrations currently available on the OneClickComply platform. You can use the search bar at the top of the page to filter for the Amazon Web Services integration.

  3. Select the Amazon Web Services integration to open a side window, and then select Connect Amazon Web Services. This will open a pop-up modal which will guide you through the connection process:

      1. First, assign a Connection name. The name should be clearly recognisable, and one that you don't mind seeing in various areas within the platform.

        Note: If you have multiple connections within an integration, ensure the names are unique and can be easily distinguished.

      2. Next, provide your AWS account ID. You can also optionally assign an Alias (e.g. Production).

      3. Then provide your Access key ID and Secret access key.

      4. If you have created a session token for temporary credentials, paste it here. (The long-term access key created in this guide has no session token.)

      5. Finally, click Connect cloud account.

  4. Once all of these steps are completed, the OneClickComply platform will have successfully paired with Amazon Web Services, and will begin scanning the connected environment for gaps and misconfigurations.