DivvyCloud is a Cloud Security Posture Management (CSPM) platform that provides real-time analysis and automated remediation across leading cloud and container technologies.

Instance Assume Role (AWS)

Overview

When deploying DivvyCloud on one or more virtual private servers within Amazon Web Services (AWS), we strongly recommend using Instance Assume Role. Authentication using this mechanism leverages temporary API credentials that are rotated every 60 minutes.

The steps below describe how to configure Instance Assume Role for your AWS-hosted DivvyCloud instances. Once you have given your DivvyCloud instances this role, adding additional AWS clouds is straightforward.

Before Getting Started

These instructions assume you have already added two IAM policies, i.e., Read-Only + STS or Power User + STS, as described here.

Steps for DivvyCloud Instance(s)

1. Log in as an admin to the AWS console in the account where DivvyCloud is deployed, and open the Identity & Access Management (IAM) service.

2. Select Roles and click "Create role".

AWS Console - Create Role

3. Select AWS service as the trusted entity, choose EC2, and then click "Next: Permissions".

AWS - Select EC2

4. To attach your policies, search for the policies you created earlier, e.g., DivvyCloud-PowerUser-Policy and STS-Policy, one at a time.

  • You can find them by filtering your results by name.

5. Check the box next to the policy name. Repeat for the second policy.

AWS Console - Attach Policy

6. Click on "Next: Review".

AWS Console - Review

7. To create the role, complete the following:

  • Name: Use a descriptive name, e.g., DivvyCloud-PowerUser-Role.
  • Description: Add a description, e.g., ‘This role can be used by DivvyCloud to access a PowerUser policy to manage AWS services in this account and any AWS accounts with one-to-one trusted relationships.’

8. Confirm that both policies are attached and click on "Create role".

AWS Console - Create the Role

9. Search for your role and select it.

AWS Console - Locate Your Role and Select

10. Copy the Role ARN and save it for later use. You will use this Amazon Resource Name (ARN) to configure DivvyCloud and connect to your AWS account.

AWS Console - Sample ARN

11. Either during launch or after, assign the role you created, e.g., DivvyCloud-PowerUser-Role, to your EC2 instances that are running DivvyCloud.

  • (Note that we recommend at least 4 cores, 8 GB of memory and 30 GB of disk space for DivvyCloud instances.)

AWS Console - Assign Your Role

12. From your DivvyCloud account, navigate to Clouds on the main navigation and select "Add Cloud" in the upper right.

DivvyCloud Platform - Add Cloud

13. Complete the form as follows:

  • Choose “Instance Assume Role” for the authentication type.
  • Paste in the Role ARN from the AWS Console above and enter an intuitive nickname for the session name. (This session name is only used for CloudTrail API audit purposes. Recommended name is DivvyCloud.)

DivvyCloud Platform - Add Cloud

External ID & Security

While the External ID field is optional and only relevant if you are adding a trusted AWS account, we strongly recommend including an external ID to provide additional security for this account.

14. Select the Harvesting Strategies you wish to use for your cloud account.

15. Add any "Badges" to this cloud account.

  • Badges are key/value pairs that can be used for filtering and identifying resources from the parent cloud account. They provide a way to assign additional metadata to resources within the DivvyCloud platform.

DivvyCloud Platform - Add Badges

Steps for Additional AWS Accounts

1. Log in as an admin to the AWS console in the account that you would like to add to DivvyCloud.

  • Open the Identity & Access Management (IAM) service.
  • Add the appropriate IAM policy.

2. Select Roles and click "Create role".

AWS Console - Create Role

3. Select Another AWS Account and complete the details as follows:

External ID & Security

We strongly recommend that you include an external ID (as specified below) to ensure additional security for this account.

  • Account ID: Enter the account ID of the AWS account that is hosting DivvyCloud.
  • Options: Select Require External ID and add an external ID. It functions like a password, and you will use it later when adding the account to DivvyCloud.

4. Click on "Next: Permissions".

AWS Console - External ID

5. Repeat the steps above to:

  • Attach either the read-only policy or the power-user policy (the STS policy is not necessary) to the role,
  • Finish creating the role by copying the account ID and Role ARN, and then using that information in DivvyCloud to add the account.
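As an added example (not part of the DivvyCloud docs or product), the following Python builds the two trust policies that the console steps above produce, the EC2 service trust for the instance role and the cross-account trust with a required external ID for each additional account, and includes an audit check that a trust policy actually enforces the external ID. Function names are assumed, and the account ID and external ID values in the comments and tests are constructed placeholders.

```python
# Trust policy the console writes for the instance role (trusted entity
# "AWS service" -> EC2). Assumed shape for illustration, not DivvyCloud's code.
def ec2_trust_policy() -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

# Trust policy for a role in an additional account ("Another AWS account"
# with "Require external ID"). Only principals in the DivvyCloud hosting
# account that also present the external ID can assume it; the external ID
# is what stops a third party from using the role on your behalf.
def cross_account_trust_policy(hosting_account_id: str, external_id: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hosting_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

# Audit check: every Allow statement that lets an AWS account principal
# (or a wildcard principal) assume the role must carry a StringEquals
# condition on sts:ExternalId. Service principals such as EC2 do not use
# external IDs, so they are skipped.
def requires_external_id(trust_policy: dict) -> bool:
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        is_aws = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
        if stmt.get("Effect") != "Allow" or not is_aws:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return True
```

Running requires_external_id over the trust policies of the roles you created is a quick way to confirm that none of the additional accounts was added without the external ID condition.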
