Least-Privileged Access (LPA) - Setup & Config

Before getting started with the Access Explorer's User Activity capability, Cloud IAM Governance users must complete the configuration described on this page so that the system can import and display the associated data.

These settings are displayed as "LPA (Least-Privileged Access) Configuration" within InsightCloudSec, as the User Activity capability is the first component of our future LPA feature.

These requirements consist of the following:

  • Creating/Validating the appropriate IAM Roles and Permissions
  • Creating CloudTrails (this step is optional if you have an existing CloudTrail you plan to use with User Activity/LPA)
  • Updating Data Settings & Configuration within InsightCloudSec

Steps for each of those individual items are outlined below. Check out the Access Explorer - Setup or Access Explorer - Configuration and Settings pages for configuration details on the main Access Explorer feature.

If you have any questions or issues with User Activity reach out through any of the options outlined on the Getting Support page.

IAM Roles and Permissions

Permissions

User Activity (LPA) requires multiple services and different roles to work correctly. The permissions from the following AWS services are required:

  • Athena: Main Query Executor
  • Glue: Used for retrieving the schema information
  • S3: CloudTrail source inputs, and Working bucket outputs

Policies

There are two policies that are required:

  • Cloudtrail Source Policy: This policy is applied to the credentials configured when specifying a Cloudtrail Source. This credential reads CloudTrail source data and invokes Athena.
  • Working Bucket Policy: This policy is applied to the credentials configured to interact with the working bucket. It’s used for housekeeping of the working bucket as well as data retrieval.

In the below policies, there are fields you will need to update to reflect your specific environment.

Cloudtrail Source Policy

Additional CloudTrail Policy Considerations

We recommend that you choose a role for the CloudTrail source that shares an account with the CloudTrail S3 Bucket. If the role reading the CloudTrail source is in a separate account from the S3 bucket where the CloudTrail data is located, you may need to adjust object ownership permissions on the data, otherwise aggregations will fail with a “Forbidden” error when attempting to execute Athena queries.

If you choose not to configure this policy based on our recommendations you can address this potential error by:

  • Navigating to the CloudTrail bucket, selecting “Permissions” and changing the Object ownership from “Object Writer” to “Bucket Owner Preferred”. Note: This does NOT change existing permissions and additional configuration will be required to revise permissions/ownership of existing files, refer to the AWS docs on how to do so.

If you have questions or issues with these configuration requirements reach out to us through any of the options identified under Getting Support.

Update Sample Policy Fields

The fields in this policy that need to be updated with your data are:

  • <region>:<account_id>
  • <cloudtrail_source_bucket>
  • <working_bucket>
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeRegionsForSetup",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeRegions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AthenaPermissionsForLPA",
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetWorkGroup",
                "athena:UpdateWorkGroup",
                "athena:CreateWorkGroup"
            ],
            "Resource": [
                "arn:aws:athena:<region>:<account_id>:workgroup/ics-iam-lpa"
            ]
        },
        {
            "Sid": "AthenaPermissionsForGlue",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabase",
                "glue:CreateTable",
                "glue:GetPartitions",
                "glue:CreateDatabase",
                "glue:DeleteTable",
                "glue:GetTable"
            ],
            "Resource": [
                "arn:aws:glue:<region>:<account_id>:catalog",
                "arn:aws:glue:<region>:<account_id>:database/ics-iam-lpa",
                "arn:aws:glue:<region>:<account_id>:table/ics-iam-lpa/*"
            ]
        },
        {
            "Sid": "AllowReadsFromSourceBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<cloudtrail_source_bucket>",
                "arn:aws:s3:::<cloudtrail_source_bucket>/*"
            ]
        },
        {
            "Sid": "AllowAthenaToWriteToWorkingBucket",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:PutLifecycleConfiguration",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<working_bucket>",
                "arn:aws:s3:::<working_bucket>/*"
            ]
        }
    ]
}
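The three placeholders above are easy to mistype, and a bad substitution can leave a `<...>` token in a resource ARN or, worse, tempt someone to "fix" a failing statement by widening it to `*`. The following script is an added example (not code from the InsightCloudSec documentation or from Rapid7): it renders the Cloudtrail Source Policy template with one environment's values, refuses values that do not look like an account id, region or bucket name, and lints the rendered policy so that the only statement with `Resource: "*"` remains `ec2:DescribeRegions`, as on this page. The template is an abridged copy of the policy above (the Glue statement is omitted for brevity), and the account id, region and bucket names are constructed placeholders.

```python
import json
import re

# Added example; this is not code from the InsightCloudSec documentation. It
# fills the <placeholders> of the Cloudtrail Source Policy with values for one
# environment and then lints the rendered policy for scope, so that a typo does
# not silently widen it. The template is an abridged copy of the page's policy
# (the Glue statement is left out for brevity); all fill-in values are
# constructed placeholders.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DescribeRegionsForSetup", "Effect": "Allow",
     "Action": ["ec2:DescribeRegions"], "Resource": "*"},
    {"Sid": "AthenaPermissionsForLPA", "Effect": "Allow",
     "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                "athena:GetQueryResults", "athena:GetWorkGroup",
                "athena:UpdateWorkGroup", "athena:CreateWorkGroup"],
     "Resource": ["arn:aws:athena:<region>:<account_id>:workgroup/ics-iam-lpa"]},
    {"Sid": "AllowReadsFromSourceBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::<cloudtrail_source_bucket>",
                  "arn:aws:s3:::<cloudtrail_source_bucket>/*"]},
    {"Sid": "AllowAthenaToWriteToWorkingBucket", "Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": ["arn:aws:s3:::<working_bucket>",
                  "arn:aws:s3:::<working_bucket>/*"]}
  ]
}"""

PLACEHOLDER = re.compile(r"<([a-z_]+)>")
# Formats each placeholder must satisfy (assumed from AWS naming rules).
VALUE_FORMATS = {
    "account_id": re.compile(r"^\d{12}$"),
    "region": re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$"),
    "cloudtrail_source_bucket": re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$"),
    "working_bucket": re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$"),
}
# The only actions the page deliberately grants on Resource "*".
WILDCARD_RESOURCE_ALLOWED = {"ec2:DescribeRegions"}


def render_policy(template, values):
    """Substitute every <placeholder>; refuse missing or malformed values."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"no value supplied for <{name}>")
        fmt = VALUE_FORMATS.get(name)
        if fmt and not fmt.match(values[name]):
            raise ValueError(f"malformed value for <{name}>: {values[name]!r}")
        return values[name]
    return json.loads(PLACEHOLDER.sub(substitute, template))


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for statements broader than the page's policy."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide action wildcard")
        if "*" in resources and not set(actions) <= WILDCARD_RESOURCE_ALLOWED:
            findings.append(f"{sid}: Resource '*' on actions that should be "
                            "scoped to a bucket or workgroup")
        if any("<" in r for r in resources):
            findings.append(f"{sid}: unfilled placeholder in Resource")
    return findings


if __name__ == "__main__":
    # Constructed values for illustration only.
    values = {"region": "us-east-1", "account_id": "123456789012",
              "cloudtrail_source_bucket": "example-cloudtrail-logs",
              "working_bucket": "example-ics-lpa-working"}
    rendered = render_policy(POLICY_TEMPLATE, values)
    print(json.dumps(rendered, indent=2))
    print("findings:", lint_policy(rendered) or "none")
```

Run it with your own values in place of the constructed ones and attach the rendered JSON to the IAM role; an empty findings list means the policy is no broader than the one on this page.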

Working Bucket Policy

Additional Bucket Policy Considerations

If the working S3 bucket and the CloudTrail source S3 bucket are in different accounts (which is the most likely case), you must also grant the source account the same access as below through a bucket policy on the working bucket.

Update Sample Policy Fields

The field in this policy that needs to be updated with your data is:

  • <working_bucket>
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DescribeRegionsForSetup",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        },
        {
            "Sid": "ManageObjectsForAggregation",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::<working_bucket>",
                "arn:aws:s3:::<working_bucket>/*"
            ]
        }
    ]
}
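The Working Bucket Policy above is an identity policy; when the working bucket sits in a different account from the credentials that read the CloudTrail source, the note above says the working bucket itself must grant that account the same access. The script below is an added example, not code from the InsightCloudSec documentation or from Rapid7: it builds that bucket policy for a named role, using the same S3 actions as the Working Bucket Policy, and splits them into a bucket-level statement (`s3:ListBucket`, `s3:PutLifecycleConfiguration`) and an object-level statement, because S3 evaluates those two groups against different resource ARNs. It also refuses a wildcard principal, since the working bucket holds aggregated activity data. The bucket name and role ARN are constructed placeholders.

```python
# Added example; this is not code from the InsightCloudSec documentation. It
# builds the bucket policy the note above calls for when the working bucket and
# the credentials reading the CloudTrail source live in different accounts: the
# source account's role is granted the same S3 actions as the Working Bucket
# Policy, split into bucket-level and object-level statements because a bucket
# policy has to name the right resource for each. Bucket name and role ARN are
# constructed placeholders.

# Actions copied from the page's Working Bucket Policy.
WORKING_BUCKET_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration",
]
# S3 actions that are evaluated against the bucket ARN rather than an object
# ARN (from the S3 action reference; everything else here is object-level).
BUCKET_LEVEL_ACTIONS = {
    "s3:ListBucket", "s3:PutLifecycleConfiguration", "s3:GetBucketLocation",
    "s3:ListBucketMultipartUploads",
}


def split_actions(actions):
    """Partition actions into (bucket-level, object-level) sorted lists."""
    bucket = sorted(a for a in actions if a in BUCKET_LEVEL_ACTIONS)
    objects = sorted(a for a in actions if a not in BUCKET_LEVEL_ACTIONS)
    return bucket, objects


def working_bucket_policy(bucket, principal_arns, actions=WORKING_BUCKET_ACTIONS):
    """Bucket policy granting the named principals the working-bucket actions."""
    if not principal_arns or any(p == "*" for p in principal_arns):
        # A wildcard principal would make the working bucket world-writable.
        raise ValueError("principal_arns must name specific IAM principals")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_actions, object_actions = split_actions(actions)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "SourceAccountBucketLevel", "Effect": "Allow",
             "Principal": {"AWS": list(principal_arns)},
             "Action": bucket_actions, "Resource": bucket_arn},
            {"Sid": "SourceAccountObjectLevel", "Effect": "Allow",
             "Principal": {"AWS": list(principal_arns)},
             "Action": object_actions, "Resource": f"{bucket_arn}/*"},
        ],
    }


def grants_same_access(bucket_policy, iam_actions):
    """True if every action the IAM-side policy allows is also allowed here."""
    granted = set()
    for stmt in bucket_policy["Statement"]:
        granted.update(stmt["Action"])
    return set(iam_actions) <= granted


if __name__ == "__main__":
    import json
    policy = working_bucket_policy(
        "example-ics-lpa-working",
        ["arn:aws:iam::111111111111:role/ics-cloudtrail-source"])
    print(json.dumps(policy, indent=2))
    print("matches IAM policy:", grants_same_access(policy, WORKING_BUCKET_ACTIONS))
```

`grants_same_access` is the check to run after editing either side: if the identity policy ever gains an action the bucket policy does not grant, cross-account requests for that action will be denied even though the role's own policy allows it.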

Creating a CloudTrail

Before getting started with User Activity (LPA) you will need to have a CloudTrail configured. Follow the steps below, and refer to the AWS documentation for further detail on creating a new CloudTrail.

Steps for Creating a New CloudTrail

1. Navigate to the CloudTrail service in the AWS Console for the account that the trail should be created in.

2. Select “Create Trail”.

3. Complete the trail attributes as follows:

  • Trail name: Your desired CloudTrail name
  • Storage location: Create new s3 bucket
    • Create a new log bucket and folder
  • Log file SSE-KMS encryption: enabled (recommended)
  • Customer managed AWS KMS key: your desired AWS KMS key
    • AWS KMS alias: your desired KMS alias
  • Additional settings
    • Log file validation: not required
    • SNS notification delivery: not required
  • CloudWatch Logs (optional): not required
  • Tags (optional): not required

Example CloudTrail Setup

4. Click "Next" once you have completed the form with your desired information.

5. Click "Create trail" to complete.

Settings & Configuration

These steps assume you have all of the appropriate configuration details on hand to complete the User Activity (LPA) configuration within InsightCloudSec.

1. Navigate to "Security --> Access Explorer" and select the gear icon on the top right of the page.

2. On the Settings page, select "LPA Configuration".

Access Explorer - LPA Configuration

3. Complete the form/fields as follows:

Working Directory Location

  • S3 URI: Update with the S3 bucket details associated with the bucket where your LPA (User Activity) will be stored. We recommend that:
    • You create an S3 bucket that is dedicated to storage of the LPA (User Activity) data
    • This dedicated bucket resides in the same location as your InsightCloudSec installation

Working Directory Authentication

  • Authentication Type: Select the credentials associated with the bucket you have configured to store LPA (User Activity) data
    • The fields will vary based on the credential type (e.g., Use Cloud Credentials, Assume Role, or STS Role)
    • Note: The selected credentials must have read/write access to the specified S3 bucket URI.

Test Settings
This button allows you to confirm that you have supplied a valid configuration. If you receive an error, it may be the result of an incorrect S3 URI, misconfigured policies, or invalid IAM credentials.

Success - Valid Test Settings

LPA CloudTrail Sources

  • S3 URI: Update with the S3 bucket details associated with the CloudTrail you want to use

LPA Settings - Sample Source Config

Notes on LPA CloudTrail Sources

This section supports a list of sources of CloudTrail data, and there can be more than one. Each source must contain the following:

  • A unique name for identification purposes
  • An S3 URI that points at the CloudTrail source. Note: This directory MUST POINT TO A DIRECTORY OF ACCOUNT IDS. (i.e. The prefix specified, when viewed in the S3 management console, must show a list of directories representing account ids.)
  • Credentials with READ access to the above S3 URI, WRITE access to the working LPA BUCKET, and Athena query read/execute permissions.
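The "directory of account ids" requirement is the one most often missed: pointing the source URI at the bucket root (where the only "directory" is `AWSLogs/`) or at a single account's folder (where the directories are `CloudTrail/` and `CloudTrail-Digest/`) both fail. The script below is an added example, not code from the InsightCloudSec documentation or from Rapid7; it parses an `s3://` URI and checks, against a constructed listing laid out the way CloudTrail writes its keys (`AWSLogs/<account-id>/CloudTrail/<region>/...`), that everything directly beneath the prefix is a 12-digit account id. The bucket name, account ids and object keys are constructed, and `list_common_prefixes` stands in for an S3 `ListObjectsV2` call with `Delimiter="/"` so the check runs offline.

```python
import re
from urllib.parse import urlparse

# Added example; this is not code from the InsightCloudSec documentation. It
# checks, offline, the requirement in the note above: the CloudTrail source S3
# URI must point at a prefix whose immediate "sub-directories" are account ids.
# The object keys below are constructed, laid out the way CloudTrail writes
# them (AWSLogs/<account-id>/CloudTrail/<region>/...); the listing helper
# stands in for an S3 ListObjectsV2 call with Delimiter="/".

ACCOUNT_DIR = re.compile(r"^\d{12}/$")

# Constructed sample of keys in an imaginary CloudTrail bucket.
SAMPLE_KEYS = [
    "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/"
    "123456789012_CloudTrail_us-east-1_20240101T0000Z_a1b2.json.gz",
    "AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2024/01/01/"
    "123456789012_CloudTrail-Digest_us-east-1_20240101T0000Z.json.gz",
    "AWSLogs/210987654321/CloudTrail/eu-west-1/2024/01/01/"
    "210987654321_CloudTrail_eu-west-1_20240101T0000Z_c3d4.json.gz",
]


def parse_s3_uri(uri):
    """Split s3://bucket/prefix into (bucket, prefix) with a trailing slash."""
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an s3:// URI: {uri!r}")
    prefix = parsed.path.lstrip("/")
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    return parsed.netloc, prefix


def list_common_prefixes(keys, prefix):
    """Offline stand-in for ListObjectsV2(Prefix=prefix, Delimiter='/'):
    the 'directories' directly beneath prefix."""
    found = set()
    for key in keys:
        if key.startswith(prefix):
            rest = key[len(prefix):]
            if "/" in rest:
                found.add(prefix + rest.split("/", 1)[0] + "/")
    return sorted(found)


def check_source_prefix(common_prefixes, prefix):
    """Problems that would make a source URI unusable for User Activity."""
    problems = []
    children = [p[len(prefix):] for p in common_prefixes]
    if not children:
        problems.append("prefix contains no sub-directories")
    for child in children:
        if not ACCOUNT_DIR.match(child):
            problems.append(f"{child!r} is not a 12-digit account id directory")
    return problems


def validate_source_uri(uri, keys=SAMPLE_KEYS):
    """Return [] when uri points at a directory of account ids, else problems."""
    _bucket, prefix = parse_s3_uri(uri)
    return check_source_prefix(list_common_prefixes(keys, prefix), prefix)


if __name__ == "__main__":
    for uri in ("s3://example-cloudtrail-logs/AWSLogs/",
                "s3://example-cloudtrail-logs/",
                "s3://example-cloudtrail-logs/AWSLogs/123456789012/"):
        print(uri, "->", validate_source_uri(uri) or "OK")
```

Against a real bucket, replace `list_common_prefixes` with the `CommonPrefixes` returned by a delimiter listing under the same prefix; the validation logic stays the same. For an organization trail the account id directories sit one level deeper, under the organization id folder, so the source URI must include that folder.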

After these fields are successfully configured you should be able to access the User Activity (LPA) functionality from the "Access Explorer --> Principals" view through the context menu "User Activity" option.

Refer to the User Activity section of the Using Access Explorer - Feature Guide for specific details on viewing and accessing this data.
