Sentinel 360‎ > ‎

Quickstart Guide

IAM Role Setup on AWS

We need to create two roles for Sentinel 360. The first role will be an instance profile that we will launch Sentinel 360 into. The permissions on this role allow the monkey to use STS to assume to other roles as well as use SES to send email.

Creating the SecurityMonkeyInstanceProfile IAM Role

SecurityMonkeyInstanceProfile is an IAM role that the Sentinel 360 instance will operate as. This role has a limited set of permissions. The SecurityMonkey role (created later) will have the majority of permissions, and will be placed in all AWS accounts that you wish to manage (including the account that the Sentinel 360 app operates in).

  1. To create a new Role, navigate to the IAM section of the AWS console. Once there, select "Roles": image

  2. Once there, click "Create Role": image

  3. You will be asked to select the type of role to create. We are going to create an AWS Service Role for Amazon EC2: image

  4. You will be asked to attach a (managed) policy (Attach Policy page). Please skip this step by clicking Next Step. image

  5. At the next screen, you will type in the name of the IAM role and provide a description. Please name the role SecurityMonkeyInstanceProfile. Then, click Create Role See the following screenshot: image

At this point, you now have a new IAM role named SecurityMonkeyInstanceProfile. This is the IAM role that the Sentinel 360 application will operate as. However, the role lacks permissions. We will need to add some permissions to make this role useful.

Grant the SecurityMonkeyInstanceProfile Permissions

  1. In the IAM Role section of the AWS console, search for the SecurityMonkeyInstanceProfile, and click on the IAM role name. You should see something similar to: image

  2. You will need to create an inline policy, to do this, select Inline Policies, then click here: image

  3. Next, we are going to copy and paste in an IAM policy. So, you want to select Custom Policy: image

  4. Finally, you will add in the policy. Under Policy Name, supply: SecurityMonkeyLaunchPerms, and for the Policy Document, paste in:

  5. {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "ses:SendEmail",
               "Resource": "*"
           },
           {
               "Effect": "Allow",
               "Action": "sts:AssumeRole",
               "Resource": "arn:aws:iam::*:role/SecurityMonkey"
           }
       ]
    }

  6. Click Apply Policy.

Creating SecurityMonkey Role

You must now create the SecurityMonkey role that will actually be used to fetch the details about your AWS account. You will need to create this role in all AWS accounts that you want to monitor.

The instructions below assume you now know how to create IAM roles from the above instructions:

  1. Create a new IAM role with the AWS Service Role type for Amazon EC2.

  2. Skip attaching a managed policy (simply click Next Step at the Attach Policy page).

  3. Create a new IAM role and name it SecurityMonkey: image

  4. Once you create the role, you will need to add a new inline policy to it. Search for the SecurityMonkey IAM role, and select it for editing.

  5. You will add in the following custom inline custom policy named SecurityMonkeyReadOnly:

  6. {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Action": [
                   "acm:describecertificate",
                   "acm:listcertificates",
                   "cloudtrail:describetrails",
                   "cloudtrail:gettrailstatus",
                   "config:describeconfigrules",
                   "config:describeconfigurationrecorders",
                   "directconnect:describeconnections",
                   "ec2:describeaddresses",
                   "ec2:describedhcpoptions",
                   "ec2:describeflowlogs",
                   "ec2:describeimages",
                   "ec2:describeinstances",
                   "ec2:describeinternetgateways",
                   "ec2:describekeypairs",
                   "ec2:describenatgateways",
                   "ec2:describenetworkacls",
                   "ec2:describenetworkinterfaces",
                   "ec2:describeregions",
                   "ec2:describeroutetables",
                   "ec2:describesecuritygroups",
                   "ec2:describesnapshots",
                   "ec2:describesubnets",
                   "ec2:describetags",
                   "ec2:describevolumes",
                   "ec2:describevpcendpoints",
                   "ec2:describevpcpeeringconnections",
                   "ec2:describevpcs",
                   "ec2:describevpnconnections",
                   "ec2:describevpngateways",
                   "elasticloadbalancing:describeloadbalancerattributes",
                   "elasticloadbalancing:describeloadbalancerpolicies",
                   "elasticloadbalancing:describeloadbalancers",
                   "elasticloadbalancing:describelisteners",
                   "elasticloadbalancing:describerules",
                   "elasticloadbalancing:describesslpolicies",
                   "elasticloadbalancing:describetags",
                   "elasticloadbalancing:describetargetgroups",
                   "elasticloadbalancing:describetargetgroupattributes",
                   "elasticloadbalancing:describetargethealth",
                   "es:describeelasticsearchdomainconfig",
                   "es:listdomainnames",
                   "iam:getaccesskeylastused",
                   "iam:getgroup",
                   "iam:getgrouppolicy",
                   "iam:getloginprofile",
                   "iam:getpolicyversion",
                   "iam:getrole",
                   "iam:getrolepolicy",
                   "iam:getservercertificate",
                   "iam:getuser",
                   "iam:getuserpolicy",
                   "iam:listaccesskeys",
                   "iam:listattachedgrouppolicies",
                   "iam:listattachedrolepolicies",
                   "iam:listattacheduserpolicies",
                   "iam:listentitiesforpolicy",
                   "iam:listgrouppolicies",
                   "iam:listgroups",
                   "iam:listinstanceprofilesforrole",
                   "iam:listmfadevices",
                   "iam:listpolicies",
                   "iam:listrolepolicies",
                   "iam:listroles",
                   "iam:listsamlproviders",
                   "iam:listservercertificates",
                   "iam:listsigningcertificates",
                   "iam:listuserpolicies",
                   "iam:listusers",
                   "kms:describekey",
                   "kms:getkeypolicy",
                   "kms:getkeyrotationstatus",
                   "kms:listaliases",
                   "kms:listgrants",
                   "kms:listkeypolicies",
                   "kms:listkeys",
                   "lambda:listfunctions",
                   "rds:describedbclusters",
                   "rds:describedbclustersnapshots",
                   "rds:describedbinstances",
                   "rds:describedbsecuritygroups",
                   "rds:describedbsnapshots",
                   "rds:describedbsubnetgroups",
                   "redshift:describeclusters",
                   "route53:listhostedzones",
                   "route53:listresourcerecordsets",
                   "route53domains:listdomains",
                   "route53domains:getdomaindetail",
                   "s3:getaccelerateconfiguration",
                   "s3:getbucketacl",
                   "s3:getbucketcors",
                   "s3:getbucketlocation",
                   "s3:getbucketlogging",
                   "s3:getbucketnotification",
                   "s3:getbucketpolicy",
                   "s3:getbuckettagging",
                   "s3:getbucketversioning",
                   "s3:getbucketwebsite",
                   "s3:getlifecycleconfiguration",
                   "s3:listbucket",
                   "s3:listallmybuckets",
                   "s3:getreplicationconfiguration",
                   "s3:getanalyticsconfiguration",
                   "s3:getmetricsconfiguration",
                   "s3:getinventoryconfiguration",
                   "ses:getidentityverificationattributes",
                   "ses:listidentities",
                   "ses:listverifiedemailaddresses",
                   "ses:sendemail",
                   "sns:gettopicattributes",
                   "sns:listsubscriptionsbytopic",
                   "sns:listtopics",
                   "sqs:getqueueattributes",
                   "sqs:listqueues"
               ],
               "Effect": "Allow",
               "Resource": "*"
           }
       ]
    }

  7. Review and create the new role.

Allow SecurityMonkeyInstanceProfile to "Assume" to the SecurityMonkeyRole.

For Sentinel 360 to make use of the SecurityMonkey IAM role, it needs to have the ability to Assume into it. The SecurityMonkeyInstanceProfile has sts:AssumeRole permissions for all AWS account roles named SecurityMonkey, however, the destination IAM roles also need to permit the source role access to it. This is specified in a role's AssumeRolePolicyDocument. You must alter this to permit the Sentinel 360 instance the ability from assuming the roles.

At this point, you should have 2 Sentinel 360 related IAM roles in your account: SecurityMonkeyInstanceProfile, and SecurityMonkey.: image

  1. Select the SecurityMonkey role for modification.

  2. On the IAM role page for SecurityMonkey, select Trust Relationships, and select Edit trust relationship: image

  3. Paste in the following Policy Document:

  4. {
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::<YOUR ACCOUNTID GOES HERE>:role/SecurityMonkeyInstanceProfile"
               },
               "Action": "sts:AssumeRole"
           }
       ]
    }

  5. Don't forget to replace <YOUR AWS ACCOUNT ID GOES HERE> with your AWS account ID (the account running Sentinel 360)!

  6. Click Update Trust Policy

Adding more accounts

To have your instance of Sentinel 360 monitor additional accounts, you must add the SecurityMonkey role in each account you want to monitor. Follow the instructions above to create the new SecurityMonkey role. The Trust Relationshippolicy should have the account ID of the account where the Sentinel 360 instance is running.

Note

Additional SecurityMonkeyInstanceProfile roles are not required. You only need to create new SecurityMonkey roles.

Note

You will also need to add the new account in the Web UI, and restart the scheduler. More information on how do to this will be presented later in this guide.


Click here for Admin Setup