1 Reply Latest reply on Feb 17, 2020 1:58 AM by Anuparn Padalia

    AWS Cloud KM

    Ravi Nayan

      Hi All,

      I am in a challenging situation where I have deployed the BMC AWS Cloud KM.

      But in the configuration of the AWS Cloud KM it needs an Access Key and Secret Key.

      Whereas the AWS Cloud security team is looking for the usage of an AWS Role, which Splunk or other tools can do, or some methodology where it accepts the changing of the Access Key and Secret Key automatically, so that human intervention is not needed.

      Please suggest, or BMC would lose the opportunities.

      Thanks & Regards,

      Ravi Nayan

      Ph no: +919538585550

        • 1. Re: AWS Cloud KM
          Anuparn Padalia

          Hi Ravi,

          You can use an IAM user account instead of using an Access Key or Secret Key.

          If you are using an IAM user then you need the following rights in the IAM policy.

          {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Sid": "Stmt1433933070000",
                      "Effect": "Allow",
                      "Action": [
                          "cloudwatch:*",
                          "ec2:Describe*",
                          "cloudwatch:GetMetricStatistics",
                          "cloudwatch:ListMetrics",
                          "cloudwatch:Describe*",
                          "elasticache:Describe*",
                          "elasticloadbalancing:Describe*",
                          "rds:Describe*",
                          "rds:List*",
                          "sns:List*",
                          "sns:Get*",
                          "sqs:List*",
                          "sqs:Get*"
                      ],
                      "Resource": [
                          "*"
                      ]
                  }
              ]
          }

          {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Sid": "Stmt1433934024000",
                      "Effect": "Allow",
                      "Action": [
                          "iam:GetUser"
                      ],
                      "Resource": [
                          "arn:aws:iam::240443348280"
                      ]
                  }
              ]
          }

          The policy can be changed to IAMReadOnlyPolicy.

          Regards,

          Anuparn Padalia
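As an added example (not from this thread or from BMC), the following Python check runs over the first policy in the reply above and flags two least-privilege issues a reviewer would raise before granting it: the "cloudwatch:*" wildcard is write-capable (it covers PutMetricAlarm, DeleteAlarms and similar), and it makes the three specific cloudwatch read actions redundant. The read-only prefix heuristic is an assumption, not an AWS guarantee.

```python
import fnmatch
import json

# The first policy from the reply above, copied here as a Python literal so the check runs offline.
KM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1433933070000", "Effect": "Allow",
        "Action": ["cloudwatch:*", "ec2:Describe*", "cloudwatch:GetMetricStatistics",
                   "cloudwatch:ListMetrics", "cloudwatch:Describe*", "elasticache:Describe*",
                   "elasticloadbalancing:Describe*", "rds:Describe*", "rds:List*",
                   "sns:List*", "sns:Get*", "sqs:List*", "sqs:Get*"],
        "Resource": ["*"],
    }],
}

# Heuristic (assumption, not an AWS guarantee): IAM actions whose verb starts with one of
# these prefixes are read-only; anything else, including a bare "*", can create/modify/delete.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _actions(stmt):
    """Normalise a statement's Action field to a list (IAM allows a single string too)."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def is_read_only(action):
    """'ec2:Describe*' -> True; 'cloudwatch:*' -> False (the wildcard also covers write actions)."""
    _service, _sep, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def find_write_capable_actions(policy):
    """Allowed actions the heuristic cannot confirm as read-only."""
    return [a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _actions(s) if not is_read_only(a)]


def find_redundant_actions(policy):
    """Actions already covered by a broader wildcard, e.g. 'cloudwatch:ListMetrics' under 'cloudwatch:*'."""
    actions = [a for s in policy["Statement"] for a in _actions(s)]
    return [a for a in actions
            if any(o != a and "*" in o and fnmatch.fnmatchcase(a, o) for o in actions)]


def tighten(policy):
    """Copy of the policy with write-capable entries dropped; the specific read actions the reply
    enumerates remain. Confirm the KM still collects data with it before rolling it out."""
    tightened = json.loads(json.dumps(policy))  # deep copy, leaves the input untouched
    for stmt in tightened["Statement"]:
        stmt["Action"] = [a for a in _actions(stmt) if is_read_only(a)]
    return tightened
```

Running `find_write_capable_actions(KM_POLICY)` returns `["cloudwatch:*"]`, and `tighten(KM_POLICY)` yields a policy with the twelve remaining read actions and no redundant entries.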