Set up AWS for automated tests with TrustCloud

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack, and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your AWS account, so that TrustCloud can validate and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to AWS

1. AWS access is granted through CloudFormation, using the link shown in TrustOps when you create an AWS connection:

The link includes a URL for a CloudFormation template, as well as TrustCloud’s account ID, so that only TrustCloud can assume this role. If you inspect the CloudFormation template, you’ll see it only adds two policies, SecurityAudit and ViewOnlyAccess. Both are AWS-managed policies designed specifically to support security audits. They do not grant any data-level permissions; TrustCloud can only inspect your metadata and configuration settings.

2. Under Capabilities, check the box that says “I acknowledge that AWS CloudFormation might create IAM resources with custom names”, then click Create Stack.

3. Once stack creation is complete, click the Outputs tab. The two key/value pairs shown there are used to set up the connection in TrustOps; they contain your account ID, allowing TrustCloud to assume the role.

Additional Information

The following links to AWS documentation help explain how the access mechanism works, and the purpose of the external ID value.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
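As an added, constructed check (not TrustCloud's own code or template), the following Python script validates a role's trust policy and attached-policy list against what step 1 and the links above describe: only the auditor's account may assume the role, only with the expected external ID, and only the SecurityAudit and ViewOnlyAccess managed policies are attached. The account ID, external ID and sample policy document are placeholders, not real values.

```python
"""Validate a cross-account audit role's scope (constructed example).

The trust policy below is a hypothetical sample, not TrustCloud's template;
the account ID and external ID are placeholders.
"""
AUDITOR_ACCOUNT_ID = "111111111111"           # placeholder, not a real account
EXPECTED_EXTERNAL_ID = "example-external-id"  # placeholder external ID
# The only policies an audit role should carry: both AWS-managed, read-only.
ALLOWED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
}

# Sample trust policy document in the shape IAM returns (constructed).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_trust_policy(doc, auditor_account, external_id):
    """Return findings for each Allow sts:AssumeRole statement; [] means OK."""
    findings = []
    expected_root = f"arn:aws:iam::{auditor_account}:root"
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" or a non-AWS principal is never acceptable for an audit role.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p not in (expected_root, auditor_account):
                findings.append(f"unexpected principal {p}")
        # The external ID condition is what blocks confused-deputy misuse of the role.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings

def check_attached_policies(attached_arns):
    """Flag any managed policy beyond the two read-only audit policies."""
    return [f"unexpected policy {a}" for a in attached_arns if a not in ALLOWED_POLICY_ARNS]
```

In practice you would feed this the `AssumeRolePolicyDocument` and the attached policy ARNs returned by the IAM API for the role the stack created, rather than the embedded sample.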
