AWS

Set up AWS for automated tests with TrustCloud!

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your AWS account so that TrustCloud can validate and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to AWS

1. AWS access can be granted through CloudFormation using the link found in your TrustOps account to create an AWS connection:
   The link includes a URL for a CloudFormation template as well as TrustCloud’s account ID, so that only TrustCloud can assume this role. If you inspect the CloudFormation template, it only adds two policies — SecurityAudit and ViewOnlyAccess. Both those policies are AWS-managed and are designed specifically for the purpose of helping security audits. These policies do not grant any data-related permissions. TrustCloud can only inspect your metadata/configurations.
2. Under the ‘Capabilities’ section, check the box that says “I acknowledge that AWS CloudFormation might create IAM resources with custom names”, then click on the “Create Stack” button.
3. Once stack creation is complete, click on the ‘Outputs’ tab. The two key/value pairs will be used to set up the connection in TrustOps. These contain your account ID, allowing TrustOps to assume the role.

Additional Information

The following links to AWS documentation help explain how the access mechanism works and the purpose of the external ID value.

• Providing access to AWS accounts owned by third parties
• How to use an external ID when granting access to your AWS resources to a third party