We need to create two roles for Security Monkey. The first role is an instance profile that we will launch Security Monkey into. The permissions on this role allow the monkey to use STS to assume other roles and to use SES to send email.
Create a new role and name it "SecurityMonkeyInstanceProfile":
Select "Amazon EC2" under "AWS Service Roles".
Select "Custom Policy":
Paste in this JSON with the name "SecurityMonkeyLaunchPerms":
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/SecurityMonkey"
        }
    ]
}
Review and create your new role.
Create a new role and name it "SecurityMonkey":
Select "Amazon EC2" under "AWS Service Roles".
Select "Custom Policy":
Paste in this JSON with the name "SecurityMonkeyReadOnly":
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:describecertificate",
                "acm:listcertificates",
                "cloudtrail:describetrails",
                "cloudtrail:gettrailstatus",
                "config:describeconfigrules",
                "config:describeconfigurationrecorders",
                "directconnect:describeconnections",
                "ec2:describeaddresses",
                "ec2:describedhcpoptions",
                "ec2:describeflowlogs",
                "ec2:describeimages",
                "ec2:describeinstances",
                "ec2:describeinternetgateways",
                "ec2:describekeypairs",
                "ec2:describenatgateways",
                "ec2:describenetworkacls",
                "ec2:describenetworkinterfaces",
                "ec2:describeregions",
                "ec2:describeroutetables",
                "ec2:describesecuritygroups",
                "ec2:describesnapshots",
                "ec2:describesubnets",
                "ec2:describetags",
                "ec2:describevolumes",
                "ec2:describevpcendpoints",
                "ec2:describevpcpeeringconnections",
                "ec2:describevpcs",
                "ec2:describevpngateways",
                "elasticloadbalancing:describeloadbalancerattributes",
                "elasticloadbalancing:describeloadbalancerpolicies",
                "elasticloadbalancing:describeloadbalancers",
                "es:describeelasticsearchdomainconfig",
                "es:listdomainnames",
                "iam:getaccesskeylastused",
                "iam:getgroup",
                "iam:getgrouppolicy",
                "iam:getloginprofile",
                "iam:getpolicyversion",
                "iam:getrole",
                "iam:getrolepolicy",
                "iam:getservercertificate",
                "iam:getuser",
                "iam:getuserpolicy",
                "iam:listaccesskeys",
                "iam:listattachedgrouppolicies",
                "iam:listattachedrolepolicies",
                "iam:listattacheduserpolicies",
                "iam:listentitiesforpolicy",
                "iam:listgrouppolicies",
                "iam:listgroups",
                "iam:listinstanceprofilesforrole",
                "iam:listmfadevices",
                "iam:listpolicies",
                "iam:listrolepolicies",
                "iam:listroles",
                "iam:listservercertificates",
                "iam:listsigningcertificates",
                "iam:listuserpolicies",
                "iam:listusers",
                "kms:describekey",
                "kms:getkeypolicy",
                "kms:listaliases",
                "kms:listgrants",
                "kms:listkeypolicies",
                "kms:listkeys",
                "lambda:listfunctions",
                "rds:describedbclusters",
                "rds:describedbclustersnapshots",
                "rds:describedbinstances",
                "rds:describedbsecuritygroups",
                "rds:describedbsnapshots",
                "rds:describedbsubnetgroups",
                "redshift:describeclusters",
                "route53:listhostedzones",
                "route53:listresourcerecordsets",
                "route53domains:listdomains",
                "route53domains:getdomaindetail",
                "s3:getaccelerateconfiguration",
                "s3:getbucketacl",
                "s3:getbucketcors",
                "s3:getbucketlocation",
                "s3:getbucketlogging",
                "s3:getbucketnotification",
                "s3:getbucketpolicy",
                "s3:getbuckettagging",
                "s3:getbucketversioning",
                "s3:getbucketwebsite",
                "s3:getlifecycleconfiguration",
                "s3:listbucket",
                "s3:listallmybuckets",
                "s3:getreplicationconfiguration",
                "s3:getanalyticsconfiguration",
                "s3:getmetricsconfiguration",
                "s3:getinventoryconfiguration",
                "ses:getidentityverificationattributes",
                "ses:listidentities",
                "ses:listverifiedemailaddresses",
                "ses:sendemail",
                "sns:gettopicattributes",
                "sns:listsubscriptionsbytopic",
                "sns:listtopics",
                "sqs:getqueueattributes",
                "sqs:listqueues"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Review and create the new role.
You should now have two roles available in your AWS Console:
Select the "SecurityMonkey" role and open the "Trust Relationships" tab.
Edit the Trust Relationship and paste this in:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<YOUR ACCOUNTID GOES HERE>:role/SecurityMonkeyInstanceProfile"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
To have your instance of Security Monkey monitor additional accounts, you must add a SecurityMonkey role in each new account. Follow the instructions above to create the new SecurityMonkey role. Its Trust Relationship policy should name the account ID of the account where the Security Monkey instance is running.
Note: Additional SecurityMonkeyInstanceProfile roles are not required. You only need to create a new SecurityMonkey role.
Note: You will also need to add the new account in the Web UI and restart the scheduler. More information on how to do this is presented later in this guide.
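As an added example that is not part of the Security Monkey docs or code base, the script below generates the SecurityMonkey trust relationship for a given monitoring account (the document shown above with the account-ID placeholder filled in) and lints policy documents before you paste them into the console: it flags wildcard or unexpected principals in a trust policy, which is the check you want when repeating the steps above for each additional monitored account, and it lists any Allow action in a "read-only" policy that is not a Describe, Get or List call. The account ID `111111111111`, the function names and the trimmed sample policy are constructed for this example; the role names are the ones used on this page.

```python
"""Generate and sanity-check the IAM policy documents used for Security Monkey.
Added example, not part of the Security Monkey project."""
import json
import re

INSTANCE_PROFILE_ROLE = "SecurityMonkeyInstanceProfile"  # role name used on this page
READ_ONLY_PREFIXES = ("describe", "get", "list")


def build_trust_policy(monitoring_account_id: str) -> dict:
    """Trust relationship for a SecurityMonkey role in a monitored account.

    Same document as the page's, with <YOUR ACCOUNTID GOES HERE> replaced by a
    validated 12-digit account ID. Only the instance-profile role in the
    monitoring account may assume the role.
    """
    if not re.fullmatch(r"\d{12}", monitoring_account_id):
        raise ValueError("an AWS account ID is exactly 12 digits")
    return {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [f"arn:aws:iam::{monitoring_account_id}:role/{INSTANCE_PROFILE_ROLE}"]
                },
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, monitoring_account_id: str) -> list:
    """Findings for a SecurityMonkey trust policy; an empty list means every Allow
    statement trusts exactly the expected instance-profile role and nothing else."""
    expected = f"arn:aws:iam::{monitoring_account_id}:role/{INSTANCE_PROFILE_ROLE}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" and {"AWS": "*"} both mean any AWS principal may assume.
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in aws_principals:
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"over-broad principal {arn}")
            elif arn != expected:
                findings.append(f"unexpected principal {arn}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action {action}")
    return findings


def non_read_only_actions(policy: dict) -> list:
    """Allow actions whose verb is not Describe*/Get*/List* (IAM action names are
    case-insensitive, so the lowercase spelling used on this page is fine)."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if not verb.lower().startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


# Constructed sample: a short slice of the page's SecurityMonkeyReadOnly action list.
SAMPLE_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:describesecuritygroups",
                "iam:listusers",
                "s3:getbucketpolicy",
                "ses:sendemail",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    monitoring_account = "111111111111"  # constructed; use the account running Security Monkey
    trust = build_trust_policy(monitoring_account)
    print(json.dumps(trust, indent=4))
    print("trust findings:", trust_policy_findings(trust, monitoring_account))
    print("non-read-only actions:", non_read_only_actions(SAMPLE_READ_ONLY_POLICY))
```

Run against the page's own SecurityMonkeyReadOnly list, the lint reports `ses:sendemail`, the one action there that is not a Describe/Get/List call; whether that belongs in a policy with "ReadOnly" in its name is a decision to make deliberately rather than by accident. Running `trust_policy_findings` on the trust document of each monitored account with the monitoring account's ID catches the common copy-paste mistakes: the wrong account ID, a `:root` principal, or `"AWS": "*"`.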