aws-samples / amazon-guardduty-multiaccount-scripts

This script automates the process of running the GuardDuty multi-account workflow across a group of accounts that are in your control
Apache License 2.0

Role for EC2 not defined #12

Closed jasonabradley closed 6 years ago

jasonabradley commented 6 years ago

It's unclear what role the EC2 instance running the script would need linked to it in deployment option 1, step 2.

msusta commented 6 years ago

The script calls sts:AssumeRole both for the master account and linked accounts. Without testing it, the IAM policy should look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

ryanholland commented 6 years ago

Jason, please see the updated documentation as well as the EnableGuardDuty.yaml CloudFormation template that was added. The template will create a role with the permissions needed by the script, as well as an instance role and profile that can be attached to an instance. The instance does need AssumeRole, but you should scope that down to only allow it to assume the role that will be used.
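The following is an added example, not code from this issue or from the amazon-guardduty-multiaccount-scripts repository, showing what "scope AssumeRole down to the role that will be used" looks like next to the wildcard policy posted above. The role name GuardDutyEnablerRole, the instance-role name GuardDutyInstanceRole and the account IDs are assumptions chosen for illustration; the page does not state what names EnableGuardDuty.yaml actually creates. The `is_unscoped` check is a quick way to catch the wildcard variant before attaching it to an instance profile.

```python
import json

# Assumed names (not taken from the issue or the CloudFormation template):
ENABLER_ROLE_NAME = "GuardDutyEnablerRole"      # role the script assumes in every account
INSTANCE_ROLE_NAME = "GuardDutyInstanceRole"    # role attached to the EC2 instance profile
MASTER_ACCOUNT = "111111111111"                  # constructed sample account IDs
MEMBER_ACCOUNTS = ["222222222222", "333333333333"]

# The policy as posted in the thread: the instance may assume ANY role in ANY account
# that trusts it. Functionally it works, but it is far broader than the script needs.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}
    ],
}


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def scoped_assume_role_policy(master_account, member_accounts, role_name=ENABLER_ROLE_NAME):
    """Instance-role policy that only permits assuming the enabler role in the
    master account and each linked account the script will touch."""
    accounts = [master_account] + list(member_accounts)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeGuardDutyEnablerRoleOnly",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": [role_arn(a, role_name) for a in accounts],
            }
        ],
    }


def enabler_role_trust_policy(master_account, instance_role_name=INSTANCE_ROLE_NAME):
    """Trust policy for the enabler role deployed in each account: only the
    instance role in the master account may assume it (the other half of the
    scoping; the resource policy above alone does not stop other principals)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn(master_account, instance_role_name)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def assume_role_targets(policy):
    """Collect every Resource that an Allow statement grants sts:AssumeRole on."""
    targets = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        targets.update(resources)
    return targets


def is_unscoped(policy):
    """True when any AssumeRole target contains a wildcard, i.e. the instance is
    not pinned to specific role ARNs."""
    return any("*" in r for r in assume_role_targets(policy))


if __name__ == "__main__":
    scoped = scoped_assume_role_policy(MASTER_ACCOUNT, MEMBER_ACCOUNTS)
    print("posted policy unscoped:", is_unscoped(BROAD_POLICY))
    print("scoped policy unscoped:", is_unscoped(scoped))
    print(json.dumps(scoped, indent=2))
    print(json.dumps(enabler_role_trust_policy(MASTER_ACCOUNT), indent=2))
```

If the set of linked accounts changes often, an intermediate option is a single pattern such as `arn:aws:iam::*:role/GuardDutyEnablerRole`, which pins the role name but not the account; the check above deliberately flags that too, since the account list is already known to the script.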