Closed jasonabradley closed 6 years ago
The script calls sts:AssumeRole for both the master account and the linked accounts. Without testing it, the IAM policy should look like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
```
Jason, please see the updated documentation as well as the EnableGuardDuty.yaml CloudFormation template that was added. The template will create a role with the permissions needed by the script as well as an instance role and profile that can be attached to an instance. The instance does need AssumeRole, but you should scope that down to only allow it to assume the role that will be used.
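A scoped-down version of the instance policy along the lines the comment above suggests, added here as an example and not taken from the thread or from the project's template: `Resource` names only the cross-account role the script assumes, in the master account and each linked account, instead of `*`. The account IDs (111111111111, 222222222222, 333333333333) and the role name `EXAMPLE-GuardDutyRole` are placeholders for the role that EnableGuardDuty.yaml actually creates.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeGuardDutyRoleOnly",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::111111111111:role/EXAMPLE-GuardDutyRole",
        "arn:aws:iam::222222222222:role/EXAMPLE-GuardDutyRole",
        "arn:aws:iam::333333333333:role/EXAMPLE-GuardDutyRole"
      ]
    }
  ]
}
```

If the set of linked accounts changes often, `arn:aws:iam::*:role/EXAMPLE-GuardDutyRole` restricts by role name while leaving the account open; in either form the assumed role's trust policy in each account must still list the instance role as a trusted principal, since this policy only grants the instance side of the call.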
It's unclear what role the EC2 instance running the script would need linked to it in deployment option 1, step 2.