fbpx

Knowledge Base

You are here:
Print

AWS – EC2 Desktop Cross-Account Use-case Setup

Introduction

The purpose of this document is to provide the detailed steps to install and configure Cloudockit Desktop in an optimal way so you can get going as quickly as possible with your automated documentation generation for your AWS environment.

Cloudockit desktop can be installed in many ways. On a workstation, on a server, on a virtual machine.

Based on our experience we have identified that the optimal way is to create an EC2 instance and install Cloudockit desktop to automate your document generation.

Step 1 – Create the IAM User in the source Account

To log into Cloudockit and list the Accounts to scan, you need to enter the Access Key ID and Secret Access Key of the IAM User located in a source Account with the corresponding permissions to list the accounts.

In AWS Console 🡺 IAM 🡺 Users

  • Create an IAM user, create an Access Key for this user and save it (with the Secret Access Key) to be used later
  • In the user ‘Permissions’ tab, attach the following Inline Policy to the user permissions :
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
              "organizations:ListAccountsForParent",
              "organizations:ListAccounts"
          ],
          "Resource": "*"
      }
  ]
}

Step 2 – Create the EC2 instance Role in Source Account (CloudockitEC2RoleCrossAccount)

The EC2 instance where Cloudockit is installed needs to have a role attached to it.

This role’s only purpose will be to assume the role actually used for the scans and for the storage access.

It will allow the EC2 to authenticate as the scan role.

In AWS Console 🡺 IAM 🡺 Roles

  • Create an IAM Role (you can name it CloudockitEC2RoleCrossAccount)
  • Attach the following Policy to the role’s Permissions :
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*"
    }
}
  • Trust relationships
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Step 3 – Create the Scan Role (CloudockitScanRole) in the targeted Accounts

This is the main role which will be used to scan the resources and access the storage account.

In every account you want to scan (including the source account where the IAM user & EC2 instance Role & EC2 Instance are created), do the following:

  • Create an IAM Role (you can name it CloudockitScanRole)
  • Attach the following 2 Policies to the role’s Permissions :
    • ReadOnlyAccess (Type : AWS managed – job function)
    • Inline Policy S3BucketAccess (Type : Customer inline)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutBucketCORS",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "*"
        }
    ]
}

OR if you want to limit the access to a specific S3 storage account, you can specify it as follows :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutBucketCORS",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::NameOfYourS3Bucket",
                "arn:aws:s3:::NameOfYourS3Bucket/*"
            ]
        }
    ]
}
  • Trust relationships :
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::SourceAccount:role/CloudockitEC2RoleCrossAccount"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Step 4 – Create the EC2 Instance

Connect to the AWS Console and go to the EC2.

From the EC2 Dashboard page click on the Launch instance button.

CHOOSE AN AMAZON MACHINE IMAGE (AMI)

Select Microsoft Windows Server Base (Linux is not supported).

CHOOSE AN INSTANCE TYPE

We have identified that Cloudockit Desktop performs at its best with 4 CPUs and 16 GiB of memory. You can however choose the type that you prefer.

CONFIGURE INSTANCE DETAILS

Configure the instance based on your organization’s best practices and make sure to select the CrossAccount IAM role created in the previous step.

ADD STORAGE

You can leave the default parameters.

ADD TAGS

Add the tags based on your organization’s tagging policy.

CONFIGURE SECURITY GROUP

Create or assign a security group based on your organization’s security policies.

REVIEW INSTANCE LAUNCH

Review the parameters that have been set and press Launch to create the instance.

Step 5 – Install Cloudockit Desktop

DOWNLOADING THE INSTALLATION FILE

You can get the Cloudockit installation file from our website at https://generate.cloudockit.com/.

Click on the Download Now button to get the MSI file.

Step 6 – Launch Cloudockit Desktop and Test

Once the setup is done, you can start Cloudockit Desktop on the EC2 Instance.

Login :

AWS 🡺 Use cross-account role

  • Enter the Access Key ID and Secret Access Key of the IAM User (created at step 1)
  • Role to assume : CloudockitScanRole (created at step 3)
  • Select the accounts in which you have created the role at step 3.

STORAGE VALIDATION

Drop-Off 🡺 Your Storage.

If the S3 bucket you want to validate is in the account displayed at the top-right corner of the screen (Current Account : ..) you can enter the S3 bucket name only and validate.

If the S3 bucket is in another account (among the ones you want to scan), you should enter the arn of the S3 bucket including the corresponding account number, in the following format : arn:aws:s3::AccountNumber:S3BucketName

Table of Contents