AWS Configurations

AWS Configurations

Amazon Web Services Integration – Step-by-Step Requirements

To integrate FSProtect with Amazon Web Services, specific IAM permissions must be granted to the IAM user or role used for scanning. This guide outlines how to create the required IAM user and permissions using the AWS Console, as well as an optional AWS CLI alternative.

Step 1: Sign in to the AWS Console

Navigate to IAM (Identity and Access Management) from the Services menu.

Step 2: Create an IAM User for FSProtect

Go to IAM > Users and click Add users.

Enter a username (e.g., forestall-collector).

Select Access key – Programmatic access as the credential type.

Click Next: Permissions.

Step 3: Create and Attach an IAM Policy

Select Attach existing policies directly and click Create policy.

Switch to the JSON tab and paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FSProtectRequired",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListPolicies",
        "iam:GetUser",
        "iam:GetGroup",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListUserPolicies",
        "iam:ListGroupPolicies",
        "iam:ListRolePolicies",
        "iam:GetUserPolicy",
        "iam:GetGroupPolicy",
        "iam:GetRolePolicy",
        "iam:ListPolicyVersions",
        "iam:ListRoleTags",
        "iam:ListUserTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FSProtectOptional",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Resource": "*"
    }
  ]
}

Click Next: Tags, then Next: Review.

Give the policy a name (e.g., FSProtectScanPolicy) and click Create policy.

Go back to the user creation, search for and attach the FSProtectScanPolicy.

Click Next: Review and then Create user.

Step 4: Copy Access Key Credentials

After the user is created, copy the Access Key ID and Secret Access Key.

⚠️ The Secret Access Key is only shown once. Save it securely before closing the page.

Step 5: (Optional) Set Up Cross-Account Role for Assume Role

If you want to use Assume Role instead of direct access keys:

Go to IAM > Roles and click Create role.

Select Another AWS account and enter the account ID of the account where FSProtect runs.

Optionally enable Require external ID and enter a unique value.

Attach the FSProtectScanPolicy to the role.

Name the role (e.g., FSProtectAssumeRole) and click Create role.

Copy the Role ARN — you will use this in the FSProtect AWS Configuration as the Assume Role ARN.

Step 6: AWS Configuration in FSProtect

Navigate to Settings > AWS Configuration in FSProtect and fill in the fields.

AWS Configuration Fields

Field

Description

Region

The AWS region type of the account (Commercial, GovCloud, or China).

Account ID

The 12-digit AWS account ID to be scanned.

Access Key ID

The access key ID of the IAM user created for FSProtect.

Secret Access Key

The secret access key associated with the provided Access Key ID.

Assume Role ARN (optional)

The ARN of the IAM role to assume for cross-account access.

External ID (optional)

An optional external ID used for additional security when assuming a role.

Session Name

The session name used when assuming a role. Defaults to FSProtect.

Account Display Name

A friendly name to identify this AWS account within FSProtect.

Actions

Test — Validates the AWS configuration by attempting to authenticate and verify permissions. Use this to ensure your configuration is correct before saving.

Save — Saves the current configuration settings to the application.

(Optional) AWS CLI Alternative

If you prefer to automate IAM user and policy creation using the AWS CLI:

# Create IAM user
aws iam create-user --user-name forestall-collector

# Create policy file (save above JSON as fsprotect-policy.json)
aws iam create-policy \
  --policy-name FSProtectScanPolicy \
  --policy-document file://fsprotect-policy.json

# Attach policy to user (replace ACCOUNT_ID)
aws iam attach-user-policy \
  --user-name forestall-collector \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/FSProtectScanPolicy

# Create access key
aws iam create-access-key --user-name forestall-collector

The output will include the AccessKeyId and SecretAccessKey. Save these values before proceeding.

Best Practices

Least Privilege — Only grant the minimum permissions required for FSProtect to function.
Key Rotation — Regularly rotate access keys (recommended every 90 days or per your security policy).
Use Assume Role — Where possible, prefer Assume Role over long-lived access keys for improved security.
Permission Review — Periodically review granted permissions and remove any that are no longer needed.
Testing — Always use the "Test" button to validate configuration before saving changes.

Troubleshooting

Authentication Fails

Verify the Access Key ID and Secret Access Key are correct and have not been deactivated.
Ensure the IAM user is active and not restricted by an SCP (Service Control Policy).

Permission Denied Errors

Confirm all required permissions are included in the attached policy.
Check if an SCP at the AWS Organization level is blocking the actions.
Verify the IAM user or role has the policy correctly attached.

Configuration Won't Save

Ensure all required fields are filled.
Verify the Account ID is a valid 12-digit number.
Check that the Test passes successfully before saving.

Required AWS IAM Permissions

1. iam:ListUsers / iam:GetUser Grants read access to IAM user objects across the account. Required to enumerate all users and retrieve their attributes for identity analysis.

2. iam:ListGroups / iam:GetGroup Grants read access to IAM groups. Required to map group memberships and evaluate group-level access control.

3. iam:ListRoles / iam:GetRole Grants read access to IAM roles. Required to enumerate roles, their trust policies, and assess privilege escalation paths.

4. iam:ListPolicies / iam:GetPolicy / iam:GetPolicyVersion Grants read access to IAM managed policies and their document content. Required to analyze effective permissions and identify overly permissive policies.

5. iam:ListGroupsForUser Allows retrieval of the groups a specific IAM user belongs to. Required to build complete user-to-group-to-policy relationships.

6. iam:ListAttachedUserPolicies / iam:ListAttachedGroupPolicies / iam:ListAttachedRolePolicies Grants access to the list of managed policies attached to users, groups, and roles. Required for full policy coverage analysis.

7. iam:GetUserPolicy / iam:GetGroupPolicy / iam:GetRolePolicy Grants read access to inline policies embedded in users, groups, and roles. Required to detect hidden or non-standard permission grants.

Optional AWS IAM Permissions for Enhanced Functionality

1. iam:ListAccessKeys Grants read access to access key metadata for IAM users. Required to detect inactive, unused, or overly aged access keys as a security risk indicator.

2. iam:GetAccessKeyLastUsed Provides the last used date and service information for each access key. Required to identify stale credentials that may pose a security risk.

⚠️ These permissions are optional but strongly recommended for complete IAM access key visibility and security assessment coverage.

PreviousLogin With Client Secret NextGCP Configurations

Last updated 6 days ago

Was this helpful?