Templates

StackSet Template

download

{
  "Parameters": {
    "PrimaryAccountID": {
      "AllowedPattern": "\\d{12}",
      "ConstraintDescription": "\"PrimaryAccountID\" must be a valid AWS Account ID (12 digits).",
      "Description": "Enter the AWS Account ID where your Censys Cloud Connector will run.",
      "MaxLength": 12,
      "MinLength": 12,
      "Type": "String"
    },
    "Principal": {
      "AllowedPattern": "[a-zA-Z_0-9+=,.@\\-_/]+",
      "ConstraintDescription": "\"Principal\" must be a valid AWS IAM Principal name.",
      "Description": "Enter the account principal.",
      "MaxLength": 64,
      "MinLength": 1,
      "Type": "String",
      "Default": "root"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Censys AWS Cloud Connector cross-account Role deployment.",
  "Resources": {
    "CensysCloudConnectorSetup": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${PrimaryAccountID}:${Principal}"
                }
              },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Description": "This role was created by the Censys Cloud Connector. The Censys Cloud Connector utilizes this role to enumerate assets in this account.",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
        "Policies": [
          {
            "PolicyName": "CensysAPIGatewayPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "CensysCloudConnectorPolicy",
                  "Effect": "Allow",
                  "Action": ["apigateway:GET"],
                  "Resource": "*"
                }
              ]
            }
          }
        ],
        "Path": "/",
        "RoleName": "CensysCloudConnectorRole"
      }
    }
  }
}

IAM Policies

Note

As a security best-practice, the connector also supports creation of temporary credentials via Secure Token Service (STS).

Recommended

In order to ease the burden of maintaining an evolving list of policies, it’s possible to run the Censys Cloud Connector using a role with the following policies:

1. AWS arn:aws:iam::aws:policy/SecurityAudit

2. censysCloudConnectorPolicy (below)

download

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "censysCloudConnectorPolicy",
      "Effect": "Allow",
      "Action": ["apigateway:GET"],
      "Resource": "*"
    }
  ]
}

Least Privilege

Use this policy to follow the AWS best-practice of least-privilege.

download

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "censysLeastPrivilegeCloudConnector",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "ec2:DescribeTags",
        "ec2:DescribeNetworkInterfaces",
        "ecs:ListContainerInstances",
        "ecs:ListClusters",
        "elasticloadbalancing:DescribeLoadBalancers",
        "rds:DescribeDBInstances",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53domains:ListDomains",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}