Templates
StackSet Template
{
  "Parameters": {
    "PrimaryAccountID": {
      "AllowedPattern": "\\d{12}",
      "ConstraintDescription": "\"PrimaryAccountID\" must be a valid AWS Account ID (12 digits).",
      "Description": "Enter the AWS Account ID where your Censys Cloud Connector will run.",
      "MaxLength": 12,
      "MinLength": 12,
      "Type": "String"
    },
    "Principal": {
      "AllowedPattern": "[a-zA-Z_0-9+=,.@\\-_/]+",
      "ConstraintDescription": "\"Principal\" must be a valid AWS IAM Principal name.",
      "Description": "Enter the account principal.",
      "MaxLength": 64,
      "MinLength": 1,
      "Type": "String",
      "Default": "root"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Censys AWS Cloud Connector cross-account Role deployment.",
  "Resources": {
    "CensysCloudConnectorSetup": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Sub": "arn:aws:iam::${PrimaryAccountID}:${Principal}"
                }
              },
              "Action": ["sts:AssumeRole"]
            }
          ]
        },
        "Description": "This role was created by the Censys Cloud Connector. The Censys Cloud Connector utilizes this role to enumerate assets in this account.",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
        "Policies": [
          {
            "PolicyName": "CensysAPIGatewayPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "CensysCloudConnectorPolicy",
                  "Effect": "Allow",
                  "Action": ["apigateway:GET"],
                  "Resource": "*"
                }
              ]
            }
          }
        ],
        "Path": "/",
        "RoleName": "CensysCloudConnectorRole"
      }
    }
  }
}
IAM Policies
Note
As a security best practice, the connector also supports creating temporary credentials via the AWS Security Token Service (STS).
Recommended
To avoid maintaining an evolving list of individual permissions, you can run the Censys Cloud Connector using a role with the following policies:
censysCloudConnectorPolicy (below)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "censysCloudConnectorPolicy",
      "Effect": "Allow",
      "Action": ["apigateway:GET"],
      "Resource": "*"
    }
  ]
}
Least Privilege
Use this policy to follow the AWS best practice of least privilege.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "censysLeastPrivilegeCloudConnector",
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "ec2:DescribeTags",
        "ec2:DescribeNetworkInterfaces",
        "ecs:ListContainerInstances",
        "ecs:ListClusters",
        "elasticloadbalancing:DescribeLoadBalancers",
        "rds:DescribeDBInstances",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "route53domains:ListDomains",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
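The following is an added pre-deployment check, not code from Censys or from the template above: it applies the StackSet parameter constraints the way CloudFormation does, resolves the trust policy's Fn::Sub so you can see exactly which principal in the primary account will be allowed to assume the role, and lints a policy document so that only enumerate-style actions (Get/List/Describe, plus apigateway's GET) remain. SAMPLE_POLICY and the READ_ONLY pattern are constructed for this example.

```python
import json
import re

# Parameter constraints and trust-policy template copied from the StackSet template above.
TEMPLATE_PARAMS = {
    "PrimaryAccountID": {"AllowedPattern": r"\d{12}", "MinLength": 12, "MaxLength": 12},
    "Principal": {"AllowedPattern": r"[a-zA-Z_0-9+=,.@\-_/]+", "MinLength": 1, "MaxLength": 64},
}
TRUST_PRINCIPAL = "arn:aws:iam::${PrimaryAccountID}:${Principal}"

# Constructed: read-only action shapes the connector needs (apigateway uses the HTTP verb GET).
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|GET|List|Describe)[A-Za-z]*$")

# Constructed sample: a few of the page's least-privilege actions plus two that must be flagged.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "censysLeastPrivilegeCloudConnector",
        "Effect": "Allow",
        "Action": ["apigateway:GET", "ec2:DescribeTags", "s3:ListBucket", "s3:PutObject", "ec2:*"],
        "Resource": "*",
    }],
})

def validate_params(values):
    """Apply MinLength/MaxLength and AllowedPattern as CloudFormation does (whole-string match)."""
    errors = []
    for name, spec in TEMPLATE_PARAMS.items():
        v = values.get(name, "")
        if not spec["MinLength"] <= len(v) <= spec["MaxLength"]:
            errors.append(f"{name}: length out of range")
        elif not re.fullmatch(spec["AllowedPattern"], v):
            errors.append(f"{name}: does not match AllowedPattern")
    return errors

def render_trust_principal(values):
    """Resolve the Fn::Sub in AssumeRolePolicyDocument; the default 'root' trusts the whole account."""
    arn = TRUST_PRINCIPAL
    for name, v in values.items():
        arn = arn.replace("${" + name + "}", v)
    return arn

def lint_policy(policy_json):
    """Return Allow actions that use wildcards or are not read-only; empty means enumerate-only."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") == "Allow":
            findings += [a for a in actions if "*" in a or not READ_ONLY.match(a)]
    return findings
```

Run lint_policy over the least-privilege document above and it returns an empty list; any later edit that adds a write action or a wildcard shows up as a finding.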