IAM Configuration for vDiscovery
In order to use the Infoblox vDiscovery for AWS feature described in the Configuration section of this guide, you will need an IAM user or role with a minimum set of permissions to view resources in AWS. The minimum permissions required in AWS to conduct vDiscovery are:
iam:GetUser
ec2:DescribeVpcs
ec2:DescribeSubnets
ec2:DescribeRouteTables
ec2:DescribeAddresses
ec2:DescribeNetworkInterfaces
ec2:DescribeInstances
The following topics are covered in this section:
IAM Policy
IAM User
Rotating Credentials
IAM Role
IAM Policy
First, we will create a custom policy with the permissions listed above to assign to users or roles.
In the AWS Management Console, use the Services menu to navigate to IAM under Security, Identity, & Compliance.
Select Policies from the IAM menu.
Click on Create policy.
Policies can be selected through the visual editor or defined using JSON. For this guide, we will use JSON. Click the JSON tab.
In the JSON editor view, you will see the base outline for a policy definition:
Between the square brackets next to Statement, paste the following to define your policy:
{
    "Effect": "Allow",
    "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables"
    ],
    "Resource": "*"
},
{
    "Effect": "Allow",
    "Action": "iam:GetUser",
    "Resource": "arn:aws:iam::*:user/*"
}
Your JSON policy definition should look like this:
Click Next: Tags. Add tags if desired.
Click Next: Review.
Name your policy.
Optionally, add a description.
Review the Summary.
Click Create Policy.
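As an added check that is not part of the Infoblox guide, the following Python script parses the finished policy and confirms it grants exactly the minimum actions listed at the top of this section, flagging any broader pattern such as ec2:* that would exceed what vDiscovery needs. It assumes the complete policy document is the standard Version line plus the two statements pasted above.

```python
import fnmatch
import json

# Minimum actions vDiscovery needs, as listed at the top of this guide.
REQUIRED_ACTIONS = {
    "iam:GetUser", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
    "ec2:DescribeRouteTables", "ec2:DescribeAddresses",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeInstances",
}

# The complete policy document this guide builds: the standard Version line
# plus the two statements pasted into the Statement array.
VDISCOVERY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeAddresses", "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs",
                "ec2:DescribeSubnets", "ec2:DescribeRouteTables"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:GetUser",
     "Resource": "arn:aws:iam::*:user/*"}
  ]
}""")


def allowed_actions(policy):
    """Collect every Action pattern from Allow statements."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM accepts Action as a single string (as the iam:GetUser statement
        # above does) or as a list; normalise both shapes.
        action = stmt.get("Action", [])
        patterns.update([action] if isinstance(action, str) else action)
    return patterns


def check_least_privilege(policy, required=REQUIRED_ACTIONS):
    """Return (missing, excess): required actions no pattern grants, and
    patterns that are not exactly one of the required actions (e.g. ec2:*)."""
    patterns = allowed_actions(policy)
    required_lc = {a.lower() for a in required}
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    missing = {a for a in required
               if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}
    excess = {p for p in patterns if p.lower() not in required_lc}
    return missing, excess
```

An empty pair of sets means the policy is exactly the minimum; a non-empty excess set is a sign the policy has drifted beyond what vDiscovery requires.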
IAM User
Next, we will create a user with an access key that can be used to authenticate for vDiscovery jobs.
Select Users from the IAM menu.
Click Add users.
Name the user.
Click Next.
Under Permissions options, select Attach policies directly.
Use the Permissions policies search to locate and select your vDiscovery policy.
Click Next.
On the Review and create step, review details and click Create user.
After the user is created, search for and click on the new user.
Select the Security credentials tab.
Scroll down to the Access Keys section and click Create access key.
Select Other and click Next.
Add a description for the key and click Create access key.
Click Download .csv file to retrieve the new keys.
Warning: This is the only opportunity to download or view these credentials. If you do not save them, or lose them later, you will have to create new access keys for this user.
Click Done.
Rotating Credentials
When using user access keys as described in the previous section, keys should be rotated on a regular basis, at a minimum every 90 days. To rotate access keys for an IAM user, follow the guidance in the AWS documentation: Manage access keys for IAM users - AWS Identity and Access Management, specifically the section titled Rotating access keys.
IAM Role
Creating a role to use for vDiscovery is optional; if you choose to use one, create it before deploying your vNIOS for AWS instance. Because an instance role supplies temporary credentials to the instance, it avoids managing the long-lived access keys described in the previous sections. The role can be assigned to your instance during deployment, as described in the Deploy vNIOS Instance in AWS → Configure Instance Details section of this guide. It is also possible to add a role to a running instance using the AWS CLI command aws ec2 associate-iam-instance-profile. See the AWS CLI documentation for details on working with this and other commands related to IAM roles: https://docs.aws.amazon.com.
In the AWS Management Console, use the Services menu to navigate to IAM under Security, Identity, & Compliance.
Select Roles from the IAM menu.
Click on Create role.
For Trusted entity type, select AWS service.
For Use case, select EC2.
Click Next.
Enter the name of your policy in the search bar or scroll down to locate your policy.
Check the box next to your vDiscovery policy.
Click Next.
Enter a name under Role name.
Optionally, add a description.
Review the role properties.
Scroll down and click Create role.