Create security groups and IAM roles

Network Security requires a minimum of two security groups. These security groups are used when you create the ENIs. Learn more about security groups.

From the EC2 Dashboard, scroll down to Security Groups, and click Create security group.

Management security group

Use this security group for the Network Security management port.

  • Security Group Name: Enter Management security group.
  • Description: Enter Allows you to access Network Security from the CLI and the Network Security management interface.
  • VPC: Select the Inspection VPC.

Select the management group, scroll down to the Inbound Rules and Outbound Rules tabs, and click Edit Rules to add these required rules.

Inbound rules

  • Type: SSH
  • Protocol: TCP
  • Port range: 22
  • Source: <IP or CIDR addresses that need access to the management port for the Network Security instance>
  • Description: Allows you to SSH into Network Security and manage the instance with the CLI

Outbound rules

NOTE

We recommend that you keep the outbound rules for this group open to all traffic on all ports to all destinations.

  • Type: All traffic
  • Protocol: All
  • Port range: All
  • Destination: 0.0.0.0/0
  • Description: Allows all traffic on all ports to all destinations

Traffic security group

Use this security group for the Network Security data ports. AWS considers all traffic that passes through the data port to be inbound traffic, so you must allow inbound traffic rules from the internet, even if you are only inspecting connections originating inside your network.

The inbound and outbound rules listed below are the minimum required rules for the security group. Add any additional rules necessary for your network environment, but make sure the inbound and outbound rules are the same for this security group.

  • Security Group Name: Enter Traffic security group.
  • Description: Enter Allows all inbound traffic from the internet.
  • VPC: Select the Inspection VPC.

NOTE

We recommend that you keep this security group as open as possible and that you restrict traffic using security groups attached to your Workload EC2 instances.

Inbound rules

  • Type: All traffic
  • Protocol: All
  • Port range: All
  • Source: 0.0.0.0/0
  • Description: Allows all traffic that originates inside or outside of your network

Outbound rules

  • Type: All traffic
  • Protocol: All
  • Port range: All
  • Destination: 0.0.0.0/0
  • Description: Allows all traffic that originates inside or outside of your network
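
As an added example (not the page's or Trend Micro's code), the following Python checks exported security group rules against the two requirements above: the management group admits only TCP/22, and only from your admin CIDRs, and the traffic group's inbound and outbound rule sets are identical. The rule dicts use the IpPermissions shape that `aws ec2 describe-security-groups` returns; the sample rules and the admin range 203.0.113.0/24 are constructed.

```python
import ipaddress

# Constructed sample rules in the IpPermissions shape that
# `aws ec2 describe-security-groups` and boto3 return (not from the page).
ADMIN_CIDRS = ["203.0.113.0/24"]          # assumed admin range; substitute your own
MGMT_INGRESS = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]
ALL_TRAFFIC = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def _flatten(perms):
    """Normalise IpPermissions entries to (protocol, from, to, cidr) tuples."""
    rules = set()
    for p in perms:
        key = (p.get("IpProtocol", "-1"), p.get("FromPort", -1), p.get("ToPort", -1))
        for r in p.get("IpRanges", []):
            rules.add(key + (r["CidrIp"],))
        for r in p.get("Ipv6Ranges", []):
            rules.add(key + (r["CidrIpv6"],))
    return rules


def check_management_sg(ingress, admin_cidrs):
    """Management SG: only TCP/22 inbound, and only from the admin CIDRs."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    findings = []
    for proto, frm, to, cidr in _flatten(ingress):
        if (proto, frm, to) != ("tcp", 22, 22):
            findings.append(f"unexpected inbound rule {proto} {frm}-{to} from {cidr}")
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append(f"SSH reachable from {cidr}, which is outside the admin CIDRs")
    return findings


def check_traffic_sg(ingress, egress):
    """Traffic SG: the page requires inbound and outbound rule sets to be identical."""
    inbound, outbound = _flatten(ingress), _flatten(egress)
    return ([f"inbound-only rule {r}" for r in sorted(inbound - outbound)]
            + [f"outbound-only rule {r}" for r in sorted(outbound - inbound)])
```

Feed the checkers the `IpPermissions` and `IpPermissionsEgress` lists of a real group to confirm the group still matches what this page prescribes.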

Create an IAM policy and role

IAM policies and roles allow the Network Security instance to send metrics to CloudWatch. Create an IAM policy, then attach it to an IAM role. Learn more about creating IAM roles.

Create policy

  1. Navigate to the IAM Dashboard.

  2. Click Policies, and then click Create policy.

  3. Click on the JSON tab, then copy and paste the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Click Review Policy, and enter the following parameters before clicking Create policy.

  • Name: CloudWatch_logs_policy
  • Description: Allows CloudWatch to track metric data

Additional IAM roles

You may need to include additional IAM policies and roles to enable Network Security to discover assets behind an Application Load Balancer (ALB).

NOTE

Newly added accounts do not need to follow the steps below to add additional IAM roles, as this is already enabled.

Follow the steps below to include additional IAM policies:

  1. Navigate to the IAM Dashboard.

  2. Click Policies, and then click Create policy.

  3. Click on the JSON tab, then copy and paste the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "cloudconnectorEc2",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNatGateways",
        "ec2:DescribeSubnets",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "cloudconnectorElb",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": "*"
    },
    {
      "Sid": "cloudconnectorIamPolicy",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:GetPolicy"
      ],
      "Resource": "arn:aws:iam::*:policy/NetworkSecurityPolicy"
    },
    {
      "Sid": "cloudconnectorIamRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": "arn:aws:iam::*:role/NetworkSecurityRole"
    }
  ]
}

Click Review Policy, and enter the following parameters before clicking Create policy.

  • Name: Posture_Assessment_policy
  • Description: Enables connections to internet-facing VPCs behind an Application Load Balancer.

After you create the policy, follow the steps below to create a role and attach the policy to that role.

  1. Above Policies, click Roles, and then click Create role.
  2. Select AWS service, then choose EC2 for the service that will use this role.
  3. Click Next: Permissions, and then select the policy that you just created.
  4. Optionally, add any tags and then click Next: Review.
  5. For Role name, enter a name such as CloudWatch_logs, and then click Create role.

Create a cross-account IAM role in your AWS account

Create a cross-account role to define a set of permissions for an AWS service request. This role allows you to grant access with defined permissions to trusted entities, like the IAM users that are managed within your account. Roles created previously for other Cloud One services cannot be used. You must create a new role specifically for Network Security. Follow the steps below to create an IAM role:

  1. Navigate to the Roles section above Policies, and then click Create role.
  2. For Select type of trusted entity, choose Another AWS account.
  3. For Account ID, enter the Cloud One - Network Security Account ID.
  4. Click Next: Permissions.
  5. Search for the policy name created in the previous step.
  6. Select the policy and click Next: Tags. Optionally add tags, and then click Next: Review.
  7. In the Role name field, enter NetworkSecurityRole, and click Create role.
  8. After the role is created, navigate to the IAM Roles section and select NetworkSecurityRole.
  9. Copy the Role ARN value from the Summary in AWS and paste it into the Role ARN field.
  10. Enter a valid ARN value and click Create Account Name.
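
As an added example (not part of the page or of the Cloud One console), the following Python builds the trust policy that the Another AWS account option in step 2 generates and audits an existing role's trust policy so that nothing but the expected account can assume it. The account ID 123456789012 is a placeholder, not the real Cloud One - Network Security account ID.

```python
import json

# Assumed placeholder for the Cloud One - Network Security account ID (not a real value).
CLOUD_ONE_ACCOUNT_ID = "123456789012"


def build_trust_policy(trusted_account_id):
    """Trust policy the console generates for the 'Another AWS account' option."""
    if not (trusted_account_id.isdigit() and len(trusted_account_id) == 12):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def audit_trust_policy(policy, expected_account_id):
    """Return findings if the role trusts anything other than the expected account.
    Accepts the dict form or the JSON string that `aws iam get-role` returns."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    expected = f"arn:aws:iam::{expected_account_id}:root"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue                       # statement cannot grant AssumeRole
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: trusts any principal")
            continue
        aws = principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                findings.append(f"statement {i}: trusts any AWS principal")
            elif p not in (expected, expected_account_id):   # bare ID equals :root
                findings.append(f"statement {i}: trusts unexpected principal {p}")
        for key in principal:
            if key != "AWS":
                findings.append(f"statement {i}: unexpected principal type {key}")
    return findings
```

Run the audit periodically against the `AssumeRolePolicyDocument` of NetworkSecurityRole so that a later widening of the trust relationship is caught.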