For Cloud8 to access your AWS account, you need to set up a secure means of access. There are two ways:
- IAM Keys – to do so, simply create an IAM user of the “Programmatic Access” type and with a customized security policy that meets the needs of your business and processes;
- IAM Role – a Role that gives explicit permission to the AWS account used by Cloud8.
In this article, we describe the process for generating the IAM Role. Follow the steps below:
Ideally, first create a Managed Policy with the permissions you need. See a suggestion. Don’t worry if you don’t know all the permissions; you can change them at any time.
Once you have created the policy:
- In the AWS console, select Roles;
- Click “Create New Role”;
- Choose a name, for example: “RoleCloud8”;
- Under “Role Type”, select “Role for Cross-Account Access”;
- Choose “Provide access between your AWS account and a 3rd party AWS account”;
- For Account ID, enter “693155863762” and for External ID, enter a new password that has not been used anywhere;

- Select the policy you created previously (it will appear under “Customer Managed”). Remember that you can change it later.
Minimum Cloud8 policy: https://cloud8.io/docs/using-cloud8-with-a-custom-aws-security-credential/
- Save the “Role ARN” and the External ID;
- Confirm and the Role is created.
In Cloud8, when registering the new AWS account, just select “IAM Role” and fill in “IAM Role ARN” and “External ID”.
To access FINOPS and Best Practices (Recommendations and Opportunities), you can use the Managed Policy “ReadOnlyAccess” linked to this IAM Role.
Done! You now have a secure configuration, recommended as an AWS best practice, and you don’t need to worry about key rotation!
Note: If you already use Access Keys and want to switch to IAM Role, it is not necessary to delete the account. Just “Configure” the AWS provider and change the security mode by passing a new IAM Role.
Questions? Contact us.