use-cases/org-three-cross-account-setup.md
Lines changed: 5 additions & 6 deletions
@@ -70,7 +70,7 @@ Please contact us if something requires to be adjusted.
70
70
71
71
- Before running Terraform, we need to give permissions to the role of the `member`-aliased terraform aws provider, to be able to create an SQS queue
72
72
and subscribe it to the provided SNS. Otherwise, Terraform will fail with an error such as
73
-
> AuthorizationError: User: *** is not authorized to perform: SNS:Subscribe on resource <SNS_ARN>: because no resource-based policy allows the SNS:Subscribe action
73
+
> AuthorizationError: User: *** is not authorized to perform: SNS:Subscribe on resource <SNS_ARN>: because no resource-based policy allows the SNS:Subscribe action
74
74
- We'll need to add following permissions to the SNS queue
75
75
```text
76
76
{
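Review bot: the context line "We'll need to add following permissions to the SNS queue" mislabels the resource; the resource-based policy in the fenced block is attached to the SNS topic (the error above is `SNS:Subscribe on resource <SNS_ARN>`), while the SQS queue is what Terraform creates and subscribes, so it should read "add the following permissions to the SNS topic". The only actual change in this hunk is the blank line moved around the `> AuthorizationError` blockquote, so while here the policy fence could also be tagged ```` ```json ```` instead of ```` ```text ```` to get highlighting, and "we need to give permissions to the role of the `member`-aliased terraform aws provider, to be able to create an SQS queue" would read better as "grant the role used by the `member`-aliased Terraform AWS provider permission to create an SQS queue".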
@@ -83,6 +83,7 @@ Please contact us if something requires to be adjusted.
83
83
"Resource": "<CLOUDTRAIL_SNS_ARN>"
84
84
}
85
85
```
86
+
- Check [`./modules/infrastructure/cloudtrail/sns_permissions.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/infrastructure/cloudtrail/sns_permissions.tf#L22) for more insight
86
87
87
88
4. Use `organizational` example snippet with following parameters
88
89
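Review bot: the `sns_permissions.tf` link that the added blank line now separates from the policy block is a `blob/master/...#L22` anchor, which silently points at the wrong line as soon as that file changes on master; pin it to a commit SHA permalink, or drop the `#L22` fragment and say what to look for in the file. "for more insight" is also vague; "for the complete policy statement" tells the reader why to follow the link.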
@@ -94,9 +95,6 @@ Please contact us if something requires to be adjusted.
94
95
- Existing Organizational Cloudtrail Setup
95
96
- `CLOUDTRAIL_SNS_ARN`
96
97
- `CLOUDTRAIL_S3_ARN`
97
-
- You MUST grant manual permissions to the organizational cloudtrail, for the AWS member-account management role `OrganizationAccountAccessRole` to be able to perform `SNS:Subscribe`.
98
-
- This will be required for the CloudConnector SQS Topic subscription.
99
-
- Use [`./modules/infrastructure/cloudtrail/sns_permissions.tf`](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/modules/infrastructure/cloudtrail/sns_permissions.tf#L22) as guideline
100
98
101
99
- Existing ECS Cluster Workload Setup
102
100
- `ECS_CLUSTER_NAME` ex.: "sfc"
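Review bot: deleting lines 97-99 removes the only text in this step that names the principal (`OrganizationAccountAccessRole`), the action it needs (`SNS:Subscribe`) and the reason (the CloudConnector SQS topic subscription); the step 3 text in the first hunk only refers to "the role of the `member`-aliased terraform aws provider", so after this change the reader is never told which role ARN to put in the SNS policy. Either keep one sentence here, such as "The organizational CloudTrail SNS topic must allow `SNS:Subscribe` for `OrganizationAccountAccessRole`; see step 3", or carry the role name into the step 3 paragraph in the same commit.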
@@ -107,9 +105,10 @@ Please contact us if something requires to be adjusted.
107
105
108
106
5. Permissions - S3
109
107
- Terraform should have successfully deployed everything, but still, ECS task will fail due to missing permissions on S3 access.
110
-
- We cannot prepare this beforehand, as S3 will say `Invalid principal in policy` if the referenced Role does not exist yet.
108
+
- We cannot prepare this beforehand, as S3 will throw following error if the referenced Role does not exist yet.
109
+
> Invalid principal in policy
111
110
- For cross-account S3 access, we will provision permissions on both management-account role and s3 bucket
112
-
- For Terraform provisioned role in the management account, "<ARN_SYSDIG_S3_ACCESS_ROLE>", in form of "arn:aws:iam::<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>:role/sysdig-sfc-SysdigSecureForCloudRole", <br/>we will add
111
+
- For Terraform provisioned role in the management account, `<ARN_SYSDIG_S3_ACCESS_ROLE>`,<br/> in form of `arn:aws:iam::<SYSDIG_SECURE_FOR_CLOUD_MEMBER_ACCOUNT_ID>:role/sysdig-sfc-SysdigSecureForCloudRole`, <br/>
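Review bot: the replacement line 111 ends in a dangling `<br/>` and drops the trailing "we will add" that the removed line 110 carried, so unless the continuation moved to the next line (outside this hunk) the sentence now has no verb; the `<br/>` after the comma in "`<ARN_SYSDIG_S3_ACCESS_ROLE>`,<br/> in form of" also breaks the phrase mid-clause and can go. In the new line 108, "S3 will throw following error" should read "S3 will return the following error" (it is an API error response, not an exception), and moving `Invalid principal in policy` into its own blockquote is a good change because it lets readers match the exact message. In the context line, "on both management-account role and s3 bucket" reads better as "on both the management-account role and the S3 bucket".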