Cross Account Scan Multiple Amazon S3 Accounts

To enable scanning of S3 buckets across multiple AWS accounts, you configure an IAM policy, user, and role on the primary account, and then configure users, roles, policies, and CloudTrail trails for both the primary and secondary accounts. The account in which all CloudTrail logs are stored is referred to as the primary account; all other accounts are referred to as secondary accounts.
Configuring AWS S3 scanning across multiple accounts requires you to:
  1. Configure CloudTrail on the primary account.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select Services > CloudTrail > Trails > Create Trail.
    3. Enter the Trail name aperture-s3-primary-trail.
    4. Set Apply trail to all Regions to Yes.
    5. In the Data Events area, enter the name of each S3 bucket on which you want to enable scanning in your primary account. You can also choose Select all S3 buckets in your account to enable Aperture to scan all of the S3 buckets in your primary account.
    6. In the Storage location area, create a bucket in which CloudTrail will store management and data event logs; enter the S3 bucket name as aperture-s3-<AWS account ID>.
      You can also use an existing bucket for the log storage location, if one exists.
  2. Configure a role and an associated policy on each secondary account.
    1. Log in to your AWS Console aws.amazon.com.
    2. Configure an IAM role by selecting IAM > Roles > Create Role.
    3. Select Another AWS account as the type of trusted entity.
    4. Enter the AWS account number of your primary account in Specify accounts that can use this role. Leave the other options unchecked and select Next: Permissions.
    5. Click Create Policy and a new window will open.
    6. Click the JSON tab and copy and paste the following configuration into the Policy Document section:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*",
                      "s3:Put*",
                      "s3:Delete*",
                      "s3:CreateBucket",
                      "iam:GetUser",
                      "iam:GetRole",
                      "iam:GetUserPolicy",
                      "iam:ListUsers",
                      "cloudtrail:GetTrailStatus",
                      "cloudtrail:DescribeTrails",
                      "cloudtrail:LookupEvents",
                      "cloudtrail:ListTags",
                      "cloudtrail:ListPublicKeys",
                      "cloudtrail:GetEventSelectors",
                      "ec2:DescribeVpcEndpoints",
                      "ec2:DescribeVpcs",
                      "config:Get*",
                      "config:Describe*",
                      "config:Deliver*",
                      "config:List*"
                  ],
                  "Resource": "*"
              }
          ]
      }
    7. Click Review Policy and enter the Policy Name as aperture-s3-secondary-policy and provide an optional description of the policy.
    8. Click Create Policy.
    9. Refresh the policy window and select aperture-s3-secondary-policy.
    10. Select Next: Review.
    11. Enter the role name aperture-s3-secondary-role. Before creating the role, verify the following:
      1. Trusted entities contains the primary account number.
      2. aperture-s3-secondary-policy displays in Policies.
      3. When verification is complete, click Create Role.
    12. Select the role you just created and copy the role ARN (for example, arn:aws:iam::222222222:role/aperture-s3-secondary-role). You will need the role ARN later in this procedure.
  3. Configure the CloudTrail bucket in the primary account to give the CloudTrail service write access to each secondary account's log prefix.
    1. Log in to your AWS Console aws.amazon.com.
    2. Select Services > S3.
    3. Select the CloudTrail S3 bucket you just created, for example aperture-s3-[aws account id].
    4. Select Permissions > Bucket Policy.
    5. Verify that the bucket policy has a Statement that allows the action s3:PutObject on the primary account prefix, for example "Resource": "arn:aws:s3:::aperture-s3-[aws account id]/AWSLogs/[aws account id]/*".
    6. Modify this Resource entry to add the log prefix for each secondary account, similar to the following:
      "Resource": [
          "arn:aws:s3:::aperture-s3-[aws account id]/AWSLogs/[aws account id]/*",
          "arn:aws:s3:::aperture-s3-[aws account id]/AWSLogs/111111111/*",
          "arn:aws:s3:::aperture-s3-[aws account id]/AWSLogs/222222222/*",
          "arn:aws:s3:::aperture-s3-[aws account id]/AWSLogs/333333333/*"
      ],
    7. Save the resource modification.
  4. Configure CloudTrail on each secondary account to associate with the primary account.
    1. Select Services > CloudTrail > Trails > Create trail.
    2. Enter the Trail name aperture-s3-secondary-trail.
    3. Set Apply trail to all Regions to Yes.
    4. In the Data events area, enter the name of each bucket in your secondary account for which you want to enable scanning. You can also choose Select all S3 buckets in your account to enable Aperture to scan all of the S3 buckets in your secondary account. The interface offers auto-completion as you type. Repeat the process to select additional buckets.
    5. In the Storage location area, enter the name of the CloudTrail bucket in the primary account, for example aperture-s3-<AWS account ID>, so that CloudTrail stores the management and data event logs for this account there, and click Create.
  5. Configure a user in the primary account that will access each of the secondary accounts.
    1. Select Services > IAM.
    2. Select Users > Add user.
    3. Enter the user name as aperture-s3-user.
    4. Select Programmatic access to generate an access key ID and secret access key for Aperture to use to access the Amazon S3 service.
    5. Select Next: Permissions.
    6. Create a user policy.
      1. Select Attach existing policies directly > Create Policy. A new window will open. You will attach this policy to the user account that authorizes the Aperture service to scan the Amazon S3 accounts.
      2. Click the JSON tab and copy and paste the following configuration into the Policy Document section:
      {
       "Version": "2012-10-17",
       "Statement": [
        {
         "Effect": "Allow",
         "Action": [
          "s3:Get*",
          "s3:List*",
          "s3:Put*",
          "s3:Delete*",
          "s3:CreateBucket",
          "iam:GetUser",
          "iam:GetRole",
          "iam:GetUserPolicy",
          "iam:ListUsers",
          "cloudtrail:GetTrailStatus",
          "cloudtrail:DescribeTrails",
          "cloudtrail:LookupEvents",
          "cloudtrail:ListTags",
          "cloudtrail:ListPublicKeys",
          "cloudtrail:GetEventSelectors",
          "ec2:DescribeVpcEndpoints",
          "ec2:DescribeVpcs",
          "config:Get*",
          "config:Describe*",
          "config:Deliver*",
          "config:List*"
         ],
         "Resource": "*"
        },
        {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111111111:role/aperture-s3-cross-account-access-role"
        },
        {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::222222222:role/aperture-s3-cross-account-access-role"
        },
        {
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::333333333:role/aperture-s3-cross-account-access-role"
        }
       ]
      }
      This policy document references three placeholder secondary account IDs: 111111111, 222222222, and 333333333. Edit each sts:AssumeRole Resource so that it matches the role ARN you copied from each of your secondary accounts in the previous section (the account number and the role name must both match the role you created there).
    7. Click Review Policy and enter the Policy Name as aperture-s3-primary-policy and provide an optional description of the policy.
    8. Click Create Policy.
    9. Refresh the first window, select aperture-s3-primary-policy, click Next: Review, and then click Create User.
      Note the Access key ID and Secret access key for the user. You will need these values later in this setup.
    10. Click Close.
  6. You can now Add the Amazon S3 App to Aperture.
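The two pieces of this setup that are easiest to get wrong are the bucket-policy Resource list (one AWSLogs prefix per account) and the per-account sts:AssumeRole statements in the primary user policy. The following added example, which is not part of the Aperture documentation, generates both from a list of secondary account IDs and checks a bucket policy for prefixes that no Allow s3:PutObject statement covers; the account IDs and the sample bucket policy are constructed values.

```python
import json

# Constructed sample values; replace with your own account IDs.
PRIMARY_ACCOUNT = "999999999999"
SECONDARY_ACCOUNTS = ["111111111", "222222222", "333333333"]
ROLE_NAME = "aperture-s3-secondary-role"  # role created in each secondary account


def trail_bucket_name(primary_account):
    """Bucket naming convention from the procedure: aperture-s3-<AWS account ID>."""
    return f"aperture-s3-{primary_account}"


def cloudtrail_put_resources(primary_account, secondary_accounts):
    """Resource ARNs the CloudTrail bucket policy must allow s3:PutObject on:
    the primary account's own prefix plus one AWSLogs prefix per secondary account."""
    bucket = trail_bucket_name(primary_account)
    accounts = [primary_account, *secondary_accounts]
    return [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*" for acct in accounts]


def assume_role_statements(secondary_accounts, role_name):
    """One sts:AssumeRole statement per secondary account for the primary user policy."""
    return [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": f"arn:aws:iam::{acct}:role/{role_name}"}
            for acct in secondary_accounts]


def missing_put_prefixes(bucket_policy, expected_resources):
    """Return expected prefixes that no Allow statement with s3:PutObject covers.
    Action and Resource may be a string or a list in IAM policy JSON."""
    covered = set()
    for stmt in bucket_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions:
            continue
        res = stmt.get("Resource", [])
        covered.update([res] if isinstance(res, str) else res)
    return [r for r in expected_resources if r not in covered]


# Constructed bucket policy that covers only the primary prefix and the first secondary.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": cloudtrail_put_resources(PRIMARY_ACCOUNT, SECONDARY_ACCOUNTS)[:2]}]}

if __name__ == "__main__":
    expected = cloudtrail_put_resources(PRIMARY_ACCOUNT, SECONDARY_ACCOUNTS)
    print("Missing prefixes:", missing_put_prefixes(SAMPLE_BUCKET_POLICY, expected))
    print(json.dumps(assume_role_statements(SECONDARY_ACCOUNTS, ROLE_NAME), indent=1))
```

Run against your real bucket policy (for example, the JSON returned by the S3 console) before creating the secondary trails; a prefix listed as missing means CloudTrail in that secondary account will fail to deliver logs to the primary bucket.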
