
Connect AWS Account Fully-Managed

  1. Register an account on dashboard.codeshield.io and sign in to the platform.
  2. Within the CodeShield app, click on the Connect Account / + Account button.
  3. Enter an Account Name of your choice and your 12-digit AWS Account ID. The Account Name can be any arbitrary identifier used to label the account within CodeShield. The AWS Account ID is the unique account identifier that AWS assigns.
note

We suggest connecting a management account here and then using the multi connector to connect an arbitrary number of child accounts from the organizational hierarchy. This allows SCPs and AWS IAM Identity Center information to be incorporated into scans of the child accounts.

info

If you need to delegate the deployment of the connector CloudFormation stack to another team or to your customer, or need a more asynchronous connection process for other reasons, please proceed with the self-managed connection process.

  1. Click on Connect Account. This will redirect you to the AWS console.

  2. _Ensure you are signed in with the account you want CodeShield to connect._ Follow the instructions within AWS to deploy the provided CloudFormation template. The template has been implemented carefully following the least-privilege principle. Connecting the account only grants read access to metadata within the account; that is, CodeShield cannot access sensitive data inside data stores such as databases or S3 buckets.

  3. Wait for the completion of the CloudFormation deployment within AWS.

  4. Switch back to CodeShield and perform your first scan by scanning the whole account or a region bundle.

info

Need a suitable account to scan? We recommend testing CodeShield on the open-source application DVSA, a deliberately vulnerable application aimed at helping security professionals test their cloud security skills. You can deploy the application to a sandbox account and perform a CloudFormation stack scan to get results. A walkthrough of the results is detailed here.

Permissions required to create the CodeShield connector CloudFormation stack

note

The permissions that CodeShield requires, and which are employed once CodeShield is connected to your account, can be found in the connector's CloudFormation template.

If you want to use a specific user or role for deploying the CodeShield connector CloudFormation stack, you can use the predefined policy below, which contains all necessary permissions. The permissions are defined as strictly as possible and, in particular, do not permit privilege escalation: policy attachment is restricted to the connector role and to the listed policy ARNs, and stack operations are restricted to stacks named CodeShieldAwsConnector-*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DetachRolePolicy",
        "iam:AttachRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/*-CodeShieldAwsConnectorRol*",
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::*:policy/*-CodeShieldMaintenancePolicy-*",
            "arn:aws:iam::*:policy/*-CodeShieldSecurityAuditAdditions-*",
            "arn:aws:iam::aws:policy/SecurityAudit"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:CreatePolicy",
        "sns:Publish",
        "iam:ListPolicyVersions",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy",
        "iam:TagRole",
        "iam:PutRolePolicy"
      ],
      "Resource": [
        "arn:aws:sns:*:*:codeshield_aws-connector-callback_*",
        "arn:aws:iam::*:policy/*-CodeShieldMaintenancePolicy-*",
        "arn:aws:iam::*:policy/*-CodeShieldSecurityAuditAdditions-*",
        "arn:aws:iam::*:role/*-CodeShieldAwsConnectorRol*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ListStackResources",
        "cloudformation:ListChangeSets",
        "cloudformation:GetStackPolicy",
        "cloudformation:GetTemplate"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/CodeShieldAwsConnector-*/*"
      ]
    }
  ]
}
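The least-privilege claim above rests on two properties of the deployer policy: permission-widening IAM actions are never allowed on Resource "*", and iam:AttachRolePolicy is bounded by an iam:PolicyARN condition that cannot match AdministratorAccess. The following linter, an added example that is not CodeShield's own code, checks a policy document for exactly those properties; the WIDENING_ACTIONS set and the two constructed sample policies are my own, and only the ArnLike form of the condition is examined.

```python
# Least-privilege linter for a connector-stack deployer policy (added example).
import fnmatch
import json

# IAM actions that can grant or widen permissions (my own list, not an official one).
WIDENING_ACTIONS = {
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:PassRole", "iam:UpdateAssumeRolePolicy",
}
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        widening = [a for a in actions if a in WIDENING_ACTIONS or a.endswith("*")]
        if widening and "*" in resources:
            findings.append(f"statement {i}: {widening} allowed on Resource '*'")
        if "iam:AttachRolePolicy" in actions:
            # Only the ArnLike operator is checked here (assumption of this example).
            patterns = _as_list(st.get("Condition", {}).get("ArnLike", {}).get("iam:PolicyARN", []))
            if not patterns:
                findings.append(f"statement {i}: iam:AttachRolePolicy without iam:PolicyARN condition")
            elif any(fnmatch.fnmatchcase(ADMIN_ARN, p) for p in patterns):
                findings.append(f"statement {i}: iam:PolicyARN condition admits AdministratorAccess")
    return findings

# Constructed samples: the attach statement as scoped on this page, and a loose variant.
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": ["iam:DetachRolePolicy", "iam:AttachRolePolicy"],
  "Resource": "arn:aws:iam::*:role/*-CodeShieldAwsConnectorRol*",
  "Condition": {"ArnLike": {"iam:PolicyARN": [
    "arn:aws:iam::*:policy/*-CodeShieldMaintenancePolicy-*",
    "arn:aws:iam::aws:policy/SecurityAudit"]}}}]}""")
LOOSE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "iam:AttachRolePolicy", "Resource": "*"}]}""")

if __name__ == "__main__":
    print("scoped:", lint_policy(SCOPED) or "no findings")
    print("loose:", lint_policy(LOOSE))
```

Run it against the full policy above by loading that JSON with json.load and passing the result to lint_policy; the scoped sample yields no findings, the loose variant yields two.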