
Connect AWS Account

  1. Register an account on dashboard.codeshield.io and sign-in to the platform.

  2. Within the CodeShield app, click on the Connect Account / + Account button.

  3. Enter an Account Name of your choice and your 12-digit AWS Account ID. The Account Name can be any arbitrary identifier to label your account within CodeShield. The AWS Account ID is the unique account identifier AWS provides.

  4. Click on Connect Account. This will redirect you to the AWS console.

  5. _Ensure you are signed in with the account you want CodeShield to connect._ Follow the instructions within AWS to deploy the provided CloudFormation template. The template has been implemented carefully following the least-privilege principle. Connecting the account only grants read access to metadata within the account; that is, CodeShield cannot access sensitive data inside data stores such as databases or S3 buckets.

  6. Wait for the completion of the CloudFormation deployment within AWS.

  7. Switch back to CodeShield and perform your first scan by scanning the whole account or a region bundle.

info

Need a suitable account to scan? We recommend testing CodeShield on the open-source application DVSA, a deliberately vulnerable application intended to help security professionals test their cloud security skills. You can deploy the application to a sandbox account and perform a CloudFormation stack scan to get results. A walkthrough of the results is detailed here.

Permissions required to create the CodeShield connector CloudFormation stack

note

The permissions that CodeShield requires, and which are granted when you connect CodeShield to your account, can be found in the connector's CloudFormation template.

If you want to use a specific user or role for deploying the CodeShield connector CloudFormation stack, you can use this predefined policy, which contains all necessary permissions. The permissions are defined as strictly as possible and, in particular, do not allow any privilege escalation: the deploying principal may only attach the listed CodeShield and SecurityAudit policies, and only to the connector role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:DetachRolePolicy",
        "iam:AttachRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/CodeShieldAwsConnector-*",
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": [
            "arn:aws:iam::*:policy/*-CodeShieldMaintenancePolicy-*",
            "arn:aws:iam::*:policy/*-CodeShieldSecurityAuditAdditions-*",
            "arn:aws:iam::aws:policy/SecurityAudit"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:CreatePolicy",
        "sns:Publish",
        "iam:ListPolicyVersions",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:sns:*:*:codeshield_aws-connector-callback_*",
        "arn:aws:iam::*:policy/*-CodeShieldMaintenancePolicy-*",
        "arn:aws:iam::*:policy/*-CodeShieldSecurityAuditAdditions-*",
        "arn:aws:iam::*:role/CodeShieldAwsConnector-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ListStackResources",
        "cloudformation:ListChangeSets",
        "cloudformation:GetStackPolicy",
        "cloudformation:GetTemplate"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/CodeShieldAwsConnector-*/*"
      ]
    }
  ]
}
```
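As an added example (not CodeShield's own code), a small Python check for the guard that makes the policy above escalation-safe: `iam:AttachRolePolicy` is only usable on the connector role and only with a pinned `iam:PolicyARN` allow-list, and no action that writes arbitrary policy text is granted. The rule set is a deliberately simplified one, not a full IAM analyzer, and the two sample policies are constructed for the demonstration.

```python
"""Added example: flag IAM policy statements that let the deploying principal
change a role's permissions without the guards the CodeShield policy uses."""
import copy
import fnmatch

ATTACH = "iam:AttachRolePolicy"
# Writing inline policy text or a new managed-policy version cannot be pinned
# to an ARN allow-list, so these are flagged whenever they are granted.
UNPINNABLE = {"iam:PutRolePolicy", "iam:CreatePolicyVersion",
              "iam:SetDefaultPolicyVersion"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _granted(patterns, action):
    # IAM action matching is case-insensitive and allows '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def unguarded_statements(policy):
    """Return (statement index, reason) for each unguarded Allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        scoped = all(r.startswith("arn:") for r in resources)  # no bare "*"
        conds = stmt.get("Condition", {})
        pinned = any("iam:PolicyARN" in c for c in conds.values() if isinstance(c, dict))
        if _granted(actions, ATTACH) and not (scoped and pinned):
            findings.append((i, "AttachRolePolicy without role-scoped Resource "
                                "and iam:PolicyARN condition"))
        for action in sorted(UNPINNABLE):
            if _granted(actions, action):
                findings.append((i, f"{action} allows arbitrary policy content"))
    return findings

# Constructed samples: the guarded shape from the page beside a weakened variant.
GUARDED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:DetachRolePolicy", "iam:AttachRolePolicy"],
    "Resource": "arn:aws:iam::*:role/CodeShieldAwsConnector-*",
    "Condition": {"ArnLike": {"iam:PolicyARN": [
        "arn:aws:iam::aws:policy/SecurityAudit"]}}}]}
WEAKENED = copy.deepcopy(GUARDED)
del WEAKENED["Statement"][0]["Condition"]  # any policy may now be attached
WEAKENED["Statement"].append({"Effect": "Allow", "Action": "iam:*", "Resource": "*"})

if __name__ == "__main__":
    print(unguarded_statements(GUARDED), unguarded_statements(WEAKENED))
```

Running the check against the full deployment policy from this page yields no findings, since its only `iam:AttachRolePolicy` grant carries both the role-scoped Resource and the `iam:PolicyARN` condition.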