Assets for Setting up AWS Role

A guide to establishing an AWS Role and Policy for use with CloudTruth.
In order for CloudTruth to access AWS resources, it is necessary to create a role associated with the CloudTruth Account ID as well as associated policies for the desired services (S3 and/or SSM).
Trusted Entity AWS Account ID
The CloudTruth Account ID is #811566399652.  This ID is also shown as "CloudTruth Account #" at the top of the Integrations screen within the CloudTruth application.  The JSON snippet contains the trust relationship policy that allows the CloudTruth system to assume the role you create within your AWS account.  Note that you'll have to supply the ExternalId qualifier supplied during setup on the CloudTruth integration page.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudtruthToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::811566399652:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "GENERATED-EXTERNAL-ID-FROM-CLOUDTRUTH-INTEGRATION-PAGE"
        }
      }
    }
  ]
}
AWS S3 Policy
This JSON snippet contains the policy needed to grant CloudTruth access to S3 buckets.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketSelection",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "BucketAccess",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
AWS SSM Parameter Store Policy
The JSON snippet contains the policy needed to grant CloudTruth access to SSM Parameter Store.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ParameterAccess",
            "Action": [
                "ssm:DescribeParameters",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:GetParametersByPath"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Using the AWS Console to give CloudTruth access
The following steps provide a guide for creating the role and policy needed for CloudTruth access via the AWS Console.
Go to the IAM console
​https://console.aws.amazon.com/iam/home​
Create a Role
Click on Roles in the left navigation
Click on Create role
Choose “Another AWS Account”
Type in the CloudTruth Account ID.  Check "Require external ID..." and supply the external ID generated during the CloudTruth AWS integration setup, then click Next:Permissions
Click Next: Review
Type in the Role name that you used in the CloudTruth account setup, and click Create Role
Add a policy to the Role
Click the role that was created for CloudTruth access
Click add Inline Policy
Click JSON Tab
Paste in the JSON policy (at the top of this page) and click Review Policy
Type in a name for the policy and click Create Policy
Setup is now complete for both Roles and Policies.  If you've created an AWS integration within CloudTruth, it should now show a "Connected" status, and you can begin creating Parameter values that reference your AWS resources. 
Use Terraform to give CloudTruth access
The following Terraform code can be used to generate the role and associated policies needed for both S3 and SSM Parameter store access.  See the module documentation for further customization.
module "grant-cloudtruth-access" {
  source = "github.com/cloudtruth/terraform-cloudtruth-access"
​
  role_name   = "name-the-role-as-desired-matches-that-on-cloudtruth-integration-page"
  external_id = "generated-external-id-from-cloudtruth-integration-page"
}
​
​
Using Terraform State Files
Secrets Management
Last updated 5 months ago