AWS GovCloud
- Installation guide
Installation
The integration instance configuration requires the accessKeyId of the customer's IAM user to create credentials used to read infrastructure information through AWS APIs. The instance configuration also requires the secretAccessKey that is associated with the accessKeyId.
Configuration in AWS
Step 1: Create IAM Policy
From the AWS GovCloud Console homepage, search and select IAM under Services.
Select Policies.
Click Create Policy, select the JSON tab, and enter the following document content:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"batch:Describe*",
"batch:List*",
"cloudhsm:Describe*",
"cloudhsm:List*",
"cloudwatch:GetMetricData",
"codebuild:BatchGetReportGroups",
"codebuild:GetResourcePolicy",
"codebuild:List*",
"ec2:GetEbsDefaultKmsKeyId",
"eks:Describe*",
"eks:List*",
"fms:List*",
"glacier:List*",
"glue:GetJob",
"glue:GetTags",
"glue:List*",
"lambda:GetFunction",
"lex:List*",
"ses:GetConfigurationSet",
"ses:GetEmailIdentity",
"ses:List*",
"sns:GetSubscriptionAttributes",
"ssm:GetDocument"
]
},
{
"Effect": "Allow",
"Action": ["apigateway:GET"],
"Resource": ["arn:aws-us-gov:apigateway:*::/*"]
}
]
}
Click Tags then Review and verify the permissions.
Enter JupiterOneSecurityAudit as the Name and click Create Policy.
Step 2: Create IAM User
Navigate to the Users page and select the user you are using.
Select Add users.
Enter JupiterOneUser as the user name for the new user.
Select Access key - Programmatic access under Select AWS credential type.
Select Next: Permissions.
Select the Attach existing policies directly tab.
In the Policy search box, search for SecurityAudit. Select both SecurityAudit and JupiterOneSecurityAudit policies. SecurityAudit is an AWS-managed IAM policy that grants access to read security configurations of AWS resources.
Click Tags then Review and verify the user information is correct.
Click Create User.
Copy both the AccessKeyId and SecretAccessKey (click show to display) from the final screen. These values are needed for JupiterOne configuration.
Configuration in CloudFormation
Step 1: Deploy CloudFormation Stack
Download our latest GovCloud CloudFormation available in our docs Link.
Visit the CloudFormation page in the AWS Console.
Select Stacks.
Select Create Stack then select With new resources (standard).
Select Template is ready and Upload a template file.
Upload the file you downloaded and click Next.
Enter JupiterOneAccess as the name then click Next.
On the Review and create page accept the checkbox at the bottom labeled I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- JupiterOne uses this permission to create a managed policy. You can view the added permissions here Link
Click Submit
Step 2: Get Access Key
Go to the
jupiterone-access-user
user in the IAM console.Click Security Credentials.
Under Access Keys click Create access key.
Select Other.
Create the Access Key.
Copy both the AccessKeyId and SecretAccessKey (click show to display) from the final screen. These values are needed for JupiterOne configuration.
Configuration in Terraform
Step 1: Provision Terraform
Download our latest GovCloud Terraform available in our docs Link
Provision the Terraform in each of your AWS accounts you wish to configure.
Step 2: Get Access Key
Go to the
jupiterone-access-user
user in the IAM console.Click Security Credentials.
Under Access Keys click Create access key.
Select Other.
Create the Access Key.
Copy both the AccessKeyId and SecretAccessKey (click show to display) from the final screen. These values are needed for JupiterOne configuration.
Finalize in JupiterOne
- From the top navigation of the J1 Search homepage, select Integrations.
- Scroll to the AWS GovCloud integration tile and click it.
- Click New instance and configure the following settings:
- Enter the Account Name by which you want to identify this AWS account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when Tag with Account Name is selected.
- Enter a Description that will further assist your team when identifying the integration instance.
- Select a Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.
- Enter the Account ID of the GovCloud account you are ingesting data from.
- Enter the Access Key ID of the IAM user to create credentials to authenticate with AWS.
- Enter the Secret Access Key associated with Access Key Id.
- Click Create Configuration after all values are provided.
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.