Creating an AWS IAM Role for CME in Security Management Server
Solution

Overview

A Check Point Security Management Server running CME needs a set of permissions in your AWS account so that it can manage the CloudGuard resources deployed there and, for some solutions, change the environment so that the solution works correctly. The permissions required vary with the solution being deployed.


Creating an IAM role with a CloudFormation Template

Click here to deploy the IAM role for the Security Management Server.

The template accepts the following parameters:

Parameter: IAM role
Description: Select Create with read permissions if the Security Management Server will manage CloudGuard Auto Scaling, or Create with read-write permissions if the management server will manage a Transit Gateway Auto Scaling Group or Transit VPC. Specifying STS roles in the field below adds the permissions required to assume those STS roles to the IAM policy attached to this IAM role.
If you wish to create an IAM role only in order to assume an STS role (in the same account or another), select Create with assume role permissions (specify an STS role ARN).

Parameter: STS roles
Description: Specify one role ARN, or a comma-separated list of role ARNs, to add permissions to assume these roles to the IAM policy attached to this IAM role.

Parameter: Trusted Account ID
Description: If you wish to create this role so that entities in another AWS account will be able to use it, provide the 12-digit ID of the trusted account. Entities in that account will be able to assume the role created by this template and receive the permissions stated in its IAM policy. See section 3 for more information.


Configuration of AWS STS to Delegate Access across two AWS accounts

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users. This grants entities from one AWS account, called the trusted account, privileges in a different AWS account, called the trusting account.

To create a role that will be used by a Security Management Server deployed in another (trusted) account:

1. In the trusting account, launch the stack above to create the IAM role.
2. In the Trusted Account ID field, provide the 12-digit ID of the trusted account.
3. In the IAM role field, select the type of permissions to grant the management server.
4. Click Create.

When the stack creation completes successfully, find the Role ARN in the Outputs tab and make a note of it.

Then do one of the following in the trusted account: add permission to assume this role to the IAM role already used by the Security Management Server, as described in the section Connecting with Additional AWS accounts in sk130372; or create a new IAM role, provide the role ARN in its STS roles field, and attach that role to the management server.
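The following CloudFormation template is an added illustration and is not Check Point's own template: it shows how the Trusted Account ID and STS roles parameters described above map to the role's trust policy and to an sts:AssumeRole permission, and how the Role ARN reaches the Outputs tab. The parameter names, the logical resource name and the placeholder CloudGuard statement are assumptions; the actual read or read-write actions CME needs are not reproduced here.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Illustrative IAM role for a Security Management Server with CME (added example)
Parameters:
  STSRoles:
    Type: CommaDelimitedList
    Default: ''
    Description: One or more role ARNs (comma separated) that this role may assume
  TrustedAccountID:
    Type: String
    Default: ''
    AllowedPattern: '^(\d{12})?$'
    Description: 12-digit ID of the trusted account allowed to assume this role (optional)
Conditions:
  HasSTSRoles: !Not [!Equals [!Join [',', !Ref STSRoles], '']]
  HasTrustedAccount: !Not [!Equals [!Ref TrustedAccountID, '']]
Resources:
  ManagementServerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # The management server's own EC2 instance obtains this role through its instance profile.
          - Effect: Allow
            Principal: {Service: ec2.amazonaws.com}
            Action: sts:AssumeRole
          # Cross-account use (section 3): only added when a Trusted Account ID is supplied.
          # The account root principal lets any suitably permitted entity in that account assume
          # the role; narrow it to the management server's role ARN if you know it, to reduce blast radius.
          - !If
            - HasTrustedAccount
            - Effect: Allow
              Principal: {AWS: !Sub 'arn:aws:iam::${TrustedAccountID}:root'}
              Action: sts:AssumeRole
            - !Ref AWS::NoValue
      Policies:
        - PolicyName: cme-permissions
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Placeholder for the CloudGuard read or read-write statements selected with "IAM role".
              - {Effect: Allow, Action: ['ec2:Describe*'], Resource: '*'}
              # Added only when STS roles are given: permission to assume exactly those ARNs.
              - !If
                - HasSTSRoles
                - {Effect: Allow, Action: sts:AssumeRole, Resource: !Ref STSRoles}
                - !Ref AWS::NoValue
Outputs:
  RoleARN:
    Description: Role ARN to enter in the STS roles field of the role in the trusted account
    Value: !GetAtt ManagementServerRole.Arn
```

Validate with aws cloudformation validate-template before deploying, and review the resulting trust policy in the IAM console to confirm that only the intended account can assume the role.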


This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
