Check Point Security Management Server requires certain permissions in your AWS account to manage CloudGuard resources deployed in AWS and, in some cases, to make changes to the environment so that the solution functions properly. The required permissions depend on the solution being deployed (Auto Scaling or Transit VPC).
(2) Creating an IAM role with a CloudFormation Template
To create the IAM role, deploy the following template in your AWS account:
The template accepts the following parameters:
IAM role
Select Create with read permissions if the Security Management Server will manage CloudGuard Auto Scaling, or Create with read-write permissions if it will manage Transit VPC. Specifying STS roles in the STS roles field adds the permissions required to assume those roles to the IAM policy attached to this IAM role.
If you wish to create an IAM role only in order to assume an STS role (in the same account or in another), select Create with assume role permissions (specify an STS role ARN).
STS roles
Specify one role ARN, or a comma-separated list of role ARNs, to add permissions to assume these roles to the IAM policy attached to this IAM role.
Trusted Account ID
If you wish to create this role so that entities in another AWS account can use it, provide the 12-digit ID of the trusted account. Entities in that account will be able to assume the role created by this template and receive the permissions stated in its IAM policy. See section 3 for more information.
(3) Configuration of AWS STS to Delegate Access across two AWS accounts
The AWS Security Token Service (STS) is a web service that lets you request temporary, limited-privilege credentials for IAM users or federated users. Combined with a cross-account IAM role, this lets entities in one AWS account, called the trusted account, obtain privileges in a different AWS account, called the trusting account.
To create a role that will be used by a Security Management Server deployed in another (trusted) account:
- In the trusting account, launch the stack above to create the IAM role.
- In the Trusted Account ID field, provide the 12-digit ID of the trusted account.
- In the IAM role field, select the type of permissions to grant the management server.
- Click Create.
When the stack creation completes successfully, find the Role ARN in the Outputs tab and make a note of it.
Then either add permission to assume this role to the IAM role used by the Security Management Server in the trusted account, as described in the section Connecting with Additional AWS accounts in sk130372, or create a new IAM role with this role ARN in the STS roles field and attach it to the management server.
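The following CloudFormation template is an added illustration of the mechanics described in sections 2 and 3; it is not Check Point's published template. It reproduces the three parameters (IAM role, STS roles, Trusted Account ID), builds the trust policy so that EC2 can use the role on the management server instance and, when a Trusted Account ID is given, so that principals in that account can call sts:AssumeRole on it, attaches a policy with either read, read-write or no resource permissions plus sts:AssumeRole on any listed STS role ARNs, and exports the Role ARN in Outputs. The parameter and resource names, the policy name and the AWS actions listed under read and read-write are assumptions; the real template's permission sets are Check Point's and differ from these placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Illustrative IAM role for a Check Point Security Management Server.
  Added example, not Check Point's published template; the AWS actions
  below are placeholders, not Check Point's real permission sets.

Parameters:
  IAMRole:
    Type: String
    Description: Kind of permissions to grant (mirrors the page's IAM role field)
    AllowedValues:
      - Create with read permissions
      - Create with read-write permissions
      - Create with assume role permissions (specify an STS role ARN)
    Default: Create with read permissions
  STSRoles:
    Type: String
    Default: ''
    Description: Optional comma-separated list of role ARNs this role may assume
  TrustedAccountID:
    Type: String
    Default: ''
    AllowedPattern: '^$|^[0-9]{12}$'
    Description: Optional 12-digit ID of the account whose entities may assume this role

Conditions:
  ReadWrite: !Equals [!Ref IAMRole, 'Create with read-write permissions']
  AssumeOnly: !Equals [!Ref IAMRole, 'Create with assume role permissions (specify an STS role ARN)']
  HasSTSRoles: !Not [!Equals [!Ref STSRoles, '']]
  HasTrustedAccount: !Not [!Equals [!Ref TrustedAccountID, '']]

Resources:
  ManagementRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: EC2, so the role can be attached to the management server
      # instance, plus (only when a Trusted Account ID was given) that account's
      # root, which lets principals in the trusted account call sts:AssumeRole.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
          - !If
            - HasTrustedAccount
            - Effect: Allow
              Principal:
                AWS: !Sub 'arn:aws:iam::${TrustedAccountID}:root'
              Action: sts:AssumeRole
            - !Ref AWS::NoValue
      Policies:
        - PolicyName: cloudguard-management   # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read (Auto Scaling) or read-write (Transit VPC) placeholder actions;
              # dropped entirely for the assume-role-only choice.
              - !If
                - AssumeOnly
                - !Ref AWS::NoValue
                - Effect: Allow
                  Action: !If
                    - ReadWrite
                    - [ec2:Describe*, ec2:CreateTags, elasticloadbalancing:Describe*]
                    - [ec2:Describe*, elasticloadbalancing:Describe*]
                  Resource: '*'
              # sts:AssumeRole on each ARN from the STS roles field (section 2).
              - !If
                - HasSTSRoles
                - Effect: Allow
                  Action: sts:AssumeRole
                  Resource: !Split [',', !Ref STSRoles]
                - !Ref AWS::NoValue

  # Instance profile so the role can be attached to the management server.
  ManagementInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref ManagementRole]

Outputs:
  RoleARN:
    Description: Value to paste into the STS roles field of the stack in the trusted account
    Value: !GetAtt ManagementRole.Arn
```

Deploying a stack that creates IAM resources requires acknowledging that with `--capabilities CAPABILITY_IAM` on `aws cloudformation create-stack` (or the corresponding checkbox in the console). Two points worth checking before relying on such a role: trusting the `:root` principal delegates the decision of who may assume the role to the trusted account's own IAM policies, so the caller there still needs an explicit `sts:AssumeRole` allow on this Role ARN (which is what the step above adds to the management server's role), and if tighter scoping is wanted the principal can be the management server's role ARN instead of `:root`; and choosing the assume-role-only option without listing any STS roles leaves the policy with no statements, which CloudFormation rejects, so that combination should be treated as a parameter error.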
A detailed AWS guide on how to delegate access across AWS accounts is available here.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.