Convert Native AWS Account Connection from IAM User to Cross Account Role
Solution ID: sk159912
Technical Level
Product: CloudGuard Posture Management
Version: All
Date Created: 07-Aug-2019
Last Modified: 04-Jul-2022
Solution
CloudGuard supports connections to AWS accounts using AWS Cross Account Roles.
Users who connected using an IAM User can now modify their CloudGuard account to connect to their AWS accounts with a Cross Account Role. This is considered more secure than an IAM User connection, since no long-lived access keys have to be created and stored.
The procedure below explains how to modify an account from an IAM User connection to a Cross Account Role connection. The change cannot be reversed.
The procedure has two stages:
Stage 1: Change the account connection type in CloudGuard Native (steps 1-7 and 20-22)
Stage 2: Define the Role for Cross Account Role in AWS Console (steps 8-19)
Stage 1: Change the account connection type in CloudGuard Native
In the CloudGuard console, navigate to Cloud Inventory, and select Cloud Accounts.
Select the AWS account to be converted, and then click EDIT CREDENTIALS in the upper right.
Click Generate. This will generate a new external ID. Copy and save this, as it will be needed later.
Keep this box open until the steps in the next stage are completed; those steps produce the Role ARN value that is entered here.
Stage 2: Define the Cross Account Role in the AWS Console
In the AWS IAM console, select Roles, and then click Create New Role.
Select Another AWS account for the type of trusted entity.
Enter the following details:
Account Id: 634729597623
External ID: enter the external ID generated for you in the Dome9 account conversion screen (from Stage 1, above)
Require MFA: NOT checked
Click Next: Permissions.
Select the existing Dome9-Read-Only policy, the AWS SecurityAudit and AmazonInspectorReadOnlyAccess policies, and (optionally, if the account is in Full Protection) the Dome9-read-write-policy.
Click Next: Tags, and then Next: Review.
Enter a name for the role, and then click Create Role.
In the Summary page, select the new role, and copy the Role ARN.
In the CloudGuard console, enter the Role ARN value in the Edit Role Credentials box for the AWS account (step 4 in the previous stage).
Click SAVE CHANGES.
This step is optional. If the AWS IAM user previously used to connect to CloudGuard Native is no longer used for anything else, removing it is a security best practice: once the new Cross Account Role integration has been fully tested, delete the unused IAM user.
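As an added example that is not part of the sk, the following Python writes out the trust relationship that the Stage 2 console choices ("Another AWS account", External ID, "Require MFA" unchecked) produce for the CloudGuard account above, and adds a check a reviewer can run over a role's existing trust policy before clicking SAVE CHANGES. The external ID value and the function names are constructed for illustration.

```python
# CloudGuard's own AWS account, which assumes the role (value from the sk).
CLOUDGUARD_ACCOUNT_ID = "634729597623"

# Policies the sk says to attach; the read-write policy only for Full Protection.
BASE_POLICIES = ["Dome9-Read-Only", "SecurityAudit", "AmazonInspectorReadOnlyAccess"]
FULL_PROTECTION_POLICIES = ["Dome9-read-write-policy"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_trust_policy(external_id, account_id=CLOUDGUARD_ACCOUNT_ID):
    """Trust policy equivalent to the Stage 2 console choices:
    'Another AWS account' + External ID + 'Require MFA' unchecked."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def policies_to_attach(full_protection=False):
    """Managed policies to attach to the role (Stage 2, 'Next: Permissions')."""
    return BASE_POLICIES + (FULL_PROTECTION_POLICIES if full_protection else [])

def audit_trust_policy(policy, expected_external_id, account_id=CLOUDGUARD_ACCOUNT_ID):
    """Findings for an existing trust policy; empty means it matches the sk. Flags a
    missing or stale external ID, a wildcard/foreign principal, and an MFA condition."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if principals != [expected_principal]:
            findings.append(f"unexpected principal(s): {principals}")
        condition = stmt.get("Condition", {})
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition")  # confused-deputy exposure
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId does not match the value generated in CloudGuard")
        if any("aws:MultiFactorAuthPresent" in keys for keys in condition.values()):
            findings.append("MFA condition present; 'Require MFA' must stay unchecked")
    return findings
```

Feed `audit_trust_policy` the JSON shown under the role's "Trust relationships" tab together with the external ID copied in Stage 1; an empty result means the role will be assumable only by CloudGuard with that ID.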
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.