This article explains how to find specific AWS resource types and identify the corresponding IAM permissions the Cortex AWS integration needs. Any resource type under the AWS Cloud Control API that supports both read and list operations is supported in Cortex.
Creating your policy
- The first step is to identify your AWS resource type. You can find the full list under Supported Resource Types in the AWS documentation [AWS > Documentation > Cloud Control API > User Guide > Supported Resource Types].
- Once you have identified your resource type, navigate to your AWS account and open IAM [AWS account home page > All Services > Security, Identity, and Compliance > IAM].
- Next, navigate to Policies under Access Management in the left-hand menu.
- You can create a custom policy or use an existing policy, depending on your use case. This example creates a custom policy for RDS, which means every RDS subtype listed here will work with this policy:
- Select Create Policy and search for your specific service type.
- All available actions are displayed. Cortex only needs the Read and List actions; all other access levels can be ignored. Select all List actions and all Read actions. (Note: DownloadCompleteDBLogFile and DownloadDBLogFilePortion under Read are optional for this RDS example, but each resource type may differ.)
- Alternatively, toggle to the JSON view and add “rds:list*” and “rds:describe*” as shown in the screenshot below:
- Next, add your resources in the bottom-right corner. You can select all resources or only the specific resources relevant to your use case. Note: Cortex recommends selecting all to minimize the chance of running into issues.
- Select Next, name your policy, add a description (optional), and select Create Policy.
Note: For the resource types to be pulled into Cortex, you must also add them to the Cloud Control types field in the Settings section of the AWS integration.
Testing your policy
- You can test your policy to ensure it works as expected. Navigate to Roles in the left-hand menu.
- Click into the role, select Add Permissions, and add your new policy. The policy is now attached to the role and can be tested.
- Still under the role, select Simulate. Under User, select Role and add the role you attached the new policy to, then select the appropriate service (RDS in this example) and the actions to run against it. Click Simulate and verify the results.
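The following is an added example, not code from the article or from Cortex, covering both the policy-creation steps above (the JSON-view alternative of adding “rds:list*” and “rds:describe*”) and the testing steps. It builds the read-only policy document as JSON for pasting into the IAM editor, lints it so that nothing beyond Read and List access slips in, and includes a small local approximation of the console's Simulate step. The function names, the Sid, and the list of read-only verb prefixes are assumptions of this example; the real authority on whether an action is allowed remains the IAM policy simulator.

```python
import fnmatch
import json

# Verb prefixes that only read or enumerate state. This list is constructed
# for the example (not from the article); check the IAM action table for
# each service you add, because verb naming differs between services.
READ_ONLY_VERB_PREFIXES = ("Describe", "List", "Get", "Download")


def read_only_actions(service_prefix: str) -> list[str]:
    """Wildcards equivalent to ticking every List and Read action in the
    console, i.e. the article's JSON alternative ("rds:list*", "rds:describe*")."""
    return [f"{service_prefix}:Describe*", f"{service_prefix}:List*"]


def build_policy(service_prefixes, resources=("*",)) -> dict:
    """Return an IAM policy document allowing read/list on each service prefix.
    Resources default to "*" because the article recommends selecting all."""
    actions = []
    for prefix in service_prefixes:
        actions.extend(read_only_actions(prefix))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CortexCloudControlReadOnly",  # constructed Sid
                "Effect": "Allow",
                "Action": sorted(actions),
                "Resource": list(resources),
            }
        ],
    }


def _statement_actions(statement: dict) -> list[str]:
    """IAM allows "Action" to be a single string or a list; normalise to a list."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def find_mutating_actions(policy: dict) -> list[str]:
    """Lint: return every Allow action that is not read/list-style.
    Flags '*', 'rds:*' and verbs such as Create, Modify or Delete, so a
    policy meant for an inventory integration cannot silently grant writes."""
    flagged = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for action in _statement_actions(statement):
            verb = action.split(":", 1)[1] if ":" in action else action
            if verb == "*" or not verb.startswith(READ_ONLY_VERB_PREFIXES):
                flagged.append(action)
    return flagged


def action_allowed(policy: dict, action: str) -> bool:
    """Local approximation of the console's Simulate step: IAM action matching
    is case-insensitive and '*' is a wildcard; an explicit Deny wins over Allow.
    Resource ARNs and Condition blocks are not modelled here."""
    allowed = False
    for statement in policy["Statement"]:
        for pattern in _statement_actions(statement):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if statement.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


def policy_json(policy: dict) -> str:
    """Serialise the document for pasting into the IAM JSON editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_policy(["rds"])
    print(policy_json(policy))
    print("mutating actions:", find_mutating_actions(policy))
    for probe in ("rds:DescribeDBInstances", "rds:ListTagsForResource", "rds:DeleteDBInstance"):
        verdict = "allowed" if action_allowed(policy, probe) else "implicitly denied"
        print(f"{probe}: {verdict}")
```

Paste the printed document into the JSON view of the Create Policy page, then confirm the result against the real simulator (the Simulate step described above, or `aws iam simulate-principal-policy` with the role ARN and the action names), since the local check above ignores resource and condition constraints.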