Prerequisites for Onboarding AWS

Overview

The following information is important to understanding how Illumio interacts with AWS.

Service Accounts in the CloudSecure Context

Within the CloudSecure platform, a "service account" refers to an account used by CloudSecure to interact with its own services (CloudSecure services) rather than directly with your AWS services. This account is primarily used for internal operations within CloudSecure, such as making API calls to the CloudSecure platform, and is separate from AWS IAM roles and permissions.

The IAM Role for AWS

For reading the current state of AWS resources, and writing security groups to the customer's AWS accounts, CloudSecure requires the creation of an identity and access management (IAM) role within the customer's AWS account. CloudSecure assumes this IAM role to perform actions in AWS, such as reading resources and managing policies. This is consistent with Amazon's recommended practice of using cross-account roles for granting external services access to AWS resources. The IAM role ensures secure and scoped access in accordance with the principle of least privilege.

AWS IAM Permissions

To onboard your AWS account into CloudSecure, you will need to use the CloudFormation Stack to create an IAM role within your AWS account, which CloudSecure will assume to make API calls. This role must be granted permissions to specific AWS resources for CloudSecure to provide visibility and manage policies for those resources. It is important to note that CloudSecure relies on the cross-account role assumption methodology. Ensure that you regularly check this page for updates, as new policies may be required in the future.

CloudSecure IAM Role Configuration

To facilitate CloudSecure's access to your AWS environment, you must create an IAM role specifically for CloudSecure within your AWS account. This role must be assigned the following policies:

  • SecurityAudit (managed by AWS): Permissions in this policy are required for CloudSecure to read the resources in your AWS account.
  • IllumioCloudAWSIntegrationPolicy: Permissions in this policy are required for CloudSecure to read the resources in your AWS account.
  • IllumioCloudAWSProtectionPolicy: Permissions in this policy are required for CloudSecure to write policies for your AWS account.

Read Only Policy

The following items are AWS IAM read permissions that you will need to grant to the Illumio AssumeRole:

ManagedPolicyArns: ["arn:aws:iam::aws:policy/SecurityAudit"]

Policies:
  - PolicyName: IllumioCloudAWSIntegrationPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Resource: '*'
          Action:
            - 'apigateway:GET'
            - 'autoscaling:Describe*'
            - 'cloudtrail:DescribeTrails'
            - 'cloudtrail:GetTrailStatus'
            - 'cloudtrail:LookupEvents'
            - 'cloudwatch:Describe*'
            - 'cloudwatch:Get*'
            - 'cloudwatch:List*'
            - 'codedeploy:List*'
            - 'codedeploy:BatchGet*'
            - 'directconnect:Describe*'
            - 'dynamodb:List*'
            - 'dynamodb:Describe*'
            - 'ec2:Describe*'
            - 'ecs:Describe*'
            - 'ecs:List*'
            - 'elasticache:Describe*'
            - 'elasticache:List*'
            - 'elasticfilesystem:DescribeAccessPoints'
            - 'elasticfilesystem:DescribeFileSystems'
            - 'elasticfilesystem:DescribeTags'
            - 'elasticloadbalancing:Describe*'
            - 'elasticmapreduce:List*'
            - 'elasticmapreduce:Describe*'
            - 'es:ListTags'
            - 'es:ListDomainNames'
            - 'es:DescribeElasticsearchDomains'
            - 'fsx:DescribeFileSystems'
            - 'fsx:ListTagsForResource'
            - 'health:DescribeEvents'
            - 'health:DescribeEventDetails'
            - 'health:DescribeAffectedEntities'
            - 'kinesis:List*'
            - 'kinesis:Describe*'
            - 'lambda:GetPolicy'
            - 'lambda:List*'
            - 'logs:TestMetricFilter'
            - 'logs:DescribeSubscriptionFilters'
            - 'organizations:Describe*'
            - 'organizations:List*'
            - 'rds:Describe*'
            - 'rds:List*'
            - 'redshift:DescribeClusters'
            - 'redshift:DescribeLoggingStatus'
            - 'route53:List*'
            - 's3:GetBucketLogging'
            - 's3:GetBucketLocation'
            - 's3:GetBucketNotification'
            - 's3:GetBucketTagging'
            - 's3:ListAllMyBuckets'
            - 'sns:List*'
            - 'sqs:ListQueues'
            - 'states:ListStateMachines'
            - 'states:DescribeStateMachine'
            - 'support:DescribeTrustedAdvisor*'
            - 'support:RefreshTrustedAdvisorCheck'
            - 'tag:GetResources'
            - 'tag:GetTagKeys'
            - 'tag:GetTagValues'
            - 'xray:BatchGetTraces'
            - 'xray:GetTraceSummaries'

Write Policy

The following items are AWS IAM write permissions that you will need to grant to the Illumio AssumeRole.

  - PolicyName: IllumioCloudAWSProtectionPolicy
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Resource:
            - 'arn:aws:ec2:*:*:security-group-rule/*'
            - 'arn:aws:ec2:*:*:security-group/*'
          Action:
            - 'ec2:AuthorizeSecurityGroupIngress'
            - 'ec2:RevokeSecurityGroupIngress'
            - 'ec2:UpdateSecurityGroupRuleDescriptionsIngress'
            - 'ec2:AuthorizeSecurityGroupEgress'
            - 'ec2:RevokeSecurityGroupEgress'
            - 'ec2:UpdateSecurityGroupRuleDescriptionsEgress'
            - 'ec2:ModifySecurityGroupRules'
            - 'ec2:DescribeTags'
            - 'ec2:CreateTags'
            - 'ec2:DeleteTags'

FLOW READ Policy

  • 's3:ListBucket'
  • 's3:ListBucketVersions'
  • 's3:GetBucketLocation'
  • 's3:GetObject'

Handling Encrypted VPC Flow Logs

If server-side encryption with KMS keys (SSE-KMS) is enabled for the S3 bucket, CloudSecure requires additional permissions for the log delivery service to be added to the KMS key before enabling flow logs.

To allow the log delivery service to write VPC Flow Logs to the designated S3 bucket, the AWS Logs Delivery System must be granted the Encrypt, Decrypt, ReEncrypt*, GenerateDataKey*, and DescribeKey actions on the key that is used to encrypt the data in the S3 bucket. Below is an example key policy statement showing the necessary permissions in place; the SourceAccount and SourceArn conditions restrict the grant to log delivery from your own account.

{
  "Sid": "Allow Log Delivery to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "delivery.logs.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "<account-id>"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:logs:<region>:<account-id>:*"
    }
  }
}
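The following is an added example (not Illumio's code) that audits a KMS key policy for the log delivery statement described above: it confirms the listed actions are granted to delivery.logs.amazonaws.com and that the aws:SourceAccount and aws:SourceArn conditions are present, since without them the grant is not scoped to your own account's log delivery. The sample policy, account id and region are constructed placeholders.

```python
import fnmatch
import json

# Concrete actions behind the page's list (kms:ReEncrypt* and
# kms:GenerateDataKey* expanded) that log delivery needs on the key.
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]
LOG_DELIVERY = "delivery.logs.amazonaws.com"

# Constructed sample mirroring the page's statement; account id and region are placeholders.
SAMPLE_KEY_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Sid": "Allow Log Delivery to use the key",
  "Effect": "Allow",
  "Principal": {"Service": "delivery.logs.amazonaws.com"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
             "kms:GenerateDataKey*", "kms:DescribeKey"],
  "Resource": "*",
  "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-west-2:111122223333:*"}}
}]}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _granted(action, patterns):
    # IAM matches action names case-insensitively and allows '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_log_delivery_access(policy_json):
    """Findings for the delivery.logs.amazonaws.com statement; [] means ready."""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or LOG_DELIVERY not in services:
            continue
        findings = []
        missing = [a for a in REQUIRED_ACTIONS
                   if not _granted(a, _as_list(stmt.get("Action", [])))]
        if missing:
            findings.append("missing actions: " + ", ".join(missing))
        # Both conditions pin the key to this account's log delivery; without
        # them, delivery on behalf of any account could use it (confused deputy).
        cond = stmt.get("Condition", {})
        for operator, key in (("StringEquals", "aws:SourceAccount"), ("ArnLike", "aws:SourceArn")):
            if key not in cond.get(operator, {}):
                findings.append("no " + key + " condition")
        return findings
    return ["no Allow statement for " + LOG_DELIVERY]
```

Run it against the output of `aws kms get-key-policy` for the bucket's key before enabling flow logs; an empty list means the statement is in place.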

To read flows stored in encrypted buckets, the CloudSecure Assume Role requires access to the key used to encrypt the contents of the S3 bucket, since that key is what decrypts them. The following is the policy document required to gain access to the key and decrypt the flow logs; replace the Resource ARN with your KMS key ARN. Adding this permission allows the Assume Role created during onboarding to decrypt the contents of the bucket (in this case, the flow logs). No additional settings are required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:<region>:<account-id>:key/<key-id>"
      ]
    }
  ]
}

The following CloudFormation Template takes the Assume Role name and the KMS Key ARNs as input and grants the decrypt permission on the KMS keys to the Assume Role.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Grant Decrypt permission on KMS key for Cloudsecure's Assume Role"

Parameters:
  IAMRoleName:
    Type: String
    Description: IAM Role name used by Cloudsecure.
  KMSKeyARNs:
    Type: CommaDelimitedList
    Description: List of KMS Key ARNs.

Resources:
  IllumioKMSDecryptPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: IllumioKMSDecrypt
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Sid: IllumioKMSKeyAccess
            Action:
              - 'kms:Decrypt'
            Resource: !Ref KMSKeyARNs
      Roles:
        - !Ref IAMRoleName

For more information, see the following AWS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html#cross-account-use

Flow Logs

Supported Flow Log Fields

Illumio CloudSecure uses the following fields in the logs: srcaddr, srcport, dstaddr, dstport, protocol, action, bytes, start, log-status, packets, tcp-flags*, interface-id*, flow-direction*, pkt-srcaddr*, pkt-dstaddr*.

Fields marked with * are optional, but their absence limits functionality. It is strongly recommended that the log contain all of the fields listed above, which requires selecting Custom format for the Log record format option.

For example, you would choose the following from the list in AWS:

${action} ${bytes} ${dstaddr} ${dstport} ${end} ${flow-direction} ${interface-id} ${log-status} ${packets} ${pkt-dstaddr} ${pkt-srcaddr} ${protocol} ${srcaddr} ${srcport} ${start} ${tcp-flags}

All the required fields (i.e., those not marked with *) are in Version 2, the default AWS field set.
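As an added example (not Illumio's code), the parser below reads a text-format flow log file written with the custom format above, using the header line AWS emits for custom formats to map fields, and it checks a format string for the required and optional fields this page lists. The log lines, addresses and interface id are constructed sample data.

```python
import re

# Fields this page lists as used by CloudSecure; those it marks with * are optional.
REQUIRED_FIELDS = {"srcaddr", "srcport", "dstaddr", "dstport", "protocol",
                   "action", "bytes", "start", "log-status", "packets"}
OPTIONAL_FIELDS = {"tcp-flags", "interface-id", "flow-direction",
                   "pkt-srcaddr", "pkt-dstaddr"}
INT_FIELDS = {"srcport", "dstport", "protocol", "bytes", "packets",
              "start", "end", "tcp-flags"}

# Constructed sample: the custom format from this page, then a text-format log
# file whose first line is the field header AWS writes for custom formats.
# Addresses, interface id and timestamps are constructed test values.
CUSTOM_FORMAT = ("${action} ${bytes} ${dstaddr} ${dstport} ${end} ${flow-direction} "
                 "${interface-id} ${log-status} ${packets} ${pkt-dstaddr} ${pkt-srcaddr} "
                 "${protocol} ${srcaddr} ${srcport} ${start} ${tcp-flags}")
SAMPLE_LOG = """\
action bytes dstaddr dstport end flow-direction interface-id log-status packets pkt-dstaddr pkt-srcaddr protocol srcaddr srcport start tcp-flags
ACCEPT 5200 10.0.1.20 443 1700000060 ingress eni-0abc123 OK 12 10.0.1.20 203.0.113.7 6 203.0.113.7 51532 1700000000 2
REJECT 0 10.0.1.20 22 1700000060 ingress eni-0abc123 OK 1 10.0.1.20 198.51.100.9 6 198.51.100.9 40012 1700000000 2
- - - - 1700000060 - eni-0abc123 NODATA - - - - - - 1700000000 -
"""

def format_fields(format_string):
    """Field names, in order, from a ${...} custom record format string."""
    return re.findall(r"\$\{([a-z-]+)\}", format_string)

def check_format(format_string):
    """Return (missing required fields, missing optional fields) for a format."""
    present = set(format_fields(format_string))
    return sorted(REQUIRED_FIELDS - present), sorted(OPTIONAL_FIELDS - present)

def parse_flow_log(text):
    """Parse a text-format flow log file into dicts, keeping only records with a flow."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        values = line.split()
        if len(values) != len(header):
            continue  # field count does not match the header: malformed line
        rec = {k: (None if v == "-" else v) for k, v in zip(header, values)}
        if rec.get("log-status") != "OK":
            continue  # NODATA / SKIPDATA records carry no flow to map
        for k in INT_FIELDS & set(header):
            if rec[k] is not None:
                rec[k] = int(rec[k])
        records.append(rec)
    return records
```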

Flow Log Support Notes

For instructions on setting up flow logs, see Set up Flow Logs in Grant Flow Log Access to Your CSPs.

  • Only the default "text" format is supported for S3 storage of flow logs
  • There is no support for the "Hive-compatible S3 prefix"
  • There is currently no support for the "optional prefix" (customer path prefix inside the S3 bucket) for flow log destinations
  • How CloudSecure fetches the flow logs depends on your configuration (e.g., a central account or multiple accounts)
  • Every 10 minutes the map ingests traffic flows in 60-minute chunks. Flows are shown only for completed chunks. This means that if flow log access has just been enabled, you would need to wait at least an hour to see the flows in the Cloud Map, Traffic, and Inventory pages. However, if you enabled flow log access some time ago and already have previous 60-minute flow chunks, you would see the updated flow within 10 minutes.

CloudSecure IP Addresses for Flow Log Access

CloudSecure uses TCP port 443 to access your flow logs, so open that port for the IP addresses listed in this section.

CloudSecure Control Plane (For All AWS Regions)

The CloudSecure control and data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound/outbound allowed list:

  • 35.167.22.34
  • 52.88.124.247
  • 52.88.88.252

CloudSecure US West Data Plane for AWS

The CloudSecure US West data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allowed list for the AWS regions listed below.

  • 35.163.224.94
  • 44.226.137.227
  • 54.190.103.0

AWS Regions Requiring the Above IPs for US West Data Plane

  • eu-central-2
  • il-central-1
  • me-south-1
  • me-central-1
  • sa-east-1
  • us-west-1
  • us-west-2
  • us-gov-east-1
  • us-gov-west-1
  • ca-central-1
  • ca-west-1
  • af-south-1
  • ap-east-1
  • ap-south-1
  • ap-south-2
  • ap-southeast-1
  • us-east-2
  • ap-southeast-3
  • ap-southeast-4
  • ap-southeast-5
  • ap-southeast-6
  • ap-southeast-7
  • cn-north-1
  • cn-northwest-1
  • ap-northeast-1
  • ap-northeast-2
  • ap-northeast-3
  • eu-central-1
  • eu-west-1
  • eu-west-3
  • eu-south-1
  • eu-south-2
  • eu-north-1
  • us-east-1

CloudSecure EU West (UK) Data Plane for AWS

The CloudSecure UK data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allowed list for the AWS regions listed below:

  • 18.169.5.9
  • 13.41.233.77
  • 18.169.6.17

AWS Regions Requiring the Above IPs for EU West (UK) Data Plane

  • eu-west-2

CloudSecure APAC Data Plane for AWS

The CloudSecure APAC data plane uses the following public IP addresses to reach customer networks, so add them to your firewall inbound allowed list for the AWS regions listed below:

  • 13.54.140.138/32
  • 52.63.108.169/32
  • 52.64.120.98/32

AWS Regions Requiring the Above IPs for APAC Data Plane

  • ap-southeast-2

Background

When you start the onboarding process and begin creating IAM roles from the CloudSecure user interface, the restricted area console lets you run the stack. The following operations will occur at that time:

  • Creation of a role for Lambda execution function with new permissions
  • Creation of a role for Illumio to talk to AWS
  • Creation of a Lambda function
  • Creation of a custom resource for Lambda invocation
  • Return of the Amazon Resource Name (ARN) and external ID via the Lambda function role back to CloudSecure

Note that the Lambda role must not be deleted after onboarding. If it is removed, the roles will be deleted along with it, which prevents CloudSecure from synchronizing resources from the cloud.

Updating Permissions on Assume Role

CloudSecure can update and modify EC2 security groups on a continuous basis. Use these steps to provide CloudSecure with permissions for newly added resources.

  1. Download the CFT template used to update permissions from this link: https://cloudsecure-onboarding-templates.s3.us-west-2.amazonaws.com/cloudsecure/aws-policy-update.yaml
  2. Log in to the AWS console of the account whose permissions you need to update, where you will run the CloudFormation stack.
  3. Under Services, click CloudFormation.
  4. Click Create StackSet.
  5. On the Choose template page, select the "Template is ready" and "Upload a template file" options, upload the downloaded template, and click Next.
  6. On the Specify stackset details page, enter the stack name. The stack name must be unique and must not be the name used for a previous stack.
  7. In the IAMRoleName box, enter the name of the assume role created in AWS when onboarding with CloudSecure. By default, the name is IllumioCloudIntegrationRole. Click Next.
  8. If you gave the role a different name during onboarding, enter that same name. (You can verify the name by going to Services > IAM > Roles and finding the role.)
  9. Click Continue and, on the Review page, select the acknowledgment check box and click Submit.

The stack will run and add the newly required permissions to the role.

Handling Failures or Other Errors

CloudFormation Template Failures

In the event of a CFT failure, perform the following steps:

  1. Completely delete the previous deployment stack.
  2. Ensure that the stack name and resources being created are not already present.

If these steps are not done, the CFT will continue to fail.