MCDControllerRole
Cross-account IAM role that allows Multicloud Defense to access your cloud account and take the necessary actions, for example, create EC2 instances, create load balancers, and change Route53 entries. The service principal is the Multicloud Defense-controller-account with an external ID applied. The IAM policy applied to the role is shown below (the controller role name used in this example is Multicloud Defense-controller-role). Values in angle brackets are placeholders for your environment.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"acm:DescribeCertificate",
"acm:ListCertificates",
"apigateway:Get",
"ec2:*",
"elasticloadbalancing:*",
"events:*",
"globalaccelerator:*",
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListRoleTags",
"logs:*",
"route53resolver:*",
"servicequotas:GetServiceQuota",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"wafv2:Get*",
"wafv2:List*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:GetRole",
"iam:ListRolePolicies",
"iam:GetRolePolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::<ciscomcd-account>:role/ciscomcd-controller-role"
]
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<S3Bucket>/*"
},
{
"Action": [
"iam:GetRole",
"iam:ListRolePolicies",
"iam:GetRolePolicy",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::<customer-account>:role/ciscomcd_firewall_role"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
]
}
Trust policy (service principal) attached to the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<ciscomcd-account>:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "ciscomcd-external-id"
}
}
}
]
}