As a cloud account admin, you must first establish a trust relationship between your Carbon Black Cloud account and your customer’s AWS account so that Carbon Black Cloud can communicate with the customer’s account when needed.

Although there is an AWS tutorial on how to create that cross-account trust between AWS accounts with an IAM role, this procedure includes some additional setup in the AWS Management console for the AWS account that you onboard to the Carbon Black Cloud. For the AWS tutorial, see IAM tutorial: Delegate access across AWS accounts using IAM roles.

To let Carbon Black Cloud access resources in your customer’s AWS account, such as pulling an inventory of resources from that account, you must create an IAM role, identified by its Amazon Resource Name (ARN), in that AWS account. For details on IAM ARNs, see IAM identifiers.

While creating the role, attach the SecurityAudit policy. Then define the external ID for the account and the ARN of the Carbon Black Public Cloud service (pc-aws-collector service) that communicates with the AWS account. For details on external ID usage, see How to use an external ID when granting access to your AWS resources to a third party.

You create this role before onboarding the AWS account.

Procedure

  1. Log in to the AWS Management console and navigate to the IAM dashboard.
  2. Locate the 12-digit AWS Account number (ID) by clicking Support > Support Center. The account ID appears in the Support Center navigation pane. Record the account ID for a future step.
  3. From the left navigation pane, select Roles > Create role.
  4. On the Create role page, select Another AWS account as the type of trusted entity.
    1. Enter the Account ID of the Carbon Black Cloud AWS account that can use this role.
      For example, 605728677638.
    2. In Options, select Require external ID and provide the External ID, which is automatically generated in the Carbon Black Cloud console.
      For example, 8ddd09d7-719f-50ca-1982-8f4025568265.
      You retrieve the external ID by logging in to the Carbon Black Cloud console, navigating to Settings > AWS Accounts, and selecting the Add Account option.

      Carbon Black Cloud generates an external ID for every organization in your environment. You use the same external ID for all accounts that belong to the same organization.

  5. Click Next:Permissions and select the SecurityAudit policy.
    The SecurityAudit policy gives you read-only permissions to the AWS resources.
  6. Click Next:Tags and add a tag if needed.
  7. Click Next:Review, enter a user-friendly Role name, and select Create role.
    The new role gets listed in the Role name column.
  8. Select the newly created role and click Trust relationships > Edit trust relationship.
    The JSON policy document opens.
  9. Locate the Principal > AWS field and enter the AWS collector service role ARN that matches your Carbon Black Cloud Point of Presence (Region) from the following table.
     Region  | Carbon Black Cloud Login URL              | ARN Role
     US      |                                           | arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-us-east-1-pod
     Europe  | https://defense-eu.conferdeploy.net       | arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-eu-central-1-pod
     Tokyo   | https://defense-prodnrt.conferdeploy.net/ | arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-ap-northeast-1-pod
     Sydney  | https://defense-prodsyd.conferdeploy.net/ | arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-ap-southeast-2-pod
  10. Select Update Trust Policy.
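The trust policy this procedure produces, together with a check that it has the shape the steps call for (collector role ARN as the principal, sts:ExternalId condition present), as an added Python example that is not part of this documentation. The role ARNs and the sample external ID are the values shown above; the function names, the finding strings and the wizard-default principal used in the check are assumptions of this example.

```python
import json

# Collector role ARNs from step 9, keyed by Carbon Black Cloud Point of Presence.
COLLECTOR_ARNS = {
    "US": "arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-us-east-1-pod",
    "Europe": "arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-eu-central-1-pod",
    "Tokyo": "arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-ap-northeast-1-pod",
    "Sydney": "arn:aws:iam::132308400445:role/mcs-psc-prod-cwp-pc-aws-collector-ap-southeast-2-pod",
}


def build_trust_policy(pop: str, external_id: str) -> dict:
    """Trust policy document as it should look after steps 9 and 10 (hypothetical helper)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": COLLECTOR_ARNS[pop]},
            "Action": "sts:AssumeRole",
            # The external ID from step 4.2 is what stops another tenant's
            # collector from assuming this role (the confused-deputy case).
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(doc: dict, external_id: str) -> list:
    """Return findings for every AssumeRole statement; an empty list means it matches the procedure."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        for p in principals:  # flags the wizard's default account root, or "*"
            if p not in COLLECTOR_ARNS.values():
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy("US", "8ddd09d7-719f-50ca-1982-8f4025568265"), indent=2))
```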

What to do next

Add the AWS account in the Carbon Black Cloud console to view inventory information for its EC2 instances and all metadata associated with those instances.