Skip to main content

Creating a policy and adding an AWS Hypersync user

Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance meeting the requirements to integrate with Hyperproof and collect the proof you need.

Tip

If you prefer, you can also provision and use a group or a role rather than an individual user.

Introduction

AWS Hypersyncs use a variety of AWS Actions to collect proof. The information in the table below allows AWS administrators to create a policy that matches the Hypersyncs used by their compliance team. An AWS administrator can either start from the policy in step 5 of the Creating a policy section below and remove permissions for Hypersyncs they won’t use, or they can construct a new policy file from scratch using the information in the table.

Use Case

Action(s)

Notes

Creating a connection using Access Key ID/Secret Access Key

  • iam:GetUser

Used to identify the connection.

Creating Hypersyncs for Amazon services that specify a region: Backup, EC2, EKS, Security Hub, VPC

  • ec2:DescribeRegions

Used to give a list of regions to select from while creating or editing a Hypersync.

Creating a connection using a cross-account role and multiple accounts

  • organizations:DescribeAccount

  • organizations:ListAccounts

  • resource-groups:SearchResources

  • tag:GetResources

Used to enumerate accounts, search by account number, and find accounts using tags.

AWS Backup Hypersyncs

  • backup:GetBackupPlan

  • backup:ListBackupJobs

  • backup:ListBackupPlans

  • backup:ListBackupSelections

Used to collect proof data.

EC2/VPC Hypersyncs

  • ec2:DescribeClientVpnEndpoints

  • ec2:DescribeImages

  • ec2:DescribeInstances

  • ec2:DescribeNetworkAcls

  • ec2:DescribeRegions

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSnapshots

  • ec2:DescribeSubnets

  • ec2:DescribeVolumes

  • ec2:DescribeVolumeStatus

  • ec2:DescribeVpcs

  • ssm:GetInventory

Used to collect proof data.

Security Hub Hypersyncs

  • securityhub:DescribeProducts

  • securityhub:DescribeStandards

  • securityhub:GetFindings

  • securityhub:GetInsights

  • securityhub:ListEnabledProductsForImport

Used to collect proof data.

EKS Hypersyncs

  • eks:DescribeCluster

  • eks:ListClusters

Used to collect proof data.

IAM Hypersyncs

  • iam:GetAccountAuthorizationDetails

  • iam:GetAccountPasswordPolicy

  • iam:GetGroup

  • iam:GetUser

  • iam:ListGroupPolicies

  • iam:ListGroups

  • iam:ListRoles

  • iam:ListSAMLProviders

  • iam:ListUsers

  • iam:ListVirtualMFADevices

  • ssm:GetInventory

Used to collect proof data.

Identity Center Hypersyncs

  • identitystore:ListUsers

  • sso:ListInstances

Used to collect proof data.

RDS Hypersyncs

  • rds:DescribeDBClusters

  • rds:DescribeDBInstances

Used to collect proof data.

S3 Hypersyncs

  • s3:GetBucketPolicyStatus

  • s3:GetBucketVersioning

  • s3:GetBucketObjectLockConfiguration

  • s3:GetBucketAcl

  • s3:GetEncryptionConfiguration

  • s3:GetReplicationConfiguration

  • s3:GetLifecycleConfiguration

  • s3:ListAllMyBuckets

  • s3:ListBucket

Used to collect proof data.

Creating a policy

  1. In the AWS Management Console, expand View all services.

  2. Below Security, Identity, & Compliance, click IAM.

    The IAM dashboard opens.

  3. From the left navigation window, expand Access management, and then click Policies.

  4. Click Create policy.

  5. Select the JSON tab, and then paste the file below.

    {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Sid": "ActionsForHyperproofHypersyncs",
             "Action": [
                 "backup:GetBackupPlan",
                 "backup:ListBackupJobs",
                 "backup:ListBackupPlans",
                 "backup:ListBackupSelections",
                 "ec2:DescribeClientVpnEndpoints",
                 "ec2:DescribeImages",
                 "ec2:DescribeInstances",
                 "ec2:DescribeNetworkAcls",
                 "ec2:DescribeRegions",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeSnapshots",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeVolumes",
                 "ec2:DescribeVolumeStatus",
                 "ec2:DescribeVpcs",
                 "eks:DescribeCluster",
                 "eks:ListClusters",
                 "iam:GetAccountAuthorizationDetails",
                 "iam:GetAccountPasswordPolicy",
                 "iam:GetGroup",
                 "iam:GetUser",
                 "iam:ListGroupPolicies",
                 "iam:ListGroups",
                 "iam:ListRoles",
                 "iam:ListSAMLProviders", 
                 "iam:ListUsers",
                 "iam:ListVirtualMFADevices",
                 "identitystore:ListUsers",
                 "organizations:DescribeAccount",
                 "organizations:ListAccounts",
                 "rds:DescribeDBClusters",
                 "rds:DescribeDBInstances",
                 "resource-groups:SearchResources",
                 "s3:GetBucketPolicyStatus",
                 "s3:GetBucketVersioning",
                 "s3:GetBucketObjectLockConfiguration",
                 "s3:GetBucketAcl",
                 "s3:GetEncryptionConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:GetLifecycleConfiguration",
                 "s3:ListAllMyBuckets",
                 "s3:ListBucket",
                 "securityhub:DescribeProducts",
                 "securityhub:DescribeStandards",
                 "securityhub:GetFindings",
                 "securityhub:GetInsights",
                 "securityhub:ListEnabledProductsForImport",
                 "ssm:GetInventory",
                 "sso:ListInstances",
                 "tag:GetResources"
             ], 
             "Effect": "Allow",
             "Resource": "*"
         }
       ]
    }
    
  6. Click Next.

  7. Enter a name for the policy and, optionally, a description.

  8. Optionally, add tags for the policy.

  9. Click Create Policy.

Creating a new user

  1. From the left navigation menu, expand Access management, and then click Users.

  2. Click Add users.

  3. In the User name field, enter a unique username, and then click Next.

  4. Select the Attach policies directly radio button.

  5. In the search bar, enter the name of the policy created in the previous section.

  6. Select the checkbox next to the policy name.

  7. Click Next.

  8. Optionally, add tags for the user.

  9. Review your choices, and then click Create user.