Creating an IAM GroupΒΆ

When thinking about who on your team will be deploying BinaryAlert, we recommend creating an IAM group with least-privilege permissions and adding users to that group.

The following is an example Terraform file that can be applied by an account admin outside of the BinaryAlert repo to create a least-privilege group. This group will have permission to create, modify, and destroy all of the BinaryAlert infrastructure:

# ========== Variables ==========

variable "account" {
  default = "123412341234"  # Replace with your account ID
}

variable "region" {
  default = "us-east-1"  # Region in which BinaryAlert will be deployed
}

variable "prefix" {
  default = "binaryalert-prefix"  # The name prefix you will use when deploying BinaryAlert
}

# ========== IAM policy ==========

data "aws_iam_policy_document" "binaryalert_admin" {
  statement {
    effect = "Allow"

    actions = [
      "cloudwatch:DeleteAlarms",
      "cloudwatch:DeleteDashboards",
      "cloudwatch:DescribeAlarms",
      "cloudwatch:PutMetricAlarm",
    ]

    resources = ["*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["cloudwatch:*"]
    resources = ["arn:aws:cloudwatch::${var.account}:dashboard/BinaryAlert"]
  }

  statement {
    effect    = "Allow"
    actions   = ["dynamodb:*"]
    resources = ["arn:aws:dynamodb:${var.region}:${var.account}:table/${var.prefix}_binaryalert*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["events:*"]
    resources = ["arn:aws:events:${var.region}:${var.account}:rule/${var.prefix}_binaryalert*"]
  }

  statement {
    effect  = "Allow"
    actions = ["iam:*"]

    resources = [
      "arn:aws:iam::${var.account}:policy/${var.prefix}_binaryalert*",
      "arn:aws:iam::${var.account}:role/${var.prefix}_binaryalert*",
    ]
  }

  statement {
    effect = "Allow"

    actions = [
      "iam:Get*",
      "iam:List*",
    ]

    resources = ["*"]
  }

  # This allows users to create a new KMS key for CarbonBlack credentials
  statement {
    effect = "Allow"

    actions = [
      "kms:CreateKey",
      "kms:Describe*",
      "kms:Get*",
      "kms:List*",
    ]

    resources = ["*"]
  }

  statement {
    effect  = "Allow"
    actions = ["kms:*"]

    resources = [
      "arn:aws:kms:${var.region}:${var.account}:alias/${var.prefix}_binaryalert*",

      # NOTE: Once a new key is generated, add permissions to use that key here:
      # "arn:aws:kms:${var.region}:${var.account}:key/KEY-UUID",
    ]
  }

  statement {
    effect    = "Allow"
    actions   = ["lambda:*"]
    resources = ["arn:aws:lambda:${var.region}:${var.account}:function:${var.prefix}_binaryalert*"]
  }

  statement {
    effect = "Allow"

    actions = [
      "logs:Describe*",
      "logs:Get*",
      "logs:List*",
    ]

    resources = ["*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["logs:*"]
    resources = ["arn:aws:logs:${var.region}:${var.account}:log-group:/aws/lambda/${var.prefix}_binaryalert*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = ["arn:aws:s3:::${replace(var.prefix, "_", ".")}.binaryalert*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["sns:*"]
    resources = ["arn:aws:sns:${var.region}:${var.account}:${var.prefix}_binaryalert*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["sqs:*"]
    resources = ["arn:aws:sqs:${var.region}:${var.account}:${var.prefix}_binaryalert*"]
  }
}

resource "aws_iam_policy" "binaryalert_admin" {
  name        = "binaryalert_admin_policy"
  description = "Policy for managing BinaryAlert"
  policy      = "${data.aws_iam_policy_document.binaryalert_admin.json}"
}


# ========== IAM Group ==========

resource "aws_iam_group" "binaryalert_admin" {
  name = "BinaryAlertAdmin"
}

resource "aws_iam_group_policy_attachment" "custom_policy" {
  group      = "${aws_iam_group.binaryalert_admin.name}"
  policy_arn = "${aws_iam_policy.binaryalert_admin.arn}"
}

Once you terraform apply to create the IAM group, you can add new or existing users to the group (manually or with Terraform).