STIGs Configuration Guide
1. Introduction
- ASCERA needs a valid Role ARN and the S3 bucket name in order to access the STIG report file for analysis.
2. Prerequisites
- An AWS account in which you have permission to create IAM roles and policies and to read the S3 bucket that holds the report
- Ask ASCERA for its AWS Account ID and the ARN of the IAM user that will assume the role
3. STIGs Setup Guide
3.1 In Customer AWS Account
Create a cross-account IAM role that ASCERA can assume
- Go to IAM -> Roles -> Create role
- Choose Trusted entity type: Another AWS account
- Enter the ASCERA AWS Account ID
- Click Next
- Add Permissions
- Attach a policy that gives read access to the S3 bucket (or a specific bucket prefix). For example:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowReadOnlyAccessToBucket",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::YOUR_BUCKET_NAME",
          "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        ]
      }
    ]
  }
- Click Next
- Provide the Role details
  - Example Role name: AsceraS3ReadAccessRole
- Click Create role
- After the role is created, copy its ARN; it has the form:
  arn:aws:iam::YOUR_ACCOUNT_ID:role/AsceraS3ReadAccessRole
- Verify or Modify Trust Policy
- Edit the trust relationship of the role so that only ASCERA's IAM user can assume it, not the whole ASCERA account. The "Another AWS account" choice in the console wizard trusts the account root (arn:aws:iam::ASCERA_ACCOUNT_ID:root), which lets any principal in that account with sts:AssumeRole permission use the role, so this step must not be skipped.
- Example trust policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::ASCERA_ACCOUNT_ID:user/ASCERA_S3_READ_USERNAME"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
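As an added example (not part of this guide and not ASCERA's own tooling), the following Python script builds the two policy documents above from the values exchanged with ASCERA and checks a policy you already have against what the guide intends: the trust policy names a single IAM user rather than a whole account, and the S3 policy grants only s3:GetObject and s3:ListBucket on the report bucket. It also produces the prefix-scoped variant of the permissions policy mentioned in the Add Permissions step. The account ID, username, bucket name and the `stig-reports` prefix are constructed placeholders, and the optional `external_id` parameter is an assumption of this example (the guide does not mention an ExternalId); use it only if ASCERA supports passing one when it calls AssumeRole.

```python
"""Build and sanity-check the IAM policy documents from the STIGs guide.

Added example, not ASCERA's tooling. Every ID below is a constructed placeholder.
"""
import json
import re

# Constructed placeholders: substitute the values exchanged with ASCERA.
ASCERA_ACCOUNT_ID = "111111111111"
ASCERA_S3_READ_USERNAME = "ASCERA_S3_READ_USERNAME"
BUCKET = "YOUR_BUCKET_NAME"

READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
USER_ARN = re.compile(r"arn:aws:iam::\d{12}:user/[\w+=,.@/-]+")
# Account root ARN, bare account ID and "*" all trust far more than one user.
WHOLE_ACCOUNT = re.compile(r"(arn:aws:iam::\d{12}:root|\d{12}|\*)")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return [value] if isinstance(value, str) else list(value or [])


def _aws_principals(stmt):
    """Extract the AWS principals of a statement; Principal may be "*" or a dict."""
    principal = stmt.get("Principal", {})
    return _as_list(principal) if isinstance(principal, str) else _as_list(principal.get("AWS"))


def permissions_policy(bucket, prefix=None):
    """Read-only access to the report bucket, optionally limited to one prefix.

    With a prefix, ListBucket is constrained via the s3:prefix condition key
    and GetObject is limited to objects under that prefix.
    """
    list_stmt = {"Sid": "AllowListBucket", "Effect": "Allow",
                 "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"}
    object_arn = f"arn:aws:s3:::{bucket}/*"
    if prefix:
        prefix = prefix.strip("/") + "/"
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
        object_arn = f"arn:aws:s3:::{bucket}/{prefix}*"
    get_stmt = {"Sid": "AllowGetReports", "Effect": "Allow",
                "Action": "s3:GetObject", "Resource": object_arn}
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


def trust_policy(account_id, username, external_id=None):
    """Trust only the named IAM user in ASCERA's account, not the account itself.

    external_id is this example's assumption (the guide does not mention one):
    it adds the usual third-party ExternalId check on sts:AssumeRole.
    """
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{username}"},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def trust_policy_findings(policy):
    """Return problems with a trust policy; an empty list means it matches the guide."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            if WHOLE_ACCOUNT.fullmatch(principal):
                findings.append(f"principal {principal!r} trusts a whole account or everyone")
            elif not USER_ARN.fullmatch(principal):
                findings.append(f"principal {principal!r} is not an IAM user ARN")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action {action!r} in trust policy")
    return findings


def permissions_policy_findings(policy, bucket):
    """Return actions or resources that go beyond read access to the given bucket."""
    findings = []
    in_bucket = re.compile(rf"arn:aws:s3:::{re.escape(bucket)}(/.*)?")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"action {action!r} goes beyond read-only access")
        for resource in _as_list(stmt.get("Resource")):
            if not in_bucket.fullmatch(resource):
                findings.append(f"resource {resource!r} is outside bucket {bucket!r}")
    return findings


if __name__ == "__main__":
    print(json.dumps(permissions_policy(BUCKET, "stig-reports"), indent=2))
    print(json.dumps(trust_policy(ASCERA_ACCOUNT_ID, ASCERA_S3_READ_USERNAME), indent=2))
```

Write the two documents to files and apply them with the AWS CLI instead of the console if you prefer: `aws iam create-role --role-name AsceraS3ReadAccessRole --assume-role-policy-document file://trust.json`, then `aws iam put-role-policy --role-name AsceraS3ReadAccessRole --policy-name AsceraS3Read --policy-document file://permissions.json` (the inline policy name is an arbitrary choice here). To review a role that already exists, pass the JSON from `aws iam get-role --role-name AsceraS3ReadAccessRole --query Role.AssumeRolePolicyDocument` to `trust_policy_findings`; a finding about an account root principal means the trust relationship was left at the console default and still needs the Verify or Modify Trust Policy step.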