Update AWS IAM Roles
This document is intended for Managed Detection and Response customers who need to review and adjust their credentials. Complete these instructions to ensure your environment is properly discovered.
Periodically, Alert Logic updates the policy documents used for the IAM roles that are required for Amazon Web Services (AWS) deployments. These updates, which Alert Logic announces in Alert Logic Console Release Notes, support new features and ensure your deployments continue to monitor your AWS assets.
When Alert Logic detects that an AWS deployment is using an outdated policy, it generates a Remediations view. You can find this view in the Exposures and Health pages, under the Response group in the Alert Logic console.
Copy the current policy document from the Alert Logic console
If an IAM role policy document needs to be updated, complete this procedure to copy the current one from the Alert Logic console.
To copy the current policy document:
- In the Alert Logic console, click the menu icon to see the navigation menu.
- Click Configuration, and then click Deployments.
- Click the relevant deployment tile, and then on the left navigation, under Access to AWS Account, click Setting up a Role.
- On the main pane, under the IAM Policy and Role Setup section, click Manual IAM Setup.
- Under Step 2e, click Copy Policy.
Update your IAM role in the AWS console
After you copy the policy document, the last step is to update the IAM role in the AWS console.
To update an IAM role:
- In the AWS IAM Management Console, click Roles. This step specifies Roles rather than Policies because, if you set up the IAM role with a CloudFormation template, the role policy is an inline policy that can be accessed only from Roles.
- From the list of your roles, click the role you want to update. If you do not know the name of the role, you can find it in the Alert Logic console. Access the deployment, and then on the left navigation area, under Access to AWS Account, click Role ARN. The role name is the portion of the ARN after the string "role/". For example, if the ARN is “arn:aws:iam::123456789012:role/cloud-insight”, the role name is “cloud-insight”.
- Click the Role name you want to update.
- In the Edit policy window, click the JSON tab.
- Search for AllowDecryptOfCloudTrailKey.
- If it is found in your old policy, you have configured KMS encryption for CloudTrail and MUST carry the permission to decrypt the CloudTrail logs over into the updated IAM role policy document. For example:

```json
{
  "Sid": "AllowDecryptOfCloudTrailKey",
  "Action": [
    "kms:Decrypt"
  ],
  "Effect": "Allow",
  "Resource": "[KMS KEY]"
}
```
- Paste the updated policy document, which you copied from the Alert Logic console, into the JSON window to replace the old information.
- Click Review policy to verify no errors are detected.
- Click Save changes.
You can also expand the policy listed under the Permissions tab and click the edit button on the right.
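As an added illustration (not part of Alert Logic's documentation or tooling), the following script performs the check from the procedure above: it looks for the AllowDecryptOfCloudTrailKey statement in the policy currently attached to the role and carries it into the updated policy document before you paste it. Both policy documents, the statement contents and the KMS key ARN are constructed samples.

```python
import json
import copy

# Constructed sample: the policy currently attached to the role (old),
# which includes the CloudTrail KMS decrypt statement.
OLD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyDiscovery", "Effect": "Allow",
         "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Sid": "AllowDecryptOfCloudTrailKey", "Effect": "Allow",
         "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"},
    ],
}

# Constructed sample: the updated policy copied from the console, which
# does not know about your KMS key and so lacks the decrypt statement.
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyDiscovery", "Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:GetBucketLocation"], "Resource": "*"},
    ],
}

CLOUDTRAIL_SID = "AllowDecryptOfCloudTrailKey"


def find_statement(policy, sid):
    """Return the statement with the given Sid, or None if absent."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Sid") == sid:
            return stmt
    return None


def merge_cloudtrail_decrypt(old_policy, new_policy):
    """Return a copy of new_policy with the CloudTrail decrypt statement
    from old_policy appended when old_policy has it and new_policy lacks it."""
    merged = copy.deepcopy(new_policy)
    old_stmt = find_statement(old_policy, CLOUDTRAIL_SID)
    if old_stmt is not None and find_statement(merged, CLOUDTRAIL_SID) is None:
        merged["Statement"].append(copy.deepcopy(old_stmt))
    return merged


if __name__ == "__main__":
    # Print the document you would paste into the JSON tab of the role policy.
    print(json.dumps(merge_cloudtrail_decrypt(OLD_POLICY, NEW_POLICY), indent=2))
```

In practice, load the old policy from the JSON tab of the role and the new one from the text copied with Copy Policy, then paste the printed result.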
Perform this procedure for every IAM role you need to update. You can also contact Alert Logic Support for further guidance or assistance.