To connect to the AWS accounts or regions that you want to protect, Clumio requires that certain resources are present in your AWS account. You can connect the Clumio service to your AWS account using one of the following deployment methods:
- CloudFormation Stack
- Terraform
The Clumio CloudFormation and Terraform templates follow the least-privilege model, in line with standard AWS Identity and Access Management (IAM) security guidelines.
Before you connect your AWS environment, verify the permission requirements below to ensure the connection process runs smoothly.
After you have met all the requirements, you are ready to connect your AWS environment by logging in to Clumio, going to AWS > Accounts, and selecting either CloudFormation or Terraform to connect your AWS account.
IAM permissions required to deploy the Clumio service through CloudFormation
To create the Clumio CloudFormation stack, use an IAM user account that has the permissions to deploy CloudFormation templates. The permission set defined in the IAM policy should grant the following permissions:
- Create, update, and delete Clumio CloudFormation stacks.
- Select the IAM CloudFormation service role that has permissions to create the AWS resources defined in the Clumio CloudFormation template.
This sample IAM policy grants the CloudFormation actions, plus the iam:PassRole and iam:ListRoles permissions needed to select the service role, to the IAM user account that creates the Clumio CloudFormation stack:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "iam:PassRole",
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "allowS3TemplateAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
If you attach this policy to an existing IAM user account, review the other policies that are attached to the user account to avoid conflicts that can be caused by explicit deny permissions.
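The explicit-deny conflict described above can be checked before the stack is created. The following added example (not Clumio's code) models the IAM rule that a matching Deny in any attached policy overrides an Allow in any other, and runs the page's sample deploy policy together with two constructed guardrail policies against the requests the connect flow makes. The role name, account ID, stack ARN and template bucket are made-up placeholders; only Action/Resource identity policies are modelled (no NotAction, Condition, SCPs or resource policies).

```python
"""Check the Clumio deploy permissions against every policy attached to a user.

Added example, not Clumio's code. IAM rule modelled: an explicit Deny in any
attached policy overrides an Allow in any other policy, and an action that no
statement allows is implicitly denied.
"""
import fnmatch

# The sample deploy policy from the page.
CLUMIO_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:*", "iam:PassRole", "iam:ListRoles"],
         "Resource": "*"},
        {"Sid": "allowS3TemplateAccess", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": ["*"]},
    ],
}

# Constructed guardrail that might already be attached to the same user: it
# forbids passing Admin* roles and deleting any stack, but nothing Clumio needs.
COMPATIBLE_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPassingAdminRoles", "Effect": "Deny",
         "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/Admin*"},
        {"Sid": "DenyStackDeletion", "Effect": "Deny",
         "Action": ["cloudformation:DeleteStack"], "Resource": "*"},
    ],
}

# Constructed guardrail that does conflict: a blanket Deny on iam:PassRole.
STRICT_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAllPassRole", "Effect": "Deny",
         "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed placeholder ARNs; account ID, role name and bucket are made up.
SERVICE_ROLE = "arn:aws:iam::123456789012:role/ClumioCloudFormationServiceRole"
REQUIRED_REQUESTS = [
    ("cloudformation:CreateStack",
     "arn:aws:cloudformation:us-east-1:123456789012:stack/Clumio-stack/abcd"),
    ("iam:PassRole", SERVICE_ROLE),   # selecting the CloudFormation service role
    ("iam:ListRoles", "*"),           # listing roles in the console role picker
    ("s3:GetObject", "arn:aws:s3:::clumio-templates/clumio.template"),
]


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action"))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny wins regardless of order
            decision = "allow"
    return decision


def find_conflicts(policies, requests):
    """Return (action, resource, decision) for every request that is not allowed."""
    conflicts = []
    for action, resource in requests:
        decision = evaluate(policies, action, resource)
        if decision != "allow":
            conflicts.append((action, resource, decision))
    return conflicts


if __name__ == "__main__":
    for name, extra in (("compatible", COMPATIBLE_GUARDRAIL), ("strict", STRICT_GUARDRAIL)):
        print(name, find_conflicts([CLUMIO_DEPLOY_POLICY, extra], REQUIRED_REQUESTS))
```

Running it reports no conflicts for the compatible guardrail and one conflict (iam:PassRole on the service role, explicit_deny) for the strict one, which is exactly the case the warning above is about. For a real account, the IAM policy simulator gives the authoritative answer, since it also evaluates conditions, permission boundaries and SCPs that this model leaves out.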
Create IAM CloudFormation service role
Create an IAM CloudFormation service role and grant it permissions to deploy the AWS resources defined by the Clumio CloudFormation stack.
Use the CloudFormation service role to explicitly specify the actions that AWS CloudFormation can perform, which might not be the same actions you or other IAM users can perform. For example, you might have administrative privileges, but you might want to limit AWS CloudFormation access to only Amazon EC2 actions. For information about using the AWS IAM service role, see the AWS documentation.
Use the following template to create an IAM policy and attach it to the AWS CloudFormation service role. This grants the service role the permissions it needs to deploy the Clumio resources defined in the CloudFormation template, and IAM users who can pass the role can then let the template deploy those resources.
Placeholder text in the template:
- AWS_Account_ID: the account in which the CloudFormation stack is created (written without angle brackets in the ARNs below).
- <CLUMIO_CONTROL_PLANE_ACCOUNT_ID>: Clumio's AWS account ID (use * if not known, or contact support@clumio.com).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "events",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:DescribeRule",
        "events:DisableRule",
        "events:EnableRule",
        "events:ListRules",
        "events:ListTagsForResource",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets"
      ],
      "Resource": [
        "arn:aws:events:*:AWS_Account_ID:rule/Clumio*"
      ]
    },
    {
      "Sid": "iamall",
      "Effect": "Allow",
      "Action": [
        "iam:GetInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "iam",
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetPolicyVersion",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicies",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:TagPolicy",
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:ListDocuments",
        "ssm:DescribeDocument",
        "ssm:GetDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentMetadata"
      ],
      "Resource": [
        "arn:aws:iam::AWS_Account_ID:role/Clumio*",
        "arn:aws:iam::AWS_Account_ID:role/StackSet*",
        "arn:aws:iam::AWS_Account_ID:role/clumio/Clumio*",
        "arn:aws:iam::AWS_Account_ID:policy/clumio/Clumio*",
        "arn:aws:iam::AWS_Account_ID:policy/Clumio*",
        "arn:aws:iam::AWS_Account_ID:policy/clumio/*",
        "arn:aws:iam::AWS_Account_ID:policy/*",
        "arn:aws:iam::AWS_Account_ID:instance-profile/Clumio*"
      ]
    },
    {
      "Sid": "ssm",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateDocument",
        "ssm:DeleteDocument",
        "ssm:ListDocuments",
        "ssm:DescribeDocument",
        "ssm:GetDocument",
        "ssm:UpdateDocument",
        "ssm:UpdateDocumentMetadata"
      ],
      "Resource": [
        "arn:aws:ssm:*:AWS_Account_ID:document/Clumio*"
      ]
    },
    {
      "Sid": "sns",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:GetTopicAttributes",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sns:Publish",
        "sns:SetTopicAttributes",
        "sns:TagResource",
        "sns:ListSubscriptionsByTopic",
        "sns:AddPermission",
        "sns:RemovePermission"
      ],
      "Resource": [
        "arn:aws:sns:*:AWS_Account_ID:ClumioInventoryTopic*",
        "arn:aws:sns:*:<CLUMIO_CONTROL_PLANE_ACCOUNT_ID>:CustomerCF*",
        "arn:aws:sns:*:<CLUMIO_CONTROL_PLANE_ACCOUNT_ID>:*-Stack_Install_Notifier",
        "arn:aws:sns:*:AWS_Account_ID:SendStackNotificationsToClumio*"
      ]
    },
    {
      "Sid": "cloudformation",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStackEvents",
        "cloudformation:GetTemplateSummary"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "cloudformationStackSets",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStackSetOperations",
        "cloudformation:DescribeStackSet",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:CreateStackInstances",
        "cloudformation:DeleteStackInstances",
        "cloudformation:UpdateStackInstances",
        "cloudformation:DescribeStackEvents",
        "cloudformation:GetTemplateSummary",
        "cloudformation:DeleteStackSet",
        "cloudformation:CreateStackSet",
        "cloudformation:UpdateStackSet"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:AWS_Account_ID:stackset/ClumioStackSet-*",
        "arn:aws:cloudformation:*:AWS_Account_ID:stackset/ClumioEventRuleStackSet-*"
      ]
    },
    {
      "Sid": "allowS3TemplateAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
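Before attaching the policy above to the service role, it is worth running a quick least-privilege check on it. The following added example (not Clumio's code) lints a policy document for three things: placeholders left unsubstituted, statements whose actions can never match their own resource ARNs (IAM matches Action and Resource together, so the ssm:* actions listed against arn:aws:iam ARNs in the "iam" statement above authorise nothing; the separate "ssm" statement is what grants them), and Resource "*" combined with a non-read action. EXCERPT is a constructed subset of the page's policy with one ARN already filled in with a made-up account ID; the CROSS_SERVICE allow-list is an assumption to extend for your own policies.

```python
"""Lint an IAM policy document for least-privilege problems.

Added example, not Clumio's code. Checks:
  1. placeholders left unsubstituted in resource ARNs;
  2. dead grants: an action whose service prefix can never appear in the
     statement's resource ARNs (IAM matches Action and Resource together);
  3. Resource "*" combined with a non-read action (heuristic on the verb).
"""
import json

PLACEHOLDERS = ("AWS_Account_ID", "<CLUMIO_CONTROL_PLANE_ACCOUNT_ID>")
READ_ONLY_VERBS = ("Get", "List", "Describe")
# Services whose actions legitimately target ARNs of another namespace
# (allow-list to extend; sts:AssumeRole on an iam role ARN is the common case).
CROSS_SERVICE = {"sts": {"iam"}}

# Constructed subset of the service-role policy on the page. The account ID
# 123456789012 is made up and has been filled into some ARNs but not others.
EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "iamall", "Effect": "Allow",
         "Action": ["iam:GetInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:GetRole"],
         "Resource": "*"},
        {"Sid": "iam", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePolicy",
                    "ssm:CreateDocument", "ssm:GetDocument"],
         "Resource": ["arn:aws:iam::123456789012:role/Clumio*",
                      "arn:aws:iam::AWS_Account_ID:policy/Clumio*"]},
        {"Sid": "ssm", "Effect": "Allow",
         "Action": ["ssm:CreateDocument", "ssm:GetDocument"],
         "Resource": ["arn:aws:ssm:*:123456789012:document/Clumio*"]},
        {"Sid": "allowS3TemplateAccess", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": ["*"]},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_service(arn):
    """Service field of arn:partition:service:region:account:resource; '*' for a wildcard."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    return parts[2] if len(parts) == 6 else "?"


def substitute(policy, account_id, control_plane_account_id):
    """Return a copy of the policy with both placeholders filled in (JSON round-trip)."""
    text = json.dumps(policy)
    text = text.replace("<CLUMIO_CONTROL_PLANE_ACCOUNT_ID>", control_plane_account_id)
    return json.loads(text.replace("AWS_Account_ID", account_id))


def lint(policy):
    """Return (sid, check, detail) findings in statement order."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for r in resources:
            if any(p in r for p in PLACEHOLDERS):
                findings.append((sid, "placeholder", r))
        services = {arn_service(r) for r in resources}
        for a in actions:
            svc, _, verb = a.partition(":")
            if "*" in services:
                # Wildcard resource: every action matches, so flag anything that mutates.
                if not verb.startswith(READ_ONLY_VERBS):
                    findings.append((sid, "wildcard_resource", a))
            elif svc != "*" and not ({svc} | CROSS_SERVICE.get(svc, set())) & services:
                # No resource ARN in this statement belongs to the action's service.
                findings.append((sid, "dead_grant", a))
    return findings


if __name__ == "__main__":
    for finding in lint(EXCERPT):
        print(*finding)
    print("after substitution:", lint(substitute(EXCERPT, "123456789012", "111111111111")))
```

On the excerpt this reports the wildcard resource on iam:AddRoleToInstanceProfile, the unsubstituted placeholder, and the two dead ssm grants in the "iam" statement; after substitution only the first three remain. The same function can be run on the JSON that Terraform's aws_iam_policy_document data source renders (its json attribute), so the Terraform variant below can be checked the same way.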
IAM permissions required to deploy the Clumio service through Terraform
The following IAM policy document grants the permission set required to deploy the Clumio Terraform stack; AWS_Account_ID is the account in which the stack is created, and "hello" is a placeholder data-source name.
data "aws_iam_policy_document" "hello" {
  statement {
    sid       = "events"
    effect    = "Allow"
    resources = ["arn:aws:events:*:AWS_Account_ID:rule/Clumio*"]
    actions = [
      "events:DeleteRule",
      "events:DescribeRule",
      "events:DisableRule",
      "events:EnableRule",
      "events:ListRules",
      "events:ListTagsForResource",
      "events:ListTargetsByRule",
      "events:PutRule",
      "events:PutTargets",
      "events:RemoveTargets",
    ]
  }
  statement {
    sid       = "iamall"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "iam:GetInstanceProfile",
      "iam:AddRoleToInstanceProfile",
      "iam:RemoveRoleFromInstanceProfile",
      "iam:DeleteInstanceProfile",
      "iam:CreateInstanceProfile",
      "iam:GetRole",
      "iam:GetPolicy",
      "iam:DetachRolePolicy",
    ]
  }
  statement {
    sid    = "iam"
    effect = "Allow"
    resources = [
      "arn:aws:iam::AWS_Account_ID:role/clumio/Clumio*",
      "arn:aws:iam::AWS_Account_ID:policy/clumio/Clumio*",
      "arn:aws:iam::AWS_Account_ID:policy/Clumio*",
      "arn:aws:iam::AWS_Account_ID:policy/clumio/*",
      "arn:aws:iam::AWS_Account_ID:policy/*",
      "arn:aws:iam::AWS_Account_ID:instance-profile/Clumio*",
    ]
    actions = [
      "iam:CreatePolicy",
      "iam:DeletePolicy",
      "iam:AttachRolePolicy",
      "iam:CreateRole",
      "iam:CreateServiceLinkedRole",
      "iam:DeleteRole",
      "iam:DeleteRolePolicy",
      "iam:GetPolicyVersion",
      "iam:GetRolePolicy",
      "iam:ListAttachedRolePolicies",
      "iam:ListInstanceProfiles",
      "iam:ListInstanceProfilesForRole",
      "iam:ListPolicies",
      "iam:ListPolicyVersions",
      "iam:ListRolePolicies",
      "iam:PassRole",
      "iam:PutRolePolicy",
      "iam:TagPolicy",
    ]
  }
  statement {
    sid    = "sns"
    effect = "Allow"
    resources = [
      "arn:aws:sns:*:AWS_Account_ID:ClumioInventoryTopic*",
      "arn:aws:sns:*:*:CustomerCF*",
    ]
    actions = [
      "sns:CreateTopic",
      "sns:DeleteTopic",
      "sns:GetTopicAttributes",
      "sns:ListTagsForResource",
      "sns:ListTopics",
      "sns:Publish",
      "sns:SetTopicAttributes",
      "sns:TagResource",
    ]
  }
}