01 Run the get-policy command (OSX/Linux/UNIX) using the ARN of the IAM policy that grants access to the Conformity Bot on your behalf, named CloudConformityPart2, as the identifier parameter, and custom query filters to return the ID of the policy's default (active) document version. Replace ${aws-account-id} with the ID of your AWS account registered with Trend Micro Cloud One™ – Conformity:
aws iam get-policy \
--policy-arn arn:aws:iam::${aws-account-id}:policy/CloudConformityPart2 \
--query 'Policy.DefaultVersionId'
02 The command output should return the requested IAM policy document version id:
03 Run the get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that grants access to the Conformity Bot on your behalf, named CloudConformityPart2, as the identifier parameter, the version ID returned by the previous command, and custom query filters to return the policy document in JSON format. Replace ${aws-account-id} with the ID of your AWS account registered with Trend Micro Cloud One™ – Conformity:
aws iam get-policy-version \
--policy-arn arn:aws:iam::${aws-account-id}:policy/CloudConformityPart2 \
--version-id v1 \
--query 'PolicyVersion.Document'
04 The command output should return the requested IAM policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "athena:GetQueryExecution",
        "athena:ListQueryExecutions",
        "athena:ListTagsForResource",
        "backup:DescribeBackupVault",
        "backup:ListBackupVaults",
        "backup:GetBackupVaultAccessPolicy",
        "dax:DescribeClusters",
        "dax:ListTags",
        "dms:DescribeReplicationInstances",
        "dms:ListTagsForResource",
        "ds:DescribeDirectories",
        "ds:ListTagsForResource",
        ...
        "comprehend:ListKeyPhrasesDetectionJobs",
        "comprehend:ListSentimentDetectionJobs",
        "comprehend:ListTopicsDetectionJobs",
        "comprehend:ListEntitiesDetectionJobs",
        "comprehend:ListDocumentClassificationJobs",
        "comprehend:ListDominantLanguageDetectionJobs"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::elasticbeanstalk*",
      "Effect": "Allow"
    }
  ]
}
05 Update the IAM policy document returned at the previous step by adding the missing action(s), e.g. "dynamodb:ListBackups", listed in the conformity rule settings under Missing Action, to the "Action" element of the statement that has "Resource": ["*"] (the first statement in the document above). Once the missing actions are added, save the IAM policy to a JSON document named cloud-conformity-bot-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "athena:GetQueryExecution",
        "athena:ListQueryExecutions",
        "athena:ListTagsForResource",
        "backup:DescribeBackupVault",
        "backup:ListBackupVaults",
        "backup:GetBackupVaultAccessPolicy",
        "dax:DescribeClusters",
        "dax:ListTags",
        "dms:DescribeReplicationInstances",
        "dms:ListTagsForResource",
        "dynamodb:ListBackups",
        "ds:DescribeDirectories",
        "ds:ListTagsForResource",
        ...
        "comprehend:ListKeyPhrasesDetectionJobs",
        "comprehend:ListSentimentDetectionJobs",
        "comprehend:ListTopicsDetectionJobs",
        "comprehend:ListEntitiesDetectionJobs",
        "comprehend:ListDocumentClassificationJobs",
        "comprehend:ListDominantLanguageDetectionJobs"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::elasticbeanstalk*",
      "Effect": "Allow"
    }
  ]
}
06 Run the create-policy-version command (OSX/Linux/UNIX) to create a new version of the CloudConformityPart2 IAM policy that includes the missing AWS actions defined at the previous step, and set it as the default (operative) version. Replace ${aws-account-id} with the ID of your AWS account registered with Trend Micro Cloud One™ – Conformity:
aws iam create-policy-version \
--policy-arn arn:aws:iam::${aws-account-id}:policy/CloudConformityPart2 \
--set-as-default \
--policy-document file://cloud-conformity-bot-policy.json
07 The command output should return the new IAM policy version metadata:
{
  "PolicyVersion": {
    "CreateDate": "2020-08-24T10:00:00Z",
    "VersionId": "v5",
    "IsDefaultVersion": true
  }
}
08 Repeat steps no. 1 – 7 to update the Amazon IAM access policies for other AWS accounts registered with Trend Micro Cloud One™ – Conformity.
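The following script is an added example that automates steps 1 to 7 with boto3 (the AWS SDK for Python) instead of the CLI; it is not part of the original page or of the Conformity product. It assumes, as the steps above do, that the policy is named CloudConformityPart2 and that it contains exactly one Allow statement with "Resource": ["*"], which is the statement the missing actions go into. The SAMPLE_POLICY document is a constructed, trimmed stand-in for the real one so that the merge logic can be exercised offline. Two checks the CLI steps leave to the operator are built in: a managed policy can hold at most five versions, so the oldest non-default version is deleted before create-policy-version would otherwise fail, and the updated document is measured against the 6,144-character managed policy size quota (IAM does not count whitespace). The function, account-ID placeholder and script name are assumptions for this example.

```python
import json
import re
import sys

# Constructed sample, shaped like the CloudConformityPart2 document shown above
# but trimmed to a handful of actions (not the real policy).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["dax:DescribeClusters", "dax:ListTags", "ds:DescribeDirectories"],
            "Resource": ["*"],
            "Effect": "Allow",
        },
        {
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": "arn:aws:s3:::elasticbeanstalk*",
            "Effect": "Allow",
        },
    ],
}

ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")  # service:Action shape
MANAGED_POLICY_MAX_CHARS = 6144  # IAM quota; whitespace is not counted
MAX_POLICY_VERSIONS = 5          # IAM keeps at most five versions per managed policy


def _is_allow_all_resources(stmt):
    """True for an Allow statement whose Resource is exactly ["*"] (or "*")."""
    res = stmt.get("Resource")
    resources = res if isinstance(res, list) else [res]
    return stmt.get("Effect") == "Allow" and resources == ["*"]


def add_missing_actions(policy, missing):
    """Return (new_policy, added): a deep copy of `policy` whose Allow/"*" statement
    has the `missing` actions appended, plus the list of actions actually added.
    Actions already present are skipped, so re-running the update is harmless."""
    bad = [a for a in missing if not ACTION_RE.match(a)]
    if bad:
        raise ValueError(f"not well-formed IAM actions: {bad}")
    new_policy = json.loads(json.dumps(policy))  # leave the caller's copy untouched
    targets = [s for s in new_policy["Statement"] if _is_allow_all_resources(s)]
    if len(targets) != 1:
        raise ValueError('expected exactly one Allow statement with Resource "*"')
    stmt = targets[0]
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    present = set(actions)
    added = [a for a in dict.fromkeys(missing) if a not in present]
    stmt["Action"] = actions + added
    return new_policy, added


def policy_size(policy):
    """Characters IAM counts toward the managed policy size quota (no whitespace)."""
    return len(json.dumps(policy, separators=(",", ":")))


def version_to_delete(versions):
    """If the policy already has five versions, return the oldest non-default
    VersionId so it can be deleted before create-policy-version; otherwise None."""
    if len(versions) < MAX_POLICY_VERSIONS:
        return None
    candidates = [v for v in versions if not v["IsDefaultVersion"]]
    return min(candidates, key=lambda v: v["CreateDate"])["VersionId"]


def update_conformity_policy(account_id, missing, policy_name="CloudConformityPart2"):
    """Steps 1-7 against a live account; needs boto3 and IAM write permissions.
    Returns the new default VersionId, or None when nothing had to change."""
    import boto3  # imported here so the pure functions above work without it

    iam = boto3.client("iam")
    arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
    version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
    doc = iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]
    new_doc, added = add_missing_actions(doc, missing)
    if not added:
        return None  # every requested action is already granted
    if policy_size(new_doc) > MANAGED_POLICY_MAX_CHARS:
        raise ValueError("updated document would exceed the managed policy size quota")
    stale = version_to_delete(iam.list_policy_versions(PolicyArn=arn)["Versions"])
    if stale:
        iam.delete_policy_version(PolicyArn=arn, VersionId=stale)
    resp = iam.create_policy_version(
        PolicyArn=arn, PolicyDocument=json.dumps(new_doc), SetAsDefault=True
    )
    return resp["PolicyVersion"]["VersionId"]


if __name__ == "__main__":
    # usage: python update_policy.py <aws-account-id> dynamodb:ListBackups [more actions...]
    print(update_conformity_policy(sys.argv[1], sys.argv[2:]))
```

The merge deliberately targets only the statement with "Resource": ["*"]; the scoped S3 statement is left untouched, and the script refuses to run if the document does not have exactly one such statement, so a policy with an unexpected layout is never silently edited.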