How To: Create a Fugue IAM Role
This quick tutorial shows how to create the Fugue IAM role to scan an AWS or AWS GovCloud environment by launching a CloudFormation stack in your AWS account.
See a list of all possible IAM permissions here.
If you’d prefer to create the role manually, see Create Role Manually.
What’s Going to Happen?
When you launch the stack, CloudFormation creates an IAM role in your account whose permissions match the resource types you selected. Fugue attaches two policies to that role:
The AWS-managed SecurityAudit read-only policy
An inline policy granting any required permissions not covered by SecurityAudit, if needed
From the Create New Environment workflow, proceed to step 2 (Resources) and select the region and resource types to be scanned, then scroll down to Connect to AWS Resources:
Launch CloudFormation Stack
1. Select Launch Stack in AWS Console.
2. Select Next on the next three pages, keeping the defaults.
3. Check the box to acknowledge that CloudFormation may create IAM resources with custom names.
4. Select Create Stack.
5. On the created stack page, select the Outputs tab.
6. Copy the IAM role ARN from the Value column once it appears (this may take a few seconds and require refreshing the page).
7. Paste the IAM role ARN into the AWS IAM Role ARN field in Fugue.
That’s it – you’re done! You just created an IAM role for Fugue.
How do I see the role permissions before creating the role?
You can inspect the exact permissions Fugue will grant the role by viewing the stack template in the AWS console without creating the role: exit the AWS console workflow at any point before selecting Create Stack (step 4 above). Follow these steps:
1. In Fugue, the Create New AWS IAM Role tab is selected by default, so select the Launch Stack in AWS Console button underneath it to open the CloudFormation stack in the AWS console.
2. In the AWS console, select View In Designer.
3. The Template tab at the bottom of the page is selected by default, so scroll down to see the exact list of permissions that will be assigned to the role.
Because Fugue also attaches the AWS-managed SecurityAudit read-only policy, whose actions are not spelled out in the template itself, see the list of SecurityAudit permissions here.
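As an added illustration of what the launched stack and the Template tab described above contain (this is example code, not the template behind Fugue's Launch Stack button), the CloudFormation template below has the same shape: a role trusted by the scanner's AWS account, the AWS-managed SecurityAudit policy, an inline policy for additional read-only actions, and an output carrying the role ARN you paste into Fugue. The account ID, external ID, role name and inline actions are placeholders, and the ExternalId condition is an assumed hardening, not something the page states Fugue requires.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example cross-account scanning role (illustration only, not Fugue's template)

Parameters:
  ScannerAccountId:
    Type: String
    AllowedPattern: "^[0-9]{12}$"
    Description: PLACEHOLDER - AWS account allowed to assume the role
  ExternalId:
    Type: String
    MinLength: 8
    NoEcho: true
    Description: PLACEHOLDER - external ID the scanner must present (assumed hardening)

Resources:
  ScanRole:
    Type: AWS::IAM::Role
    Properties:
      # A custom RoleName is why the console asks you to acknowledge that
      # "IAM resources with custom names" may be created (CAPABILITY_NAMED_IAM).
      RoleName: example-scan-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              # AWS::Partition resolves to aws-us-gov in GovCloud regions
              AWS: !Sub "arn:${AWS::Partition}:iam::${ScannerAccountId}:root"
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      # 1) AWS-managed read-only policy; its individual actions are not listed here
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/SecurityAudit"
      # 2) Inline policy for read-only actions SecurityAudit lacks
      #    (placeholder actions; use the ones shown in the Template tab)
      Policies:
        - PolicyName: SupplementalReadOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - eks:DescribeCluster
                  - lambda:GetFunctionConfiguration
                Resource: "*"

Outputs:
  RoleArn:
    Description: Value to paste into the AWS IAM Role ARN field
    Value: !GetAtt ScanRole.Arn
```

You can check a template like this before deploying it with `aws cloudformation validate-template --template-body file://role.yaml`, and the Outputs section is what step 5 above reads from after the stack is created.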