Create a AWS STS Role

Creating trusted role without external id

Visit AWS Console/Roles
Click Create Role
Select Another AWS Account tab
- Account ID: 652845092827
- Next Permissions
Attach policies

Last9 requires Cloudwatch Read Only Access to fetch metrics for components that are being used. Last9 also requests Security Audit Access as it enables us to identify components by name and tags.
The AWS-managed SecurityAudit policy grants read-only access to logs, events and configuration detail for current and future AWS services. This policy allows Last9 to perform list and describe api calls to AWS to fetch component details such as name, ARNs and tags etc. And as Last9 provides auto detection of infrastructure components, this policy helps to minimize the access request burden on customers as they introduce new services to their infrastructure and as Last9 introduces new services to our platform.

a. SecurityAudit Policy

b. CloudWatchReadOnlyAccess Policy

c. Proceed to Next Steps
Add tags if needed
Review
1. Role name: ${business_name}_last9_role
2. Role description: Security Audit Access to Last9
3. Verify Last9 AWS Account Number
4. Verify Granted Policy
5. Create Role
After the role is created, Go to Role → Trust Relationships → Edit Trust Relationship

Update the JSON to the following and click “Update Trust Policy”

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::652845092827:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Edit the role and update “Maximum session duration” to 3 hours if your security policy permits it. Else leave it as 1 hour.
Share the created role ARN with your Last9 point of contact

Creating trusted role with external id

Visit AWS Console/Roles
Click Create Role
Select “Another AWS Account” tab with external ID as a random string. It has to be something other than “somerandomstring” and share it with Last9
- Account ID: 652845092827
Attach policies

Last9 requires Cloudwatch Read Only Access to fetch metrics for components that are being used. Last9 also requests Security Audit Access as it enables us to identify components by name and tags.
The AWS-managed SecurityAudit policy grants read-only access to logs, events and configuration detail for current and future AWS services. This policy allows Last9 to perform list and describe api calls to AWS to fetch component details such as name, ARNs and tags etc. And as Last9 provides auto detection of infrastructure components, this policy helps to minimize the access request burden on customers as they introduce new services to their infrastructure and as Last9 introduces new services to our platform.

a. SecurityAudit Policy

b. CloudWatchReadOnlyAccess Policy

c. Proceed to Next Steps
Add tags if needed
Review
1. Role name: ${business_name}_last9_role
2. Role description: Security Audit Access to Last9
3. Verify Last9 AWS Account Number
4. Verify Granted Policy
5. Create Role
After the role is created, Go to Role → Trust Relationships → Edit Trust Relationship

Update the JSON to the following and click “Update Trust Policy”. Ensure that the value for sts:ExternalId matches the value set earlier for External-ID

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::652845092827:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "somerandomstring"
        }
      }
    }
  ]
}

Edit the role and update “Maximum session duration” to 3 hours if your security policy permits it. Else leave it as 1 hour
Share the created role ARN and external ID string with your Last9 point of contact