Onboard AWS Account for Transilience Managed Compliance

Created by Venkat Pothamsetty, Modified on Mon, 9 Jun at 8:08 AM by Venkat Pothamsetty


Transilience Managed Compliance is a service that delivers the following compliance outcomes:


  1. Security monitoring and incident creation
  2. Vulnerability management and prioritization
  3. Standards checks against the CIS benchmarks
  4. Pen testing
  5. Risk analysis and risk acceptance
  6. Access reviews, network access reviews and log reviews
  7. Auditing



The service is delivered by our agent software, which runs in our backend on Modal (www.modal.com). The agent assumes a role in the customer's AWS account, runs the analysis, and writes the resulting artifacts back into the customer's account, so no customer data is stored in our backend.


There are 4 steps to onboarding an AWS account into our backend:


Step 1. Select the target scoped (or security) account


Transilience needs access to the scoped account(s) in order to configure and monitor them. Your AWS Organization may already be set up so that a security account has cross-account access to, and receives findings from, all other accounts. In that case we only need access to the security account, plus a role there that can assume a role in the other accounts.





If there is only one account and no dedicated security account, we need access to that scoped production account directly.




Once the target account is selected, two things need to be created in it:

  - an OIDC identity provider for Modal (Step 2)
  - a role with the right permissions that Transilience can assume through that provider (Step 3)


Step 2. Create an OIDC identity provider



2.1 In the IAM console, click Identity providers.




2.1.1 Click Add provider and choose OpenID Connect.




Add the provider URL and the audience (client ID). The provider URL is https://oidc.modal.com and the audience is oidc.modal.com; the audience must match the oidc.modal.com:aud value checked in the trust policy in Step 3 (see Modal's OIDC integration guide under References).






Step 3. Create a role in the scoped (or security) account selected in Step 1



3.1 Click Roles, then Create role.



3.2 Select the trusted entity. Choose Web identity with the provider created in Step 2 (you will replace the generated trust policy with the one below), or choose Custom trust policy and paste the policy below directly.



3.3 Add permissions



Attach the AWS managed SecurityAudit policy, which gives about 90% of the information we need to collect. SecurityAudit does not include items such as reading ECR image scan results, so we recommend attaching ECR read access (for example the AWS managed AmazonEC2ContainerRegistryReadOnly policy) alongside SecurityAudit. Do not attach anything broader: the role is read-only by design.



3.4 Set the trust policy





Use the trust policy below. Replace account_id with your 12-digit AWS account ID (the account where the provider from Step 2 lives). The StringEquals condition pins the token audience, and the StringLike values under oidc.modal.com:sub identify Transilience's Modal workspaces; keep both conditions exactly as shown, otherwise tokens from any Modal workspace could assume the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::account_id:oidc-provider/oidc.modal.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.modal.com:aud": "oidc.modal.com"
                },
                "StringLike": {
                    "oidc.modal.com:sub": [
                        "modal:workspace_id:ac-ANyiPKWSp01iIhiCaLYwmi:*",
                        "modal:workspace_id:ac-v1CZ9TWcqA7282i3kcFYa9:*"
                    ]
                }
            }
        }
    ]
}
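Before pasting the trust policy, it is worth checking that it admits only the two Transilience workspaces and nothing else. The following is an added example (not Transilience's or Modal's code) that builds the policy above for a given account ID and evaluates it offline against constructed token claims the way STS applies StringEquals and StringLike. The sample sub claims are constructed: the exact layout Modal uses after the workspace ID is assumed, only the workspace prefix comes from the policy on this page. The optional provision() helper, the role name TransilienceManagedCompliance and the choice of AmazonEC2ContainerRegistryReadOnly are also assumptions; it needs boto3 and AWS credentials and is not run by the rest of the block.

```python
"""Build and sanity-check the Transilience trust policy (added example, not the vendor's code)."""
import json
import re

OIDC_PROVIDER_HOST = "oidc.modal.com"   # from the trust policy in this article
TRUSTED_WORKSPACES = [                   # Transilience workspace IDs from this article
    "ac-ANyiPKWSp01iIhiCaLYwmi",
    "ac-v1CZ9TWcqA7282i3kcFYa9",
]


def is_valid_account_id(account_id: str) -> bool:
    """AWS account IDs are exactly 12 decimal digits."""
    return re.fullmatch(r"\d{12}", account_id) is not None


def trust_policy(account_id: str, workspaces=TRUSTED_WORKSPACES) -> dict:
    """Return the article's trust policy with the account ID filled in."""
    if not is_valid_account_id(account_id):
        raise ValueError("AWS account ID must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_PROVIDER_HOST}:aud": OIDC_PROVIDER_HOST},
                "StringLike": {f"{OIDC_PROVIDER_HOST}:sub": [f"modal:workspace_id:{w}:*" for w in workspaces]},
            },
        }],
    }


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def would_allow(policy: dict, claims: dict) -> bool:
    """Offline approximation of STS evaluating this trust policy against a token's claims.

    A statement matches when every condition key is satisfied: StringEquals needs the
    claim to equal one listed value, StringLike needs it to glob-match one listed pattern.
    Claim keys are '<provider host>:aud' and '<provider host>:sub', as IAM exposes them.
    Only the two operators used by the article's policy are implemented.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        ok = True
        for key, wanted in cond.get("StringEquals", {}).items():
            ok = ok and claims.get(key) in _as_list(wanted)
        for key, patterns in cond.get("StringLike", {}).items():
            ok = ok and any(_string_like(p, claims.get(key, "")) for p in _as_list(patterns))
        if ok:
            return True
    return False


# Constructed sample claims. The 'sub' layout after the workspace ID is assumed.
_TRUSTED_SUB = "modal:workspace_id:ac-ANyiPKWSp01iIhiCaLYwmi:environment_name:main:app_name:agent"
SAMPLE_CLAIMS = {
    "transilience":    {"oidc.modal.com:aud": "oidc.modal.com", "oidc.modal.com:sub": _TRUSTED_SUB},
    "other_workspace": {"oidc.modal.com:aud": "oidc.modal.com",
                        "oidc.modal.com:sub": "modal:workspace_id:ac-0000000000000000000000:environment_name:main:app_name:agent"},
    "wrong_audience":  {"oidc.modal.com:aud": "sts.amazonaws.com", "oidc.modal.com:sub": _TRUSTED_SUB},
}


def provision(account_id: str, role_name: str = "TransilienceManagedCompliance"):
    """Assumed boto3 equivalent of Steps 2 and 3 (not run here; needs credentials in the target account)."""
    import boto3  # imported lazily so the rest of the module works without it
    iam = boto3.client("iam")
    # ThumbprintList omitted: IAM now validates the provider's certificate chain itself (assumption).
    iam.create_open_id_connect_provider(Url=f"https://{OIDC_PROVIDER_HOST}", ClientIDList=[OIDC_PROVIDER_HOST])
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy(account_id)))
    for arn in ("arn:aws:iam::aws:policy/SecurityAudit",
                "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"):
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)


if __name__ == "__main__":
    policy = trust_policy("123456789012")  # constructed account ID
    print(json.dumps(policy, indent=4))
    for name, claims in SAMPLE_CLAIMS.items():
        print(f"{name:16s} -> {'ALLOW' if would_allow(policy, claims) else 'DENY'}")
```

Running the block prints the rendered policy and shows that only the transilience claims are allowed; a token from another Modal workspace, or one minted for a different audience, is denied. If you loosen the sub pattern to `modal:*`, the other_workspace case flips to ALLOW, which is exactly the misconfiguration the conditions exist to prevent.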


Step 4. Share the connection details

Share the AWS account ID and the role name with your account manager so that we can test the connection and confirm that everything looks good on our end.


References

https://modal.com/docs/guide/oidc-integration

