Hello,
In this guide I'm going to highlight how to set deny permissions within AWS to prevent CWP users being able to remotely shutdown AWS workloads.
The business reasoning for this can vary from business to business, it does add additional risk to an environment if those responsible for using CWP can see a workload is infected but cannot shut it down. However some business prefer to containerise departments, i.e infrastructure team manage workloads and they are the only ones authorised to shutdown workloads.
Background information:
When SCWP is connected to Amazon Web Services (AWS) a CloudFormation template it deployed as part of this process.
Settings - AWS Connection:
This CloudFormation template has all the permissions required for all features/tasks of CWP.
From this stage this article assumes you have successfully connected SCWP to AWS and can see workloads within the platform. If this has not yet been completed please follow:
How To:
Important Note: As an IAM account is created for SCWP specifically and all interactions are done via this account; you cannot grant certain people access to shutdown workloads from SCWP, this is either Deny All, or Grant All.
1. Log into Amazon Web Services.
2. Open AWS CloudFormation
3. Select the CloudFormation template deployed as part of the integration and select resources drop down.
4. Select the 'Physical ID' account name shown as a hyperlink. This will redirect you into IAM for that user.
5. Select the drop down option under Policy Name (There should theoretically only be one group as CloudFormation created) then select 'Edit Policy'.
6. Select JSON and scroll to the bottom of the script.
7. Enter the below:
{
"Effect": "Deny",
"Resource": "*",
"Action": [
"ec2:StopInstances*"
]
}
]
}8. Save the changes.
Summary:
You're the bottom of your JSON script should now look like the below:
When you attempt to remotely shutdown a workload from within SCWP following these changes you will be presented with:
I hope this article proves to be useful.
