
Creating an AWS STS Role for JASP

One way to allow JASP to scan your AWS environment is to provide the ARN of a role that JASP can assume to obtain an STS token. This role must have the privileges necessary to read your environment configuration.

This document describes the steps to create such a role.

Create JASP role

  1. Open the AWS Configuration dialog in JASP:
    1. Log in to JASP.
    2. Click on the environment matching the AWS account where you will create the JASP role.
    3. On the environment detail page, click Configure Env Access.
    4. Under “Option 2” in the pop-up dialog,
    5. If your account is in the US GOV partition, click where indicated to reveal settings for GovCloud.
    6. Note the JASP Account Id and the Environment External Id; both are used below.
  2. Navigate to the IAM console and log in with credentials permitted to create policies and users.

  3. Create the JASP role:
    1. Navigate to Roles
    2. Select Create Role
    3. Select Another AWS account
    4. Enter the JASP Account Id (copied from JASP) in the Account ID field.
    5. Select Require external ID.
    6. Enter your environment’s external ID (the Environment External Id copied from JASP, above)
    7. Click Next: Permissions
    8. Select the following AWS managed policies:
      1. ReadOnlyAccess: provides read-only access to all AWS services and resources.
      2. SecurityAudit: provides read-only permissions useful for conducting security audits.
    9. Click Next: Review
    10. Name the role jasp.
    11. Click Create role
  4. Increase max session duration, then copy the ARN:
    1. Click on the newly created role.
    2. Click Edit for Maximum CLI/API session duration
    3. Select 4 hours from the drop-down and click Save Changes
    4. Click the icon to the right of the Role ARN to copy it to the clipboard.
  5. Update environment credentials in JASP:
    1. Log in to JASP (if you’re not still logged in)
    2. Click on the environment matching the AWS account where you just created the JASP role.
    3. On the environment detail page, click Configure Env Access.
    4. Paste the Role ARN in the AWS Role ARN field under “Option 2”. (Do not fill in anything for “Option 1”.)
    5. Click Submit

That’s it! JASP will now be able to scan your environment by assuming the role you provisioned.
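
The console choices in step 3 (Another AWS account, Require external ID) produce a role trust policy that names the JASP account as principal and carries an `sts:ExternalId` condition. The following is an added example, not JASP's own code: it builds that policy and audits an existing one for an unexpected principal or a missing or mismatched external ID. The function names are hypothetical, and the account ID and external ID are constructed placeholders; pass `partition="aws-us-gov"` for GovCloud.

```python
import json

def build_trust_policy(jasp_account_id, external_id, partition="aws"):
    """Trust policy equivalent to 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{partition}:iam::{jasp_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def audit_trust_policy(policy, jasp_account_id, external_id):
    """Return findings; an empty list means the policy matches the steps above."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws):
            parts = p.split(":")  # account root ARN or a bare account ID
            account = parts[4] if len(parts) > 4 else p
            if account != jasp_account_id:
                findings.append(f"statement {i}: unexpected principal {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != external_id:
            findings.append(f"statement {i}: external ID does not match")
    return findings

# Constructed placeholder values, not real JASP identifiers.
JASP_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

if __name__ == "__main__":
    policy = build_trust_policy(JASP_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, JASP_ACCOUNT_ID, EXTERNAL_ID))  # []
```

To check the role after creation, feed `audit_trust_policy` the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name jasp`.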