Audience: AWS Technical Owner
Background:
Thoropass is constantly adding new compliance automation features to its AWS integration. Sometimes that means you need to update Thoropass's access to AWS with additional scopes so that you can take advantage of these features.
Typically, you will know it is time to update your AWS connection when you get a connection error on one of your monitors. A key indicator that Thoropass does not have sufficient permissions for the monitor is an error that mentions "AccessDenied", references permissions or scopes, or is a more ambiguous error message returned by AWS.
Resolution:
There are two ways to update your permissions.
Method 1 (Recommended): Use our CloudFormation template
You may use our latest CloudFormation template automatically by refreshing your AWS connection.
Go to your AWS Connection Page
Click Reconfigure on your first healthy AWS account. (We recommend that you delete any inactive or unused AWS accounts listed.)
Click Next until you reach the "Connect AWS Account" screen of the connection wizard.
From the connection wizard, click Launch AWS.
On the AWS sign-in page, log into the specific account you are integrating with Thoropass and click Sign In.
On the AWS "Quick create stack" page you may keep the default stack and role names, or customize them to fit your own infrastructure naming conventions.
Check the box next to "I acknowledge that AWS CloudFormation might create IAM resources with custom names." and then click Create Stack.
On the following screen, wait until the stack status changes from CREATE_IN_PROGRESS to CREATE_COMPLETE. This may take a couple of minutes.
Once the status has changed, click the Outputs tab and check its values. If the Outputs section is blank, you are done.
If there are values in the Outputs section, copy the entire Value next to "Role ARN" and proceed to step 9a; otherwise skip to step 10.
If you are still in the AWS connection wizard, you may close it. At this point you have refreshed your AWS connection with the latest permissions needed by Thoropass!
If you were troubleshooting a monitor with a connection error, navigate to the monitor in question and click the Refresh button. Once the monitor has refreshed successfully, its status will change from Connection Error to Healthy or Flagged. If your monitor is not Healthy or Flagged, you may have other AWS connections that need to be refreshed (you must repeat this process for each connection you have). If your monitor is still in the connection error state, it may make sense to delete all of your connections and start over.
NOTE: If you have multiple AWS connections (multiple connection accounts configured in Thoropass), you must repeat the above steps for each connection before continuing. Each AWS connection must be healthy and configured with the appropriate scopes for a monitor to leave the connection error state.
Method 2 (Advanced Users): Update your roles manually
If you are an advanced AWS admin, it is recommended that you update the existing CloudFormation stack used for Thoropass manually. You can always see the latest Thoropass CloudFormation template at https://thoro-public.s3.amazonaws.com/thoro-template.json and add any newly required permissions that are missing from the role currently configured by your stack.
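One way to find which permissions the latest template grants that your deployed role still lacks, as an added example rather than Thoropass's own tooling: the template and current-policy JSON below are constructed stand-ins, and in practice you would load the real template from the URL above and the deployed role's policy from `aws iam get-role-policy` (an assumption, not part of the article). Matching honours IAM's `*`/`?` wildcards and case-insensitivity, so an existing `ec2:Describe*` counts as covering `ec2:DescribeInstances`.

```python
import fnmatch
import json

# Constructed sample of a CloudFormation template declaring an IAM role with an
# inline policy. It is NOT the real Thoropass template; load that with json.load().
SAMPLE_TEMPLATE = {"Resources": {"ThoroRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {"Policies": [{
        "PolicyName": "thoro-read",
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Resource": "*", "Action": [
                "ec2:DescribeInstances", "iam:GetAccountPasswordPolicy", "s3:GetBucketPolicy"]},
            {"Effect": "Allow", "Resource": "*", "Action": "cloudtrail:DescribeTrails"},
            {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"},
        ]}}]}}}}

# Constructed stand-in for the policy currently attached to the deployed role.
CURRENT_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*", "s3:GetBucketPolicy"]}]}


def allowed_actions(policy_doc):
    """Return the set of actions granted by Allow statements in an IAM policy document."""
    stmts = policy_doc.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be written without a list
        stmts = [stmts]
    actions = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":  # Deny statements never grant anything
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def template_actions(template):
    """Collect Allow actions from every inline policy of every IAM role in a template."""
    actions = set()
    for res in template.get("Resources", {}).values():
        if res.get("Type") == "AWS::IAM::Role":
            for pol in res.get("Properties", {}).get("Policies", []):
                actions |= allowed_actions(pol.get("PolicyDocument", {}))
    return actions


def missing_actions(required, granted):
    """Sorted list of required actions not matched by any granted (possibly wildcarded) action."""
    patterns = [g.lower() for g in granted]
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))


if __name__ == "__main__":
    gap = missing_actions(template_actions(SAMPLE_TEMPLATE), allowed_actions(CURRENT_POLICY))
    print(json.dumps(gap, indent=2))
```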