Update AWS Account Permissions

Introduction

info

This guide assumes that you have already added your AWS account/Organization to Chronom.
If you haven't added your AWS account yet, please follow the steps in the Add an AWS account or Add an AWS organization guide first.

As Chronom continues to expand its coverage, the IAM policy assigned to the IAM Role that enables our system to scan your cloud resources may require updates.
These adjustments ensure that the necessary permissions for newly supported services are included, allowing Chronom to maintain comprehensive scanning and monitoring of your infrastructure.

To make it easier for you to update the IAM policy attached to the IAM Role in your AWS account, our CloudFormation template is designed to support in-place updates: you update the existing stack rather than deleting and recreating it.

Verify Policy Before and After Updates

Before and after updating permissions, you can verify that your deployed role matches the expected policy using the checksums provided in the Add an AWS account documentation. This ensures the role permissions have been correctly applied and haven't been modified unexpectedly.

Prerequisites

In order to use this CloudFormation template, you need to have the following:

  • The external ID that was provided during the Account Registration process in Chronom.
  • Access to an AWS account with the following permissions:
    • iam:CreateRole
    • iam:AttachRolePolicy
    • iam:PutRolePolicy
    • iam:DeleteRole
    • iam:DetachRolePolicy
    • iam:TagRole
    • iam:CreatePolicy
    • iam:DeletePolicy

Usage

info

This guide assumes that the CloudFormation stack has already been created using the readonly-role.yaml template in the us-east-1 region and that you have not changed the default name of the stack from chronom-readonly-role.
If you haven't created the stack in the us-east-1 region or have changed the default name, please adjust the steps accordingly.

To update the readonly-role.yaml CloudFormation stack, follow the steps below:

  1. Open the AWS Management Console and navigate to the CloudFormation service in the us-east-1 region.

  2. From the list of stacks, select the stack named chronom-readonly-role.

    note

    Make sure you do not select the NESTED stack, which is created by the chronom-readonly-role stack and has a suffix appended to the stack name.

  3. Click Update Stack > Make a direct update.

    (Screenshot: Update Stack)

  4. Choose Replace existing template, select Amazon S3 URL, paste the following URL into the input field, and click Next:

    https://chronom-public-assets.s3.amazonaws.com/readonly-role.yaml

    (Screenshot: Select Role Template)

  5. Click Next (you can skip the Specify stack details step, as it reuses the values from the previous deployment).

  6. Scroll all the way down and approve both capabilities by checking the I acknowledge that AWS CloudFormation might create IAM resources with custom names. checkbox, then click Next.

    (Screenshot: ack-role)

  7. Review the changes and click Submit.
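The same direct update as an AWS CLI script, added here as an example (it is not Chronom's own tooling), with a snapshot of the role's inline and attached policy documents taken before and after so the permission change can be diffed and reviewed. It assumes AWS CLI v2, credentials holding the IAM permissions listed under Prerequisites, that the stack's parameter keys are read from the deployed stack rather than hard-coded, and that the operator sets ROLE_NAME to the role the stack created; the STACK_NAME and REGION defaults follow this guide.

```shell
# Added example (not Chronom's code): console steps above as an AWS CLI script,
# with a before/after snapshot of the role's policies. Assumed: AWS CLI v2,
# credentials with the listed IAM permissions, ROLE_NAME set by the operator.
STACK_NAME="${STACK_NAME:-chronom-readonly-role}"
REGION="${REGION:-us-east-1}"
TEMPLATE_URL="https://chronom-public-assets.s3.amazonaws.com/readonly-role.yaml"
# Build "ParameterKey=K,UsePreviousValue=true" for each key in a whitespace-
# separated list, so update-stack reuses the previous values (external ID etc.).
previous_value_args() {
  out=""
  for key in $1; do
    out="${out}${out:+ }ParameterKey=${key},UsePreviousValue=true"
  done
  printf '%s' "$out"
}
# Parameter keys are read from the deployed stack rather than hard-coded.
stack_parameter_keys() {
  aws cloudformation describe-stacks --region "$REGION" --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Parameters[].ParameterKey' --output text
}
# Save every inline and attached policy document of a role into DIR, one file
# per policy, so two snapshots can be compared with diff -r.
snapshot_role_policies() {
  role="$1"; dir="$2"; mkdir -p "$dir"
  for name in $(aws iam list-role-policies --role-name "$role" --query 'PolicyNames[]' --output text); do
    aws iam get-role-policy --role-name "$role" --policy-name "$name" \
      --query PolicyDocument --output json > "$dir/inline-$name.json"
  done
  for arn in $(aws iam list-attached-role-policies --role-name "$role" --query 'AttachedPolicies[].PolicyArn' --output text); do
    ver=$(aws iam get-policy --policy-arn "$arn" --query Policy.DefaultVersionId --output text)
    aws iam get-policy-version --policy-arn "$arn" --version-id "$ver" \
      --query PolicyVersion.Document --output json > "$dir/attached-$(basename "$arn").json"
  done
}
# Direct in-place update with the published template; the capabilities are the
# CLI form of the acknowledgement checkbox in the console.
update_stack() {
  keys=$(stack_parameter_keys); [ "$keys" = None ] && keys=""   # no parameters
  aws cloudformation update-stack --region "$REGION" --stack-name "$STACK_NAME" \
    --template-url "$TEMPLATE_URL" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
    ${keys:+--parameters $(previous_value_args "$keys")}
  aws cloudformation wait stack-update-complete --region "$REGION" --stack-name "$STACK_NAME"
}
if [ -n "${ROLE_NAME:-}" ]; then   # only act when the operator names the role
  snapshot_role_policies "$ROLE_NAME" ./policies-before
  update_stack
  snapshot_role_policies "$ROLE_NAME" ./policies-after
  diff -r ./policies-before ./policies-after && echo "no policy changes"
fi
```

Run it as ROLE_NAME=<role created by the stack> sh update-role.sh; a non-empty diff lists exactly which permissions the new template added or removed, which is what to review before signing off.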