HERE'S WHY
Connecting AWS CodeCommit to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance.
BEFORE DIVING IN
Make sure you have an IAM account that has access to create new roles.
Overview of what we're going to set up
Create an IAM Profile for Drata with the required permissions.
Create an IAM Role for Drata to use and apply the Policy.
Get the new Role ARN to input into Drata.
Create a Policy
Log in to the AWS Console with an account that has access to create a new role.
Go to the IAM service, once there, click on Roles in the sidebar.
Click on 'Policies' link in the sidebar.
Click on the 'Create Policy' button.
Copy the Drata Policy below:
{ "Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": "ec2:DescribeRegions",
"Resource": "*"
}, {
"Effect": "Allow",
"Action": [
"iam:GetAccountAuthorizationDetails",
"iam:GetRole",
"iam:GetUser",
"iam:ListAccountAliases",
"iam:ListMFADevices",
"iam:ListUsers",
"iam:SimulatePrincipalPolicy"
],
"Resource": "*"
}, {
"Sid": "NeededUntilWeConsolidateThePolicyChecks",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:ListUserPolicies",
"iam:SimulateCustomPolicy"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Action": [
"codecommit:EvaluatePullRequestApprovalRules",
"codecommit:GetApprovalRuleTemplate",
"codecommit:GetRepository",
"codecommit:ListAssociatedApprovalRuleTemplatesForRepository",
"codecommit:ListRepositories"
],
"Resource": "*"
}]
}Click the 'JSON' tab.
Select all of the default policy in the editor and paste over it.
Click the 'Next: Tags' button.
(Optional) If your company uses tags, enter them here.
Click the 'Next: Review' button.
Copy and paste the Drata Policy Name into the 'Name' field exactly as it appears below.
DrataCodeCommitPolicy
Copy and paste the Drata Policy Description into the 'Description' field.
Provides read-only access for Drata Code Commit Connection
Click the 'Create policy' button.
Create a new Role
Click on the Create role button, then the Another AWS account button.
Use the following values to fill out the form
Account ID:
269135526815
5. Check the Require external ID checkbox, and enter your Drata account ID into the External ID field.
The value below is just an example... you will get your REAL account ID within the Drata app when connecting AWS.
βExternal ID:
YOUR-ACCOUNT-ID
(Note: Leave the Require MFA checkbox un-checked)
6. Click the Next: Permissions button.
7. Copy and paste the Drata Policy Name into the search field and press enter.
Read Only Drata Policy Name for CodeCommit:
DrataCodeCommitPolicy
8. Click the Next: Tags button. Optionally add tags if your company uses them.
9. Click the Next: Review button.
10. Copy and paste the fields below into the form, then click the Create role button. Ensure that the value for Role Name is copied exactly as listed below.
Role Name:
DrataCodeCommitRole
Role Description:
Cross-account read-only access for Drata CodeCommit Connection
Get the new Role ARN to input into Drata
Click on the new Role you just created, named DrataCodeCommitRole.
Copy and paste the Role ARN value on AWS into the Role ARN field on Drata.
π You have just successfully setup proper read-only access for Drata π