is now a part of Cisco.

The Account Security platform manages cloud resources for the customer. To do so, the platform requires permission to perform specific operations on the customer's behalf. This is achieved by creating an AWS IAM Role in the customer account with the following policies attached.

  • Trust Policy
    • Who can access the role
  • Permission Policy
    • What actions can be performed once the role is assumed

IAM Role Access

When a new cloud account is attached to the platform, a new role is created within the customer account. All permissions granted to this role are published in a public repository. When adding a new account, the platform offers the customer a CloudFormation template that performs the necessary actions. The entire template is available at the URL below.

Once the role is created, its permissions and trust relationship can be viewed in the AWS IAM Console by selecting the newly created role.

Trust Permissions

The platform creates a trust relationship between the customer AWS account and the platform AWS account. The platform AWS account is added as a trusted party when the role is created, together with an identifier string. This ensures that only applications operating within the platform's AWS account can assume the customer role, and nobody from outside.

Policy Permissions

The platform performs critical operations such as launching infrastructure, managing it during its lifetime, and removing infrastructure that has served its purpose. To enable auditing, all infrastructure managed by the platform is tagged. To ensure that other infrastructure is not disturbed by the platform, only resources managed by the platform can be stopped or terminated. This is enforced using the tags added to instances.
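As an added illustration (not the platform's published template), the following Python builds the two policy documents described under Trust Permissions and Policy Permissions and checks them for the two properties the text relies on: assume-role restricted to one account plus an identifier string (modelled here with the sts:ExternalId condition) and stop/terminate scoped to tagged instances. The account id, identifier string and tag key are constructed placeholders.

```python
import json
# Constructed placeholders: not the platform's real account id, identifier string or tag scheme.
PLATFORM_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-identifier-string"
MANAGED_TAG = "aws:ResourceTag/ManagedBy"  # assumed tag key stamped on platform-managed resources
DESTRUCTIVE = {"ec2:StopInstances", "ec2:TerminateInstances"}

TRUST_POLICY = {  # who may assume the role: only the platform account, and only with the identifier
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{PLATFORM_ACCOUNT_ID}:root"},
                   "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}],
}

PERMISSION_POLICY = {  # what the role may do: stop/terminate is limited to tagged instances
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:CreateTags", "ec2:Describe*"]},
        {"Effect": "Allow", "Resource": "arn:aws:ec2:*:*:instance/*", "Action": sorted(DESTRUCTIVE),
         "Condition": {"StringEquals": {MANAGED_TAG: "platform"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def trust_findings(policy):
    """Flag AssumeRole grants open to any principal or lacking an ExternalId condition."""
    out = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            out.append(f"statement {i}: wildcard principal")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            out.append(f"statement {i}: no sts:ExternalId condition")
    return out

def permission_findings(policy):
    """Flag destructive EC2 actions that are not scoped by an aws:ResourceTag condition."""
    out = []
    for i, st in enumerate(policy["Statement"]):
        destructive = st.get("Effect") == "Allow" and set(_as_list(st.get("Action"))) & DESTRUCTIVE
        if destructive and "aws:ResourceTag/" not in json.dumps(st.get("Condition", {})):
            out.append(f"statement {i}: destructive actions without tag condition")
    return out
```

Both check functions return an empty list for the constructed policies and a finding per statement once a condition is removed, so they can be run over a downloaded template before it is deployed.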

Logging and Audit trail

All calls made by the platform on behalf of customers can be audited and logged by enabling AWS CloudTrail on the newly created role. This allows continuous monitoring of all actions performed by the platform and supports audits that identify which resources were accessed.

Credential Storage

The role information provided by the customer is encrypted using an AWS KMS key store. Role information is decrypted only when necessary, to obtain a temporary grant for performing AWS operations, and remains encrypted on disk at all times.

Temporary Grant

The platform assumes the customer role when accessing the customer cloud account. The assume-role operation returns a temporary access key and secret key that are valid for at most one hour. These credentials are encrypted and held in the application's memory; they are never persisted to disk and stay encrypted in memory at all times. They are decrypted only to access the customer's AWS resources, rotated automatically when they expire, and discarded once their validity ends.