AWS requirements - BlueCat Cloud Resolver - 1.2.0

BlueCat Cloud Resolver Administration Guide

Locale: English
Product name: BlueCat Cloud Resolver
Version: 1.2.0

Cloud API access requirements

The platform that has Cloud Resolver installed must be able to access the following cloud API endpoint:
  • .amazonaws.com
Note: For more information on AWS API endpoints, refer to https://docs.aws.amazon.com/general/latest/gr/rande.html.

Configuring AWS permission requirements

  1. Create an IAM role. For more information on creating IAM roles, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html.
    Note: If you are configuring Cloud Resolver on an EC2 instance, BlueCat recommends assigning the IAM role to the EC2 instance. For more information on attaching IAM roles to EC2 instances, refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role.
  2. Create an IAM policy that has the following permissions:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetRandomPassword",
                    "route53:ListHostedZonesByVPC",
                    "ec2:DescribeVpcs",
                    "route53:ListHostedZones",
                    "route53:ListResourceRecordSets",
                    "lambda:*",
                    "ec2:DescribeVpcEndpoints"
                ],
                "Resource": "*"
            }
        ]
    }
    Note: These permissions are provided for guidance but might not be suitable for environments with restrictive access. You can configure granular permissions to set boundaries on the resources that Cloud Resolver can discover.
  3. Create an STS AssumeRole policy with the following permissions:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": [
                    "arn:aws:iam::123456789012:role/cloud_resolver_remote"
                ]
            }
        ]
    }
    Where the resource is as follows:
    • The ARN of the role in a remote account that Cloud Resolver can assume.
      Note: You can list multiple resources.
  4. (Optional) If your BlueCat Edge API keys are stored in the AWS Secrets Manager, you must also create the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor2",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetResourcePolicy",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                    "secretsmanager:ListSecretVersionIds"
                ],
                "Resource": [
                    "arn:aws:secretsmanager:us-east-1:123456789012:secret:crs_keys-ABCD123"
                ]
            }
        ]
    }
    Where the resource is as follows:
    • The ARN of the secret in AWS Secrets Manager that stores the BlueCat Edge API keys.
  5. Assign the policies to the Cloud Resolver IAM role. For more information, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html.
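Before attaching the policies from steps 2 to 4, it helps to check them offline, especially after narrowing the discovery policy as the step 2 note suggests. The following Python script is an added example, not BlueCat's code: it builds the three policy documents from the role and secret ARNs (the placeholder ARNs are the ones from this guide) and reports which required actions a candidate policy fails to grant and which statements still use a bare "*" resource.

```python
import fnmatch
import json

# Actions the guide lists for the Cloud Resolver discovery policy (step 2).
DISCOVERY_ACTIONS = [
    "secretsmanager:GetRandomPassword", "route53:ListHostedZonesByVPC",
    "ec2:DescribeVpcs", "route53:ListHostedZones",
    "route53:ListResourceRecordSets", "lambda:*", "ec2:DescribeVpcEndpoints",
]
# Actions the guide lists for the optional Secrets Manager policy (step 4).
SECRET_ACTIONS = [
    "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
    "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds",
]

def _policy(sid, actions, resources):
    """One single-statement Allow policy document, shaped like the guide's."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow",
        "Action": list(actions), "Resource": list(resources)}]}

def build_policies(remote_role_arns, secret_arns=()):
    """Policy documents of steps 2-4 keyed by name; 'secrets' only if ARNs are given."""
    docs = {"discovery": _policy("VisualEditor0", DISCOVERY_ACTIONS, ["*"]),
            "assume_role": _policy("VisualEditor1", ["sts:AssumeRole"], remote_role_arns)}
    if secret_arns:
        docs["secrets"] = _policy("VisualEditor2", SECRET_ACTIONS, secret_arns)
    return docs

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def missing_actions(doc, required):
    """Required actions that no Allow statement grants. IAM action matching is
    case-insensitive with '*'/'?' wildcards, so "lambda:*" covers any lambda action."""
    patterns = [p.lower() for s in doc["Statement"] if s.get("Effect") == "Allow"
                for p in _as_list(s.get("Action"))]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def unscoped_statements(doc):
    """Sids whose Resource is a bare '*': the statements to narrow when the
    step 2 note applies and you want boundaries on what Cloud Resolver can discover."""
    return [s.get("Sid") for s in doc["Statement"] if "*" in _as_list(s.get("Resource"))]

if __name__ == "__main__":
    # Placeholder role ARN taken from step 3 of this guide.
    for name, doc in build_policies(["arn:aws:iam::123456789012:role/cloud_resolver_remote"]).items():
        print(name, json.dumps(doc, indent=4))
        print("unscoped:", unscoped_statements(doc), "missing:",
              missing_actions(doc, DISCOVERY_ACTIONS if name == "discovery" else []))
```

Feed `missing_actions` a narrowed policy together with `DISCOVERY_ACTIONS` to see exactly which of the guide's actions the narrowed version dropped.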

If you are deploying Cloud Resolver on-premises, create an AWS configuration file that contains the IAM role that you created earlier. For more information on creating AWS configuration files, refer to https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html. When creating the Cloud Resolver configuration file, ensure that you configure the AWS_CONFIG_FILE parameter with the location of the local AWS configuration file.