Advanced Configuration

This section describes advanced configuration settings that may not yet be fully supported. Please read all documentation carefully.

AWS

GovCloud

GovCloud offers fewer services than the commercial cloud and requires slightly different configuration. The following is an example of an IAM policy for a cloudhunter user in GovCloud; note the aws-us-gov partition in the resource ARNs. Substitute your bucket name for [YOUR-BUCKET-NAME] below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws-us-gov:s3:::[YOUR-BUCKET-NAME]/*",
                "arn:aws-us-gov:s3:::[YOUR-BUCKET-NAME]"
            ]
        }
    ]
}

Alternative S3 Bucket Access

There are multiple options for providing access to S3 buckets in your environment: using S3 bucket policies and using IAM policies. The following is an example of an appropriate S3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SiftBucketAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[YOUR-ACCOUNT-NUMBER]:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[YOUR-BUCKET-NAME]",
                "arn:aws:s3:::[YOUR-BUCKET-NAME]/*"
            ]
        }
    ]
}
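
The two policies above differ in ARN partition (aws-us-gov for GovCloud, aws for commercial) and in how broadly they name actions. The following check is an added example, not part of CloudHunter or its documentation; it lints a policy for ARNs in the wrong partition, wildcard actions, and list/get actions that lack a matching bucket or object ARN. The function name, finding labels, and sample bucket name are assumptions made for illustration.

```python
import json

def _as_list(value):
    # IAM accepts a single string wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def lint_s3_policy(policy_text, expected_partition):
    """Return (statement_index, check, value) findings for an S3 read policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        # ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
        for arn in resources + principals:
            parts = arn.split(":", 5)
            if len(parts) == 6 and parts[0] == "arn" and parts[1] != expected_partition:
                findings.append((idx, "wrong-partition", arn))
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if "*" in action:
                findings.append((idx, "wildcard-action", action))
        # List actions are evaluated against the bucket ARN, object reads
        # against ARNs that carry a key part after the bucket name.
        names = [r.split(":", 5)[5] for r in resources if r.count(":") >= 5]
        if any(a.lower().startswith("s3:list") for a in actions) and all("/" in n for n in names):
            findings.append((idx, "no-bucket-arn-for-list", None))
        if any(a.lower().startswith("s3:get") for a in actions) and not any("/" in n for n in names):
            findings.append((idx, "no-object-arn-for-get", None))
    return findings

# Constructed sample: the GovCloud policy shape from this page with one
# Resource left in the commercial "aws" partition. The bucket name is made up.
GOV_SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": ["arn:aws-us-gov:s3:::example-bucket/*",
                     "arn:aws:s3:::example-bucket"],
    }],
})

if __name__ == "__main__":
    for finding in lint_s3_policy(GOV_SAMPLE, "aws-us-gov"):
        print(finding)
```

A wildcard-action finding is a prompt to review the policy rather than an error: the bucket policy above shows the narrower s3:GetObject and s3:ListBucket form.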

Alternative Access Methods

The getting started guide describes using an IAM user to access your API accounts. There are two other methods that can be used to access data stored in S3: instance roles and cross-account roles. Instance roles can only be used if you are hosting CloudHunter in your own account.

For more details on which one to choose, read Best Practices for Managing AWS Access Keys.

Important

For AWS API access you must use an IAM user access key and secret. Cross-account roles are not currently supported.