From 6bbbd5305458168224a41d118d22750abd6314ba Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Tue, 24 Nov 2020 15:46:31 +0000 Subject: [PATCH] Add example IAM policy --- docs/asff.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/asff.md b/docs/asff.md index 5d56e1f..7445d84 100644 --- a/docs/asff.md +++ b/docs/asff.md @@ -18,6 +18,23 @@ You can configure kube-bench with the `--asff` to send findings to AWS Security * Grant these permissions to the IAM Role that the kube-bench pod will be associated with. There are two potions: * You can run the kube-bench pod under a specific [service account associated with an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) that has these permissions to write Security Hub findings. * Alternatively the pod can be granted permissions specified by the Role that your [EKS node group uses](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html). + +Here is an example IAM Policy that you can attach to your EKS node group's IAM Role: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "securityhub:BatchImportFindings", + "Resource": [ + "arn:aws:securityhub:us-east-1::product/aqua-security/kube-bench" + ] + } + ] +} +``` ## Configure and rebuild kube-bench @@ -36,4 +53,4 @@ Findings will be generated for any kube-bench test that generates a `[FAIL]` or

-[eks-instructions]: ../README.md#running-in-an-EKS-cluster \ No newline at end of file +[eks-instructions]: ../README.md#running-in-an-EKS-cluster
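Review bot: the example policy in the first hunk hard-codes the `us-east-1` region in the product ARN, so a reader whose cluster runs in another region will copy a policy whose `Resource` does not match the product ARN their findings are imported against; suggest making the region an obvious placeholder (`arn:aws:securityhub:<region>::product/aqua-security/kube-bench`) and saying in the introducing sentence that it must be replaced with the cluster's region. The introducing sentence also says to attach the policy to the node group's IAM Role, which gives every pod scheduled on those nodes the ability to import findings, while the bullet just above lists the service-account-associated IAM role as the alternative; worth stating that the same policy document works for either option and that the service-account role scopes the permission to the kube-bench pod alone. The unchanged context line `There are two potions:` directly above the insertion has a typo (`options`) that could be fixed in the same change.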