arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-02-21 20:12:10 +00:00
Code Issues Releases Wiki Activity

Add example IAM policy

Browse Source
This commit is contained in:
Liz Rice 2020-11-24 15:46:31 +00:00 committed by GitHub
parent c3f94dd89f
commit 6bbbd53054
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/asff.md
View File

@ -19,6 +19,23 @@ You can configure kube-bench with the `--asff` to send findings to AWS Security
* You can run the kube-bench pod under a specific [service account associated with an IAM role](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) that has these permissions to write Security Hub findings.
* Alternatively the pod can be granted permissions specified by the Role that your [EKS node group uses](https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html).
Here is an example IAM Policy that you can attach to your EKS node group's IAM Role:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "securityhub:BatchImportFindings",
"Resource": [
"arn:aws:securityhub:us-east-1::product/aqua-security/kube-bench"
]
}
]
}
```
## Configure and rebuild kube-bench
You will need to download, build and push the kube-bench container image to your ECR repo as described in Step 3 of the [EKS instructions][eks-instructions], except that before you build the container image, you need to edit `cfg/eks-1.0/config.yaml` to specify the AWS account, AWS region, and the EKS Cluster ARN.