All necessary permissions (AWSWAFFullAccess, AmazonS3ReadOnlyAccess, and CloudWatchReadOnlyAccess) are automatically applied to the IAM role with the [Create an IAM Role and register it (Create a new IAM role with CloudFormation)] method because the IAM role is created by CloudFormation.
CloudWatchReadOnlyAccess is not required for the old plan users, so you can delete the CloudWatchReadOnlyAccess permission after the IAM role has been created.
Of the three methods, the following notes apply to the [Create an IAM Role and register it (Create a new IAM role with CloudFormation)] method.
This method automatically applies all necessary permissions for the new plan. When CloudFormation is used to create an IAM role, the old plan users need to adjust the permissions separately.
CloudFormation is executed in the ap-northeast-1 (Tokyo) region.
The method to use the IAM role (AssumeRole) is recommended.
[Use an existing IAM User (Create an IAM user on AWS management console first and register the keys)] method is not recommended because it requires access key and secret key registration. The [Create] button is not disabled, so please click the [Create] button and proceed if you wish to use this method.
Procedure
Create an IAM Role and register it (Create a new IAM role with CloudFormation)
Sign in to the WafCharm console.
Click [Credential] from the left menu.
Click the [Create] button below the [Create an IAM Role and register it].
Read the information available on [Introduction] to check your AWS account and click [Next].
If your AWS account does not have permission to create a CloudFormation stack and IAM role, the process will fail in the following steps.
The introduction contains information about read permission on CloudWatch Metrics (CloudWatchReadOnlyAccess), but this permission will be deleted in the following steps because it is not required for the old plan users.
Enter the AWS Account ID to use and the IAM Role Name to create.
CloudFormation will use the specified name to create an IAM role. Please choose a name that is easy to recognize.
Click the [Create a template] button.
Click the URL below the message [Copy and access the URL below to complete configuring the IAM Role in the AWS management console.].
The URL is a link that takes you to the CloudFormation page in your AWS management console.
Check the checkbox below on the AWS management console.
I acknowledge that AWS CloudFormation might create IAM resources with custom names.
Click [Create stack].
Wait for the completion of stack creation.
When the creation is completed, check that the IAM role has been successfully created.
Open the IAM role page, check [CloudWatchReadOnlyAccess], and click the [Remove] button to remove the permission.
As stated above, this permission is not required in the old plan.
Go back to the WafCharm Console and click on the [Validate] button.
If you see a message that says "Validated," go to the next step.
Check the Credential Store name.
The IAM role name will be entered in the Credential Store name. If you want to keep the same name, go to the next step. If you want to change the name of the Credential Store, please adjust the name shown on the page.
Click [Create].
The Credential Store creation is complete if a message that says "Your credential information has been created." is shown on the page. Click on the [Back to list of Credentials] button to see the registered Credential Stores.
Use an existing IAM Role (Create an IAM role on the AWS management console first and then register the information)
Sign in to the AWS management console.
Open the IAM dashboard.
Click [Roles] from the left menu.
To create an IAM role, click the [Create role] button at the top right corner of the Roles page.
Select AWS Account under [Select trusted entity].
Choose [This account (account ID)] for [An AWS Account]. Leave the [Options] as is.
When the trust policy on the created IAM role is updated in the following steps, the trusted account changes from your own account to the intended AWS account.
Add necessary permissions under the [Permissions policies].
AWSWAFFullAccess and AmazonS3ReadOnlyAccess
The introduction on the WafCharm Console contains information about read permission on CloudWatch Metrics (CloudWatchReadOnlyAccess), but this permission is not required for the old plan users.
On the next page, enter the role name, check the settings, and click the [Create role] button.
The trust policy will be updated later. At this point, the trust policy shown under [Step 1: Select trusted entities] can contain your AWS account ID.
Go back to the Roles page and open the IAM role you have just created. The trust policy will be updated later, so please keep this page open.
Sign in to the WafCharm console.
Click [Credential] from the left menu.
Click the [Create] button below the [Use existing IAM Role].
Click [Generate the trust policy for your IAM role].
Click the [Copy] button to copy the trust policy.
Go back to the AWS management console and click the [Trust relationships] tab on your IAM role.
Click the [Edit trust policy] button.
Paste the trust policy copied from the WafCharm Console under the [Edit trust policy] section.
Click the [Update policy] button.
Copy the IAM role's ARN.
Go back to the WafCharm Console and paste the ARN in the field shown under [Enter the ARN of your IAM role and click the Validate button.].
Click the [Validate] button.
If you see a message that says "Validated," go to the next step.
Enter the Credential Store name on the Create page.
Click [Create].
The Credential Store creation is complete if a message that says "Your credential information has been created." is shown on the page. Click on the [Back to list of Credentials] button to see the registered Credential Stores.
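Both role-based methods above come down to two things being right before you click [Validate]: the managed policies attached to the role (AWSWAFFullAccess and AmazonS3ReadOnlyAccess, plus CloudWatchReadOnlyAccess only for the new plan) and the trust policy that names the account allowed to assume the role. The following is an added example, not WafCharm's own code or template, that reviews both offline from the JSON you can copy out of the IAM console. The sample trust policy, the account ID 111122223333 and the ExternalId value are constructed placeholders; the page does not state whether the policy generated by the WafCharm Console contains an sts:ExternalId condition, so that check is an extra recommendation for third-party cross-account roles rather than a statement about WafCharm's policy.

```python
"""Offline review of an IAM role set up for a third-party service.

Added example (not WafCharm's code). Models the two checks the procedures
ask for: the managed policies attached to the role, and the trust policy
pasted into [Edit trust policy]. Sample values are constructed.
"""
import json
import re

# Managed policies named on the page, per plan.
OLD_PLAN_POLICIES = {"AWSWAFFullAccess", "AmazonS3ReadOnlyAccess"}
NEW_PLAN_POLICIES = OLD_PLAN_POLICIES | {"CloudWatchReadOnlyAccess"}

# A principal that names exactly one AWS account: a bare account ID, the
# account root, or a specific role/user in that account (no wildcards).
_ACCOUNT_PRINCIPAL = re.compile(
    r"^(\d{12}|arn:aws:iam::\d{12}:(root|role/[^*]+|user/[^*]+))$"
)


def check_attached_policies(attached, plan="old"):
    """Return (missing, unneeded) managed-policy names for the given plan.

    'unneeded' lists anything attached beyond what the plan requires, so an
    old-plan role still carrying CloudWatchReadOnlyAccess shows up there.
    """
    required = NEW_PLAN_POLICIES if plan == "new" else OLD_PLAN_POLICIES
    attached = set(attached)
    return sorted(required - attached), sorted(attached - required)


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def review_trust_policy(doc):
    """Return a list of findings for an AssumeRole trust policy document.

    An empty list means every Allow statement grants only sts:AssumeRole to
    a single named AWS account principal and carries an sts:ExternalId
    condition (the ExternalId check is a recommendation, see the lead-in).
    """
    findings = []
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        return ["trust policy has no Statement"]
    for n, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        where = f"statement {n}"
        for action in _as_list(st.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"{where}: unexpected action {action}")
        principal = st.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            findings.append(f"{where}: principal is not a named AWS account")
            continue
        if set(principal) != {"AWS"}:
            findings.append(f"{where}: principal type {sorted(principal)} is not AWS")
        for p in _as_list(principal.get("AWS")):
            if p == "*" or not _ACCOUNT_PRINCIPAL.match(p):
                findings.append(f"{where}: wildcard or malformed principal {p}")
        condition = st.get("Condition", {})
        if "sts:ExternalId" not in condition.get("StringEquals", {}):
            findings.append(f"{where}: no sts:ExternalId condition")
    return findings


# Constructed sample in the shape of a cross-account trust policy. The
# account ID and ExternalId are placeholders, not WafCharm's values.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
    }
  ]
}
""")


def main():
    print("trust policy findings:", review_trust_policy(SAMPLE_TRUST_POLICY))
    # An old-plan role that still has CloudWatchReadOnlyAccess attached.
    print("old plan (missing, unneeded):", check_attached_policies(
        ["AWSWAFFullAccess", "AmazonS3ReadOnlyAccess", "CloudWatchReadOnlyAccess"],
        plan="old"))


if __name__ == "__main__":
    main()
```

Paste the role's actual trust policy JSON in place of the constructed sample and the list of attached policies from the [Permissions] tab; an empty findings list and an empty `unneeded` list mean the role matches what the procedure describes for your plan.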
Use an existing IAM User (Create an IAM user on the AWS management console first and register the keys)
Sign in to the AWS management console.
Open the IAM dashboard.
Click [Users] from the left menu.
Click the [Add users] button on the top right corner to create an IAM user.
Enter [User name].
Click [Create group].
If a group already exists, select one from [User groups] and proceed to step 10.
Enter [User group name].
Add necessary permissions under the [Permissions policies].
AWSWAFFullAccess and AmazonS3ReadOnlyAccess
Click [Create user group] and select the created user group.
Click [Next].
Click [Create user].
Click the name of the created user.
Click the [Security credentials] tab.
Create an access key from [Access keys].
Copy the access key and secret key.
The access key and secret key will be used in the following steps.
Download the CSV file from [Download .csv file] if necessary.
Sign in to the WafCharm console.
Click [Credential] from the left menu.
Click the [Create] button below the [Use existing IAM User].
The option is grayed out, but it is clickable.
Paste each key in the [Access Key ID] field and the [Secret Access Key] field under the [Verify IAM User Credential] section.
Click the [Validate] button and check that the "Validated" message is shown.
You cannot register the same access key/secret key to the same WafCharm account. If the registered access key/secret key already exists within the WafCharm account, you will see an error message. If you want to use the same access key/secret key in multiple resources in the WafCharm Console, please use the same Credential Store.
Enter the Credential Store name on the Create page.
Click [Create].
The Credential Store creation is complete if a message that says "Your credential information has been created." is shown on the page. Click on the [Back to list of Credentials] button to see the registered Credential Stores.