sevco.io

AWS IAM

About

Amazon Identity and Access Management (Amazon IAM) provides central management of access and permissions in the Amazon Web Services (AWS) Cloud. Amazon IAM allows you to create granular permissions on user attributes such as department, job function, or team name.

Why You Should Integrate

This integration will provide visibility into your AWS IAM users within Sevco.

How Does the Integration Work

This integration pulls all IAM users within a given AWS account.

This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.

⚠️

If you haven't already, please review our instructions for configuring the AWS integration before proceeding with the instructions below.

Configuration Options

No integration-specific configuration needed

External Documentation

Creating Credentials

Access Key ID/Secret Access Key Schemas

See platform documentation for details on AWS - Creating credentials

Assume Role Schemas

You'll be required to configure a AWS role for Sevco to assume to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.

Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId to replace the 11111111-1111-1111-1111-111111111111 value and the Sevco account ID to replace 123456789010.

Sample IAM Assume Role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}

AWS Organization Discovery

AWS Organization Discovery allows Sevco to discover all AWS accounts that are members of your AWS Organization. When enabled, Sevco will iterate through each member account and collect users from IAM as configured.

If organizational discovery is enabled the following additional configuration is required

  • The integration needs to be configured to assume a role into the AWS account that owns your AWS Organization.
  • A role of the same name with appropriate permissions for IAM collection needs to be created in each member account in your Organization that you'd like to collect assets from.
  • The role in the primary account will need an additional statement added to it's permissions document as show below
{
  "Effect": "Allow",
  "Action": [
    "organizations:ListAccounts"
  ],
  "Resource": "*"
}

AWS CloudFormation Templates

If you would like to automate creating an assumable role for multiple accounts in your AWS organization, you can do so using a CloudFormation template.

See the CloudFormation template below:

 AWSTemplateFormatVersion: '2010-09-09'
  Description: CloudFormation template to create an Identity Center asset collection role that can be assumed by a specific role with an ExternalId condition.

  Parameters:
  RoleName:
    Type: String
    Description: Name of the IAM role to create.
    Default: SevcoAssumableRole
    MinLength: 1
    MaxLength: 64
  TrustedAccountNumber:
    Type: String
    Description: The AWS account hosting the role that will allowed to assume the collection role in your account.
  ExternalId:
    Type: String
    Description: The ExternalId required for assuming the role.

  Resources:
  AssumableIdentityCenterRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountNumber}:role/Sevco_USProd_IAMAssetCollection'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: SevcoIdentityCenterAssetCollectionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'identitystore:ListGroupMemberships'
                  - 'identitystore:ListGroups'
                  - 'identitystore:ListUsers'
                Resource: '*' # Or the ARN for whatever Identity Store ID you want to read from
      MaxSessionDuration: 3600 # Session duration in seconds (1 hour)

  Outputs:
  RoleArn:
    Description: ARN of the created IAM role
    Value: !GetAtt AssumableIdentityCenterRole.Arn
  RoleName:
    Description: Name of the created IAM role
    Value: !Ref AssumableIdentityCenterRole


Required Permissions

Your IAM user (Access Key ID/Secret) or newly created role (AssumeRole) should use a permission policy with at least the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}

Contact Us

If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected].

Tags: cloud, IAM