AWS IAM
About
Amazon Identity and Access Management (Amazon IAM) provides central management of access and permissions in the Amazon Web Services (AWS) Cloud. Amazon IAM allows you to create granular permissions on user attributes such as department, job function, or team name.
Why You Should Integrate
This integration will provide visibility into your AWS IAM users within Sevco.
How Does the Integration Work
This integration pulls all IAM users within a given AWS account.
This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.
If you haven't already, please review our instructions for configuring the AWS integration before proceeding with the instructions below.
Configuration Options
No integration-specific configuration needed
External Documentation
Creating Credentials
Access Key ID/Secret Access Key Schemas
See platform documentation for details on AWS - Creating credentials
Assume Role Schemas
You'll be required to configure an AWS role for Sevco to assume in order to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.
Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId to replace the 11111111-1111-1111-1111-111111111111 value and the Sevco account ID to replace 123456789010.
Sample IAM Assume Role trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}
AWS Organization Discovery
AWS Organization Discovery allows Sevco to discover all AWS accounts that are members of your AWS Organization. When enabled, Sevco will iterate through each member account and collect users from IAM as configured.
If organizational discovery is enabled, the following additional configuration is required:
- The integration needs to be configured to assume a role into the AWS account that owns your AWS Organization.
- A role of the same name with appropriate permissions for IAM collection needs to be created in each member account in your Organization that you'd like to collect assets from.
- The role in the primary account will need an additional statement added to its permissions document, as shown below:
{
    "Effect": "Allow",
    "Action": [
        "organizations:ListAccounts"
    ],
    "Resource": "*"
}
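The discovery flow described above (organizations:ListAccounts in the primary account, then sts:AssumeRole with the ExternalId into each member account, then iam:ListUsers), written out as an added example. This is not Sevco's code: the clients are duck-typed so real boto3 clients could be passed in, and the Fake* classes, account IDs and user names below are constructed stand-ins that let the flow run offline. The role name SevcoAssumableRole is taken from the CloudFormation template's default.

```python
"""Added example (not Sevco's code): the AWS Organization Discovery flow.
Real boto3 clients (organizations, sts, iam) fit the same method names;
the Fake* classes at the bottom are constructed so the example runs offline."""

from typing import Callable, Dict, List


def list_member_accounts(org_client) -> List[dict]:
    """organizations:ListAccounts is paginated: follow NextToken to the end."""
    accounts, token = [], None
    while True:
        page = org_client.list_accounts(**({"NextToken": token} if token else {}))
        accounts.extend(a for a in page["Accounts"] if a["Status"] == "ACTIVE")
        token = page.get("NextToken")
        if not token:
            return accounts


def assume_collection_role(sts_client, account_id: str, role_name: str, external_id: str) -> dict:
    """A role of the same name must exist in every member account; the ExternalId
    is what the trust policy's StringEquals condition checks."""
    resp = sts_client.assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="iam-asset-collection",
        ExternalId=external_id,
        DurationSeconds=3600,
    )
    return resp["Credentials"]


def list_iam_users(iam_client) -> List[str]:
    """iam:ListUsers paginates with Marker/IsTruncated rather than NextToken."""
    users, marker = [], None
    while True:
        page = iam_client.list_users(**({"Marker": marker} if marker else {}))
        users.extend(u["UserName"] for u in page["Users"])
        if not page.get("IsTruncated"):
            return users
        marker = page["Marker"]


def collect_org_users(org_client, sts_client, iam_client_for: Callable[[dict], object],
                      role_name: str, external_id: str) -> Dict[str, dict]:
    """Per account: {"users": [...]} on success, or {"error": "..."} when the role
    is missing or the ExternalId is rejected. Collection continues with the next account."""
    results = {}
    for acct in list_member_accounts(org_client):
        try:
            creds = assume_collection_role(sts_client, acct["Id"], role_name, external_id)
        except Exception as exc:  # botocore.exceptions.ClientError (AccessDenied) with real boto3
            results[acct["Id"]] = {"error": str(exc)}
            continue
        results[acct["Id"]] = {"users": list_iam_users(iam_client_for(creds))}
    return results


# ---- constructed fakes: four member accounts, one suspended, one missing the role ----
ROLE_NAME, EXTERNAL_ID = "SevcoAssumableRole", "11111111-1111-1111-1111-111111111111"


class FakeOrgClient:
    def list_accounts(self, NextToken=None):  # two pages, like the real API
        if NextToken is None:
            return {"Accounts": [{"Id": "111111111111", "Status": "ACTIVE"},
                                 {"Id": "222222222222", "Status": "SUSPENDED"}],
                    "NextToken": "page2"}
        return {"Accounts": [{"Id": "333333333333", "Status": "ACTIVE"},
                             {"Id": "444444444444", "Status": "ACTIVE"}]}


class FakeStsClient:
    accounts_with_role = {"111111111111", "333333333333"}  # 444444444444 never created the role

    def assume_role(self, RoleArn, RoleSessionName, ExternalId, DurationSeconds):
        account_id = RoleArn.split(":")[4]
        if account_id not in self.accounts_with_role or ExternalId != EXTERNAL_ID:
            raise RuntimeError(f"AccessDenied: cannot assume {RoleArn}")
        return {"Credentials": {"AccessKeyId": f"ASIA-{account_id}"}}  # constructed marker


class FakeIamClient:
    users_by_account = {"111111111111": ["alice", "bob", "carol"], "333333333333": ["dave"]}

    def __init__(self, creds):
        self.users = self.users_by_account[creds["AccessKeyId"].split("-")[1]]

    def list_users(self, Marker=None):  # one user per page to exercise pagination
        i = int(Marker or 0)
        return {"Users": [{"UserName": self.users[i]}],
                "IsTruncated": i + 1 < len(self.users), "Marker": str(i + 1)}


def demo() -> Dict[str, dict]:
    return collect_org_users(FakeOrgClient(), FakeStsClient(), FakeIamClient, ROLE_NAME, EXTERNAL_ID)


if __name__ == "__main__":
    for account_id, result in demo().items():
        print(account_id, result)
```

Running it lists three users for the first account and one for the third, records an AccessDenied error for the account where the role was never created, and skips the suspended account entirely; that per-account error entry is the signal to look for when a member account is missing from your inventory.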
AWS CloudFormation Templates
If you would like to automate creating an assumable role for multiple accounts in your AWS organization, you can do so using a CloudFormation template.
See the CloudFormation template below. Note that its inline policy grants Identity Center (identitystore) actions; for IAM user collection, replace them with the actions listed under Required Permissions (iam:GetUser and iam:ListUsers).
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an Identity Center asset collection role that can be assumed by a specific role with an ExternalId condition.
Parameters:
  RoleName:
    Type: String
    Description: Name of the IAM role to create.
    Default: SevcoAssumableRole
    MinLength: 1
    MaxLength: 64
  TrustedAccountNumber:
    Type: String
    Description: The AWS account hosting the role that will be allowed to assume the collection role in your account.
  ExternalId:
    Type: String
    Description: The ExternalId required for assuming the role.
Resources:
  AssumableIdentityCenterRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountNumber}:role/Sevco_USProd_IAMAssetCollection'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: SevcoIdentityCenterAssetCollectionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'identitystore:ListGroupMemberships'
                  - 'identitystore:ListGroups'
                  - 'identitystore:ListUsers'
                Resource: '*' # Or the ARN for whatever Identity Store ID you want to read from
      MaxSessionDuration: 3600 # Session duration in seconds (1 hour)
Outputs:
  RoleArn:
    Description: ARN of the created IAM role
    Value: !GetAtt AssumableIdentityCenterRole.Arn
  RoleName:
    Description: Name of the created IAM role
    Value: !Ref AssumableIdentityCenterRole
Required Permissions
Your IAM user (Access Key ID/Secret) or newly created role (AssumeRole) should use a permission policy with at least the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
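A reviewer's check of the two policy documents on this page (the Assume Role trust policy above and the permission policy just shown), as an added example that is not Sevco's code. It verifies that the trust policy names one specific principal and carries the sts:ExternalId condition (the protection against the confused-deputy problem), and that the permission policy covers iam:GetUser and iam:ListUsers without wildcard grants. The placeholder account ID and ExternalId are the ones from the page's sample; IAM-style action wildcards are matched with fnmatch. Run against the inline policy in the CloudFormation template above (identitystore actions only), it reports both IAM actions as missing.

```python
"""Added example (not Sevco's code): lint a trust policy and a permission
policy for the properties reviewed before granting a third party an assumable role."""

import fnmatch
import json
from typing import List, Set

# Placeholders copied from the page's sample trust policy; Sevco Support supplies the real values.
SEVCO_PRINCIPAL = "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"
EXTERNAL_ID = "11111111-1111-1111-1111-111111111111"
REQUIRED_ACTIONS = {"iam:GetUser", "iam:ListUsers"}

TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "11111111-1111-1111-1111-111111111111"}}
  }]
}""")

PERMISSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["iam:GetUser", "iam:ListUsers"], "Resource": "*"}]
}""")


def _as_list(value) -> list:
    """IAM policy grammar allows a bare string wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_principal: str, expected_external_id: str) -> List[str]:
    """Findings for every Allow sts:AssumeRole statement; an empty list means the policy is as expected."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append("AssumeRole is open to any AWS principal")
            elif p != expected_principal:
                findings.append(f"unexpected principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition: confused-deputy risk")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId differs from the value issued to you")
    return findings


def check_permission_policy(policy: dict, required: Set[str]) -> List[str]:
    """Flags wildcard grants and any required action not covered by an Allow statement."""
    findings, allowed = [], []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            allowed.append(action.lower())  # IAM action names are case-insensitive
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard grant {action} exceeds what collection needs")
    for need in sorted(required):
        if not any(fnmatch.fnmatchcase(need.lower(), pattern) for pattern in allowed):
            findings.append(f"missing required action {need}")
    return findings


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY, SEVCO_PRINCIPAL, EXTERNAL_ID) or "ok")
    print("permission policy:", check_permission_policy(PERMISSION_POLICY, REQUIRED_ACTIONS) or "ok")
```

Both documents from this page pass cleanly. Dropping the Condition block from the trust policy produces the confused-deputy finding, and an "iam:*" grant is reported as wider than collection needs even though it technically covers both required actions.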
Contact Us
If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected].
Tags: cloud, IAM