Prepping an AWS Integration

Ariel Zaretsky
Ariel Zaretsky
  • Updated

Prepping an AWS Integration

AWS (including IAM Identity Center-AWS SSO) can be integrated with Authomize so that Authomize can pull information about identities, groups, and assets that are known on your AWS account.

AWS can be integrated with Authomize on specific accounts or an organization. The procedure is a bit different in each case, so they are described separately:

Legacy method

  • Generate a user for Authomize with an access key.
  • Create a role in each user account.
  • Your user can use the roles to gain access to your accounts

Assumed Role-based Integration

CloudFormation for individual accounts

  • Create a role for each account.
  • Allow an Authomize users to access the roles.

CloudFormation for an organizational account (AWS StackSets)

  • Create a role and assign it to all your accounts.
  • Allow an Authomize users to access the role.

Manually Integrating AWS with Authomize

  • Manually create roles to integrate with Authomize

Notes:

  • Authomize generates a role on AWS that Authomize can use.
  • Authomize randomly generates a unique ExternalID for each customer (as recommended by AWS).
  • The AWS role requires a unique ExternalID (supplied by Authomize) to make the connection more secure.

Before you begin

To integrate AWS with Authomize, you need the following privileges:

  • the ability to create new roles on AWS
  • access to a management account (only needed set up an organizational account, or set up an SSO).
  • AWS CloudFormation privileges

With the legacy method, you need to create a user with “programmatic" credentials and one role per account that the user can assume.

What Do We Do with Those Credentials?

We list resources, policies and CloudTrail logs. We don't make too many calls there, and it shouldn't cost anything or cost very little (the number of objects is small). To be exact, those are the actions we perform at low numbers repeatedly. The list might grow a bit as we expand our AWS coverage, but the cost should remain low.

We read CloudTrail logs (only management ones, not data events). Those do cost, but it should be quite low.

API calls we make:

  • list groups
  • list local policies
  • list roles
  • list users
  • list AWS policies
  • list AWS users access keysEc2 service resources
  • EC2 network

 

Share this

Was this article helpful?

0 out of 0 found this helpful