AWS CloudFormation StackSets - for Integrating an Organizational Account

Ariel Zaretsky

Organizational account integration workflow

AWS_Organizational_Integration_Workflow.png

Open both Authomize and AWS

  • Log into Authomize and AWS in separate windows.
    Authomize_Login.png 3a_AWS_Sign_In.png

Preparing the AWS Integration in Authomize

  1. Go to Settings > Data Sources.
  2. If AWS appears under Recommended Apps, click it. Otherwise, click Add New App.
    1_Recommended_Ap.png
  3. Select AWS.
    1b_Recommended_Ap.png

Note: AWS IAM Identity Center (formerly AWS SSO) is integrated alongside AWS when the IncludeAWSIdentityCenter parameter is set to true in the StackSet parameters (see Step 2 below).

  4. When the Integrate AWS dialog appears, click the CloudFormation installation button (CloudFormation_Installation_Button.png).
    If you do not have CloudFormation and IAM role creation privileges, send the link (along with a request to create the Authomize-Trust-Role) to your AWS admin.

Creating an Authomize StackSet on AWS

If you are already logged into AWS, clicking the installation button (CloudFormation_Installation_Button.png) opens the CloudFormation > Stacks > Create stack dialog in AWS.
31b_AWS_Quick_Create_Stack.png

Authomize fills in the Template URL automatically. You will need this URL again when you create the StackSet:

https://authomize-cloud-formation.s3.amazonaws.com/authomize_cloud_formation.json

For an organizational integration, leave this single-stack dialog and create a StackSet instead: in the search field on the AWS menu bar, enter CloudFormation, click CloudFormation, and then go to StackSets.

Click Create StackSet (Create_StackSet_Button.png).

Follow the steps below to create an Authomize-Integration StackSet on AWS:

36_AWS_cloud_formation_stack_Sets_Create_Stack_Set.png

Fill in the fields as follows:

Step 1 Choose a Template

Permissions

Select Service-managed permissions if you will deploy to the whole organization or to organizational units (Step 4 below); this requires trusted access between AWS Organizations and CloudFormation StackSets to be enabled. Self-service permissions deploy only to accounts you list explicitly and require the AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationStackSetExecutionRole to exist in the target accounts beforehand.

Prerequisite – Prepare template

Select Template is ready (you are supplying the Authomize template URL, not a sample template).

Specify Template

Select Amazon S3 URL.

In the Amazon S3 URL field, enter the following URL:

https://authomize-cloud-formation.s3.amazonaws.com/authomize_cloud_formation.json

Click Next (Next_Button.png) and go to the Specify StackSet details section.

37_AWS_cloud_formation_stack_Sets_Create_Stack_Set-full.png

Step 2 Specify StackSet details

StackSet name

Enter a StackSet name [such as Authomize-integration].

StackSet description

Enter a description of your choosing.

Parameters

Enter the ExternalID shown on Authomize's Integrate AWS page, exactly as displayed. It is the external ID used for the cross-account role trust, so a mistyped value will prevent Authomize from assuming the role.

Set IncludeAWSIdentityCenter to true if your organization uses AWS IAM Identity Center (AWS SSO); otherwise leave it at false.

Click Next (Next_Button.png) to go to the Configure StackSet options section.

39_AWS_cloud_formation_stack_Sets_Create_Stack_Set-full.png

Step 3 Configure StackSet options

Skip step 3 for now.

Click Next (Next_Button.png) to go to the Set Deployment Options section.

40_AWS_Organizational_Unit_Deployment.png

For example:

42a_AWS_Region.png

Step 4 Set Deployment options

Add stacks to stack set

Select Deploy new stacks. (Import stacks to stack set is only for bringing existing, already-deployed stacks under a StackSet.)

Deployment targets

Select Deploy to organization to install the role in every account in the organization, or Deploy to organizational units (OUs) to limit it to specific OUs.

If you picked OUs, enter the OU ID(s). Every account that receives a stack instance is an account you will list in Authomize when completing the integration.

Auto-deployment options

Skip these options.

Specify Regions

Specify one region in your organization in which to install the stack. A single region is sufficient because the stack only needs to be created once per account (IAM roles are global).
Note: Do not install the Authomize CloudFormation stack in Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Europe (Milan), Middle East (UAE), or Middle East (Bahrain).

Deployment options 

Enter the maximum number of concurrent accounts and the failure tolerance (the number of accounts in which the deployment may fail before CloudFormation stops the operation).
Region concurrency (sequential or parallel) only matters when more than one region is selected; parallel is faster.

Click Next (Next_Button.png) to go to the Review section.

Check the entries on the Review page to see if everything is correct.

44_AWS_Organizational_Unit_Deployment-Review.png

Check the box I acknowledge that AWS CloudFormation might create IAM resources with custom names. This is required because the template creates a named IAM role (Authomize-Trust-Role).

Click Submit (Submit_Button.png) to create the StackSet.

Go to CloudFormation > StackSets.

Confirm that the Authomize-integration StackSet status is ACTIVE (the StackSet was created successfully), then open its Stack instances tab and wait until the instance in each target account has been deployed; the account numbers listed there are the ones you enter in Authomize in the next section.

45_AWS_Authomize_Integration_Stack_Set.png
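The same StackSet procedure can be driven from the AWS CLI, which is handy when the console steps above have to be repeated or reviewed. The script below is an added example, not Authomize's code or part of the original article. It assumes (none of this is stated on the page) that the aws CLI v2 is installed and authenticated to the organization's management account, that the caller supplies EXTERNAL_ID, TARGET_OU and REGION as environment variables, and that the parameter names ExternalID and IncludeAWSIdentityCenter are as shown in Step 2. The mapping of the article's unsupported region names to region codes and the root/OU ID format check are ours. It also produces the comma-delimited account list needed in the Integrate AWS dialog, but only after the deployment operation has finished.

```shell
#!/bin/sh
# Added example (not from the article or from Authomize): the StackSet steps
# above driven from the AWS CLI, plus the status check and the comma-delimited
# account list for the Authomize dialog. Assumed: aws CLI v2 authenticated to
# the management account; EXTERNAL_ID, TARGET_OU and REGION set by the caller.
set -eu

TEMPLATE_URL="https://authomize-cloud-formation.s3.amazonaws.com/authomize_cloud_formation.json"

# Regions the article says not to install in, as region codes (mapping is ours):
# Cape Town, Hong Kong, Jakarta, Milan, UAE, Bahrain.
UNSUPPORTED_REGIONS="af-south-1 ap-east-1 ap-southeast-3 eu-south-1 me-central-1 me-south-1"

# Succeeds if the region is one the Authomize stack may be installed in.
region_allowed() {
  for r in $UNSUPPORTED_REGIONS; do
    [ "$r" = "$1" ] && return 1
  done
  return 0
}

# A deployment target is the organization root (r-xxxx) or an OU (ou-xxxx-xxxxxxxx).
valid_target_id() {
  printf '%s' "$1" | grep -Eq '^(r-[a-z0-9]{4,32}|ou-[a-z0-9]{4,32}-[a-z0-9]{8,32})$'
}

# Steps 1-2: create the StackSet. SERVICE_MANAGED is required for root/OU
# targets; CAPABILITY_NAMED_IAM is the CLI form of the console acknowledgement
# that the template creates IAM resources with custom names.
create_stackset() {
  aws cloudformation create-stack-set \
    --stack-set-name "$STACKSET_NAME" \
    --description "Authomize integration role" \
    --template-url "$TEMPLATE_URL" \
    --parameters "ParameterKey=ExternalID,ParameterValue=$EXTERNAL_ID" \
                 "ParameterKey=IncludeAWSIdentityCenter,ParameterValue=$INCLUDE_IDC" \
    --capabilities CAPABILITY_NAMED_IAM \
    --permission-model SERVICE_MANAGED \
    --auto-deployment Enabled=false
}

# Step 4: one stack instance per account under the target, in a single region.
# Prints the operation ID so the caller can wait for it.
deploy_instances() {
  aws cloudformation create-stack-instances \
    --stack-set-name "$STACKSET_NAME" \
    --deployment-targets "OrganizationalUnitIds=$TARGET_OU" \
    --regions "$REGION" \
    --operation-preferences \
      MaxConcurrentCount=1,FailureToleranceCount=0,RegionConcurrencyType=PARALLEL \
    --query OperationId --output text
}

# Poll the operation until it leaves RUNNING/QUEUED/STOPPING; prints the final status.
wait_for_operation() {
  while :; do
    op_status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACKSET_NAME" --operation-id "$1" \
      --query 'StackSetOperation.Status' --output text)
    case "$op_status" in
      RUNNING|QUEUED|STOPPING) sleep 15 ;;
      *) echo "$op_status"; return 0 ;;
    esac
  done
}

# StackSet status (expect ACTIVE) and the accounts whose stack instance is
# CURRENT, comma delimited for the Account Number field in Authomize.
stackset_status() {
  aws cloudformation describe-stack-set --stack-set-name "$STACKSET_NAME" \
    --query 'StackSet.Status' --output text
}

account_list() {
  aws cloudformation list-stack-instances --stack-set-name "$STACKSET_NAME" \
    --query 'Summaries[?Status==`CURRENT`].Account' --output text | tr '\t' ','
}

# Entry point, only when invoked as:
#   EXTERNAL_ID=... TARGET_OU=ou-... REGION=us-east-1 ./authomize-stackset.sh deploy
if [ "${1:-}" = "deploy" ]; then
  : "${STACKSET_NAME:=Authomize-integration}" "${INCLUDE_IDC:=false}"
  : "${EXTERNAL_ID:?copy it from the Authomize Integrate AWS page}"
  : "${TARGET_OU:?organization root or OU id}" "${REGION:?a single region}"
  valid_target_id "$TARGET_OU" || { echo "invalid target id: $TARGET_OU" >&2; exit 1; }
  region_allowed "$REGION" || { echo "$REGION is not supported by the Authomize stack" >&2; exit 1; }
  create_stackset
  op_id=$(deploy_instances)
  echo "Operation $op_id finished with status: $(wait_for_operation "$op_id")"
  echo "StackSet status: $(stackset_status)"
  echo "Account numbers for Authomize: $(account_list)"
fi
```

Set INCLUDE_IDC=true only when the target includes the management account and your organization uses IAM Identity Center. The account list is filtered to instances in CURRENT status, so an account whose deployment failed is left out rather than being pasted into Authomize with no role behind it.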

Complete the Integration

In the Integrate AWS dialog (40d_Account_No.png, 42c.png):

  4. Skip this step.
  5. In the Account Number field, enter the numbers of the accounts in which the Authomize-Integration StackSet deployed a stack, comma delimited (copy them from the StackSet's Stack instances).
    Fill in the Management Account field only if you want to integrate AWS IAM Identity Center. This assumes that the role is installed in the management account and that it includes the AWS Identity Center permissions (IncludeAWSIdentityCenter set to true). If you fill in a Management Account, that account number must also appear in the comma-delimited Account Number field.
    If you leave the Regions field empty, data is fetched from all regions in your organization. If you specify one or more regions, data is fetched only from those regions.
    Skip the Assumed Role field.
  6. Enter an Integration name.
  7. Enter the Owner's email.
    10X_Integrate_AWS.png

Click Create (Create_Button.png).

If all goes well, you will see this:

40b_Success.jpg
Notice that AWS and AWS SSO were added to your Connected Apps.

AWS IAM Identity Center

AWS IAM Identity Center (previously known as AWS SSO) is AWS's single sign-on service: users authenticate once and gain access to multiple AWS accounts and applications.

  • It is integrated with Authomize alongside AWS when IncludeAWSIdentityCenter is set to true on the Specify StackSet details page. It is relevant only if your organization uses IAM Identity Center (AWS SSO).
  • Set it to true only for the management account, where IAM Identity Center is configured; when installing on individual accounts, leave it false for member accounts.
  • When this option is set, Authomize requests two extra read-only permissions (AWS managed policies):
    AWSSSOReadOnly,
    AWSSSODirectoryReadOnly

 
