AWS CloudFormation Stack - for Integrating Individual Accounts

Individual account integration workflow

Note: Only an AWS admin can create a role that can access connected Authomize accounts.

Open both Authomize and AWS

• Log into Authomize and AWS in separate windows.
• In AWS you must have permissions to run CloudFormation and create new roles.

Preparing the AWS Integration in Authomize

1. Go to Settings > Data Sources.
2. If AWS appears under Recommended Apps, click it. Otherwise, Click Add New App.
   
3. Select AWS.
   

Note: AWS IAM Identity Center (old AWS SSO) will be installed alongside AWS when the “include SSO parameter” is set in AWS.

4. When the Integrate AWS dialog appears, click .
   If you do not have CloudFormation and Role creation privileges, send the link (along with a request to create an Authomize-Trust-Role) to your AWS admin.

Note: You can complete the Integrate AWS dialog after an Authomize-Trust-Role is available on AWS.

Creating an Authomize-Trust-Role on AWS

Authomize communicates with AWS through an Authomize account (on AWS) with an Authomize-Trust-Role.
Follow the steps below to create an account and an Authomize-Trust-Role.

1. 1. If you are already logged into AWS, the CloudFormation>Stacks>Create stack dialog will open in AWS after clicking on its link ().
      
      

Fill in the fields as follows:

Template:

• The Template URL is entered automatically. It is:

  https://authomize-cloud-formation.s3.amazonaws.com/authomize_cloud_formation.json

Stack name:

• Authomize-Trust-Role entered automatically

Parameters:

• ExternalID entered automatically
  (Do not change ID as the integration will not work)
• Set IncludeAWSIdentityCenter to true (so that AWS SSO will be integrated and installed alongside AWS).

Capabilities:

• Acknowledge that AWS Cloud-Formation might create IAM resources with custom names.

2. Click

3. In CloudFormation/Stacks/Authomize-Trust-Role, check to see if the stack creation was completed.
   
4. Copy the Account number from the account number next to your name on the Menu bar.
   

Complete the Integration

In the Integrate AWS dialog:

     4. Skip step 4 if you used CloudFormation,
         otherwise insert the AccessKeyId and SecretAccessKey (for legacy integration).
         

   5. Insert the Account Number (copied from the AWS menu bar, as described above).
       Insert the Management Account number only if you want to integrate the AWS Identity Center. 
       This assumes:
            - the role is installed on the management account
            - the role includes AWS Identity Center permission. 
        If you insert a Management Account, that account number must be included
        (in comma delimited format) in the Account Number field. 
       Skip the Assumed Role.

        If you leave the Regions field empty, all regions (in your organization) will be included.
        If you specify one or more regions, data will be fetched only from those regions.
       

      6. Enter an Integration name.
      7. Enter Owner’s email.

Click  

If all goes well, you will see this:

Notice that AWS and AWS SSO were added to your Connected Apps.

AWS IAM Identity Center

The AWS IAM Identity Center (previously known as AWS SSO) is an authentication solution that allows users to log in to multiple applications and websites with one-time user authentication.

• It is integrated with Authomize alongside AWS , when IncludeAWSIdentityCenter is set to true in the Specify StackSet Details page. It is only relevant if your organization uses IAM Identity Center (AWS SSO)
• If installed on an individual account, only mark as true in the management account.
• When checking this option Authomize requests two extra permissions:
  AWSSSOReadOnly,

  AWSSSODirectoryReadOnly

• AWS_CloudFormation_Stack-Individual_Accounts-Integration_Guide-10.Nov.22.pdf1 MB