Manually Integrating AWS with Authomize
- using a cross-account assumed role
This guide describes how to manually integrate Authomize with AWS using a cross-account assumed role (with your favorite tool).
Before proceeding make sure you have permission to create roles and assign policies to them.
The process:
- For each account that will be integrated, create a role with a trust policy for the Authomize user and attach the policies described below (in Required Role Settings).
- Once the roles are installed on each account, go to the Authomize console and add the account numbers (of the accounts to be integrated).
If you use the AWS Identity Center:
- In the master account, add the following permission to the Authomize role:
- AWSSSOReadOnly
- AWSSSODirectoryReadOnly
- In the Authomize integration page, add the master account number to the list of accounts, and to the Master Account field
Required Role Settings:
- Role name: AuthomizeCrossAccountTrustRole
- Role policy: arn:aws:iam::aws:policy/SecurityAudit
- Role trust policy:
- Important: the ExternalId must be copied from the Authomize AWS Integration dialog and entered as a string (replace the placeholder below, keeping the quotes).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::291883359082:user/AuthomizeGlobalUser"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<enter_unique_value>"
                }
            }
        }
    ]
}
- If you are installing this role on the management account and wish to integrate AWS Identity Center as well, add the following policies to this role on top of the security audit policy:
- arn:aws:iam::aws:policy/AWSSSOReadOnly
- arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly
Notes:
- If you update the role name, you must add the updated name in the integration dialog.
- Do not change the trust policy principal.
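As an added example (not code from the Authomize guide or product), the following Python script builds the trust policy above with your ExternalId, checks an already-deployed trust policy against the required settings (principal unchanged, sts:AssumeRole only, ExternalId condition present), and produces the AWS CLI commands that create the role and attach the listed policies. The function names and the script itself are assumptions; the role name, principal and policy ARNs come from this page.

```python
import json

# Values taken from the integration guide; everything else here is illustrative.
AUTHOMIZE_PRINCIPAL = "arn:aws:iam::291883359082:user/AuthomizeGlobalUser"
ROLE_NAME = "AuthomizeCrossAccountTrustRole"
REQUIRED_POLICIES = ["arn:aws:iam::aws:policy/SecurityAudit"]
IDENTITY_CENTER_POLICIES = ["arn:aws:iam::aws:policy/AWSSSOReadOnly",
                            "arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly"]


def build_trust_policy(external_id: str) -> dict:
    """Trust policy from the guide with the ExternalId from the Authomize dialog filled in."""
    if not external_id or external_id.startswith(("{", "<")):
        raise ValueError("external_id must be the value copied from the Authomize dialog")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": AUTHOMIZE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict) -> list:
    """Check a deployed trust policy (AssumeRolePolicyDocument from `aws iam get-role`)
    against the required settings; returns findings, empty when compliant."""
    problems = []
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # IAM allows a single object
    allow = [s for s in stmts if s.get("Effect") == "Allow"]
    if len(allow) != 1:
        problems.append("expected exactly one Allow statement")
    for s in allow:
        if s.get("Principal", {}).get("AWS") != AUTHOMIZE_PRINCIPAL:
            problems.append("principal was changed")
        actions = s.get("Action")
        if (actions if isinstance(actions, list) else [actions]) != ["sts:AssumeRole"]:
            problems.append("action must be only sts:AssumeRole")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(ext, str) or not ext:
            problems.append("missing sts:ExternalId condition (confused-deputy guard)")
    return problems


def cli_commands(external_id: str, identity_center: bool = False) -> list:
    """AWS CLI commands that create the role and attach the guide's policies."""
    doc = json.dumps(build_trust_policy(external_id))
    cmds = [f"aws iam create-role --role-name {ROLE_NAME} --assume-role-policy-document '{doc}'"]
    for arn in REQUIRED_POLICIES + (IDENTITY_CENTER_POLICIES if identity_center else []):
        cmds.append(f"aws iam attach-role-policy --role-name {ROLE_NAME} --policy-arn {arn}")
    return cmds
```

Run `trust_policy_problems` on the output of `aws iam get-role` for each integrated account to confirm nobody has loosened the principal or dropped the ExternalId condition since installation.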
Complete the Integration
In the Integrate AWS dialog:
If you added a trust policy to the Authomize user – skip step 4
Step 5:
- Insert the Account Numbers where this integration was installed
- Insert the Management Account number only if you want to integrate the AWS Identity Center.
This assumes:
- the role is installed on the management account
- the role includes AWS Identity Center permission.
- If you insert a Management Account number, it must also be included (comma-delimited) in the Account Numbers field.
- Assumed Role: skip this field, or enter a different name if you changed the role name.
- If you leave the Regions field empty, all regions (in your organization) will be included. If you specify one or more regions, data will be fetched only from those regions.
Step 6. Enter an Integration name.
Step 7. Enter Owner’s email.
Click
If all goes well, you will see this:
Notice that AWS and AWS SSO were added to your Connected Apps.