Manually Integrating AWS with Authomize

Ariel Zaretsky

Using a cross-account assumed role

This guide describes how to manually integrate AWS with Authomize using a cross-account assumed role, with whichever tool you prefer.

Before proceeding, make sure you have permission to create roles and assign policies to them.

The process:

  1. For each account that will be integrated, create a role whose trust policy allows the Authomize user to assume it, and attach the policies described below (in Required Role Settings).
  2. Once the roles are installed on each account, go to the Authomize console and add the account numbers of the accounts to be integrated.

If you use the AWS Identity Center:

  1. In the master account, add the following permission to the Authomize role:
    • AWSSSOReadOnly
    • AWSSSODirectoryReadOnly
  2. In the Authomize integration page, add the master account number to the list of accounts and to the Master Account field.

Required Role Settings:

  • Role name: AuthomizeCrossAccountTrustRole
  • Role policy: arn:aws:iam::aws:policy/SecurityAudit
  • Role trust policy:
    • Important: the ExternalId value should be copied from the Authomize AWS Integration dialog and placed (as a quoted string) in the sts:ExternalId condition below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::291883359082:user/AuthomizeGlobalUser"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<enter_unique_value>"
                }
            }
        }
    ]
}
  • If you are installing this role on the management account and wish to integrate AWS Identity Center as well, attach the following policies to this role in addition to the SecurityAudit policy:
    • arn:aws:iam::aws:policy/AWSSSOReadOnly
    • arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly

Notes:

  1. If you update the role name, you must add the updated name in the integration dialog.
  2. Do not change the trust policy principal.
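The role creation described above, as an added example using the AWS CLI. This script is not part of the Authomize article; it assumes the AWS CLI is installed and configured with credentials for the account being integrated, and that the environment variable AUTHOMIZE_EXTERNAL_ID (a name chosen here) holds the value copied from the Authomize AWS Integration dialog. The role name, principal ARN and managed policy ARNs are the ones given in Required Role Settings. The script refuses empty or placeholder ExternalId values, so a role is never created without the condition that protects it against confused-deputy use, attaches SecurityAudit (plus the Identity Center read-only policies when run on the management account), and reads the trust policy back to confirm the condition was stored.

```bash
#!/usr/bin/env bash
# Added example, not from the Authomize article. Creates the cross-account
# role from "Required Role Settings" with the AWS CLI.
# Usage: AUTHOMIZE_EXTERNAL_ID=<value from dialog> ./authomize_role.sh apply [management]
set -eu

ROLE_NAME="AuthomizeCrossAccountTrustRole"
AUTHOMIZE_PRINCIPAL="arn:aws:iam::291883359082:user/AuthomizeGlobalUser"
SECURITY_AUDIT_POLICY="arn:aws:iam::aws:policy/SecurityAudit"
IDENTITY_CENTER_POLICIES="arn:aws:iam::aws:policy/AWSSSOReadOnly arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly"

# Print the trust policy JSON for the given ExternalId. The sts:ExternalId
# condition is what stops a third party from tricking Authomize into assuming
# this role on their behalf, so refuse empty or placeholder values instead of
# emitting a trust policy without it.
build_trust_policy() {
  local external_id="$1"
  case "$external_id" in
    ""|*enter_unique_value*|*"<"*|*">"*|*'"'*)
      echo "refusing to build trust policy: ExternalId is empty or looks like a placeholder" >&2
      return 1 ;;
  esac
  printf '%s\n' \
    '{' \
    '  "Version": "2012-10-17",' \
    '  "Statement": [' \
    '    {' \
    '      "Effect": "Allow",' \
    "      \"Principal\": { \"AWS\": \"$AUTHOMIZE_PRINCIPAL\" }," \
    '      "Action": "sts:AssumeRole",' \
    "      \"Condition\": { \"StringEquals\": { \"sts:ExternalId\": \"$external_id\" } }" \
    '    }' \
    '  ]' \
    '}'
}

# List the managed policies to attach: SecurityAudit always, plus the two
# Identity Center read-only policies when the role is on the management account.
policies_to_attach() {
  local with_identity_center="$1"   # "yes" or "no"
  printf '%s\n' "$SECURITY_AUDIT_POLICY"
  if [ "$with_identity_center" = "yes" ]; then
    for p in $IDENTITY_CENTER_POLICIES; do printf '%s\n' "$p"; done
  fi
}

# Create the role, attach the policies, then read the trust policy back and
# print the stored ExternalId so the operator can confirm the condition is there.
create_authomize_role() {
  local role_name="$1" external_id="$2" with_identity_center="$3"
  local trust_file
  trust_file="$(mktemp)"
  build_trust_policy "$external_id" > "$trust_file"
  aws iam create-role \
    --role-name "$role_name" \
    --assume-role-policy-document "file://$trust_file"
  rm -f "$trust_file"
  policies_to_attach "$with_identity_center" | while read -r policy_arn; do
    aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
  done
  aws iam get-role --role-name "$role_name" \
    --query 'Role.AssumeRolePolicyDocument.Statement[0].Condition.StringEquals."sts:ExternalId"' \
    --output text
}

# Only touch AWS when explicitly asked to ("apply"); sourcing the file just
# defines the functions.
if [ "${1:-}" = "apply" ]; then
  with_ic="no"
  if [ "${2:-}" = "management" ]; then with_ic="yes"; fi
  create_authomize_role "$ROLE_NAME" "${AUTHOMIZE_EXTERNAL_ID:?set AUTHOMIZE_EXTERNAL_ID from the Authomize dialog}" "$with_ic"
fi
```

Run it once per account to be integrated; pass `management` only on the management account, which is where the Identity Center policies are meaningful. The final get-role call is the check worth keeping: if the printed ExternalId is empty or `None`, the role was created without the condition and should be fixed before the account number is entered in the Authomize console.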

Complete the Integration

In the Integrate AWS dialog:

If you have already added the trust policy for the Authomize user, skip step 4.


Step 5:

  • Insert the Account Numbers where this integration was installed.
  • Insert the Management Account number only if you want to integrate the AWS Identity Center. This assumes:
    • the role is installed on the management account
    • the role includes the AWS Identity Center permissions.
    If you insert a Management Account, that account number must also be included in the comma-delimited Account Numbers list.
  • Skip the Assumed Role field, or enter a different name if you changed it.
  • If you leave the Regions field empty, all regions (in your organization) will be included. If you specify one or more regions, data will be fetched only from those regions.

Step 6. Enter an Integration name.
Step 7. Enter Owner’s email.


Click Create.

If all goes well, the integration is created and a success message is shown. Notice that AWS and AWS SSO were added to your Connected Apps.
