Configuring for Session Invalidation


The following prerequisites are required on the AWS side to enable the Session Invalidation feature:

  • Each Integration Role in the AWS environment must be updated to allow the following additional API actions: 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iam:CreatePolicy",
            "iam:DeletePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicyVersion",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:ListPolicyVersions"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:iam::*:policy/britive/managed/*"
        }
      ]
    }
  • Each role that is marked for use by Britive (trusts the Britive identity provider) must have its trust policy updated to reflect the following: 
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::<account>:saml-provider/<britive idp>"
                },
                "Action": [
                    "sts:AssumeRoleWithSAML",
                    "sts:SetSourceIdentity",
                    "sts:TagSession"
                ],
                "Condition": {
                    "StringEquals": {
                        "SAML:aud": "https://signin.aws.amazon.com/saml"
                    }
                }
            }
        ]
    }
  • It is recommended that customers apply a Service Control Policy (SCP) in the management account of the AWS organization that restricts access to the Britive-managed IAM policies, so that only the Britive integration role can update those policies: 
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "arn:aws:iam::*:policy/britive/managed/*",
          "Condition": {
            "StringNotLike": {
              "aws:PrincipalArn": "arn:aws:iam::*:role/<britive integration role name>"
            }
          }
        }
      ]
    }
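The three prerequisites above are easy to get partially right (for example a trust policy updated with `sts:SetSourceIdentity` but not `sts:TagSession`, or an SCP with a misspelled element). The following script is an added example, not part of the Britive documentation or product: it checks policy documents offline against the requirements listed on this page. The sample documents, the account id `123456789012`, the provider name `britive-idp` and the role name `britive-integration` are constructed placeholders; in practice you would load the JSON fetched from IAM and from Organizations instead.

```python
"""Offline checker for the Session Invalidation prerequisites (added example, not Britive code)."""

MANAGED_POLICY_ARN = "arn:aws:iam::*:policy/britive/managed/*"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
REQUIRED_IAM_ACTIONS = {
    "iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion",
    "iam:DeletePolicyVersion", "iam:GetPolicy", "iam:GetPolicyVersion",
    "iam:ListPolicyVersions",
}
REQUIRED_STS_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"}


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement"))


def missing_integration_actions(policy):
    """Required iam:* actions that no Allow statement grants on the Britive managed-policy ARN."""
    granted = set()
    for st in _statements(policy):
        resources = _as_list(st.get("Resource"))
        if st.get("Effect") == "Allow" and (MANAGED_POLICY_ARN in resources or "*" in resources):
            granted |= set(_as_list(st.get("Action")))
    return REQUIRED_IAM_ACTIONS - granted


def trust_policy_problems(trust_policy, idp_arn):
    """Problems in the statement that trusts the Britive SAML provider (empty list means OK)."""
    for st in _statements(trust_policy):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if idp_arn not in _as_list(principal.get("Federated")):
            continue
        problems = []
        missing = REQUIRED_STS_ACTIONS - set(_as_list(st.get("Action")))
        if missing:
            problems.append("missing actions: " + ", ".join(sorted(missing)))
        audience = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != SAML_AUDIENCE:
            problems.append("SAML:aud condition missing or not " + SAML_AUDIENCE)
        return problems
    return ["no Allow statement trusts " + idp_arn]


def scp_problems(scp, integration_role_arn):
    """Check that the SCP denies every action on the managed policies except for the integration role."""
    for st in _statements(scp):
        if st.get("Effect") != "Deny" or MANAGED_POLICY_ARN not in _as_list(st.get("Resource")):
            continue
        problems = []
        if "Action" not in st:  # e.g. a misspelled "Actions" element
            problems.append("missing 'Action' element")
        elif "*" not in _as_list(st.get("Action")):
            problems.append('Action must be "*" so every write path to the managed policies is denied')
        allowed = st.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn")
        if allowed != integration_role_arn:
            problems.append("StringNotLike aws:PrincipalArn must name " + integration_role_arn)
        return problems
    return ["no Deny statement covers " + MANAGED_POLICY_ARN]


# Constructed sample documents (placeholders, not real account data).
IDP_ARN = "arn:aws:iam::123456789012:saml-provider/britive-idp"
ROLE_ARN = "arn:aws:iam::*:role/britive-integration"


def _trust_policy(actions):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": IDP_ARN}, "Action": actions,
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}}]}


OLD_TRUST_POLICY = _trust_policy("sts:AssumeRoleWithSAML")          # pre-existing trust policy
NEW_TRUST_POLICY = _trust_policy(sorted(REQUIRED_STS_ACTIONS))       # updated as this page requires
INTEGRATION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(REQUIRED_IAM_ACTIONS), "Resource": MANAGED_POLICY_ARN}]}
STALE_INTEGRATION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(REQUIRED_IAM_ACTIONS - {"iam:ListPolicyVersions"}),
    "Resource": MANAGED_POLICY_ARN}]}
SCP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": MANAGED_POLICY_ARN,
    "Condition": {"StringNotLike": {"aws:PrincipalArn": ROLE_ARN}}}]}

if __name__ == "__main__":
    print("integration role, missing:", missing_integration_actions(STALE_INTEGRATION_POLICY))
    print("old trust policy:", trust_policy_problems(OLD_TRUST_POLICY, IDP_ARN))
    print("new trust policy:", trust_policy_problems(NEW_TRUST_POLICY, IDP_ARN))
    print("scp:", scp_problems(SCP, ROLE_ARN))
```

Each checker returns the findings rather than just a boolean so that the output can be attached to a change ticket; an empty result for all three documents in every integrated account means the AWS side is ready for Session Invalidation.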