Configuring for Session Invalidation
The following prerequisites are required on the AWS side to enable the Session Invalidation feature:
- Each Integration Role in the AWS environment must be updated to allow the following additional API actions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:policy/britive/managed/*"
    }
  ]
}
```
- Each role that is marked for use by Britive (trusts the Britive identity provider) must have its trust policy updated to reflect the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account>:saml-provider/<britive idp>"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```
- It is recommended that customers apply a Service Control Policy (SCP) in the management account of the AWS organization which restricts access to the Britive-managed IAM policies so that only the Britive integration role can update those policies. The SCP statement below denies every action on those policies to any principal other than the integration role (the policy-grammar key is `Action`, not `Actions`):
```json
{
  "Effect": "Deny",
  "Action": "*",
  "Resource": "arn:aws:iam::*:policy/britive/managed/*",
  "Condition": {
    "StringNotLike": {
      "aws:PrincipalArn": "arn:aws:iam::*:role/<britive integration role name>"
    }
  }
}
```
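The three prerequisites above are easy to get subtly wrong (a role trust policy that still only grants `sts:AssumeRoleWithSAML`, or an SCP whose `aws:PrincipalArn` exemption names the wrong role). The following script, an added example that is not part of this article or of any Britive tooling, checks policy documents offline against exactly the requirements listed here. The sample documents embedded in it are constructed, and `BritiveIntegrationRole` is a placeholder role name; in practice you would feed it the JSON returned by `aws iam get-role` and `aws iam get-policy-version`.

```python
import json

# Requirements exactly as stated in the prerequisites above.
REQUIRED_INTEGRATION_ACTIONS = {
    "iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion",
    "iam:DeletePolicyVersion", "iam:GetPolicy", "iam:GetPolicyVersion",
    "iam:ListPolicyVersions",
}
MANAGED_POLICY_ARN = "arn:aws:iam::*:policy/britive/managed/*"
REQUIRED_TRUST_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"}
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def _as_list(value):
    """IAM accepts either a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_integration_role_policy(policy):
    """Findings for the integration role's permission policy (empty list = OK)."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and MANAGED_POLICY_ARN in _as_list(stmt.get("Resource")):
            allowed.update(_as_list(stmt.get("Action")))
    missing = REQUIRED_INTEGRATION_ACTIONS - allowed
    return [f"missing actions on {MANAGED_POLICY_ARN}: {sorted(missing)}"] if missing else []


def check_trust_policy(trust_policy):
    """Findings for a Britive-trusting role's trust policy (empty list = OK)."""
    findings = []
    saml_stmts = [
        s for s in _as_list(trust_policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and isinstance(s.get("Principal"), dict)
        and "saml-provider" in str(s["Principal"].get("Federated", ""))
    ]
    if not saml_stmts:
        return ["no Allow statement for a federated SAML provider"]
    for stmt in saml_stmts:
        missing = REQUIRED_TRUST_ACTIONS - set(_as_list(stmt.get("Action")))
        if missing:
            findings.append(f"trust policy missing actions: {sorted(missing)}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append(f"SAML:aud condition is {aud!r}, expected {SAML_AUDIENCE!r}")
    return findings


def check_scp_statement(stmt, integration_role_name):
    """Findings for the SCP statement guarding Britive-managed policies (empty list = OK)."""
    findings = []
    if stmt.get("Effect") != "Deny":
        findings.append("SCP statement must be a Deny")
    # IAM policy grammar uses the key 'Action'; a misspelled key such as 'Actions' is rejected by AWS.
    if "*" not in _as_list(stmt.get("Action")):
        findings.append("SCP statement must deny Action '*' (check the key is spelled 'Action')")
    if MANAGED_POLICY_ARN not in _as_list(stmt.get("Resource")):
        findings.append(f"SCP statement must target {MANAGED_POLICY_ARN}")
    expected = f"arn:aws:iam::*:role/{integration_role_name}"
    exempt = _as_list(stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn"))
    if expected not in exempt:
        findings.append(f"SCP must exempt only {expected} via StringNotLike aws:PrincipalArn")
    return findings


# Constructed sample documents so the script runs stand-alone; 'BritiveIntegrationRole' is a placeholder.
INTEGRATION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion",
             "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicyVersions"],
  "Resource": "arn:aws:iam::*:policy/britive/managed/*"}]}""")
TRUST_POLICY_OK = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/Britive"},
  "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"],
  "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}""")
# A pre-existing trust policy that was never updated for session invalidation.
TRUST_POLICY_LEGACY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/Britive"},
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}""")
SCP_STATEMENT = json.loads("""{"Effect": "Deny", "Action": "*",
  "Resource": "arn:aws:iam::*:policy/britive/managed/*",
  "Condition": {"StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/BritiveIntegrationRole"}}}""")

if __name__ == "__main__":
    for name, result in [
        ("integration role policy", check_integration_role_policy(INTEGRATION_POLICY)),
        ("trust policy (updated)", check_trust_policy(TRUST_POLICY_OK)),
        ("trust policy (legacy)", check_trust_policy(TRUST_POLICY_LEGACY)),
        ("SCP statement", check_scp_statement(SCP_STATEMENT, "BritiveIntegrationRole")),
    ]:
        print(f"{name}: {'OK' if not result else result}")
```

Run it across every role that trusts the Britive identity provider, not just the integration role: a single role whose trust policy still lacks `sts:SetSourceIdentity` and `sts:TagSession` is the usual reason session invalidation does not take effect for that role.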