Detailed View of the Onboarded AWS Standalone Application
    Article summary

    You can view the details of an onboarded AWS standalone application in Britive, such as scans, related graphs and charts, profiles, and properties. You can also edit the application, run scans, or check out profiles as needed.

    Details of the Onboarded Application

    Perform the following steps to view an AWS standalone tenant application onboarded to Britive:

    1. Log in to the Britive application with administrator privileges.
    2. Click Admin > Application and Access Profile Management. The Tenant Applications page is displayed. You can view the onboarded AWS application on the Tenant Applications page.
    3. Click the Manage icon next to the AWS standalone application. The Overview page is displayed.

    Details about AWS environments

    Perform the following steps to view AWS environment details:

    1. Click the Properties page to see details about each AWS environment.
    2. Select a particular environment from the drop-down list.
    3. Click EDIT if you want to update the following:
      1. Environment Description
      2. Environment Display Name
      3. Support AWS Session Invalidation: Selecting this check box invalidates the AWS session when the Britive profile is checked in or expires. The following prerequisites must be met on the AWS side to enable this feature:
        • Each Integration Role in the AWS environment must be updated to allow the following additional API actions:
          Integration role IAM policy actions
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Action": [
                  "iam:CreatePolicy",
                  "iam:DeletePolicy",
                  "iam:CreatePolicyVersion",
                  "iam:DeletePolicyVersion",
                  "iam:GetPolicy",
                  "iam:GetPolicyVersion",
                  "iam:ListPolicyVersions"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:iam::*:policy/britive/managed/*"
              }
            ]
          }

        • Each role that is marked for use by Britive (trusts the Britive identity provider) must have its trust policy updated to reflect the following: 
          Trust policy
          {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Effect": "Allow",
                      "Principal": {
                          "Federated": "arn:aws:iam::<account>:saml-provider/<britive idp>"
                      },
                      "Action": [
                          "sts:AssumeRoleWithSAML",
                          "sts:SetSourceIdentity",
                          "sts:TagSession"
                      ],
                      "Condition": {
                          "StringEquals": {
                              "SAML:aud": "https://signin.aws.amazon.com/saml"
                          }
                      }
                  }
              ]
          }

        • It is recommended that customers apply a Service Control Policy (SCP) from the management account of the AWS organization that restricts access to the Britive-managed IAM policies, so that only the Britive integration role can update them.
          SCP policy
          {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "arn:aws:iam::*:policy/britive/managed/*",
                "Condition": {
                  "StringNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/<britive integration role name>"
                  }
                }
              }
            ]
          }
    4. To enable the AWS session invalidation feature for existing onboarded AWS applications, contact our team at support@britive.com.
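    The three prerequisites above are easy to get partly right, for example a trust policy that predates the feature and still grants only sts:AssumeRoleWithSAML. The following offline checker, added here as an example and not Britive's own tooling, reads the three policy documents (as fetched from IAM or Organizations) and reports what is missing; the account ID and role name in the constructed sample are placeholders.

```python
REQUIRED_IAM = {"iam:CreatePolicy", "iam:DeletePolicy", "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion", "iam:GetPolicy", "iam:GetPolicyVersion",
                "iam:ListPolicyVersions"}
REQUIRED_STS = {"sts:AssumeRoleWithSAML", "sts:SetSourceIdentity", "sts:TagSession"}
MANAGED_ARN = "arn:aws:iam::*:policy/britive/managed/*"
SAML_AUD = "https://signin.aws.amazon.com/saml"

def _set(v):
    """IAM accepts a string or a list for Action/Resource; normalise to a set."""
    return set() if v is None else ({v} if isinstance(v, str) else set(v))

def _stmts(doc):
    s = doc.get("Statement", [])
    return [s] if isinstance(s, dict) else list(s)

def missing_integration_actions(doc):
    """Required iam: actions that no Allow statement grants on the Britive managed-policy ARN."""
    granted = set()
    for s in _stmts(doc):
        if s.get("Effect") == "Allow" and MANAGED_ARN in _set(s.get("Resource")):
            granted |= _set(s.get("Action"))
    return REQUIRED_IAM - granted

def missing_trust_actions(doc):
    """Required sts: actions not granted to a SAML-provider principal with the sign-in audience pinned."""
    granted = set()
    for s in _stmts(doc):
        p = s.get("Principal")
        fed = p.get("Federated", "") if isinstance(p, dict) else ""
        aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if s.get("Effect") == "Allow" and ":saml-provider/" in str(fed) and SAML_AUD in _set(aud):
            granted |= _set(s.get("Action"))
    return REQUIRED_STS - granted

def scp_guards_managed_policies(doc):
    """True if a Deny on all actions against the managed-policy ARN is keyed on aws:PrincipalArn."""
    return any(s.get("Effect") == "Deny" and "*" in _set(s.get("Action"))
               and MANAGED_ARN in _set(s.get("Resource"))
               and "aws:PrincipalArn" in s.get("Condition", {}).get("StringNotLike", {})
               for s in _stmts(doc))

# Constructed sample: a trust policy written before the feature existed (placeholder account/IdP names).
LEGACY_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/Britive"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}}}]}

if __name__ == "__main__":
    print("trust policy missing:", sorted(missing_trust_actions(LEGACY_TRUST)))
```

    Feed the functions the output of the IAM GetRole (AssumeRolePolicyDocument) and GetPolicyVersion calls, or the SCP content from Organizations, after JSON-decoding it.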
