Onboarding an AWS Standalone Application

    Article summary

    This section describes the steps in onboarding an AWS standalone application to Britive:

    1. Adding an AWS Standalone Application
    2. Adding an Environment Group
      1. Adding an Environment to the Environment Group

    1. Adding an AWS Standalone Application

    Perform the following steps for adding an AWS standalone tenant application to Britive:

    Note:
    Before onboarding the application, ensure that you have completed the onboarding prerequisites mentioned in the Prerequisites for Onboarding and Profile Access.
    1. Login to the Britive application with administrator privileges.
    2. Click Admin > Application and Access Profile Management.
    3. From the Tenant Applications page, click CREATE APPLICATION.
    4. On the Add Application page, click the Add (+) sign inline to the AWS Standalone application. The Create Application (AWS) page is displayed. On this page, you can see two tabs: Application and Settings.
    5. In the Application tab, enter the following values: 
      1. Enter the Application Name.
      2. Enter the Application Description (optional step).
      3. Check Show AWS Account Numbers, if you want the AWS Account numbers to be displayed in the tenant application.
      4. Under Account Mapping, you can choose the username or email mapping, to map the username or user email respectively, with the AWS account.
    6. Click Next. The Settings tab is displayed.
    7. In the Settings tab, enter the following values:
      • In the Console Access section, select the following:
        • Check the Allow copy link for console URL to allow the user to copy the console URL link after checking out the profile.
        • Check Display programmatic access keys to allow the user to copy the credentials to the clipboard after they check out programmatic access profiles. Users can only access the keys through CLI or scripts if the option is not selected.
      • In the Properties section, enter the following values:
        • Identity Provider Name corresponds to the Provider name added in while adding the Identity Provider to the AWS account. For more information, see Configuring an Identity Provider in AWS.
        • Integration Role Name corresponds to the name of the IAM role within the AWS account of the user.  If the role is created with AWS Resource Path, you need to prefix the resource path without a leading slash symbol. For example: If the ARN of the role is arn:aws:iam::0000000000:role/Security/IAM/Britive_Integration_Role2, you need to enter Security/IAM/Britive_Integration_Role2 in the role name.
        • Duration of the backend AWS connection (in hours) corresponds to the Maximum Session Duration in an IAM role within the AWS account of the user. For more information, see Configuring IAM Roles.
        • Region corresponds to the AWS region to be used for STS to generate temporary AWS access keys.
      • Source Identity Attribute corresponds to the attribute value used to set the Source Identity in CloudTrail logs. Under Advanced Settings, select an attribute from the dropdown list to be set in CloudTrail logs, or select None to not set any Source Identity.
        Note that all Britive-managed roles used in profiles need to allow the sts:SetSourceIdentity action in their trust relationship. Roles that do not allow this action will fail to check out. The trust relationship configuration in AWS for defining Source Identity is:
        {
           "Version": "2012-10-17",
           "Statement": [
              {
                 "Effect": "Allow",
                 "Principal": {
                    "Federated": "arn:aws:iam::<account>:saml-provider/Britive"
                 },
                 "Action": [
                    "sts:AssumeRoleWithSAML",
                    "sts:SetSourceIdentity"
                 ],
                 "Condition": {
                    "StringEquals": {
                       "SAML:aud": "https://signin.aws.amazon.com/saml"
                    }
                 }
              }
           ]
        }
      • Profile Settings: Configure the maximum session duration for profiles. You can select a duration from 15 minutes to 12 hours. When a profile is created or updated, its expiration duration can then be set to any value up to this configured maximum.

    8. Click Save. The page refreshes and the AWS standalone application is created.
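    Two of the values above are easy to get wrong in a way that only shows up at checkout time: the Integration Role Name for a role created with a resource path, and a trust relationship that is missing sts:SetSourceIdentity once a Source Identity attribute is selected. The following script is an added example, not Britive's code or any Britive API; it derives the role-name value from a role ARN exactly as the Properties section describes, and reads a role's trust policy document (as returned by IAM) to report which of the two required actions the Britive SAML provider is not granted. The account ID, provider ARN and both policy documents are constructed samples; the script does not evaluate Condition blocks.

```python
from __future__ import annotations

import fnmatch
import json
import re

# Actions the page's trust relationship grants to the Britive SAML provider.
REQUIRED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"}

# IAM role ARN: arn:aws:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def integration_role_name(role_arn: str) -> str:
    """Return the value to enter in the Integration Role Name field.

    As the page states, a role created with a resource path is entered as
    the path plus the role name without the leading slash, so
    arn:aws:iam::<account>:role/Security/IAM/Britive_Integration_Role2
    becomes Security/IAM/Britive_Integration_Role2.
    """
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return match.group(2)


def _as_list(value):
    """IAM allows a single string or a list in Principal/Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_trust_actions(trust_policy: str | dict, saml_provider_arn: str) -> set[str]:
    """Return the REQUIRED_ACTIONS that saml_provider_arn is NOT allowed.

    Only Allow statements whose Federated principal names the provider are
    counted. Action names are matched case-insensitively and wildcards such
    as "sts:*" are honoured. Condition blocks are not evaluated (assumption:
    the caller checks the SAML:aud condition separately).
    """
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    patterns: list[str] = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if saml_provider_arn not in federated:
            continue
        patterns.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return {
        action for action in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    }


# Constructed sample values (not a real account or provider).
ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/Britive"

# Constructed sample: a trust policy in the shape the page shows.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"],
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

# Constructed sample: the same role before sts:SetSourceIdentity was added;
# this role checks out until a Source Identity attribute is selected.
LEGACY_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})


if __name__ == "__main__":
    arn = f"arn:aws:iam::{ACCOUNT}:role/Security/IAM/Britive_Integration_Role2"
    print("Integration Role Name:", integration_role_name(arn))
    for label, policy in (("good", GOOD_TRUST_POLICY), ("legacy", LEGACY_TRUST_POLICY)):
        missing = missing_trust_actions(policy, PROVIDER_ARN)
        print(f"{label}: missing {sorted(missing) or 'nothing'}")
```

Run it against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) for each Britive-managed role before selecting a Source Identity attribute; any role for which the result is non-empty will fail to check out until its trust relationship is updated.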

    To complete the onboarding process for the AWS standalone application, you must also create an environment and add the AWS account numbers to it. The environment is needed because an AWS standalone application has no management account, and you need to add an environment for each onboarded AWS standalone application.

    To add an environment or environment group, use the CREATE ENTITY button from the top right corner of the Settings page (which is visible after you have created the AWS standalone application in Britive).

    2. Adding an Environment Group

    Perform the following steps to add an environment group to the newly created AWS standalone application in Britive:

    1. From the Settings tab on the Create Application page, select CREATE ENTITY.
    2. Enter the required values for the following fields in the Create Environment/Environment Group pop-up window:
      • Entity Type - You can choose an Environment Group (if you want to group a set of standalone AWS accounts in a specific hierarchy) or an Environment. Here, choose Environment Group.
      • Entity Name - Enter a name for the environment group.
      • Entity Description - Optionally, enter a description for the environment group.
    3. Click Save. The page refreshes and the environment group is visible for the onboarded application.

    2.1  Adding an Environment to the Environment Group

    If you chose Environment Group as the Entity Type, you then need to add environments within the group; an example follows.

    1. Within the newly created Environment Group page (as explained in section 2 above), click CREATE ENTITY to add an environment. The Create Environment/Environment Group window is displayed.
    2. In the Create Environment/Environment Group pop-up window, select the following fields and provide the required values:
      • Entity Type - In this field, choose Environment.
      • Entity Name - Enter a name for the environment.
      • Entity Description - Optionally, enter a description for the environment.
    3. Click Save. The page refreshes and the environment is visible within the environment group for the onboarded AWS standalone application.
    4. Select Settings.
    5. Under Account ID, select Edit.
    6. Choose the AWS Account ID for the environment.
    7. Click Save and Test. A message is displayed confirming that the environment is correctly configured.

    Error Message

    In case you have not configured the correct AWS account ID (in step 6 above) in the Settings page of the environment, the Test Failure error message is displayed.

    Next, you can view the details of the newly created (onboarded) AWS standalone application and also use the scan functionality for scanning environments in the AWS account.
