Onboarding an AWS Application in Britive

    As mentioned earlier in the Introduction and Terminology of this guide, you can choose to onboard an AWS application when your AWS organization has both management account(s) and member accounts.

    If you chose to onboard the AWS application, follow the steps in this section to complete the onboarding process.

    Steps for Onboarding an AWS Application

    Perform the following steps for adding an AWS tenant application to Britive:

    Note:
    Before onboarding the application, ensure that you have completed the onboarding prerequisites mentioned in the section Prerequisites for Onboarding and Profile Access.
    1. Log in to the Britive application with administrator privileges.
    2. Click Admin > Application and Access Profile Management.
    3. From the Tenant Applications page, click CREATE APPLICATION.
    4. On the Add Application page, click the Add (+) sign next to the AWS application. The Create Application (AWS) page is displayed. This page has two tabs: Application and Settings.
    5. In the Application tab, enter the following values:
      1. Enter the Application Name.
      2. Enter the Application Description (optional step).
      3. Check Show AWS Account Numbers if you want the AWS account numbers to be displayed in the tenant application.
      4. Under Account Mapping, choose the username or email mapping to map the username or user email to the AWS account, respectively. You can also keep the default setting, "No mapping", as required.
    6. Click Next. The Settings tab is displayed.
    7. In the Settings tab, enter the following values:
      • In the Console Access section, select the following values:
        • Check Allow copy link for console URL to allow the user to copy the console URL link after checking out the profile.
        • Check Display programmatic access keys to allow the user to copy the credentials to the clipboard after they check out programmatic access profiles. If this option is not selected, users can access the keys only through the CLI or scripts.
      • In the Properties section, enter the following values:
        • Management Account ID corresponds to the Account ID of the Management AWS Account of the user.
        • Identity Provider Name corresponds to the Provider name added while adding the identity provider to the AWS account. For more information, see Configuring an Identity Provider in AWS.
        • Integration Role Name corresponds to the name of the IAM role within the AWS account of the user. If the role is created with an AWS resource path, prefix the role name with the resource path, without the leading slash. For example, if the ARN of the role is arn:aws:iam::0000000000:role/Security/IAM/Britive_Integration_Role2, enter Security/IAM/Britive_Integration_Role2 as the role name.
        • Duration of the backend AWS connection (in hours) corresponds to the Maximum Session Duration in an IAM role within the AWS account of the user. For more information, see Configuring IAM Roles.
        • The region corresponds to the AWS region to be used for STS to generate temporary AWS access keys.
      • In the Advanced Settings section, enter the following values:
        • Source Identity Attribute corresponds to the attribute value for setting Source Identity in CloudTrail logs. Under Advanced Settings, select an attribute from the dropdown list to be set in CloudTrail logs. Select None to not set any Source Identity. Note that all Britive-managed roles used in profiles need the sts:SetSourceIdentity action in the trust relationship. Roles that do not have this action will fail to check out. Trust Relationship configuration in AWS for defining Source Identity:
        • Enable AWS Session Invalidation for all Environments to support invalidation for all environments for the management account. Make sure you have completed the configuration on the AWS side. For more information, see Configuring for Session Invalidation.
      • Profile Settings: Configure the maximum session duration for profiles. You can select a duration between 15 minutes and 12 hours. This lets you set an expiration duration for each profile, up to this configured value, when creating or updating the profile.

    8. Click SAVE AND TEST. If the AWS application is configured with the correct values, then the success message is displayed.

    If the Settings tab contains incorrect configuration values, clicking SAVE AND TEST displays the relevant error message.


    Next, you can view the details of the newly created (onboarded) AWS application and use the scan functionality to scan organizations or environments in the AWS account.
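
The Source Identity requirement described under Advanced Settings can be checked before users attempt a checkout. The following is an added example, not Britive's or AWS's own code: it scans role trust policies for an Allow on sts:SetSourceIdentity. The role names, account ID and provider ARN are constructed placeholders, and Condition blocks and NotAction elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

REQUIRED = "sts:SetSourceIdentity"

def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_action(trust_policy, action=REQUIRED):
    """True if an Allow statement names the action (exactly or by wildcard) and no Deny does."""
    wanted = action.lower()  # IAM action names are case-insensitive
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        hit = any(fnmatchcase(wanted, a.lower()) for a in _as_list(stmt.get("Action")))
        if hit and stmt.get("Effect") == "Deny":
            return False  # treated conservatively: any matching Deny blocks the action
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed

def roles_missing_source_identity(trust_policies):
    """Return the role names whose trust policy (JSON text) does not allow the action."""
    return sorted(name for name, doc in trust_policies.items()
                  if not grants_action(json.loads(doc)))

# Constructed sample data: placeholder account ID, provider name and role names.
FEDERATED = "arn:aws:iam::111122223333:saml-provider/ExampleProvider"

def _sample(actions):
    """Build a constructed trust policy document with the given Action value."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": FEDERATED}, "Action": actions}]})

SAMPLE_TRUST_POLICIES = {
    "ProfileRoleA": _sample(["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"]),
    "ProfileRoleB": _sample("sts:AssumeRoleWithSAML"),  # action missing
    "ProfileRoleC": _sample(["sts:AssumeRoleWithSAML", "sts:*"]),  # wildcard covers it
}

if __name__ == "__main__":
    for role in roles_missing_source_identity(SAMPLE_TRUST_POLICIES):
        print(f"{role}: trust policy lacks {REQUIRED}")
```

To check real roles, pass in the AssumeRolePolicyDocument that `aws iam get-role` returns for each role, serialized as JSON.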

