Configuring for Session Invalidation

Article Summary

Share feedback

Thanks for sharing your feedback!

The following prerequisites are required on the AWS side to enable Session Invalidation feature:

Each Integration Role in the AWS environment must be updated to allow the following additional API actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicyVersions"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:policy/britive/managed/*",
    }
  ]
}

Each role that is marked for use by Britive (trusts the Britive identity provider) must have its trust policy updated to reflect the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account>:saml-provider/<britive idp>"
            },
            "Action": [
                "sts:AssumeRoleWithSAML",
                "sts:SetSourceIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}

It is recommended that customers apply a Service Control Policy (SCP) in the management account of AWS organization which restricts access to the Britive-managed IAM policies so that only the Britive integration role can update those policies.
```
{
 "Effect": "Deny",
 "Actions": "*",
 "Resource": "arn:aws:iam::*:policy/britive/managed/*",
 "Condition": {
  "StringNotLike": {
   "aws:PrincipalArn": "arn:aws:iam::*:role/<britive integration role name>"
  }
 }
}
```

Was this article helpful?

What's Next

Onboarding an AWS Application in Britive