Configuring IAM Roles in AWS - Configurations in AWS

Configuring IAM Roles in AWS

Article Summary

Share feedback

Thanks for sharing your feedback!

Britive needs the following access permissions in the AWS IAM role to successfully connect to AWS:

IAM ReadOnly Access
AWSOrganization ReadOnly Access

Note:

Only read-only access is needed here as the role is mainly used for scanning in Britive. Hence, write access is not required for the role.

Creating an IAM Role in AWS

Perform the following steps to create an IAM role in an AWS account:

Login to the AWS console with administrator privileges.
Open the IAM console.
Select IAM > Access management -> Roles.
Click Create role.
Enter the following in the Create role page:
1. Select SAML 2.0 federation.
2. Select the identity provider in SAML 2.0-based provider, added as explained in the section Configuring Britive Identity Provider in AWS.
3. Select Allow programmatic access only.
4. Enter the following for Attribute and Value fields:
  - Attribute : SAML:aud.
  - Value: https://signin.aws.amazon.com/saml
5. Click Next
6. Enter the following in the Add Permissions page:
  1. Search for IAMReadOnlyAccess in Filter policies.
  2. Select IAMReadOnlyAccess.
  3. Search for AWSOrganizationsReadOnlyAccess in Filter policies.
  4. Select AWSOrganizationsReadOnlyAcces.
  5. Click Next.
7. (Optional): For Britive-managed roles support: If an application needs to support the creation of Britive-managed roles through Access Builder, each Integration Role in the AWS environment must be updated to allow the following:
  Inline policyInline policy
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DetachRolePolicy",
                "iam:UntagRole",
                "iam:DeleteRolePolicy",
                "iam:TagRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:UpdateRole",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::<account_id>:role/britive/managed/*"
        }
    ]
}
```
8. Enter the following values in the Name, Review and create page:
  1. Enter Role name (64 characters limit) that can include alphanumeric characters and special characters such as @ or *.
  2. Enter a Role description (optional).
  3. Click Create role. A message is displayed that the role is created.
You can select the newly-created IAM role from the role list for the AWS account and view the role details from the Summary page. Note that the Maximum session duration value displayed in the Summary page is used when configuring the role properties within the Britive tenant.

Now that you have completed the onboarding prerequisites, you can choose to onboard AWS applications or AWS standalone applications per your requirement, and proceed with the onboarding process.

For more information about creating a role in AWS, see Creating a role for SAML 2.0 federation.

What's Next

Configuring for Session Invalidation

Table of contents