Configuring IAM Roles in AWS
    • PDF

    Configuring IAM Roles in AWS

    • PDF

    Article summary

    Britive needs the following access permissions in the AWS IAM role to connect to AWS successfully: 

    • IAM ReadOnly Access
    • AWSOrganization ReadOnly Access
    Note:
    Only read-only access is needed here as the role is mainly used for scanning in Britive. Hence, write access is not required for the role.

    Creating an IAM Role in AWS

    Perform the following steps to create an IAM role in an AWS account: 

    1. Log in to the AWS console with administrator privileges. 
    2. Open the IAM console. 
    3. Select IAM > Access management -> Roles.
    4. Click Create role
    5. Enter the following in the Create role page:
      1. Select SAML 2.0 federation.
      2. Select the identity provider in SAML 2.0-based provider, added as explained in the section Configuring Britive Identity Provider in AWS.
      3. Select Allow programmatic access only.
      4. Enter the following for Attribute and Value fields: 
      5. Click Next
      6. Enter the following on the Add Permissions page:
        1. Search for IAMReadOnlyAccess in Filter policies.
        2. Select IAMReadOnlyAccess.
        3. Search for AWSOrganizationsReadOnlyAccess in Filter policies.
        4. Select AWSOrganizationsReadOnlyAcces. 
        5. Click Next.
      7. (Optional) For session invalidation: To enable session invalidation feature, each Integration Role in the AWS environment must be updated to allow the following additional API actions: 
        Integration role of IAM policy action
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:ListPolicyVersions"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:iam::*:policy/britive/managed/*",
            }
          ]
        }

      8. (Optional): For Britive-managed roles support:If an application needs to support the creation of Britive-managed roles through Access Builder, each Integration Role in the AWS environment must be updated to allow the following:
        Inline policy
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "iam:DetachRolePolicy",
                        "iam:UntagRole",
                        "iam:DeleteRolePolicy",
                        "iam:TagRole",
                        "iam:CreateRole",
                        "iam:DeleteRole",
                        "iam:AttachRolePolicy",
                        "iam:UpdateRole",
                        "iam:PutRolePolicy"
                    ],
                    "Resource": "arn:aws:iam::<account_id>:role/britive/managed/*"
                }
            ]
        }

      9. Enter the following values in the Name, Review and create page:
        1. Enter Role name (64 characters limit) that can include alphanumeric characters and special characters such as @ or *.
        2. Enter a Role description (optional).
        3. Click Create role. A message is displayed that the role is created.
    6. You can select the newly-created IAM role from the role list for the AWS account and view the role details from the Summary page. Note that the Maximum session duration value displayed in the Summary page is used when configuring the role properties within the Britive tenant.

    Now that you have completed the onboarding prerequisites, you can choose to onboard AWS applications or AWS standalone applications per your requirement, and proceed with the onboarding process. 

    For more information about creating a role in AWS, see Creating a role for SAML 2.0 federation.

    See also:


    Was this article helpful?