RSA Governance & Lifecycle Collections (Vol.16) : Amazon AWS IAM
Originally Published: 2023-08-21

Overview

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

 

Amazon AWS IAM : Application

Steps

  1. Log in to the RSA G&L console as System Administrator.
  2. Navigate to Resources > Applications.
  3. Click on Create Application and select Other Application.
  4. Enter the details as shown below.

    [Image: pastedImage_1.png]

  5. Click Finish.

 

Amazon AWS IAM : Account Collector

This section explains the process for configuring an account collector for the Amazon AWS IAM application. We will use the RSA G&L out-of-the-box collector for this purpose.

Steps

  1. Log in to the RSA G&L console as System Administrator.
  2. Navigate to Resources > Applications.
  3. Click on Amazon AWS IAM.
  4. Navigate to the Collectors tab and click on Create Account Collector. Enter the details as shown below.

    [Image: pastedImage_2.png]

  5. Click Next and enter the configuration details. Enter the proxy details if applicable to your environment. Refer to Amazon AWS IAM : Security Credentials for more information on creating the API keys.

    [Image: pastedImage_5.png]

  6. Click Next. The only available account attribute that can be collected is the AccountName.

    [Image: pastedImage_3.png]

  7. Click Next. On the mapping screen, add the AccountName as the User Reference field.

    [Image: pastedImage_4.png]

  8. Click Next. In the User Resolution Rules, map the user to the account.

    [Image: pastedImage_7.png]

  9. Click Next. In the Member Account Resolution Rules, map the target collector for group members.

    [Image: pastedImage_8.png]

  10. Click Finish. Use the Test function to make sure the configurations are accurate.

 

Amazon AWS IAM : Entitlement Collector

This section explains the process for configuring an entitlement collector to collect admin roles from the Amazon AWS IAM application. We will use the RSA G&L out-of-the-box collector for this purpose.

 

Steps

  1. Log in to the RSA G&L console as AveksaAdmin.
  2. Navigate to Resources > Applications.
  3. Click on Amazon AWS IAM.
  4. Navigate to the Collectors tab and click on Create Entitlement Collector. Enter the details as shown below.

    [Image: pastedImage_1.png]

  5. Click Next and enter the configuration details. Enter the proxy details if applicable to your environment. Refer to Amazon AWS IAM : Security Credentials for more information on creating the API keys.

    [Image: pastedImage_5.png]

  6. Click Next.

    [Image: pastedImage_2.png]

  7. Click Next.
  8. Click Next.

    [Image: pastedImage_4.png]

  9. Click Next and then click Finish. Use the Test function to make sure the configurations are accurate.

 

Amazon AWS IAM : Security Credentials

This section explains the setup of security credentials for the service account that will be used with the RSA G&L Account Data Collector (ADC) and Entitlement Data Collector (EDC).

Steps

  1. Log in to the AWS Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/home.
  2. Expand Access Management and click on Policies.

    [Image: pastedImage_15.png]

  3. Click on Create Policy.
  4. Click on the JSON tab and paste the policy below.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:ListGroupsForUser",
                    "iam:ListUsers",
                    "iam:ListGroups"
                ],
                "Resource": "*"
            }
        ]
    }

  5. Click on Review Policy.

    [Image: pastedImage_20.png]

  6. Click Create Policy.
  7. Repeat Steps 3 through 6 to create another policy (RSA-IGL-EDC-Policy) for EDC using the policy definition below.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:ListGroupPolicies",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListRoles",
                    "iam:ListUserPolicies",
                    "iam:ListRolePolicies"
                ],
                "Resource": "*"
            }
        ]
    }

  8. Expand Access Management and click on Users.

    [Image: pastedImage_6.png]

  9. Click on Add User.
  10. Provide a user name for the service account and select Programmatic Access.

    [Image: pastedImage_10.png]

  11. Click Next: Permissions.
  12. Under Set Permissions, click on Attach existing policies directly.
  13. Select the two (2) policies created earlier for ADC and EDC.
  14. Click Next: Tags.
  15. Click Next: Review.
  16. Click Create User.
  17. Click on the newly created user and navigate to the Security Credentials tab.
  18. Click Create Access Key.

    [Image: pastedImage_5.png]

  19. Click Download .csv file to save the Access Key and Secret Key. We will need this file during the ADC and EDC configurations in RSA IGL.

    [Image: pastedImage_7.png]
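The two policies above are deliberately narrow: the service account whose access key the collectors hold can only list users, groups, roles and their policy attachments. The following is an added example, not RSA's or AWS's code, that keeps it that way. It merges the two policy documents into the effective action set of the service account and reports any required action that is missing, any action the collectors do not need, and any action that is not read-only. The constants REQUIRED_ACTIONS and READ_ONLY_PREFIXES, the DRIFTED_POLICY sample and the function names are assumptions made for this example.

```python
"""Least-privilege check for the ADC and EDC service-account policies.

Added example, not RSA's or AWS's code. It merges the two policy documents
from the steps above into the effective action set of the service account and
flags anything the collectors do not need or that is not read-only.
REQUIRED_ACTIONS, READ_ONLY_PREFIXES and the function names are assumptions.
"""
import json

# Constructed copies of the two policy documents shown in the steps above.
ADC_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["iam:ListGroupsForUser", "iam:ListUsers", "iam:ListGroups"],
        "Resource": "*"
    }]
}""")

EDC_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["iam:ListGroupPolicies", "iam:ListAttachedRolePolicies",
                   "iam:ListRoles", "iam:ListUserPolicies", "iam:ListRolePolicies"],
        "Resource": "*"
    }]
}""")

# The union of the two policies: assumed here to be exactly what the
# account collector and the entitlement collector need.
REQUIRED_ACTIONS = frozenset(
    {"iam:ListGroupsForUser", "iam:ListUsers", "iam:ListGroups",
     "iam:ListGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListRoles",
     "iam:ListUserPolicies", "iam:ListRolePolicies"})

# Action prefixes treated as read-only. Create*/Put*/Attach*/Delete*/Update*
# or a wildcard are write capabilities a collector never needs.
READ_ONLY_PREFIXES = ("iam:List", "iam:Get")


def allowed_actions(policy):
    """Return the set of actions an IAM policy document allows.

    'Action' may be a single string or a list. Deny statements are skipped:
    they only narrow what the Allow statements grant, never widen it.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        granted.update(actions)
    return granted


def check_policies(*policies):
    """Merge the policies attached to one principal and report findings.

    Returns a dict of three sorted lists:
      missing        required actions no policy grants (the collector breaks)
      extra          granted actions the collectors do not need
      not_read_only  granted actions that are wildcards or not List*/Get*
    All three empty means the service account is at least privilege.
    """
    granted = set().union(*(allowed_actions(p) for p in policies))
    return {
        "missing": sorted(REQUIRED_ACTIONS - granted),
        "extra": sorted(granted - REQUIRED_ACTIONS),
        "not_read_only": sorted(
            a for a in granted
            if "*" in a or not a.startswith(READ_ONLY_PREFIXES)),
    }


# Constructed over-privileged policy: the kind of drift a periodic review of
# the service account's attached policies should catch.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("as documented:", check_policies(ADC_POLICY, EDC_POLICY))
    print("ADC only:     ", check_policies(ADC_POLICY))
    print("drifted:      ", check_policies(ADC_POLICY, EDC_POLICY, DRIFTED_POLICY))
```

Run it against the policies actually attached to the service account whenever they change; a non-empty `extra` or `not_read_only` list means the key stored in the collector configuration can do more than collect. The check looks only at Allow statements and action names, not at Deny statements, conditions or resource ARNs, so it complements the IAM policy simulator rather than replacing it.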