Skip to content

Configuring Amazon Web Services Cloud

To configure Cloud Access Management for your Amazon Web Services source, you'll need to give it access to your Amazon Web Services policies and resources inventory, as well as the ability to read the logs in your CloudTrail bucket. To do this, you'll create a new role and associate it with the policies required to access resources in your Amazon Web Services source and provide read access to your CloudTrail S3 bucket.

You can configure Amazon Web Services using a CloudFormation template or manually.

You can connect to AWS sources by adding the organization or by adding single member accounts manually.

Note

We recommend you connect to AWS organizations, as opposed to individual member accounts so that you can see the full hierarchy of your organization.

Connecting AWS Organizations Using CloudFormation

To add AWS organization sources, you can use stack sets, sets, and a CloudTrail template. You must use a policy with the minimum set of permissions to connect to Cloud Access Management.

Required Policy Permissions

To allow Cloud Access Management to gather data from all member accounts within organizations, you must use a policy that includes the required set of permissions displayed below. You can create a custom policy or use an existing policy as long as they include these permissions. Your policy can have additional permissions beyond the required ones.

This policy must have an external ID, which will be provided upon onboarding.

Expand for Minimum Required Permissions JSON
{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Effect":"Allow",
          "Resource":"*",
          "Action":[
             "cloudtrail:DescribeTrails",
             "cloudtrail:GetEventSelectors",
             "cloudtrail:GetTrailStatus",
             "cloudtrail:ListTags",
             "cloudtrail:LookupEvents",
             "cloudwatch:Describe*",
             "cloudwatch:ListTagsForResource",
             "config:BatchGetAggregateResourceConfig",
             "config:BatchGetResourceConfig",
             "config:Deliver*",
             "config:Describe*",
             "config:Get*",
             "config:List*",
             "dynamodb:DescribeContinuousBackups",
             "dynamodb:DescribeGlobalTable",
             "dynamodb:DescribeTable",
             "dynamodb:DescribeTimeToLive",
             "dynamodb:ListBackups",
             "dynamodb:ListGlobalTables",
             "dynamodb:ListStreams",
             "dynamodb:ListTables",
             "dynamodb:ListTagsOfResource",
             "ec2:Describe*",
             "ec2:DescribeTransitGatewayAttachments",
             "ec2:DescribeTransitGatewayMulticastDomains",
             "ec2:DescribeTransitGatewayPeeringAttachments",
             "ec2:DescribeTransitGatewayRouteTables",
             "ec2:DescribeTransitGatewayVpcAttachments",
             "ec2:DescribeTransitGateways",
             "ec2:GetManagedPrefixListAssociations",
             "ec2:GetManagedPrefixListEntries",
             "ec2:GetTransitGatewayAttachmentPropagations",
             "ec2:GetTransitGatewayMulticastDomainAssociations",
             "ec2:GetTransitGatewayPrefixListReferences",
             "ec2:GetTransitGatewayRouteTableAssociations",
             "ec2:GetTransitGatewayRouteTablePropagations",
             "elasticloadbalancing:Describe*",
             "es:Describe*",
             "es:ListDomainNames",
             "es:ListElasticsearchInstanceTypeDetails",
             "es:ListElasticsearchVersions",
             "es:ListTags",
             "events:Describe*",
             "events:List*",
             "events:TestEventPattern",
             "iam:GenerateCredentialReport",
             "iam:GenerateServiceLastAccessedDetails",
             "iam:Get*",
             "iam:List*",
             "iam:SimulateCustomPolicy",
             "iam:SimulatePrincipalPolicy",
             "kms:Describe*",
             "kms:Get*",
             "kms:List*",
             "lambda:GetAccountSettings",
             "lambda:GetFunctionConfiguration",
             "lambda:GetFunctionEventInvokeConfig",
             "lambda:GetLayerVersionPolicy",
             "lambda:GetPolicy",
             "lambda:List*",
             "logs:Describe*",
             "logs:ListTagsLogGroup",
             "organizations:Describe*",
             "organizations:List*",
             "rds:Describe*",
             "rds:DownloadDBLogFilePortion",
             "rds:ListTagsForResource",
             "s3:GetAccelerateConfiguration",
             "s3:GetAccessPoint",
             "s3:GetAccessPointPolicy",
             "s3:GetAccessPointPolicyStatus",
             "s3:GetAccountPublicAccessBlock",
             "s3:GetAnalyticsConfiguration",
             "s3:GetBucket*",
             "s3:GetEncryptionConfiguration",
             "s3:GetInventoryConfiguration",
             "s3:GetLifecycleConfiguration",
             "s3:GetMetricsConfiguration",
             "s3:GetObjectAcl",
             "s3:GetObjectVersionAcl",
             "s3:GetReplicationConfiguration",
             "s3:ListAccessPoints",
             "s3:ListAllMyBuckets",
             "sns:GetTopicAttributes",
             "sns:ListSubscriptions",
             "sns:ListSubscriptionsByTopic",
             "sns:ListTagsForResource",
             "sns:ListTopics",
             "sqs:GetQueueAttributes",
             "sqs:ListDeadLetterSourceQueues",
             "sqs:ListQueueTags",
             "sqs:ListQueues",
             "tag:GetResources",
             "tag:GetTagKeys"
          ]
       },
       {
          "Effect":"Allow",
          "Action":[
             "apigateway:GET"
          ],
          "Resource":[
             "arn:aws:apigateway:*::/apis",
             "arn:aws:apigateway:*::/apis/*/routes",
             "arn:aws:apigateway:*::/apis/*/stages",
             "arn:aws:apigateway:*::/apis/*/stages/*",
             "arn:aws:apigateway:*::/clientcertificates/*",
             "arn:aws:apigateway:*::/restapis",
             "arn:aws:apigateway:*::/restapis/*/authorizers",
             "arn:aws:apigateway:*::/restapis/*/authorizers/*",
             "arn:aws:apigateway:*::/restapis/*/documentation/versions",
             "arn:aws:apigateway:*::/restapis/*/resources",
             "arn:aws:apigateway:*::/restapis/*/resources/*",
             "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
             "arn:aws:apigateway:*::/restapis/*/stages",
             "arn:aws:apigateway:*::/restapis/*/stages/*",
             "arn:aws:apigateway:*::/tags/*",
             "arn:aws:apigateway:*::/vpclinks"
          ]
       }
    ]
} 

Using Stack Sets

You can use stack sets to create resources for each member account within the organizational unit or whole organization. This excludes the root management account. Resources for the root management account will not be created even if it's a part of an organizational unit. Refer to the AWS documentation on creating a stack set.

Using a Stack

You can also use a stack, which is a collection of AWS resources that you can manage as a single unit. Stacks are applied to just the root management account. Refer to the AWS documentation for working with stacks.

Using Your Organization's CloudTrail

You'll need to know your organization's CloudTrail. Refer to the AWS documentation on how to create a trail for your organization. Use the link below to learn how to find an existing organization CloudTrail Amazon Resource Name (ARN).

Important

To avoid Amazon Web Services costs, ensure that you enable only management events in your organization's CloudTrail. If you enable all events or create a new organization CloudTrail, you will incur costs. Refer to the CloudTrail pricing for more details.

To create permissions for organization onboarding with organization-level CloudTrail:

  • Create a stack set on the root management account using this CloudTrail template.

  • Create a stack on the root management account using this CloudTrail template.

  • Manually create an OrganizationTrail and add the subscription to a previously created SNS topic.

Connecting Single AWS Source Accounts Using CloudFormation

In order to use CloudFormation, you will need to have CloudTrail enabled. While CloudFormation can be used to create an S3 bucket, the default and recommended behavior is to use CloudFormation with an existing S3 bucket.

Warning

If you choose to create a new S3 bucket for CloudTrail, Cloud Access Management will not have historical usage data and some of the capabilities will not work.

In Stacks, select the Create stack dropdown menu and choose With new resources (standard).

Complete the following steps to create a stack:

  1. Specify template

    Select Upload a template file and choose the appropriate JSON file. We recommend you use an existing S3 bucket and this CloudFormation Template.

    Select Next.

  2. Specify stack details

    • BucketName

      In BucketName, add the name of the existing bucket with CloudTrail logs. You can find this information by going to CloudTrail configuration and viewing Trails.

    • ExternalID

      Enter any unique external ID. You will want to keep this information secret.

    • RoleName

      Create a name for this role.

    • RolePolicyName

      This role needs to have the SecurityAuditPolicy policy in order to receive read access to all the resources in that source account. In addition to the SecurityAudit policy, this new role needs a policy to read the S3 objects under the CloudTrail bucket. Provide the name of this policy here. For example, "SailPointCAMAuditPolicy".

    • TopicName

      Name the SNS topic. All of the CloudTrail logs go to this defined SNS topic where Cloud Access Management picks up the usage data.

    • TrailName

      This is the name of the Trail, which you can find in the CloudTrail section.

  3. Configure stack options. Navigate to the bottom and select Next.

  4. Review

    Navigate to the bottom and check the box under Capabilities to acknowledge that Amazon Web Services CloudFormation may create Identity Access Management (IAM) resources with custom names.

  5. Select Create stack.

When you've completed all of these steps, you will be redirected to see your stacks. Select the name of the stack you just created and look at the Outputs tab to find the information you will need to enter into Cloud Access Management.

Outputs tab with columns for key, value, description, and export name.

Configuring a Central CloudTrail Bucket

If you have set up CloudTrail logs and would like them to be sent to a bucket owned by a central, management account, follow these directions. After setting up CloudFormation in the subaccounts (accounts falling under the Management Logging Account), add a policy to the bucket owned by the Management Logging Account.

Note

This action only has to be taken on the bucket of the Management Logging Account. The CloudFormation template manages subaccounts.

  1. In Amazon Web Services Console, search for or select S3.

  2. Search for and select the Management Logging Account bucket you want the CloudTrails to be sent to.

  3. In the bucket menu, select Permissions and Bucket Policy.

  4. In the bucket policy editor, copy and paste the following JSON text and append it to the existing policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<sailpoint-accountid>:root"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>/*"
        },
        {
            "Sid": "Stmt2",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<sailpoint-accountid>:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>"
        }
    }
    
  5. There are four areas in the JSON file that need editing to make it appropriate for your project:

    • Replace the two instances of <sailpoint-accountid> with SailPoint account number for Cloud Access Management.

    • Replace the two instances of central-cloud-trail-bucket with your bucket name. In this example that would be travis-cloud-trail.

Connecting AWS Manually

If you are not using the AWS Organizations feature, follow these directions for each Amazon Web Services account within your organization unit that you want to govern:

  1. Create a new Identity and Access Management role within your Amazon Web Services source account.

  2. Create a New Managed IAM Policy to assign policies to roles, users, and groups in your Amazon Web Services source account.

  3. Enable CloudTrail logging and SNS notifications to store trail information.

  4. Register your Amazon Web Services Cloud source account with Cloud Access Management.

Creating a New IAM Role

  1. Log in to the Amazon Web Services Management console.

  2. Search for "IAM".

  3. On the left, select Roles and choose Create Role.

  4. Choose the Another AWS account option.

  5. In the Account ID field, enter the SailPoint account number for Cloud Access Management: 874540850173.

  6. Check the Require external ID option and enter any string in the External ID field. You will need this later to connect your AWS source account with Cloud Access Management.

  7. Select Next: Permissions.

  8. Search for and select the SecurityAudit policy to associate it with the role you're creating.

  9. Select Next: Tags. Tags are optional.
  10. Select Next: Review. Enter an appropriate name for the role, such as "SailPointAuditRole" as well as a meaningful description such as "Used by SailPoint to read security policies".

  11. Select Create role to complete the process. The new role is displayed in the list of all roles.

  12. Select the new role name to view its details and make note of the following information:

    • The Role ARN listed on the Summary page for the newly created role.

    • Select Trust relationships, and under Conditions, locate the Key ExternalId generated for the role.

    Important

    You'll need this information to register your AWS source accounts with Cloud Access Management.

Creating a New Managed IAM Policy

In order to grant Cloud Access Management access to your CloudTrail events, create a new managed IAM policy using the following steps.

  1. In IAM, expand Access management in the left menu and select Policies.
  2. Select Create policy to create a managed policy (e.g., SPGovernIAMPolicy).
  3. Add the following permissions to the JSON file:

    { 
            "Version": "2012-10-17", 
            "Statement": [ 
                { 
                    "Effect": "Allow", 
                    "Action": "s3:GetObject", 
                    "Resource": "arn:aws:s3:::YourCloudtrailBucketName/*" 
                }, 
                { 
                    "Effect": "Allow", 
                    "Action": [ 
                        "s3:GetBucketLocation", 
                        "s3:ListBucket" 
                    ], 
                    "Resource": "arn:aws:s3:::YourCloudtrailBucketName" 
                } 
            ] 
    }
    

    Note

    Replace YourCloudtrailBucketName with the name of your CloudTrail bucket.

  4. Select Review policy at the bottom. Enter a name and optional description.

  5. Select Create policy.
  6. This directs you to the policy overview page. Select the radio button next to the policy name.
  7. Select the Policy actions dropdown menu and choose Attach to attach the policy to users, groups, or roles in your accounts.
  8. Select Attach policy to assign the new managed policy to the SailPointAuditRole you created previously.

Enabling CloudTrail Logging and SNS Notifications

After you've created a role with sufficient permissions, you'll need to enable CloudTrail event processing and log delivery. You can use an existing S3 bucket to store the CloudTrail logs or create a new one.

  1. In the Amazon Web Services Management console, select Services and search for "CloudTrail". Select Trails to access the CloudTrail service page.

  2. Select the trail name you want to use or select Create trail to create a new S3 bucket for your CloudTrail logs.

  3. Under Storage location, select Create new S3 bucket.

    Important

    Save your CloudTrail name as you'll need it to register your AWS source cloud accounts.

  4. To configure the Simple Notification Service (SNS) for log file delivery, expand Additional settings and in:

    a. SNS notification delivery - Select Enabled to send an SNS notification for every log file delivery.

    b. Create a new SNS topic - Select New.

    c. SNS topic - Enter an appropriate name and select Next.

    d. Create an access policy - Set up your access policy to allow Cloud Access Management to subscribe to the CloudTrail logs.

  5. Verify that the status of the CloudTrail subscription is healthy by looking for the green check mark in the Status column.

  6. Copy the Amazon Resource Name (ARN) of the SNS topic that's created to somewhere accessible.

  7. To allow Cloud Access Management to subscribe to the CloudTrail logs, you will need to create an access policy.
    1. In the AWS Console, select Services and search for "SNS".
    2. Select Topics from the left menu.
    3. Select the topic you created for Cloud Access Management and select Edit.
    4. Expand Access policy to show the JSON editor. Append the following code into the editor:
      {
          "Effect":"Allow",
          "Principal":{
              "AWS":[
                  "arn:aws:iam::874540850173:root"
              ]
          },
          "Action":[
              "SNS:Subscribe",
              "SNS:Receive"
          ],
          "Resource":"<ARN of the SNS topic created for CAM>"
      }
      

After you've completed all of the steps above, you're ready to connect the two services to the Cloud Access Management portal. See Getting Started.