
Configuring Amazon Web Services Cloud

Cloud Access Management collects data on access paths and how networks, objects, and identities could gain access to your organization's Amazon Web Services cloud resources.

To configure Cloud Access Management with your Amazon Web Services source, you'll need to give it read-only access to your Amazon Web Services infrastructure to create an inventory and read the usage data in your CloudTrail bucket.

You can add all AWS accounts in your organization or connect a single account using the provided CloudFormation templates. You can also manually connect AWS accounts.

Note

SailPoint strongly recommends adding all organization accounts, as opposed to single accounts, to allow Cloud Access Management to display the hierarchy of your AWS cloud.

When you have completed your configuration, you should verify it before registering your AWS account with Cloud Access Management.

Configuring a Central CloudTrail Bucket

Cloud Access Management uses CloudTrail logs to track the actions taken by a user, role, or AWS service in your AWS account. You must create or use a bucket owned by a central management account to send CloudTrail logs to Cloud Access Management.

You will set up CloudFormation in the accounts falling under the Management Logging Account and add a policy to the bucket owned by that account:

  1. In the AWS Console, search for or select S3.

  2. Search for and select the bucket in the Management Logging Account that you want the CloudTrail logs sent to.

  3. In the bucket menu, select Permissions and Bucket Policy.

  4. In the bucket policy editor, copy and paste the following JSON text and append it to the existing policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<sailpoint-accountid>:root"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>/*"
            },
            {
                "Sid": "Stmt2",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<sailpoint-accountid>:root"
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::<central-cloud-trail-bucket>"
            }
        ]
    }

  5. Edit the following 4 placeholders in the JSON:

    • Replace the 2 instances of <sailpoint-accountid> with the SailPoint account number for Cloud Access Management.

    • Replace the 2 instances of <central-cloud-trail-bucket> with your bucket name. In this example that would be travis-cloud-trail.

Once you have configured a central CloudTrail policy bucket, SailPoint recommends connecting all accounts simultaneously using AWS Organizations.

Connecting AWS Organizations

SailPoint provides CloudFormation templates to grant the permissions required to onboard all accounts using the AWS Organizations service.

  1. Follow the AWS directions to create a stack set with service-managed permissions.

    • Select Template is ready and upload stackset.json. This creates a role and policy with sufficient privileges to read data from your AWS cloud.
  2. Follow the AWS directions to create a stack on the root management account.

    • Select Template is ready and upload stacks.json. This describes the resources AWS CloudFormation will include in your stack.
  3. Follow the AWS directions to create an organizational CloudTrail, or use an existing CloudTrail Amazon Resource Name (ARN).

    • Enable SNS notification delivery to an existing SNS topic.

    • Enable Management events.

    Warning

    To avoid Amazon Web Services costs, ensure that you enable only management events in your organization's CloudTrail. If you enable all events or create a new organization CloudTrail, you will incur costs. Refer to the CloudTrail pricing for more details.

You should verify your configuration before registering your source.

Policy Requirements

If you want to use a custom IAM policy, it must contain the minimum permissions Cloud Access Management needs to read your AWS accounts.

{
    "Version":"2012-10-17",
    "Statement":[
    {
        "Effect":"Allow",
        "Resource":"*",
        "Action":[
            "cloudtrail:DescribeTrails",
            "cloudtrail:GetEventSelectors",
            "cloudtrail:GetTrailStatus",
            "cloudtrail:ListTags",
            "cloudtrail:LookupEvents",
            "cloudwatch:Describe*",
            "cloudwatch:ListTagsForResource",
            "config:BatchGetAggregateResourceConfig",
            "config:BatchGetResourceConfig",
            "config:Deliver*",
            "config:Describe*",
            "config:Get*",
            "config:List*",
            "dynamodb:DescribeContinuousBackups",
            "dynamodb:DescribeGlobalTable",
            "dynamodb:DescribeTable",
            "dynamodb:DescribeTimeToLive",
            "dynamodb:ListBackups",
            "dynamodb:ListGlobalTables",
            "dynamodb:ListStreams",
            "dynamodb:ListTables",
            "dynamodb:ListTagsOfResource",
            "ec2:Describe*",
            "ec2:DescribeTransitGatewayAttachments",
            "ec2:DescribeTransitGatewayMulticastDomains",
            "ec2:DescribeTransitGatewayPeeringAttachments",
            "ec2:DescribeTransitGatewayRouteTables",
            "ec2:DescribeTransitGatewayVpcAttachments",
            "ec2:DescribeTransitGateways",
            "ec2:GetManagedPrefixListAssociations",
            "ec2:GetManagedPrefixListEntries",
            "ec2:GetTransitGatewayAttachmentPropagations",
            "ec2:GetTransitGatewayMulticastDomainAssociations",
            "ec2:GetTransitGatewayPrefixListReferences",
            "ec2:GetTransitGatewayRouteTableAssociations",
            "ec2:GetTransitGatewayRouteTablePropagations",
            "elasticloadbalancing:Describe*",
            "es:Describe*",
            "es:ListDomainNames",
            "es:ListElasticsearchInstanceTypeDetails",
            "es:ListElasticsearchVersions",
            "es:ListTags",
            "events:Describe*",
            "events:List*",
            "events:TestEventPattern",
            "iam:GenerateCredentialReport",
            "iam:GenerateServiceLastAccessedDetails",
            "iam:Get*",
            "iam:List*",
            "iam:SimulateCustomPolicy",
            "iam:SimulatePrincipalPolicy",
            "kms:Describe*",
            "kms:Get*",
            "kms:List*",
            "lambda:GetAccountSettings",
            "lambda:GetFunctionConfiguration",
            "lambda:GetFunctionEventInvokeConfig",
            "lambda:GetLayerVersionPolicy",
            "lambda:GetPolicy",
            "lambda:List*",
            "logs:Describe*",
            "logs:ListTagsLogGroup",
            "organizations:Describe*",
            "organizations:List*",
            "rds:Describe*",
            "rds:DownloadDBLogFilePortion",
            "rds:ListTagsForResource",
            "s3:GetAccelerateConfiguration",
            "s3:GetAccessPoint",
            "s3:GetAccessPointPolicy",
            "s3:GetAccessPointPolicyStatus",
            "s3:GetAccountPublicAccessBlock",
            "s3:GetAnalyticsConfiguration",
            "s3:GetBucket*",
            "s3:GetEncryptionConfiguration",
            "s3:GetInventoryConfiguration",
            "s3:GetLifecycleConfiguration",
            "s3:GetMetricsConfiguration",
            "s3:GetObjectAcl",
            "s3:GetObjectVersionAcl",
            "s3:GetReplicationConfiguration",
            "s3:ListAccessPoints",
            "s3:ListAllMyBuckets",
            "sns:GetTopicAttributes",
            "sns:ListSubscriptions",
            "sns:ListSubscriptionsByTopic",
            "sns:ListTagsForResource",
            "sns:ListTopics",
            "sqs:GetQueueAttributes",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:ListQueueTags",
            "sqs:ListQueues",
            "tag:GetResources",
            "tag:GetTagKeys"
        ]
    },
    {
        "Effect":"Allow",
        "Action":[
            "apigateway:GET"
        ],
        "Resource":[
            "arn:aws:apigateway:*::/apis",
            "arn:aws:apigateway:*::/apis/*/routes",
            "arn:aws:apigateway:*::/apis/*/stages",
            "arn:aws:apigateway:*::/apis/*/stages/*",
            "arn:aws:apigateway:*::/clientcertificates/*",
            "arn:aws:apigateway:*::/restapis",
            "arn:aws:apigateway:*::/restapis/*/authorizers",
            "arn:aws:apigateway:*::/restapis/*/authorizers/*",
            "arn:aws:apigateway:*::/restapis/*/documentation/versions",
            "arn:aws:apigateway:*::/restapis/*/resources",
            "arn:aws:apigateway:*::/restapis/*/resources/*",
            "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
            "arn:aws:apigateway:*::/restapis/*/stages",
            "arn:aws:apigateway:*::/restapis/*/stages/*",
            "arn:aws:apigateway:*::/tags/*",
            "arn:aws:apigateway:*::/vpclinks"
        ]
    }
    ]
}
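A custom policy is only adequate if every action in the list above is matched by some Allow statement, and IAM matches actions with wildcards ("ec2:Describe*" covers "ec2:DescribeInstances"), so eyeballing the two lists is error-prone. The following checker is an added example, not SailPoint's code: REQUIRED is a short excerpt of the list above (not the whole list), CUSTOM_POLICY is a constructed policy to test against it, and Resources and Conditions are deliberately ignored, so it answers only "is each required action allowed by some statement and denied by none".

```python
"""Check a custom IAM policy against a required action list using IAM's
action-matching rules: '*' matches any run of characters, '?' one character,
comparison is case-insensitive.  Added example; REQUIRED is an excerpt of the
page's list and CUSTOM_POLICY is constructed.  Resources and Conditions are
ignored on purpose (the check is about action coverage only)."""
import re

# Excerpt of the page's required permissions (constructed subset).
REQUIRED = [
    "cloudtrail:DescribeTrails", "cloudtrail:LookupEvents", "ec2:Describe*",
    "iam:Get*", "iam:List*", "iam:SimulatePrincipalPolicy", "s3:GetBucket*",
    "s3:ListAllMyBuckets", "apigateway:GET",
]

# Constructed custom policy: wider than needed in places (iam:*), narrower in
# others (no cloudtrail:LookupEvents), and with a Deny that undoes an Allow.
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudtrail:Describe*", "ec2:Describe*", "iam:*",
                    "s3:Get*", "s3:ListAllMyBuckets"]},
        {"Effect": "Allow", "Action": "apigateway:GET",
         "Resource": "arn:aws:apigateway:*::/restapis"},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:Simulate*"},
    ],
}


def _as_list(value):
    """Statement and Action may be a single value or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def action_regex(pattern):
    """Compile an IAM action pattern into a case-insensitive regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def actions_by_effect(policy, effect):
    """All action patterns from statements with the given Effect."""
    return [action
            for stmt in _as_list(policy["Statement"]) if stmt.get("Effect") == effect
            for action in _as_list(stmt.get("Action", []))]


def is_covered(required, policy):
    """True if some Allow pattern matches `required` and no Deny pattern does.
    A required wildcard such as ec2:Describe* is matched as a literal string,
    so only a pattern at least as wide (ec2:Describe* or ec2:*) covers it."""
    allowed = any(action_regex(a).match(required) for a in actions_by_effect(policy, "Allow"))
    denied = any(action_regex(d).match(required) for d in actions_by_effect(policy, "Deny"))
    return allowed and not denied


def missing_actions(policy, required=REQUIRED):
    """Sorted list of required actions the policy does not cover."""
    return sorted(a for a in required if not is_covered(a, policy))


if __name__ == "__main__":
    for action in missing_actions(CUSTOM_POLICY):
        print("not covered:", action)
```

Run against the constructed policy it reports cloudtrail:LookupEvents (no pattern matches it) and iam:SimulatePrincipalPolicy (allowed by iam:* but removed by the Deny). To check a real policy, replace REQUIRED with the full list above and CUSTOM_POLICY with the document exported from the console.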

Connecting Single AWS Source Accounts

If you do not want to add all accounts in your organization, you can add individual accounts. SailPoint provides a CloudFormation template to create a role and CloudTrail allowing access to the objects in your Amazon S3 bucket.

To connect a single account using CloudFormation:

  1. In the AWS console, select CloudFormation > Stacks.

  2. In Stacks, select the Create stack dropdown menu and choose With new resources (standard).


  3. Select Template is ready and Upload a template file.

  4. Based on your organization configuration, select the appropriate template:

    Use case                                                 Template
    Use an existing CloudTrail with an existing S3 bucket    aws-onboarding-existing-cloudtrail.json
    Create a CloudTrail to use with an existing S3 bucket    aws-onboarding-nobucket.json
    Create a CloudTrail and an S3 bucket                     aws-onboarding.json

    Caution

    If you create an S3 bucket for CloudTrail, Cloud Access Management will not have historical usage data, and some of the capabilities will not work.

  5. Name your bucket.

    • If you are using an existing S3 bucket, enter the name in the BucketName field. This can be found in the S3 bucket column of your Trails.

    • If you are creating an S3 bucket, name the bucket for collecting CloudTrail logs.

  6. Enter a unique ExternalId. Keep this information secret.

  7. The template populates the other fields. Continue using the stack wizard, setting the Stack failure option to Roll back all stack resources.

  8. Complete the setup and select Create stack.

You should verify your configuration before registering your source.

Connecting AWS Manually

If you do not have access to CloudFormation, you can manually add AWS accounts within your organization.

Caution

Connecting AWS manually can leave gaps in your data. SailPoint strongly recommends using CloudFormation templates with AWS Organizations or single AWS source accounts.

Creating an IAM Role

You must create an identity and access management role on your Amazon Web Services source account where you will attach the policy defining what data Cloud Access Management can read.

  1. Sign in to the Amazon Web Services Management console.

  2. Search for "IAM".

  3. On the left, select Roles and choose Create role.

  4. Select AWS account and choose the Another AWS account option.

  5. In the Account ID field, enter the SailPoint account number for Cloud Access Management: 874540850173.

  6. Select the Require external ID option and enter any string in the External ID field. You will need this later to connect your AWS source account with Cloud Access Management.

  7. Select Next. You will be taken to the Add Permissions section.

  8. Select Create policy and choose the JSON tab.
  9. Replace the JSON text with the required permissions listed under Policy Requirements.

  10. Select Next: Tags. Tags are optional.

  11. Select Next: Review. Enter an appropriate name and description for the role.

  12. Select Create policy. The new policy will be displayed in the list of IAM policies.

  13. Select the checkbox next to the new policy and select Next.

  14. Enter a role name and details. Review the information and select Create Role. You will be redirected to the Roles page.

  15. Search for and select the new role to view its summary. You will need the following information from the summary page to register your AWS source accounts with Cloud Access Management:

    • Role ARN
    • Select Trust relationships and, under Condition, locate the ExternalId key and the value set for the role.

Creating a Managed IAM Policy

In order to grant Cloud Access Management access to your CloudTrail events, you must create a managed IAM policy.

  1. In IAM, expand Access management in the left menu and select Policies.
  2. Select Create policy to create a managed policy.
  3. Add the following permissions to the JSON file, replacing YourCloudtrailBucketName with the name of your CloudTrail bucket:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName"
            }
        ]
    }

  4. Select Review policy. Enter a name and optional description.

  5. Select Create policy. This directs you to the policy overview page.
  6. Select the radio button next to the policy name.
  7. Select the Policy actions dropdown menu and choose Attach to attach the policy to users, groups, or roles in your accounts.
  8. Select Attach policy to assign the new managed policy to the role you created previously.

Enabling CloudTrail Logging and SNS Notifications

After you've created a role with sufficient permissions, you'll need to enable CloudTrail event processing and log delivery. You can use an existing S3 bucket to store the CloudTrail logs or create a new one.

  1. In the Amazon Web Services Management console, select Services and search for "CloudTrail". Select Trails to access the CloudTrail service page.

  2. Select the trail name you want to use or select Create trail to create a new S3 bucket for your CloudTrail logs.

  3. Under Storage location, select Create new S3 bucket.

    Note

    Save your CloudTrail name as you'll need it to register your AWS source cloud accounts.

  4. To configure the Simple Notification Service (SNS) for log file delivery, expand Additional settings and complete the following:

    a. SNS notification delivery - Select Enabled to send an SNS notification for every log file delivery.

    b. Create a new SNS topic - Select New.

    c. SNS topic - Enter an appropriate name and select Next.

    d. Create an access policy - Set up your access policy to allow Cloud Access Management to subscribe to the CloudTrail logs.

  5. Verify that the status of the CloudTrail subscription is healthy by looking for the green check mark in the Status column.

  6. Copy the Amazon Resource Name (ARN) of the SNS topic that's created and store it somewhere easily accessible.

  7. To allow Cloud Access Management to subscribe to the CloudTrail logs, you will need to create an access policy.

    1. In the AWS Console, select Services and search for "SNS".
    2. Select Topics from the left menu.
    3. Select the topic you created for Cloud Access Management and select Edit.
    4. Expand Access policy to show the JSON editor. Append the following statement to the policy's Statement array, replacing <ARN of the SNS topic created for Cloud Access Management> with the ARN of your SNS topic:

      {
          "Effect":"Allow",
          "Principal":{
              "AWS":[
                  "arn:aws:iam::874540850173:root"
              ]
          },
          "Action":[
              "SNS:Subscribe",
              "SNS:Receive"
          ],
          "Resource":"<ARN of the SNS topic created for Cloud Access Management>"
      }
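The snippet above is a single statement, while the topic editor shows a whole policy document whose Statement member may be a single object or a list, so it has to be merged in rather than pasted over the top. This is an added example, not SailPoint's code, of doing that merge offline (for instance before pushing the policy with the CLI): EXISTING_POLICY is a constructed sample shaped like the default policy a new topic receives, the topic ARN and account 111122223333 are placeholders, and the merge refuses a statement whose Resource placeholder was never replaced.

```python
"""Merge the page's SNS subscribe statement into an existing topic access
policy.  Added example, not SailPoint's code; EXISTING_POLICY and the topic
ARN are constructed placeholders."""
import json

PLACEHOLDER = "<ARN of the SNS topic created for Cloud Access Management>"

# The statement from the page, Resource placeholder still in place.
SAILPOINT_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::874540850173:root"]},
    "Action": ["SNS:Subscribe", "SNS:Receive"],
    "Resource": PLACEHOLDER,
}

# Constructed sample of an existing topic policy.  Statement is a single
# object here, not a list, which the merge must handle.
EXISTING_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": {
        "Sid": "__default_statement_ID",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["SNS:GetTopicAttributes", "SNS:Subscribe"],
        "Resource": "arn:aws:sns:us-east-2:111122223333:example-cam-topic",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}},
    },
})


def subscribe_statement(topic_arn):
    """The page's statement with Resource set to the real topic ARN."""
    if not topic_arn.startswith("arn:aws:sns:"):
        raise ValueError(f"not an SNS topic ARN: {topic_arn}")
    return {**SAILPOINT_STATEMENT, "Resource": topic_arn}


def add_statement(policy_json, statement):
    """Append `statement` to the policy's Statement list.  Idempotent (an
    identical statement is not added twice) and refuses the unedited
    placeholder so a broken Resource never reaches the topic."""
    if statement.get("Resource") == PLACEHOLDER:
        raise ValueError("replace the Resource placeholder with the topic ARN first")
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if not isinstance(statements, list):
        statements = [statements]
    if statement not in statements:
        statements.append(statement)
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


def statement_count(policy_json):
    """Number of statements, whichever shape Statement has."""
    statements = json.loads(policy_json)["Statement"]
    return len(statements) if isinstance(statements, list) else 1


if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-2:111122223333:example-cam-topic"
    print(add_statement(EXISTING_POLICY, subscribe_statement(topic)))
```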

Verifying Your Configuration

When you have finished connecting your AWS accounts, you should verify the configuration was successful:

  1. In the AWS Console IAM service, select Roles.

  2. Search for the IAM role created by CloudFormation. Select the role and save its name and ARN. For example, arn:aws:iam::443361460944:role/SailPointCAMAuditRoleStack.

  3. Select the Trust relationships tab and confirm the principal displays 874540850173.

  4. Select Policies and search for the IAM policy created by CloudFormation. For example, "SailPointCAMAuditPolicy".

  5. Select Permissions and verify the bucket name in the JSON. This policy should allow s3:GetBucketLocation and s3:ListBucket actions on the CloudTrail bucket. It should also allow s3:GetObject action on the S3 bucket contents.

  6. Browse to the SNS service. Confirm the topic was created for you to subscribe to and note the ARN of the SNS topic. For example, arn:aws:sns:us-east-2:443361460944:sailpoint-cam-topic.
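Steps 3 and 5 above, and the bucket policy under Configuring a Central CloudTrail Bucket, all come down to the same questions: does the trust policy name the expected account and require an external ID, and does the bucket or managed policy grant exactly s3:GetObject on the objects and s3:ListBucket plus s3:GetBucketLocation on the bucket, and nothing wider. The following checker is an added example, not SailPoint's code, for answering those questions from policy documents exported with the console or the AWS CLI. The sample documents are constructed: 874540850173 is the account number given on this page, while the bucket name and external ID are placeholders.

```python
"""Offline checks for the trust policy and the CloudTrail bucket access
policy this page asks you to verify.  Added example, not SailPoint's code;
TRUST_POLICY and BUCKET_POLICY are constructed samples."""

EXPECTED_ACCOUNT = "874540850173"          # SailPoint account number from the page
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject"}


def _as_list(value):
    """Statement, Action, Resource and Principal.AWS may be scalar or list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def check_trust_policy(doc, expected_account=EXPECTED_ACCOUNT):
    """Findings (empty list = ok) for a role trust policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append("any principal may assume the role")
            elif expected_account not in p:
                findings.append(f"unexpected principal {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            findings.append("sts:ExternalId condition missing (confused-deputy risk)")
    return findings


def check_bucket_access(doc, bucket, expected_account=None):
    """Findings for a bucket policy (pass expected_account so the Principal is
    checked) or a managed IAM policy (expected_account=None, no Principal)."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    on_bucket, on_objects = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        if expected_account is not None:
            for p in _principals(stmt):
                if p == "*":
                    findings.append("statement grants access to any principal")
                elif expected_account not in p:
                    findings.append(f"unexpected principal {p}")
        for action in actions - (BUCKET_ACTIONS | OBJECT_ACTIONS):
            # Anything beyond the three read actions is more than the page asks for.
            findings.append(f"action beyond read-only CloudTrail access: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == bucket_arn:
                on_bucket |= actions
            elif resource == bucket_arn + "/*":
                on_objects |= actions
            else:
                findings.append(f"resource outside the CloudTrail bucket: {resource}")
    findings += [f"missing {a} on {bucket_arn}" for a in sorted(BUCKET_ACTIONS - on_bucket)]
    findings += [f"missing {a} on {bucket_arn}/*" for a in sorted(OBJECT_ACTIONS - on_objects)]
    return findings


# Constructed sample: the trust policy of the role from "Creating an IAM Role".
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EXPECTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Constructed sample: the page's central bucket policy with placeholders filled.
BUCKET = "example-central-cloud-trail"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{EXPECTED_ACCOUNT}:root"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "Stmt2", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{EXPECTED_ACCOUNT}:root"},
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
    ],
}

if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY) or "ok")
    print("bucket policy:", check_bucket_access(BUCKET_POLICY, BUCKET, EXPECTED_ACCOUNT) or "ok")
```

For the managed policy from Creating a Managed IAM Policy, call check_bucket_access with the exported policy and expected_account=None, since identity policies carry no Principal. An empty findings list for both documents corresponds to what steps 3 and 5 above ask you to confirm in the console.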

You need the following details to register your AWS source with Cloud Access Management:

  • Role ARN

  • External ID

  • CloudTrail ARN

  • CloudTrail Bucket Account ID, if different from the management account
