Configuring Cloud Service Providers

To enable Cloud Access Management, you'll need to create native roles on each of your cloud accounts and set appropriate permissions to allow SailPoint to securely access the information it needs to govern your cloud workloads.

Follow the instructions for each supported cloud platform you want to govern.

Configuring Amazon Web Services Cloud

To configure Cloud Access Management for your Amazon Web Services account, you'll need to give it access to your Amazon Web Services policies and resources inventory, and the ability to read the logs in your CloudTrail bucket. To do this, you'll create a new role and associate it with the policies required to access resources in your Amazon Web Services account, and provide read access to your CloudTrail S3 bucket.

You can configure Amazon Web Services using a CloudFormation template or manually.

You can connect AWS accounts by adding the organization or by adding single accounts manually.

Note

We recommend you connect AWS organizations, as opposed to individual accounts, so that you can see the full hierarchy of your accounts.

Connecting AWS Organizations Using CloudFormation

To add user accounts by AWS organization, you can use a CloudFormation template and StackSets.

You can use StackSets to create resources for each account within the organizational unit or whole organization. This excludes the root account. Resources for the root account will not be created even if it's a part of an organizational unit. See the AWS documentation on creating a stack set.

You'll need to know the ARN of your organization's CloudTrail. See the AWS documentation on how to create a trail for your organization. See how to find an existing organization CloudTrail ARN.

To allow Cloud Access Management to gather data from all accounts within the organization, each account needs a role with the SecurityAudit managed policy (read-only access to S3, DynamoDB, EC2, IAM, Lambda, SNS, CloudTrail, Cognito, etc.) and an external ID that will be provided during onboarding.

To create permissions for organization onboarding with organization level CloudTrail:

Connecting Single AWS Accounts Using CloudFormation

In order to use CloudFormation, you will need to have CloudTrail enabled. While CloudFormation can be used to create an S3 bucket, the default and recommended behavior is to use CloudFormation with an existing S3 bucket.

Warning

If you choose to create a new S3 bucket for CloudTrail, Cloud Access Management will not have historical usage data and some of the capabilities will not work.

In Stacks, select the drop-down menu Create stack. Select With new resources (standard).

There are four steps to creating a stack:

  1. Specify template

    Select Upload a template file and choose the appropriate JSON file. We recommend you use an existing S3 bucket and this CloudFormation Template.

    Select Next.

  2. Specify stack details

    • BucketName

      In BucketName, add the name of the existing bucket with CloudTrail logs. You can find this information by going to CloudTrail configuration and viewing Trails.

    • ExternalID

      Enter any unique external ID. You will want to keep this information secret.

    • RoleName

      Create a name for this role.

    • RolePolicyName

      This role needs to have the SecurityAudit policy in order to receive read access to all the resources in that account. In addition to the SecurityAudit policy, this new role needs a policy to read the S3 objects under the CloudTrail bucket. Provide the name of this policy here. For example, "SailPointCAMAuditPolicy".

    • TopicName

      Name the SNS topic. All of the CloudTrail logs go to this defined SNS topic where Cloud Access Management picks up the usage data.

    • TrailName

      This is the name of the Trail, which you can find in the CloudTrail section.

  3. Configure stack options

    Scroll to the bottom and select Next.

  4. Review

    Scroll to the bottom and check the box under Capabilities to acknowledge that Amazon Web Services CloudFormation may create Identity and Access Management (IAM) resources with custom names.

When you've completed all of these steps, you will be redirected to see your stacks. Select the name of the stack you just created and look at the Outputs tab to find the information you will need to enter into Cloud Access Management.

Configuring a Central CloudTrail Bucket

If you have set up CloudTrail logs and would like them to be sent to a bucket owned by a central, master account, follow these directions. After setting up CloudFormation in the subaccounts (accounts falling under the Master Logging Account), add a policy to the bucket owned by the Master Logging Account.

Note

This action only has to be taken on the bucket of the Master Logging Account. The CloudFormation template manages subaccounts.

  1. In Amazon Web Services Console, search for or select S3.

  2. Search for and select the Master Logging Account bucket you want the CloudTrails to be sent to.

  3. In the bucket menu, select Permissions and Bucket Policy.

  4. In the bucket policy editor, copy and paste the following .json text and append it to the existing policy:

        {
            "Version": "2012-10-17",
            "Id": "Policy1583895588766",
            "Statement": [
                {
                    "Sid": "Stmt1583895586297",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "<RoleARN>"
                    },
                    "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::foo/*"
                },
                {
                    "Sid": "Stmt1583895586298",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "<RoleARN>"
                    },
                    "Action": [
                        "s3:GetBucketLocation",
                        "s3:ListBucket"
                    ],
                    "Resource": "arn:aws:s3:::foo"
                }
            ]
        }

  5. There are four areas in the JSON file that need editing to make it appropriate for your project:

    • Replace the two instances of RoleARN with the Role ARN you created earlier with CloudFormation (visible on the Outputs tab).

    • Replace the two instances of foo with your bucket name. In this example, that would be travis-cloud-trail.

Connecting AWS Manually

Follow these directions for each Amazon Web Services account within your organization unit that you want to govern.

  1. Create a new Identity and Access Management role within your Amazon Web Services account.

  2. Create a New Managed IAM Policy to assign policies to roles, users, and groups in your Amazon Web Services account.

  3. Enable CloudTrail logging and SNS notifications to store trail information.

  4. Register your Amazon Web Services Cloud account with Cloud Access Management.

Creating a New IAM Role

  1. Log in to the Amazon Web Services Management console.

  2. Search for "IAM".

  3. On the left, select Roles and choose Create Role.

  4. Choose the Another Amazon Web Services Account option.

  5. In the Account ID field, enter the account number as 874540850173.

  6. Check the Require external ID option and enter any string in the External ID field. You will need this later to connect your account with Cloud Access Management.

  7. Select Next: Permissions.

  8. Search for and select the following policy to associate it with the role you're creating: SecurityAudit

    Note

    Policies stay selected when you search for other policies.

  9. Select Next: Tags. Tags are optional.

  10. Select Next: Review. Enter an appropriate name for the role (e.g., "SailPointAuditRole"), and a meaningful description such as "Used by SailPoint to read security policies".

  11. Select Create role to complete the process. The new role is displayed in the list of all roles.

  12. Select the new role name to view its details and make note of the following information:

    • The Role ARN listed on the Summary page for the newly created role.

    • Select Trust relationships, and under Conditions, locate the Key ExternalId generated for the role.

    Important

    You'll need this information to register your AWS accounts with Cloud Access Management.
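The trust policy that steps 4 to 6 above produce, together with a check that a role's trust policy keeps the two controls this procedure depends on (a single trusted account and a required external ID), as an added example that is not SailPoint's code. The account ID is the one given in step 5; the external ID is a constructed sample.

```python
# Added example, not SailPoint's code: the trust policy that the console steps
# above produce ("Another AWS Account" + "Require external ID"), and a check
# that a given trust policy keeps the confused-deputy controls the page relies on.
import json

CAM_ACCOUNT_ID = "874540850173"                 # account ID from step 5 above
SAMPLE_EXTERNAL_ID = "ExampleExternalId-12345"  # constructed sample, not a real secret


def build_trust_policy(external_id: str, account_id: str = CAM_ACCOUNT_ID) -> dict:
    """Trust policy equivalent to the console choices in steps 4 to 6."""
    if not external_id:
        raise ValueError("the external ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, account_id: str = CAM_ACCOUNT_ID) -> list:
    """Return problems found in a role's trust policy; [] means it is as expected.

    Every Allow statement for sts:AssumeRole must name the expected account as
    principal (never '*') and carry a StringEquals sts:ExternalId condition;
    without the condition a third party could assume the role on behalf of any
    of its customers (the confused-deputy problem the external ID exists to stop).
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        for p in _as_list(principal):
            if p == "*":
                findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            elif account_id not in p:
                findings.append(f"statement {i}: principal {p!r} is not the expected account")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SAMPLE_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy) or "none")
```

Run it against the trust policy shown on the role's Trust relationships tab (step 12) to confirm the external ID condition survived any later edits.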

Creating a New Managed IAM Policy

In order to grant Cloud Access Management access to your CloudTrail events, create a new managed IAM policy using the following steps.

  1. In IAM, expand Access management in the left menu and select Policies.
  2. Select Create policy to create a managed policy (e.g., SPGovernIAMPolicy).
  3. Add the following permissions to the JSON file:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName"
            }
        ]
    }

    Note

    Replace YourCloudtrailBucketName with the name of your CloudTrail bucket.

  4. Select Review policy at the bottom. Enter a name and optional description.

  5. Select Create policy.
  6. This directs you to the policy overview page. Select the radio button next to the policy name.
  7. Select the Policy actions drop-down menu and choose Attach to attach the policy to users, groups, or roles in your accounts.
  8. Select Attach policy to assign the new managed policy to the SailPointAuditRole you created previously.
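The two-statement S3 read grant above is the same one used in the central bucket policy earlier (with <RoleARN> and foo as placeholders). As an added example that is not SailPoint's code, the following renders both forms for a given bucket and lints the result: placeholders replaced, Sids unique, object actions on the object ARN and bucket actions on the bucket ARN, and no wildcard principal. Bucket and role names used in the tests are constructed samples.

```python
# Added example, not SailPoint's code: renders the two-statement CloudTrail read
# grant used both by the managed policy above (YourCloudtrailBucketName) and by
# the central bucket policy earlier (<RoleARN> and foo), then lints the result so
# the placeholders really were replaced and each action sits on the right resource.

OBJECT_ACTIONS = {"s3:GetObject"}                           # want arn:aws:s3:::bucket/*
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket"}  # want arn:aws:s3:::bucket
PLACEHOLDER_BUCKETS = {"foo", "YourCloudtrailBucketName"}
PLACEHOLDER_PRINCIPALS = {"<RoleARN>", "RoleARN"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def cloudtrail_read_statements(bucket: str, principal_arn: str = None) -> list:
    """The two statements shown on the page; Principal only for bucket policies."""
    statements = [
        {"Sid": "ReadCloudTrailObjects", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Sid": "ListCloudTrailBucket", "Effect": "Allow",
         "Action": sorted(BUCKET_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}"},
    ]
    if principal_arn:
        for statement in statements:
            statement["Principal"] = {"AWS": principal_arn}
    return statements

def managed_policy(bucket: str) -> dict:
    """Identity policy attached to the audit role (step 3 above)."""
    return {"Version": "2012-10-17", "Statement": cloudtrail_read_statements(bucket)}

def bucket_policy(bucket: str, role_arn: str) -> dict:
    """Resource policy on a central logging bucket, granting one role in another account."""
    return {"Version": "2012-10-17", "Statement": cloudtrail_read_statements(bucket, role_arn)}

def policy_findings(policy: dict) -> list:
    """Return problems; [] means the policy is edited and scoped as the page intends."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    sids = [s["Sid"] for s in statements if "Sid" in s]
    if len(sids) != len(set(sids)):
        findings.append("duplicate Sid values (S3 rejects such a policy)")
    for i, s in enumerate(statements):
        actions = set(_as_list(s.get("Action", [])))
        for resource in _as_list(s.get("Resource", [])):
            target = resource.removeprefix("arn:aws:s3:::")  # bucket or bucket/*
            is_object = target.endswith("/*")
            if target.removesuffix("/*") in PLACEHOLDER_BUCKETS:
                findings.append(f"statement {i}: placeholder bucket in {resource!r}")
            if target in ("*", ""):
                findings.append(f"statement {i}: resource {resource!r} covers every bucket")
            if actions & OBJECT_ACTIONS and not is_object:
                findings.append(f"statement {i}: s3:GetObject needs an object resource (bucket/*)")
            if actions & BUCKET_ACTIONS and is_object:
                findings.append(f"statement {i}: bucket actions need the bucket ARN, not objects")
        principal = s.get("Principal", {})
        if isinstance(principal, dict):
            principal = principal.get("AWS", [])
        for p in _as_list(principal):
            if p in PLACEHOLDER_PRINCIPALS:
                findings.append(f"statement {i}: placeholder principal {p!r} not replaced")
            elif p == "*":
                findings.append(f"statement {i}: principal '*' opens the bucket to everyone")
    return findings
```

Running policy_findings on the unedited central bucket policy reports exactly the four placeholders the page says must be replaced.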

Enabling CloudTrail Logging and SNS Notifications

After you've created a role with sufficient permissions, you'll want to enable CloudTrail event processing and log delivery. You can use an existing S3 bucket to store the CloudTrail logs or create a new one.

  1. In the Amazon Web Services Management console, select Services and search for "CloudTrail". Select Trails to access the CloudTrail service page.

  2. Select the name of the trail you want to use. To create a new trail with a new S3 bucket for your CloudTrail logs instead, select Create trail and, under Storage location, select Create new S3 bucket.

    Important

    Save your CloudTrail name as you'll need it to register your AWS cloud accounts.

  3. To configure the Simple Notification Service (SNS) for log file delivery, expand Additional settings and:

    a. SNS notification delivery — Select Enabled to send an SNS notification for every log file delivery.

    b. Create a new SNS topic — Select New.

    c. SNS topic — Enter an appropriate name and select Next.

    d. Create an access policy — Set up your access policy to allow Cloud Access Management to subscribe to the CloudTrail logs.

  4. Verify that the status of the CloudTrail subscription is healthy by looking for the green check mark in the Status column.

  5. Copy the Amazon Resource Name (ARN) of the SNS topic that's created to somewhere accessible.

  6. To allow Cloud Access Management to subscribe to the CloudTrail logs, you will need to create an access policy.
    1. In the AWS Console, select Services and search for "SNS".
    2. Select Topics from the left menu.
    3. Select the topic you created for Cloud Access Management and select Edit.
    4. Expand Access policy to show the .json editor. Append the following statement to the Statement array of the topic policy:
      {
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::874540850173:root"
              ]
          },
          "Action": [
              "SNS:Subscribe",
              "SNS:Receive"
          ],
          "Resource": "<ARN of the SNS topic created for CAM>"
      }


After you've completed all of the steps above, you're ready to connect the two services to the Cloud Access Management portal. See Getting Started.

Configuring Azure Cloud

To configure Cloud Access Management for Azure Cloud, you'll need to register Cloud Access Management and give it the permissions required to read your Azure policies and resources inventory.

Note

You'll need Azure admin privileges to configure the access required by Cloud Access Management to govern Azure Cloud.

Follow these high-level steps:

  1. Register Cloud Access Management as a new application with Azure Cloud.

  2. Grant the permissions required to read your Azure Cloud policies and resources inventory.

Registering Cloud Access Management with Azure Cloud

The first thing you need to do is register Cloud Access Management with Azure Cloud to begin connecting the two services.

  1. Log in to the Azure Cloud portal and select Azure Active Directory.

  2. Select Properties in the left sidebar.

  3. Copy the tenant ID that's displayed and save it somewhere accessible, as you'll need this information to register the cloud account with Cloud Access Management.

  4. Select App registrations in the left sidebar and select New registration to register Cloud Access Management.

  5. Enter an appropriate user-facing name for the new application (e.g., "SailPoint Cloud Access Management"), and keep the default single tenant option checked to ensure that only accounts in the organizational directory will be able to access this application.

  6. Under Redirect URI, select Web from the drop-down menu, and enter https://cam.sailpoint.com in the field provided.

  7. Select Register to register Cloud Access Management with Azure Cloud.

  8. Copy the Application ID that's generated, as you'll need this information to register the cloud account with Cloud Access Management.

Granting Read Permissions to Cloud Access Management

After you've registered Cloud Access Management with Azure Cloud, you can grant it the permissions required to read the security policies configured for the Azure account and the resources inventory of the account.

Using a global admin role, you can enable this at the root management group level so that all subscriptions inherit the reader role from their management group.

To set up the global admin role:

  1. Select Properties in Azure Active Directory.
  2. Select the toggle for "Access management for Azure resources" to set it to Yes. This will allow you to manage access to all Azure subscriptions and management groups in the tenant.

You will also need to enable the Directory.Read.All setting so that Cloud Access Management can read the Azure AD inventory.

In the Azure Cloud portal:

  1. Select API Permissions in the left sidebar and choose Add a permission.
  2. In the list of APIs, select Azure Active Directory Graph.
  3. Select Application permissions and expand the Directory category.
  4. Select the Directory.Read.All option to allow Cloud Access Management to read directory data on your Azure Cloud.
  5. Select Add permissions and Grant admin consent for SailPoint to add the permissions to Cloud Access Management.

Once you have the correct permissions, you will need to grant access to the entire management group tree.

  1. Select Management groups service in the Azure Cloud portal.
  2. Select (details) next to the Tenant Root Group.
  3. In the sidebar, select Access control (IAM).
  4. Select + Add.
  5. On the Add a role assignment card, select Add.
  6. In the Role field, select the Reader role.
  7. In the Select field, search for the application name you created earlier, such as SailPoint Cloud Access Management.
  8. Select Save to assign the Reader role to Cloud Access Management.

Create a Client Secret for Cloud Access Management

Next, you'll need to create a client (application) secret for Cloud Access Management.

  1. Remaining in the Azure Cloud portal, select Certificates and secrets in the left sidebar.

  2. Under Client secrets, select + New client secret, add a description and expiration date.

  3. Copy the client secret value that's generated and enter the client secret in the Application Secret field when you register the cloud account with Cloud Access Management.

Configuring Google Cloud Platform

To configure Google Cloud Platform to work with Cloud Access Management, you'll need to create a project and service account, manage access, check APIs, register your Google Cloud Platform organization with SailPoint, and set up your command-line interface.

Creating Project and Service Accounts

To set up a new project:

  1. In the IAM & admin tab on the left, select Service accounts.

  2. Select CREATE PROJECT on the right.

  3. Enter the Project name. This will create a Project ID that cannot be changed later.

  4. Select the Organization and Location of the Project.

  5. Select CREATE.

To create a service account for an existing project:

  1. In the IAM & admin tab on the left, select Service accounts.

  2. Select + CREATE SERVICE ACCOUNT at the top.

  3. Name your service account and add a description, then select CREATE.

  4. Do not grant this service account access to the project.

  5. On the Grant users access to this service account step, select + CREATE KEY to pair your service account with a key.

  6. Create your key, which allows the code to provide credentials to the API and will generate a JSON file for you.

    Caution

    Any application can access the organization through this .json file, so save it in a secure place.

Granting Service Account Access to an Organization

  1. Select IAM from the IAM & admin panel on the left.

  2. Select Add and search for or paste the service account email into the New members field.

  3. Use the drop-down menu to add these roles:

    • Security Reviewer
    • Organization Policy Viewer
    • Folder Viewer
    • Storage Object Viewer
    • Viewer
    • Organization Role Viewer
    • Organization Viewer

Granting Service Account Access to the Domain

You will need to grant the service account access to your G Suite domain.

  1. Select Service accounts in the IAM & admin panel.

  2. Choose the email of the desired service account. This will open the Service account details.

  3. Select Edit and check the Enable G Suite Domain-wide Delegation box.

  4. Enter a product name in the OAuth consent field and select SAVE. The service account now has domain-wide access.

Establishing Privileges and Access for the Service Account

To determine the access and privileges assigned to your service account, log in to the admin console of the G Suite domain. Use an account that can make security changes.

  1. In https://admin.google.com, select Security > Advanced Settings > Manage API client access.

  2. Enter the exact scope of what the service account is allowed to do on the domain:

    • https://www.googleapis.com/auth/admin.directory.user.readonly
    • https://www.googleapis.com/auth/admin.directory.group.readonly

  3. In the Client Name box, enter the Unique ID that was generated when you created the service account. This can be found in the Service accounts details page.

  4. Select Authorize.

Checking APIs

When using the API with Cloud Access Management for the first time in your project, you might get an error through the SDK. The API access has to be explicitly enabled on the Google Cloud console before Cloud Access Management can call these APIs.

  1. Navigate to the API & Services dashboard to enable APIs and services.

  2. Use the API Library to select and enable the following APIs:

    • IAM API
    • Compute Engine API
    • Service Management API
    • Cloud Resource management API
    • Cloud Functions API
    • Cloud SQL API

Additional APIs may be needed to process new types of resources.

Registering Your Google Cloud Platform Organization with SailPoint

  1. Open the drop-down menu in the Google Cloud Platform console and copy the organization ID.

  2. Enter your administrator email. This email must have admin access to G Suite. The domain must be the same as the organization name. For example, if the organization name is "testorg.com", then the admin email will need to be formatted like "smith@testorg.com".

  3. In the IAM & admin panel, select Settings.

  4. Enter any custom name as the account name.

  5. Enter the administrator email.

  6. Paste the organization ID.

  7. Upload or paste the JSON file you received when creating the key for the service account. See step six of creating service accounts.

Setting up the Command-Line Interface

You can set up the Google Cloud command-line interface (the gcloud CLI) by following the instructions in the Google documentation.

Once you've installed the gcloud CLI, open a terminal, run gcloud init, and log in using a browser.