
Configuring Cloud Service Providers

To enable Cloud Access Management, you'll need to configure each of your cloud sources to allow SailPoint to securely access the information it needs to govern your cloud workloads.

Follow the instructions below to connect Cloud Access Management with each supported cloud platform you want to govern.

Configuring Amazon Web Services Cloud

To configure Cloud Access Management for your Amazon Web Services source, you'll need to give it access to your Amazon Web Services policies and resources inventory, and the ability to read the logs in your CloudTrail bucket. To do this, you'll create a new role and associate it with the policies required to access resources in your Amazon Web Services source, and provide read access to your CloudTrail S3 bucket.

You can configure Amazon Web Services using a CloudFormation template or manually.

You can connect to AWS sources by adding the organization or by adding single member accounts manually.

Note

We recommend you connect to AWS organizations, as opposed to individual member accounts, so that you can see the full hierarchy of your organization.

Connecting AWS Organizations Using CloudFormation

To add AWS organization sources, you can use a CloudFormation template and StackSets.

You can use StackSets to create resources for each member account within the organizational unit or whole organization. This excludes the root management account. Resources for the root management account will not be created even if it's a part of an organizational unit. See the AWS documentation on creating a stack set.

You'll need to know your organization's CloudTrail ARN. See the AWS documentation on how to create a trail for your organization. See how to find an existing organization CloudTrail ARN.

To allow Cloud Access Management to gather data from all member accounts within organizations, the SecurityAudit role is required (read-only access to S3, DynamoDB, EC2, IAM, Lambda, SNS, CloudTrail, Cognito etc.) with an external ID that will be provided on onboarding.

To create permissions for organization onboarding with organization level CloudTrail:

  • Create a stack set on the root management account using this CloudTrail template.

  • Create a stack on the root management account using this CloudTrail template.

  • Manually create an OrganizationTrail and add the subscription to a previously created SNS topic.

Connecting Single AWS Source Accounts Using CloudFormation

In order to use CloudFormation, you will need to have CloudTrail enabled. While CloudFormation can be used to create an S3 bucket, the default and recommended behavior is to use CloudFormation with an existing S3 bucket.

Warning

If you choose to create a new S3 bucket for CloudTrail, Cloud Access Management will not have historical usage data and some of the capabilities will not work.

In Stacks, select the dropdown menu Create stack. Select With new resources (standard).

There are four steps to creating a stack:

  1. Specify template

    Select Upload a template file and choose the appropriate JSON file. We recommend you use an existing S3 bucket and this CloudFormation Template.

    Select Next.

  2. Specify stack details

    • BucketName

      In BucketName, add the name of the existing bucket with CloudTrail logs. You can find this information by going to CloudTrail configuration and viewing Trails.

    • ExternalID

      Enter any unique external ID. You will want to keep this information secret.

    • RoleName

      Create a name for this role.

    • RolePolicyName

      This role needs the SecurityAudit managed policy in order to receive read access to all the resources in that source account. In addition to the SecurityAudit policy, this new role needs a policy to read the S3 objects under the CloudTrail bucket. Provide the name of this policy here. For example, "SailPointCAMAuditPolicy".

    • TopicName

      Name the SNS topic. All of the CloudTrail logs go to this defined SNS topic where Cloud Access Management picks up the usage data.

    • TrailName

      This is the name of the Trail, which you can find in the CloudTrail section.

  3. Configure stack options

    Scroll to the bottom and select Next.

  4. Review

    Scroll to the bottom and check the box under Capabilities to acknowledge that Amazon Web Services CloudFormation may create Identity and Access Management (IAM) resources with custom names.

When you've completed all of these steps, you will be redirected to see your stacks. Select the name of the stack you just created and look at the Outputs tab to find the information you will need to enter into Cloud Access Management.

Configuring a Central CloudTrail Bucket

If you have set up CloudTrail logs and would like them to be sent to a bucket owned by a central, management account, follow these directions. After setting up CloudFormation in the subaccounts (accounts falling under the Management Logging Account), add a policy to the bucket owned by the Management Logging Account.

Note

This action only has to be taken on the bucket of the Management Logging Account. The CloudFormation template manages subaccounts.

  1. In Amazon Web Services Console, search for or select S3.

  2. Search for and select the Management Logging Account bucket you want the CloudTrails to be sent to.

  3. In the bucket menu, select Permissions and Bucket Policy.

  4. In the bucket policy editor, copy and paste the following .json text and append it to the existing policy:

    {
        "Version": "2012-10-17",
        "Id": "Policy1583895588766",
        "Statement": [
            {
                "Sid": "Stmt1583895586297",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<RoleARN>"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::foo/*"
            },
            {
                "Sid": "Stmt1583895586298",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "<RoleARN>"
                },
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::foo"
            }
        ]
    }
    
  5. There are four areas in the JSON file that need editing to make it appropriate for your project:

    • Replace the two instances of RoleARN with the Role ARN you created earlier with CloudFormation (visible on the Outputs tab).

    • Replace the two instances of foo with your bucket name. In this example, that would be travis-cloud-trail.

Connecting AWS Manually

If you are not using the AWS Organizations feature, follow these directions for each Amazon Web Services account within your organization unit that you want to govern:

  1. Create a new Identity and Access Management role within your Amazon Web Services source account.

  2. Create a New Managed IAM Policy to assign policies to roles, users, and groups in your Amazon Web Services source account.

  3. Enable CloudTrail logging and SNS notifications to store trail information.

  4. Register your Amazon Web Services Cloud source account with Cloud Access Management.

Creating a New IAM Role

  1. Log in to the Amazon Web Services Management console.

  2. Search for "IAM".

  3. On the left, select Roles and choose Create Role.

  4. Choose the Another Amazon Web Services Account option.

  5. In the Account ID field, enter the SailPoint account number for Cloud Access Management: 874540850173.

  6. Check the Require external ID option and enter any string in the External ID field. You will need this later to connect your AWS source account with Cloud Access Management.

  7. Select Next: Permissions.

  8. Search for and select the SecurityAudit policy to associate it with the role you're creating.

  9. Select Next: Tags. Tags are optional.

  10. Select Next: Review. Enter an appropriate name for the role (e.g., "SailPointAuditRole"), and a meaningful description such as "Used by SailPoint to read security policies".

  11. Select Create role to complete the process. The new role is displayed in the list of all roles.

  12. Select the new role name to view its details and make note of the following information:

    • The Role ARN listed on the Summary page for the newly created role.

    • Select Trust relationships, and under Conditions, locate the ExternalId key for the role.

    Important

    You'll need this information to register your AWS source accounts with Cloud Access Management.

Creating a New Managed IAM Policy

In order to grant Cloud Access Management access to your CloudTrail events, create a new managed IAM policy using the following steps.

  1. In IAM, expand Access management in the left menu and select Policies.
  2. Select Create policy to create a managed policy (e.g., SPGovernIAMPolicy).
  3. Add the following permissions to the JSON file:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::YourCloudtrailBucketName"
            }
        ]
    }
    

    Note

    Replace YourCloudtrailBucketName with the name of your CloudTrail bucket.

  4. Select Review policy at the bottom. Enter a name and optional description.

  5. Select Create policy.
  6. This directs you to the policy overview page. Select the radio button next to the policy name.
  7. Select the Policy actions dropdown menu and choose Attach to attach the policy to users, groups, or roles in your accounts.
  8. Select Attach policy to assign the new managed policy to the SailPointAuditRole you created previously.

Enabling CloudTrail Logging and SNS Notifications

After you've created a role with sufficient permissions, you'll need to enable CloudTrail event processing and log delivery. You can use an existing S3 bucket to store the CloudTrail logs or create a new one.

  1. In the Amazon Web Services Management console, select Services and search for "CloudTrail". Select Trails to access the CloudTrail service page.

  2. Select the trail name you want to use or select Create trail to create a new S3 bucket for your CloudTrail logs. Under Storage location, select Create new S3 bucket.

    Important

    Save your CloudTrail name as you'll need it to register your AWS source cloud accounts.

  3. To configure the Simple Notification Service (SNS) for log file delivery, expand Additional settings and:

    a. SNS notification delivery — Select Enabled to send an SNS notification for every log file delivery.

    b. Create a new SNS topic — Select New.

    c. SNS topic — Enter an appropriate name and select Next.

    d. Create an access policy — Set up your access policy to allow Cloud Access Management to subscribe to the CloudTrail logs.

  4. Verify that the status of the CloudTrail subscription is healthy by looking for the green check mark in the Status column.

  5. Copy the Amazon Resource Name (ARN) of the SNS topic that's created to somewhere accessible.

  6. To allow Cloud Access Management to subscribe to the CloudTrail logs, you will need to create an access policy.
    1. In the AWS Console, select Services and search for "SNS".
    2. Select Topics from the left menu.
    3. Select the topic you created for Cloud Access Management and select Edit.
    4. Expand Access policy to show the JSON editor. Append the following code into the editor:
      {
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::874540850173:root"
              ]
          },
          "Action": [
              "SNS:Subscribe",
              "SNS:Receive"
          ],
          "Resource": "<ARN of the SNS topic created for CAM>"
      }
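The policy documents that the manual AWS steps above ask you to create by hand (the role trust policy with its external ID, the CloudTrail bucket-read policy, and the SNS topic statement), together with the "append to the existing policy" step from Configuring a Central CloudTrail Bucket, as an added Python example that is not SailPoint's code: it builds each document from your bucket name, topic ARN and external ID, merges statements into an existing policy with a unique-Sid check, and runs the read-only and external-ID checks a reviewer would apply before attaching anything. The function names, Sids and sample values are this example's own; the account number and actions are the ones on the page.

```python
import json

CAM_ACCOUNT_ID = "874540850173"  # SailPoint account number quoted on the page
READ_ONLY = {"s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket",
             "SNS:Subscribe", "SNS:Receive"}   # the only actions CAM needs

def trust_policy(external_id):
    """Trust policy for the audit role: the SailPoint account may assume it
    only when it presents the agreed external ID ('Require external ID' in
    the console), the standard confused-deputy protection."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "CamAssumeRole", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CAM_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def cloudtrail_read_policy(bucket):
    """Managed policy from 'Creating a New Managed IAM Policy': read the
    objects under the CloudTrail bucket and list/locate the bucket itself."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CamReadTrailObjects", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Sid": "CamListTrailBucket", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"}]}

def sns_subscribe_statement(topic_arn):
    """Statement to append to the SNS topic policy so CAM can subscribe to
    CloudTrail log-delivery notifications (the actions listed on the page)."""
    return {"Sid": "CamSubscribe", "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{CAM_ACCOUNT_ID}:root"]},
            "Action": ["SNS:Subscribe", "SNS:Receive"], "Resource": topic_arn}

def append_statements(policy, statements):
    """Merge statements into an existing policy (bucket or topic) without
    mutating it. Sids must be unique within one policy, so a clash raises
    instead of producing a document AWS rejects."""
    merged = json.loads(json.dumps(policy))  # deep copy of the original
    merged.setdefault("Statement", [])
    seen = {s["Sid"] for s in merged["Statement"] if "Sid" in s}
    for s in statements:
        if "Sid" in s and s["Sid"] in seen:
            raise ValueError(f"duplicate Sid {s['Sid']!r}")
        seen.add(s.get("Sid"))
        merged["Statement"].append(s)
    return merged

def review(policy):
    """Reviewer checks: read-only actions only, no resource wildcard, and
    any AssumeRole grant must demand an external ID. Returns the findings."""
    problems = []
    for s in policy["Statement"]:
        sid = s.get("Sid", "?")
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if s.get("Resource") == "*":
            problems.append(f"{sid}: resource wildcard")
        for a in actions:
            if a == "sts:AssumeRole":
                cond = s.get("Condition", {}).get("StringEquals", {})
                if "sts:ExternalId" not in cond:
                    problems.append(f"{sid}: AssumeRole without ExternalId")
            elif a not in READ_ONLY:
                problems.append(f"{sid}: non read-only action {a}")
    return problems
```

Run `review()` over the policy you are about to paste into the console; an empty list means the grant is read-only, scoped to the bucket or topic, and the trust relationship still requires the external ID.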

After you've completed all of the steps above, you're ready to connect the two services to the Cloud Access Management portal. See Getting Started.

Configuring Azure Cloud

To configure Cloud Access Management for Azure Cloud, you'll need to register Cloud Access Management and give it the permissions required to read your Azure policies and resources inventory.

Note

You'll need Azure admin privileges to configure the access required by Cloud Access Management to govern Azure Cloud.

Follow these high-level steps:

  1. Register Cloud Access Management as a new application with Azure Cloud.

  2. Grant the permissions required to read your Azure Cloud policies and resources inventory.

Registering Cloud Access Management with Azure Cloud

The first thing you need to do is register Cloud Access Management with Azure Cloud to begin connecting the two services.

  1. Log in to the Azure Cloud portal and select Azure Active Directory.

  2. Select Properties in the left sidebar.

  3. Copy the tenant ID that's displayed and save it somewhere accessible, as you'll need this information to register the cloud source with Cloud Access Management.

  4. Select App registrations in the left sidebar and select New registration to register Cloud Access Management.

  5. Enter an appropriate user-facing name for the new application (e.g., "SailPoint Cloud Access Management"), and keep the default single tenant option checked to ensure that only accounts in the organizational directory can access this application.

  6. Under Redirect URI, select Web from the dropdown menu, and enter https://cam.sailpoint.com in the field provided.

  7. Select Register to register Cloud Access Management with Azure Cloud.

  8. Copy the Application ID that's generated, as you'll need this information to register the cloud source with Cloud Access Management.

Granting Read Permissions to Cloud Access Management

After you've registered Cloud Access Management with Azure Cloud, you must grant it the permissions required to read the security policies configured for the Azure source and the resources inventory. Specifically, you'll need to set up a global admin role in order to enable read settings for your Azure Active Directory and Microsoft Azure sources.

Setting Up the Global Admin Role

With the global admin role, you can grant access at the root management group level so that every subscription inherits the Reader role from its management group.

To set up the global admin role:

  1. Select Properties in Azure Active Directory.
  2. Select the toggle for "Access management for Azure resources" to set it to Yes. This will allow you to manage access to all Azure subscriptions and management groups in the tenant.

Enabling Read Access to Azure AD

You will need to enable the Directory.Read.All setting so that Cloud Access Management can read the Azure AD inventory.

In the Azure Cloud portal:

  1. Select API Permissions in the left sidebar and choose Add a permission.
  2. In the list of APIs, select Azure Active Directory Graph.
  3. Select Application permissions and expand the Directory category.
  4. Select the Directory.Read.All option to allow Cloud Access Management to read directory data on your Microsoft Azure source.
  5. Select Add permissions and Grant admin consent for SailPoint to add the permissions to Cloud Access Management.

Enabling Read Access to Microsoft Azure

You will need to enable the Directory.Read.All setting so that Cloud Access Management can read the Microsoft Azure inventory.

In the Azure Cloud portal:

  1. Select API Permissions in the left sidebar and choose Add a permission.
  2. In the list of APIs, select Microsoft Graph.
  3. Select Application permissions and expand the Directory category.
  4. Select the Directory.Read.All option to allow Cloud Access Management to read directory data on your Microsoft Azure source.
  5. Select Add permissions and Grant admin consent for SailPoint to add the permissions to Cloud Access Management.

Granting Access to the Management Groups Tree

Once you have the correct permissions, you will need to grant access to the entire management groups tree.

  1. Select Management groups service in the Azure Cloud portal.
  2. Select (details) next to the Tenant Root Group.
  3. In the sidebar, select Access control (IAM).
  4. Select + Add.
  5. On the Add a role assignment card, select Add.
  6. In the Role field, select the Reader role.
  7. In the Select field, search for the application name you created earlier, such as SailPoint Cloud Access Management.
  8. Select Save to assign the Reader role to Cloud Access Management.

Creating a Client Secret for Cloud Access Management

Next, you'll need to create a client (application) secret for Cloud Access Management.

  1. Remaining in the Azure Cloud portal, select Certificates and secrets in the left sidebar.

  2. Under Client secrets, select + New client secret and add a description and expiration date.

  3. Copy the client secret value that's generated and enter the client secret in the Application Secret field when you register the cloud source with Cloud Access Management.

Configuring Google Cloud Platform

To configure Google Cloud Platform to work with Cloud Access Management, you'll need to create a project and service account, manage access, check APIs, register your Google Cloud Platform organization with SailPoint, and set up your command-line interface.

Creating Project and Service Accounts

To set up a new project:

  1. In the IAM & admin tab on the left, select Service accounts.

  2. Select CREATE PROJECT on the right.

  3. Enter the Project name. This will create a Project ID that cannot be changed later.

  4. Select the Organization and Location of the Project.

  5. Select CREATE.

To create a service account for an existing project:

  1. In the IAM & admin tab on the left, select Service accounts.

  2. Select + CREATE SERVICE ACCOUNT at the top.

  3. Name your service account and add a description then select CREATE.

  4. Select DONE to see the Service accounts page. From the Actions column, select Manage keys to pair your service account with a key.

  5. Create your key, which allows the code to provide credentials to the API and will generate a JSON file.

    Caution

    Any application can access the organization through this JSON file so save it in a secure place.

Granting Service Account Access to an Organization

  1. Select IAM from the IAM & admin panel on the left.

  2. Select Add and search for or paste the service account email into the New members field.

  3. Use the dropdown menu to add these roles:

    • Security Reviewer
    • Organization Policy Viewer
    • Folder Viewer
    • Storage Object Viewer
    • Viewer
    • Organization Role Viewer
    • Organization Viewer

Granting Service Account Access to the Domain

You will need to grant the service account access to your G Suite domain.

  1. Select Service accounts in the IAM & admin panel.

  2. Choose the email of the desired service account. This will open the Service account details.

  3. Select Edit and check the Enable G Suite Domain-wide Delegation box.

  4. Enter a product name in the OAuth consent field and select SAVE. The service account now has domain-wide access.

Establishing Privileges and Access for the Service Account

To determine the access and privileges assigned to your service account, log in to the admin console of the G Suite domain. Use an account that can make security changes.

  1. In https://admin.google.com, select Security > API Controls > Domain-wide Delegation.

  2. Enter the exact scope of what the service account is allowed to do on the domain:

    • https://www.googleapis.com/auth/admin.directory.user.readonly
    • https://www.googleapis.com/auth/admin.directory.group.readonly

  3. In the Client ID box, enter the Unique ID that was generated when you created the service account. This can be found in the Service accounts details page.

  4. Select Authorize.

Checking APIs

When using the API with Cloud Access Management for the first time in your project, you might get an error through the SDK. The API access has to be explicitly enabled on the Google Cloud console before Cloud Access Management can call these APIs.

  1. Navigate to the API & Services dashboard to enable APIs and services.

  2. Use the API Library to select and enable the following APIs:

    • Compute Engine
    • Cloud Functions
    • Cloud Logging
    • Cloud Resource Manager
    • Cloud Key Management Service (KMS)
    • Cloud Bigtable Admin
    • Cloud SQL Admin
    • Identity and Access Management (IAM)
    • Admin SDK
    • BigQuery

Additional APIs may be needed to process new types of resources.

Registering Your Google Cloud Platform Organization with SailPoint

  1. Select the dropdown menu in the Google Cloud Platform console and copy the organization ID.

  2. In Cloud Access Management, enter any custom name as the source name or paste the organization ID.

  3. Enter your administrator email. This email must have admin access to G Suite. The domain must be the same as the organization name. For example, if the organization name is "testorg.com", then the admin email will need to be formatted like "smith@testorg.com".

  4. Upload or paste the JSON file you received when creating the key for the service account. See step five of creating service accounts.

Setting up the Command-Line Interface

You can set up the Google Cloud command-line interface (gcloud) by following the instructions in the Google documentation.

Once you've installed the gcloud CLI, open the terminal, run gcloud init, and log in using a browser.