Configuring an EC2 for File Access Manager Connector
This is the recommended connection method for the File Access Manager connector.
Create a role and policies to enable running the File Access Manager activities on all accounts in the organization.
- Sign in to your AWS account.
- Create a new policy “FileAccessManager_AssumeRolePolicy”. This policy allows the File Access Manager application (created in the next step) to perform AssumeRole on the roles that will be created in each account. See IdentityIQ_FileAccessManager_AssumeRolePolicy.json in Appendix A.
- Create a new role:
  - Select AWS Service as the trusted entity type.
  - Select EC2 as the service.
  - Attach the FileAccessManager_AssumeRolePolicy policy created above to the role.
  - Give the role a name (e.g. FileAccessManager_EC2_Role) and create it.
- If you are creating a new EC2 instance, select the above role as the IAM role for the instance.
- If you are using an existing EC2 instance, change its IAM role to the role above under EC2 > Instances > Actions > Security > Modify IAM role.
- Create a new policy for each organization account the connector is supposed to analyze: create a policy called “FileAccessManager_S3IAMReadOnlyAccessPolicy” with all the permissions the connector requires. See IdentityIQ_FileAccessManager_S3IAMReadOnlyAccessPolicy.json in Appendix A.
- Create a new role for the File Access Manager user to assume. On each organization account the connector should analyze, create a new role called “FileAccessManagerRole”, which the FAM user will assume. Select “Another AWS Account” and enter the account ID of the organization’s management account. The role name should be kept as FileAccessManagerRole.
  - Attach the FileAccessManager_S3IAMReadOnlyAccessPolicy policy created above.
  - Enter the role name: FileAccessManagerRole.
  - Edit the trust relationship of the new role.
  - Edit the JSON: replace “root” in the Principal section with “assumed-role/{EC2 role name}/{EC2 instance ID}”, where “EC2 role name” is the name of the role created above (“FileAccessManager_EC2_Role” in this manual) and “EC2 instance ID” is the ID of the instance on which the FAM application is installed. See IdentityIQ_FileAccessManagerRole.json [EC2] in Appendix A.
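The two policy documents above can be generated from the session ARN that `aws sts get-caller-identity` returns on the EC2 instance, whose session name is the instance ID. The following is an added example, not SailPoint's code or the Appendix A files; it assumes the role names used in this manual and that the AssumeRole policy is scoped to an explicit list of member account IDs (the real Appendix A document may differ).

```python
import json
import re

# Role name the manual tells you to keep in every member account.
MEMBER_ROLE_NAME = "FileAccessManagerRole"

# Shape of the ARN that `aws sts get-caller-identity` returns on an instance
# carrying an instance-profile role: the session name is the instance ID.
_ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)

def parse_caller_arn(arn):
    """Return (management account ID, EC2 role name, instance ID) from the caller ARN."""
    m = _ASSUMED_ROLE_ARN.match(arn)
    if not m:
        raise ValueError("not an assumed-role session ARN: " + arn)
    return m.group("account"), m.group("role"), m.group("session")

def member_role_trust_policy(mgmt_account, ec2_role, instance_id):
    """Trust policy for FileAccessManagerRole in a member account.
    Starts from the 'Another AWS Account' default (...:root) and replaces 'root'
    with assumed-role/{EC2 role name}/{EC2 instance ID}, as the manual instructs."""
    default_principal = f"arn:aws:iam::{mgmt_account}:root"
    principal = default_principal.replace("root", f"assumed-role/{ec2_role}/{instance_id}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }

def assume_role_policy(member_accounts):
    """Identity policy for the EC2 role (assumption: limited to the listed member accounts)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{a}:role/{MEMBER_ROLE_NAME}" for a in member_accounts],
        }],
    }

if __name__ == "__main__":
    # Constructed sample caller ARN; the account and instance IDs are not real.
    acct, role, inst = parse_caller_arn(
        "arn:aws:sts::111111111111:assumed-role/FileAccessManager_EC2_Role/i-0123456789abcdef0")
    print(json.dumps(member_role_trust_policy(acct, role, inst), indent=2))
    print(json.dumps(assume_role_policy(["222222222222", "333333333333"]), indent=2))
```

Comparing the generated Principal with the one in the member account's trust relationship is a quick way to confirm that the instance ID in the trust policy is the one the FAM instance actually runs under.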