
Prerequisites for AWS

To use the Data Access Security AWS connector, you must have sufficient permissions in AWS to create a dedicated IAM user.

Creating Dedicated IAM Users

To configure the connector, you will create one dedicated IAM user in the management account, a policy that lets that user assume a role, and, in every account the connector should analyze, a role carrying the read-only permissions Data Access Security needs. The user's access key is what you later enter in the connector.

  1. Sign in to your organization's management account (the AWS Organizations management account).

  2. Use the SailPoint_DataAccessSecurity_AssumeRolePolicy.json policy document to create a policy titled "SailPoint_DataAccessSecurity_AssumeRolePolicy" so the Data Access Security user created in the next step can assume the role created in each account.

  3. Create an IAM user for Data Access Security and select Programmatic access. This access type requires an access key and secret key; do not give the user console access.

  4. Attach the "SailPoint_DataAccessSecurity_AssumeRolePolicy" policy created above to the new user.

    Important

    Save the generated access key and secret key in a secure place. AWS shows the secret key only once; if you lose it, you must create a new access key.

  5. On each organization account the connector should analyze, including the management account, use the SailPoint_DataAccessSecurity_S3IAMReadOnlyAccessPolicy.json policy document to create a policy titled "SailPoint_DataAccessSecurity_S3IAMReadOnlyAccessPolicy" with the required permissions for the connector. The management account always needs the organizations: permissions, because the connector uses them to enumerate the accounts. If you do not want the management account's own S3 and IAM data analyzed, create its policy with only the actions that start with organizations: and omit the s3: and iam: actions there.

  6. In each of those accounts, create a new role titled "SailPoint_DataAccessSecurityRole", which the Data Access Security user will assume. For the trusted entity, select Another AWS Account and enter the account ID of the management account, where the Data Access Security user was created.

  7. Attach the "SailPoint_DataAccessSecurity_S3IAMReadOnlyAccessPolicy" policy you created above.

  8. Enter the role name SailPoint_DataAccessSecurityRole.

    Important

    This name cannot be changed. The assume-role policy attached to the user allows sts:AssumeRole only on arn:aws:iam::*:role/SailPoint_DataAccessSecurityRole, so a role with any other name cannot be assumed.

  9. Edit the trust relationship of the new role.

  10. Replace the trust policy JSON.

    The console generates a trust policy whose Principal is the whole management account (arn:aws:iam::{The user account ID}:root), which would let any identity in that account assume the role. Use the DataAccessSecurity.json (Dedicated User) document instead and replace root in the Principal section with user/{DAS IAM User username}, where DAS IAM User username is the user created above, so only that user can assume the role.
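The procedure above produces three JSON documents whose names and ARNs must agree with each other: the user-side policy names the role, and the role's trust policy names the user. The following script is an added example (not SailPoint's code) that builds the trust policy for a given management account ID and user name, derives the organizations-only variant of the read-only policy for the management account, and checks the documents for the two mistakes that most often break the connector (a role name that does not match the assume-role policy, and a trust policy that still trusts the account root). The policy documents embedded below are the ones from the appendix of this page; the account ID 123456789012, the user name DataAccessSecurityUser and the optional live check built on boto3 are assumptions for illustration.

```python
"""Pre-flight checks for the Data Access Security AWS connector setup (added example, not SailPoint's code)."""
import copy
import json
import re

ROLE_NAME = "SailPoint_DataAccessSecurityRole"  # fixed: the assume-role policy's Resource ARN names it
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# SailPoint_DataAccessSecurity_AssumeRolePolicy.json, attached to the IAM user in the management account
ASSUME_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": f"arn:aws:iam::*:role/{ROLE_NAME}"}],
}

# SailPoint_DataAccessSecurity_S3IAMReadOnlyAccessPolicy.json, created in every analyzed account
S3_IAM_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketLocation",
        "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock", "s3:GetObject", "s3:GetObjectAcl",
        "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies",
        "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListPolicies", "iam:ListPolicyVersions",
        "iam:ListRolePolicies", "iam:ListRoles", "iam:ListUserPolicies", "iam:ListUsers",
        "iam:GetGroup", "iam:GetGroupPolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
        "iam:GetRolePolicy", "iam:GetUserPolicy",
        "organizations:ListAccountsForParent", "organizations:ListRoots", "organizations:ListAccounts",
        "organizations:ListOrganizationalUnitsForParent", "organizations:DescribeAccount",
    ]}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_trust_policy(account_id: str, username: str) -> dict:
    """Step 10: role trust policy naming the dedicated user (never the account root) as the only principal."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    if not username or "/" in username:
        raise ValueError(f"bad IAM user name {username!r}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": [f"arn:aws:iam::{account_id}:user/{username}"]}}]}


def management_account_policy(policy: dict) -> dict:
    """Step 5 variant: keep only organizations:* actions so the management account itself is not analyzed."""
    trimmed = copy.deepcopy(policy)
    for stmt in trimmed["Statement"]:
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a.startswith("organizations:")]
    return trimmed


def check_assume_role_policy(policy: dict, role_name: str = ROLE_NAME) -> list:
    """Problems in the user-side policy: every sts:AssumeRole Resource must point at the fixed role name."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        for res in _as_list(stmt["Resource"]):
            if not res.endswith(f":role/{role_name}"):
                problems.append(f"Resource {res} does not end in :role/{role_name}")
    return problems


def check_trust_policy(trust: dict, account_id: str, username: str) -> list:
    """Problems in a role trust policy: the principal must be the DAS user, not a whole account."""
    expected = f"arn:aws:iam::{account_id}:user/{username}"
    problems = []
    for stmt in trust["Statement"]:
        for p in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if p == "*" or p.endswith(":root"):
                problems.append(f"principal {p} trusts a whole account instead of the DAS user")
            elif p != expected:
                problems.append(f"principal {p} is not {expected}")
    return problems


def preflight(account_id: str, username: str) -> dict:
    """Offline consistency check of the documents for one management account / user pair."""
    trust = build_trust_policy(account_id, username)
    return {"assume_role_problems": check_assume_role_policy(ASSUME_ROLE_POLICY),
            "trust_problems": check_trust_policy(trust, account_id, username),
            "management_actions": management_account_policy(S3_IAM_READONLY_POLICY)["Statement"][0]["Action"]}


def verify_live(member_account_ids, session_name="das-preflight") -> dict:
    """Optional online check with the DAS user's access key in the environment: assume the role in each
    account and list buckets. boto3 (assumed installed) is imported here so the offline helpers need it not."""
    import boto3
    sts = boto3.client("sts")
    results = {}
    for acct in member_account_ids:
        try:
            creds = sts.assume_role(RoleArn=f"arn:aws:iam::{acct}:role/{ROLE_NAME}",
                                    RoleSessionName=session_name)["Credentials"]
            s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                              aws_secret_access_key=creds["SecretAccessKey"],
                              aws_session_token=creds["SessionToken"])
            results[acct] = f"ok: {len(s3.list_buckets()['Buckets'])} buckets visible"
        except Exception as exc:  # AccessDenied here usually means a wrong role name or trust policy
            results[acct] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    print(json.dumps(preflight("123456789012", "DataAccessSecurityUser"), indent=2))
```

Run the script as-is to see the generated trust policy checks and the organizations-only action list for the management account; call verify_live with the member account IDs, using the dedicated user's access key, to confirm that the role can actually be assumed and that the read-only permissions work before you configure the connector.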

Appendix: AWS JSON Scripts

You can copy or download the following JSON policy documents to create the roles and policies required to connect AWS and Data Access Security.

Important

Do not change the file names.

Assume Role Policy

Download or copy SailPoint_DataAccessSecurity_AssumeRolePolicy.json to create the policy attached to the dedicated IAM user. It allows sts:AssumeRole only on a role named SailPoint_DataAccessSecurityRole, in any account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/SailPoint_DataAccessSecurityRole"
        }
    ]
}

S3 IAM Read-Only Access Policy

Download or copy SailPoint_DataAccessSecurity_S3IAMReadOnlyAccessPolicy.json to create the policy attached to the role in each analyzed account. It grants read-only access to S3 buckets and objects, to IAM users, groups, roles and policies, and to the Organizations account structure; it contains no write actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "iam:ListAttachedGroupPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupPolicies",
                "iam:ListGroups",
                "iam:ListPolicies",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:GetGroup",
                "iam:GetGroupPolicy",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRolePolicy",
                "iam:GetUserPolicy",
                "organizations:ListAccountsForParent",
                "organizations:ListRoots",
                "organizations:ListAccounts",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}

Dedicated IAM User Trust Policy

Download or copy the DataAccessSecurity.json (Dedicated User) document to use as the trust relationship of SailPoint_DataAccessSecurityRole. It names the dedicated IAM user as the only principal allowed to assume the role; replace {The user account ID} with the management account ID and {DAS IAM User username} with the user created above.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{The user account ID}:user/{DAS IAM User username}"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Collecting Data Stored in an External Application

The list below describes the high-level installation process required to collect and analyze data from an external application. Most of these steps should already be completed in Data Access Security.

  1. Install one or more Permission Collection central engines using the server installer.
  2. Create an Application in Data Access Security. The application is linked to your installed central engines.
