Skip to content

Prerequisites for AWS

This section describes the minimal set of permissions required to configure a File Access Manager AWS connector.

It is a step-by-step guide, including AWS Console Screens.

Make sure your system fits the descriptions below before starting the installation.

There are two methods to configure the AWS File Access Manager connector, and the require configuration is different for each.

  • EC2 instance to run File Access Manager (This is the recommended method).

  • Dedicated IAM user.

Software Requirements

File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of .NET Runtime and ASP .NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

Configuring an EC2 for File Access Manager Connector

This is the recommended connection method for the File Access Manager connector.

Create a role and policies to enable running the File Access Manager activities on all accounts in the organization.

  1. Sign into your AWS account. AWS Sign In

  2. Create a new policy “FileAccessManager_AssumeRolePolicy”.

    This policy will allow the File Access Manager application, created in the next step, to perform an Assume Role on the roles that will be created in each account.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::*:role/IdentityIQ_FileAccessManagerRole"
              }
          ]
      }
    

    Create policy

  3. Create a new role.

    • Select AWS Service as the trusted entity type.

    • Select EC2 as the service.

    Create Role

  4. Attach the role to the FileAccessManager_AssumeRolePolicy policy created above. Attach Role

  5. Give the role a name (e.g. FileAccessManager_EC2_Role) and create it. Name Role

  6. If you are creating a new EC2 instance select the above role as the IAM role for the instance. Configure EC2 Instance

  7. If you are using an existing EC2 instance, modify the IAM role to the role above in the option EC2 > Instances > Actions > Security > Modify IAM role. Modify IAM Role

  8. Create a new policy for each organization account the connector is supposed to analyze.

    Create a new policy called “FileAccessManager_S3IAMReadOnlyAccessPolicy” with all the required permissions for the connector.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListAllMyBuckets",
                      "s3:ListBucket",
                      "s3:GetBucketAcl",
                      "s3:GetBucketLocation",
                      "s3:GetBucketPolicy",
                      "s3:GetBucketPolicyStatus",
                      "s3:GetBucketPublicAccessBlock",
                      "s3:GetAccountPublicAccessBlock",
                      "s3:GetObject",
                      "s3:GetObjectAcl",
                      "iam:ListAttachedGroupPolicies",
                      "iam:ListAttachedRolePolicies",
                      "iam:ListAttachedUserPolicies",
                      "iam:ListGroupPolicies",
                      "iam:ListGroups",
                      "iam:ListPolicies",
                      "iam:ListPolicyVersions",
                      "iam:ListRolePolicies",
                      "iam:ListRoles",
                      "iam:ListUserPolicies",
                      "iam:ListUsers",
                      "iam:GetGroup",
                      "iam:GetGroupPolicy",
                      "iam:GetPolicy",
                      "iam:GetPolicyVersion",
                      "iam:GetRolePolicy",
                      "iam:GetUserPolicy",
                      "organizations:ListAccountsForParent",
                      "organizations:ListRoots",
                      "organizations:ListAccounts",
                      "organizations:ListOrganizationalUnitsForParent"
                  ],
                  "Resource": "*"
              }
          ]
      }
    

    Read Only Access Policy

  9. Create a new role for the File Access Manager user to assume.

    On each organization account the connector should analyze, create a new role called “FileAccessManagerRole” which the FAM user will assume. Select Another AWS Account and enter the account Id of the organization’s management account.

    Important

    The role name should be kept as FileAccessManagerRole.

    Role for User to Assume

  10. Attach the FileAccessManager_S3IAMReadOnlyAccessPolicy policy created above. Attach Policy

  11. Enter the role name - FileAccessManagerRole. Role Name

  12. Edit the trust relationship of the new role. Edit Role

  13. Edit the json file. Replace “root” in the Principal section with

    assumed-role/{**EC2 role name**}/{**EC2 instance ID**}

    Where:

    • “EC2 role name” is the name of the role created above (“FileAccessManager_EC2_Role“ in this manual).
    • “EC2 instance ID” is the ID of the instance on which the FAM application is installed.
         {
           "Version": "2012-10-17",
           "Statement": [
             {
               "Effect": "Allow",
               "Principal": {
                 "AWS": [
                 "AWS": "arn:aws:iam::{The EC2 instance account Id}:assumed-role/{EC2 instance role name}/{EC2 instance Id}"
                 ]
               },
               "Action": "sts:AssumeRole"
             }
           ]
         }
      

    Edit Trust Relationship

Creating a Dedicated IAM User

Note

The recommended method to install the File Access Manager connector is using the EC2 Login method. See Configuring an EC2 for File Access Manager Connector. If you wish to use a dedicated IAM user login instead, follow this section:

To configure the connector, create dedicated users with the appropriate users and policies:

  1. Sign into your organization’s management account. Login In

  2. Create a new policy “IdentityIQ_FileAccessManager_AssumeRolePolicy”.

    This policy will allow the File Access Manager user created in the next step to perform an Assume Role on the roles that will be created in each account.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::*:role/IdentityIQ_FileAccessManagerRole"
              }
          ]
      }
    

    Create Policy

  3. Create an IAM User for File Access Manager and select Programmatic access. This access requires an access key and secret key. Create IAM User

  4. Attach the policy IdentityIQ_FileAccessManager_AssumeRolePolicy policy created above to the new user. Add Policy

  5. Save the generated Access Key and Secret Key in a secure place. Generate and Save Access Key and Secret Key

  6. On each organization account the connector should analyze - Create new policy “IdentityIQ_FileAccessManager_S3IAMReadOnlyAccessPolicy” with all the required permissions for the connector.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListAllMyBuckets",
                      "s3:ListBucket",
                      "s3:GetBucketAcl",
                      "s3:GetBucketLocation",
                      "s3:GetBucketPolicy",
                      "s3:GetBucketPolicyStatus",
                      "s3:GetBucketPublicAccessBlock",
                      "s3:GetAccountPublicAccessBlock",
                      "s3:GetObject",
                      "s3:GetObjectAcl",
                      "iam:ListAttachedGroupPolicies",
                      "iam:ListAttachedRolePolicies",
                      "iam:ListAttachedUserPolicies",
                      "iam:ListGroupPolicies",
                      "iam:ListGroups",
                      "iam:ListPolicies",
                      "iam:ListPolicyVersions",
                      "iam:ListRolePolicies",
                      "iam:ListRoles",
                      "iam:ListUserPolicies",
                      "iam:ListUsers",
                      "iam:GetGroup",
                      "iam:GetGroupPolicy",
                      "iam:GetPolicy",
                      "iam:GetPolicyVersion",
                      "iam:GetRolePolicy",
                      "iam:GetUserPolicy",
                      "organizations:ListAccountsForParent",
                      "organizations:ListRoots",
                      "organizations:ListAccounts",
                      "organizations:ListOrganizationalUnitsForParent"
                  ],
                  "Resource": "*"
              }
          ]
      }
    

Create Policy JSON.

  1. Create a new role “IdentityIQ_FileAccessManagerRole” which the File Access Manager user will assume on each organization account the connector should analyze. Select Another AWS Account and enter the user account ID. Select Trusted Entity

  2. Attach the policy IdentityIQ_FileAccessManager_S3IAMReadOnlyAccessPolicy created above. Attach Policy

  3. Enter the role name - IdentityIQ_FileAccessManagerRole.

    Important

    This name cannot be changed.

    Enter Role Name

  4. Edit the trust relationship of the new role. Edit Trust Relationship

  5. Edit the json file. Replace “root” in the Principal section with

    user/{FAM IAM User username}

    Where:

    • “FAM IAM User username” is the user created above.
         {
           "Version": "2012-10-17",
           "Statement": [
             {
               "Effect": "Allow",
               "Principal": {
                 "AWS": [
                   "arn:aws:iam::{The user account ID}:user/{FAM IAM User username}"
                 ]
               },
               "Action": "sts:AssumeRole"
             }
           ]
         }
      

    Edit Trust Relationship