Nailing the Security Audit with RRCU

ConductorOne docs

Set up an Amazon Web Services (AWS) v2 connector

ConductorOne provides identity governance for AWS. Integrate your AWS instance with ConductorOne to run user access reviews (UARs) and enable just-in-time (JIT) access requests.

This is an updated and improved version of the AWS connector! If you’re setting up AWS with ConductorOne for the first time, you’re in the right place.

Capabilities

  • Sync IAM and Identity Center user identities from AWS to ConductorOne

  • Resources supported:

    • IAM roles
    • IAM groups
    • Identity Center groups
    • Accounts (via Permission Sets)
  • Provisioning supported:

    • Identity Center users to Identity Center groups
    • Identity Center users and Identity Center groups to Accounts (via Permission Sets)
    • IAM users to IAM groups

Known limitations

  • Cross-account Assume Role is not currently supported

Add a new AWS v2 connector

This task requires either the Connector Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for AWS v2 and click Add.

  3. Choose how to set up the new AWS connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

    Do you SSO into AWS using your identity, SSO, or federation provider? If so, make sure to add the connector to the unmanaged AWS app that was created automatically when you integrated your provider with ConductorOne, rather than creating a new managed app.

  1. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    The AWS connector owner must have the following permissions:

    • Connector Administrator or Super Administrator role in ConductorOne
    • Ability to create an IAM Role in AWS ConductorOne uses an IAM Trust relationship between your AWS Account and ConductorOne’s Service AWS Account. This is the AWS recommended method of sharing access to AWS Accounts. ConductorOne has a specially created and isolated AWS Account dedicated to the AWS integration. For advanced configurations, the only trusted entity should be the following ARN: arn:aws:iam::765656841499:role/ConductorOneService
  1. Click Next.

Next steps

  • If you are the connector owner, proceed to Configure your AWS connector for instructions on integrating AWS with ConductorOne.

  • If someone else is the connector owner, ConductorOne will notify them by email that their help is needed to complete the setup process.

Configure your AWS connector

A user with the Connector Administrator or Super Administrator role in ConductorOne and the ability to create an IAM Role in AWS must perform this task.

Step 1: Get ConductorOne-provided External ID for AWS IAM Role

  1. In ConductorOne, navigate to the AWS connector by either:

    • Clicking the Set up connector link in the email you received about configuring the connector.

    • Navigate to Connectors > AWS v2 (if there is more than one AWS v2 listed, click the one with your name listed as owner and the status Not connected).

  2. Find the Settings area of the page and click Edit.

  3. Copy and save the External ID populated in the External ID field. We’ll use this in Step 2.

Step 2: Create an AWS IAM Role for ConductorOne to use

  1. In a new browser tab, sign in to your AWS Account using your existing credentials or SSO.

    To support use of AWS Organizations: You must create this IAM Role in the management (formerly called master) account of the AWS Organization.

  1. Navigate to the IAM Dashboard and select Roles > Create Role.

  2. Select Custom Trust Policy and paste the following into the Trust Policy JSON editor, replacing EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE with the value from Step 1.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::765656841499:role/ConductorOneService"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE"
            }
          }
        }
      ]
    }
    
  3. Click Next.

  4. Skip Add permissions and click Next.

  5. Give the role a name, such as ConductorOneIntegration.

  6. Add any tags relevant to your organization and click Create Role.

  7. Find the newly created role, and click on it to view the role details page.

  8. Under Permissions Policies, click Add Permissions and select Create Inline Policy.

  9. Switch to the JSON Editor tab and paste the following policy into the editor:

    {
      "Statement": [
        {
          "Action": [
            "iam:GetGroup",
            "iam:ListAccountAliases",
            "iam:ListGroups",
            "iam:ListRoles",
            "iam:ListUsers",
            "identitystore:GetGroupMembershipId",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "identitystore:ListUsers",
            "organizations:ListAccounts",
            "sso:DescribePermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListInstances",
            "sso:ListPermissionSets",
            "sso:ListPermissionSetsProvisionedToAccount"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "ConductorOneReadAccess"
        },
        {
          "Action": [
            "iam:AddUserToGroup",
            "iam:RemoveUserFromGroup",
            "sso:CreateAccountAssignment",
            "sso:DeleteAccountAssignment",
            "identitystore:CreateGroupMembership",
            "identitystore:DeleteGroupMembership",
            "sso:DescribeAccountAssignmentCreationStatus",
            "sso:DescribeAccountAssignmentDeletionStatus"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "ConductorOneProvisionAccess"
        },
        {
          "Sid": "AccessToSSOProvisionedRoles",
          "Effect": "Allow",
          "Action": [
            "iam:AttachRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:PutRolePolicy",
            "iam:UpdateRole",
            "iam:UpdateRoleDescription"
          ],
          "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
        },
        {
          "Sid": "IAMListPermissions",
          "Effect": "Allow",
          "Action": [
            "iam:ListRoles",
            "iam:ListPolicies"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetSAMLProvider"
          ],
          "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
        }
      ],
      "Version": "2012-10-17"
    }
    

    A note about permissions. The permissions listed in the "Sid": "IAMListPermissions" and "Sid": "AccessToSSOProvisiondRoles" sections are required only if you want to use ConductorOne to create assignments in the AWS Organization’s management account. In certain cases, you may also need to add iam:UpdateSAMLProvider to these sections.

  1. Click Review Policy.

  2. Give the policy a name, such as ConductorOnePermissions and click Create Policy.

  1. Copy the Role ARN for the Role we created, it should look like: arn:aws:iam::NNNNNNNNNN:role/ConductorOneIntegration (we’ll use this in Step 3).

Step 3: Add your AWS credentials to ConductorOne

  1. Return to ConductorOne and paste the AWS Role ARN you generated in Step 2 into the Role ARN field.

  2. Optional. Click the checkbox to Enable support for AWS Organizations.

    If support for AWS Organizations is enabled, the IAM Role (as described in Step 2) must be created in the management (formerly called master) account of the AWS Organization. If the IAM Role is created on a member account and support for AWS Organizations is enabled, the integration will return a 400 error.

  3. Optional. Click the checkbox to Enable support for AWS IAM Identity Center and select the region for AWS IAM Identity Center from the dropdown.

  4. Optional. To enable ConductorOne to sync the statuses of SSO accounts, click the checkbox to Enable usage of the AWS IAM Identity Center SCIM API and enter the SCIM endpoint and access token in the relevant fields.

  5. Click Save.

  6. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your AWS connector is now pulling access data into ConductorOne.

Integrate using Terraform

As an alternative to the instructions above, use the following Terraform script to integrate your AWS instance with ConductorOne.

Step 1: Get ConductorOne-provided External ID for AWS IAM Role

  1. Log into ConductorOne.

  2. Click Connectors > AWS Connector.

  3. Copy and save the External ID populated in the External ID field. We’ll use this in Step 2.

Step 2: Use a Terraform script to set up the AWS integration

variable "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE" {
  description = "ConductorOne-provided External ID for AWS IAM Role from Step 1"
  type        = string
}

resource "aws_iam_role" "ConductorOneIntegration" {
  name = "ConductorOneIntegration"
  assume_role_policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "arn:aws:iam::765656841499:role/ConductorOneService"
          },
          "Action" : "sts:AssumeRole",
          "Condition" : {
            "StringEquals" : {
              "sts:ExternalId" : var.EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE
            }
          }
        }
      ]
    })

  inline_policy {
    name = "ConductorOnePermissions"
    policy = jsonencode({
      "Statement" : [
        {
          "Action" : [
            "iam:GetGroup",
            "iam:ListAccountAliases",
            "iam:ListGroups",
            "iam:ListRoles",
            "iam:ListUsers",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "identitystore:ListUsers",
            "organizations:ListAccounts",
            "sso:DescribePermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListInstances",
            "sso:ListPermissionSets",
            "sso:ListPermissionSetsProvisionedToAccount"
          ],
          "Effect" : "Allow",
          "Resource" : "*",
          "Sid" : "ConductorOneReadAccess"
        },
        {
          "Action" : [
            "iam:AddUserToGroup",
            "iam:RemoveUserFromGroup",
            "sso:CreateAccountAssignment",
            "sso:DeleteAccountAssignment",
            "identitystore:CreateGroupMembership",
            "identitystore:DeleteGroupMembership",
            "sso:DescribeAccountAssignmentCreationStatus",
            "sso:DescribeAccountAssignmentDeletionStatus"
          ],
          "Effect" : "Allow",
          "Resource" : "*",
          "Sid" : "ConductorOneProvisionAccess"
        },
        {
          "Sid" : "AccessToSSOProvisionedRoles",
          "Effect" : "Allow",
          "Action" : [
            "iam:AttachRolePolicy",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DeleteRolePolicy",
            "iam:DetachRolePolicy",
            "iam:GetRole",
            "iam:ListAttachedRolePolicies",
            "iam:ListRolePolicies",
            "iam:PutRolePolicy",
            "iam:UpdateRole",
            "iam:UpdateRoleDescription"
          ],
          "Resource" : "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
        },
        {
          "Sid" : "IAMListPermissions",
          "Effect" : "Allow",
          "Action" : [
            "iam:ListRoles",
            "iam:ListPolicies"
          ],
          "Resource" : "*"
        },
        {
          "Effect" : "Allow",
          "Action" : [
            "iam:GetSAMLProvider"
          ],
          "Resource" : "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
        }
      ],
      "Version" : "2012-10-17"
    })
  }
}