Integrating AWS with the Delinea Platform (PCCE)

Integrating AWS with the Delinea Platform enables Privilege Control for Cloud Entitlements (PCCE) so you can discover identities, groups, and assets on your AWS account.

Configure AWS CloudTrail (Required for Log Ingestion)

Before performing any AWS integration steps, ensure that AWS CloudTrail is properly configured.

Delinea Platform requires access to AWS CloudTrail logs to analyze activity across your AWS accounts. These logs must be delivered to an Amazon S3 bucket. If CloudTrail is not currently writing logs to an S3 bucket, configure this before proceeding.

To ensure accuracy of Delinea’s entitlements and activity analysis, CloudTrail must:

  • Collect data from all regions

  • Collect global service events (such as IAM and STS API calls)

After CloudTrail is configured, the S3 bucket that stores the logs must allow the integration role (by default named AuthomizeCrossAccountTrustRole) to read them.

Granting the Role Permission to Access CloudTrail Logs

  1. In the AWS Management Console, go to S3.

  2. Locate and open the S3 bucket used for CloudTrail logs.

  3. Open the Permissions tab.

  4. Scroll to Bucket policy and select Edit.

Add the following policy statement, adjusting the placeholders accordingly:

{
    "Sid": "AllowGetObjectForDelineaRole",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<YOUR_BUCKET_ACCOUNT_ID>:role/AuthomizeCrossAccountTrustRole"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<YOUR_CLOUDTRAIL_BUCKET_NAME>/*"
}

Replace:

<YOUR_CLOUDTRAIL_BUCKET_NAME> with the exact S3 bucket name

<YOUR_BUCKET_ACCOUNT_ID> with the AWS account ID that owns the bucket

This CloudTrail configuration is an additional requirement and applies to all AWS integration methods described below.
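The following script is an added example, not part of the Delinea documentation or product: it checks, offline, whether a trail description and a bucket policy satisfy the prerequisites above (all regions, global service events, logs delivered to S3, and an s3:GetObject allowance for the integration role). The role ARN, account ID, bucket name and sample trail description are constructed for illustration; in practice the two inputs would come from CloudTrail DescribeTrails and S3 GetBucketPolicy.

```python
# Constructed sample inputs (not from the page): a bucket policy shaped like the
# statement above, and a trail description shaped like CloudTrail's DescribeTrails output.
ROLE_ARN = "arn:aws:iam::111122223333:role/AuthomizeCrossAccountTrustRole"
BUCKET = "example-cloudtrail-bucket"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowGetObjectForDelineaRole",
    "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
}]}
SAMPLE_TRAIL = {"S3BucketName": BUCKET, "IsMultiRegionTrail": True,
                "IncludeGlobalServiceEvents": True}

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, role_arn, bucket):
    """True if the statement covers role_arn, s3:GetObject and objects in the bucket."""
    principal = stmt.get("Principal", {})
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    resources = set(_as_list(stmt.get("Resource", [])))
    return ((role_arn in aws or "*" in aws)
            and bool(actions & {"s3:getobject", "s3:*", "*"})
            and bool(resources & {f"arn:aws:s3:::{bucket}/*", "arn:aws:s3:::*", "*"}))

def check_prerequisites(policy, trail, role_arn):
    """Return a list of findings; an empty list means the prerequisites are met.
    Evaluation is simplified: Condition blocks are ignored and an explicit Deny wins."""
    findings = []
    bucket = trail.get("S3BucketName")
    if not bucket:
        findings.append("trail does not deliver logs to an S3 bucket")
    for key, problem in (("IsMultiRegionTrail", "collect data from all regions"),
                         ("IncludeGlobalServiceEvents", "collect global service events (IAM, STS)")):
        if not trail.get(key):
            findings.append(f"trail does not {problem}")
    if bucket:
        effects = {s.get("Effect") for s in policy.get("Statement", [])
                   if statement_applies(s, role_arn, bucket)}
        if "Deny" in effects:
            findings.append(f"bucket policy explicitly denies s3:GetObject to {role_arn}")
        elif "Allow" not in effects:
            findings.append(f"bucket policy does not allow {role_arn} to read {bucket}/*")
    return findings
```

Calling check_prerequisites(SAMPLE_POLICY, SAMPLE_TRAIL, ROLE_ARN) returns an empty list; switching off either trail flag or naming a different role produces one finding per problem.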

AWS can be integrated for specific accounts or an entire organization, and your integration can also include the IAM Identity Center.

The integration operates by utilizing an assumed role on AWS, as per the following:

  • The platform generates a role on AWS for initial integration and ongoing use.

  • The platform randomly generates a unique ExternalID for each customer (as recommended by AWS).

  • To make the connection more secure, the platform supplies the AWS role with this unique ExternalID.

  • All the integrations use assumed role-based integration.

Before performing any AWS integration steps, ensure that AWS CloudTrail is configured. All integration options below depend on CloudTrail log ingestion.

You can integrate AWS in the following ways: