Configuration
AWS Configuration
In AWS, create a role with the following settings:
- Role name: AuthomizeCrossAccountTrustRole
- Role policy: arn:aws:iam::aws:policy/SecurityAudit
- Role trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::291883359082:user/AuthomizeCustomerRoleAssumer"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "enter_unique_value"
        }
      }
    }
  ]
}
If you are installing this role on the management account and wish to integrate AWS Identity Center, or want Delinea to automatically list accounts, attach the following policies to this role in addition to the SecurityAudit policy:
- arn:aws:iam::aws:policy/AWSSSOReadOnly
- arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly
If you update the role name, you must add the updated name in the integration dialog.
Do not change the trust policy principal.
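The trust policy above is what allows the Authomize principal to assume the role, and the sts:ExternalId condition is what stops a third party from tricking Authomize into assuming your role on their behalf (the confused-deputy problem). The following script is an added example, not Authomize or Delinea code: it builds the trust policy with a freshly generated ExternalId, lists the managed policy ARNs the page requires, and checks an existing trust policy (for instance the AssumeRolePolicyDocument returned by `aws iam get-role`) against the page's requirements. The ExternalId length and character set are an assumption of this example.

```python
"""Build and check the AuthomizeCrossAccountTrustRole trust policy.

Added example; not Authomize/Delinea code. Values below are taken from the
page, except the ExternalId generation, which is this example's choice.
"""
import json
import secrets

EXPECTED_PRINCIPAL = "arn:aws:iam::291883359082:user/AuthomizeCustomerRoleAssumer"
PLACEHOLDER_EXTERNAL_ID = "enter_unique_value"
SECURITY_AUDIT_POLICY = "arn:aws:iam::aws:policy/SecurityAudit"
MANAGEMENT_ACCOUNT_POLICIES = [
    "arn:aws:iam::aws:policy/AWSSSOReadOnly",
    "arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly",
]


def new_external_id() -> str:
    """Random ExternalId. Assumption: 32 URL-safe base64 characters, which
    fall inside the character set AWS accepts for sts:ExternalId."""
    return secrets.token_urlsafe(24)


def build_trust_policy(external_id: str) -> dict:
    """Return the trust policy from the page with the given ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": EXPECTED_PRINCIPAL},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def required_policy_arns(management_account: bool) -> list:
    """Managed policies to attach: SecurityAudit always, plus the two SSO
    read-only policies when the role lives in the management account."""
    arns = [SECURITY_AUDIT_POLICY]
    if management_account:
        arns += MANAGEMENT_ACCOUNT_POLICIES
    return arns


def check_trust_policy(doc) -> list:
    """Compare a trust policy (dict or JSON string) with the page's
    requirements. Returns a list of findings; an empty list means it matches."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    findings = []
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if len(statements) != 1:
        findings.append(f"expected exactly one statement, found {len(statements)}")
    for st in statements:
        if st.get("Effect") != "Allow":
            findings.append("statement effect is not Allow")
        principal = st.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if isinstance(aws_principal, list) and len(aws_principal) == 1:
            aws_principal = aws_principal[0]
        if aws_principal != EXPECTED_PRINCIPAL:
            findings.append(f"principal must be {EXPECTED_PRINCIPAL}, found {aws_principal!r}")
        actions = st.get("Action")
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRole"]:
            findings.append(f"action must be exactly sts:AssumeRole, found {actions!r}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif PLACEHOLDER_EXTERNAL_ID in ext:
            findings.append("sts:ExternalId still contains the placeholder value")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(new_external_id())
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy))
    print("attach:", required_policy_arns(management_account=True))
```

Run the script to print a ready-to-use trust policy document, or call `check_trust_policy` on the role's current document to confirm the principal was not changed and the placeholder ExternalId was replaced before the role goes live.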
Configuration in the Delinea Platform
To configure AWS in the Delinea Platform, follow this procedure:
- Log in to the Delinea Platform.
- Navigate to Discovery > Entitlement & Threat Sources.
- Go to Create, and select the AWS option. The Integrate AWS dialog opens.
- In the Account Number field, add account numbers if you wish to focus on specific accounts, or leave it empty to automatically list all active accounts under the organization. See Listing of Org Accounts for more details. If there are multiple account numbers, enter them in comma-delimited format.
- (Optional) To also integrate AWS Identity Center, enter the Management account number. If you enter the Management account number and have chosen to list specific accounts, also add that number in the Account Number field.
- Skip Assume Role.
- Leave the Regions field empty to retrieve data from all regions in your organization, or enter a comma-delimited list of regions. If you specify regions, data is retrieved only from the regions listed.
- (Optional) Enter a unique name for this integration. By default, the integration is named AWS.
- Scroll to the top of the page, and select Save.
The AWS option is displayed as a connected app. The synchronization process begins, and its status will be shown when it is completed.
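The dialog fields above carry a few rules that are easy to get wrong: account numbers and regions are comma-delimited, an empty Account Number field means every active account in the organization, and a Management account number entered for Identity Center must also appear in the Account Number field whenever specific accounts are listed. The following is an added example, not Delinea code, that pre-checks those values before they are pasted into the dialog. The 12-digit account-ID check and the region-name pattern are this example's assumptions about AWS naming, not rules stated on the page.

```python
"""Pre-check the values for the Integrate AWS dialog (added example)."""
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")          # assumption: AWS account IDs are 12 digits
REGION = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # assumption: e.g. us-east-1, us-gov-west-1


def split_csv(field: str) -> list:
    """Split a comma-delimited field, trimming whitespace and dropping blanks."""
    return [item.strip() for item in field.split(",") if item.strip()]


def validate_dialog(account_numbers: str, management_account: str = "", regions: str = "") -> dict:
    """Apply the page's rules to the three dialog fields.

    Returns the parsed values plus a list of errors (empty when all rules hold).
    """
    errors = []
    accounts = split_csv(account_numbers)
    for acct in accounts:
        if not ACCOUNT_ID.match(acct):
            errors.append(f"account number {acct!r} is not a 12-digit ID")

    mgmt = management_account.strip()
    if mgmt and not ACCOUNT_ID.match(mgmt):
        errors.append(f"management account {mgmt!r} is not a 12-digit ID")
    # Page rule: when specific accounts are listed, the Management account
    # must be among them if it was entered for Identity Center.
    if mgmt and accounts and mgmt not in accounts:
        errors.append("Management account number must also be in the Account Number field")

    region_list = split_csv(regions)
    for region in region_list:
        if not REGION.match(region):
            errors.append(f"region {region!r} does not look like an AWS region name")

    return {
        "accounts": accounts,
        "scope": "listed-accounts" if accounts else "all-active-accounts",
        "management_account": mgmt or None,
        "regions": region_list or None,   # None means all regions
        "errors": errors,
    }


if __name__ == "__main__":
    print(validate_dialog("123456789012, 210987654321",
                          management_account="123456789012",
                          regions="us-east-1, eu-west-1"))
```

A result with an empty `errors` list and `scope` equal to `all-active-accounts` corresponds to leaving the Account Number field blank, which is the configuration where Delinea lists the organization's accounts itself.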