Enabling AWS Discovery
AWS Identity and Access Management (IAM)
For Secret Server to communicate with AWS, users with sufficient privileges need to create an access key for their account in AWS Identity and Access Management (IAM). The account used to do this requires the following permissions to discover users and access keys:
- iam:ListUsers
- iam:GetLoginProfile
- iam:ListAccessKeys
These permissions are limited to the resources the user is allowed to access.
Once this access key is created, use the access key and secret key to create a secret in Secret Server using the Amazon IAM key template.
Create a new AWS discovery source and use the Amazon IAM key as the credentials secret for that discovery source.
AWS only allows programmatic integration through access keys. This type of secret is required for discovery to work. Discovery must be enabled in Secret Server for this feature to work.
Amazon Elastic Compute Cloud (EC2)
Amazon Elastic Compute Cloud (EC2) is a part of AWS that allows users to rent virtual computers on which to run their own computer applications. The EC2 account used to do this requires the following permissions to discover users and access keys:
- EC2:DescribeInstances
- EC2:DescribeAvailabilityZones
The configuration is very similar to IAM.
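The following script is an added example, not part of the Secret Server documentation: it writes a least-privilege inline policy containing only the IAM and EC2 actions listed above, attaches it to a dedicated discovery user with the AWS CLI, and creates the access key that goes into the Amazon IAM key secret. The account id 111122223333, the user name secret-server-discovery and the policy file path are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the Secret Server documentation). Creates a policy
# with only the discovery actions named on this page, attaches it to a
# dedicated user and creates that user's access key.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"                   # assumption: your account id
DISCOVERY_USER="${DISCOVERY_USER:-secret-server-discovery}" # assumption: dedicated user
POLICY_FILE="${POLICY_FILE:-./secret-server-discovery-policy.json}"

# iam:ListUsers and the ec2:Describe* actions do not support resource-level
# permissions, so they need Resource "*". iam:GetLoginProfile and
# iam:ListAccessKeys accept a user ARN, so they are scoped to this account.
write_discovery_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "IamDiscoveryList", "Effect": "Allow",
      "Action": "iam:ListUsers", "Resource": "*" },
    { "Sid": "IamDiscoveryPerUser", "Effect": "Allow",
      "Action": ["iam:GetLoginProfile", "iam:ListAccessKeys"],
      "Resource": "arn:aws:iam::${ACCOUNT_ID}:user/*" },
    { "Sid": "Ec2Discovery", "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeAvailabilityZones"],
      "Resource": "*" }
  ]
}
EOF
}

# Attach the policy inline to the discovery user and create its access key.
# The AccessKeyId/SecretAccessKey in the output are the values for the
# Amazon IAM key secret; nothing else should be granted to this user.
attach_and_create_key() {
  aws iam put-user-policy \
    --user-name "$DISCOVERY_USER" \
    --policy-name SecretServerDiscovery \
    --policy-document "file://$1"
  aws iam create-access-key --user-name "$DISCOVERY_USER"
}

write_discovery_policy "$POLICY_FILE"
if [ "${1:-}" = "--apply" ]; then
  attach_and_create_key "$POLICY_FILE"
fi
```

Run without arguments to review the generated policy file; pass `--apply` with AWS CLI credentials configured to attach it and create the key.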