SailPoint Amazon Web Services Identity and Access Management Connector

Amazon Web Services (AWS) Identity and Access Management (IAM) helps you securely control access to Amazon Web Services and your account resources. With IAM, you can create multiple IAM users under your AWS account or enable temporary access through identity federation with your corporate directory. In some cases, you can also enable access to resources across AWS accounts. IAM offers greater security, flexibility, and control when using AWS.

Without IAM, however, you must either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or share the security credentials of a single AWS account. In addition, without IAM, you cannot control the tasks a particular user or system can do and what AWS resources they might use.

IAM enables identity federation between your corporate directory and AWS services. This enables you to use your existing corporate identities to grant secure and direct access to AWS resources, such as Amazon S3 buckets, without creating a new AWS identity for those users.

IAM is a web service that enables AWS customers to manage users and user permissions under their AWS account.
For more information about this product, see AWS Identity and Access Management (IAM).
The objective of this connector is to support reading and provisioning of AWS IAM accounts, account groups and account group assignment.

Supported features

SailPoint Amazon Web Services Identity and Access Management Connector supports the following features:
• Account Management
- Manages IAM Users under the AWS Account as Accounts
- Aggregate, Refresh Accounts
- Create, Update, Delete
- Change Password
- Add/Remove Entitlements
- Enable: Activates only one existing Access Key and Signing Certificate
- Disable: Deactivates and/or deletes ALL existing Security Credentials
• Account – Group Management
- Manages IAM Groups under the AWS Account as Account-Groups
- Aggregate, Refresh Group
- Create, Update, Delete
• Permissions Management
- The application reads the permissions directly assigned to accounts and groups as direct permissions during account and group aggregation respectively.
- The connector does not support automated revocation of the aggregated permissions; it creates a work item for such requests.
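The Enable and Disable semantics listed above are easy to misread, so here is an added example (written for this page, not code from SailPoint or the connector) that models them over a constructed credential inventory: which IAM calls a Disable implies for every access key, signing certificate and console password, which single key and certificate an Enable reactivates, and what a user still holds afterwards. The sample inventory, the call ordering and the apply_plan helper are assumptions for illustration; the page states only the outcomes.

```python
"""Model of what the connector's Enable and Disable operations do to an IAM
user's security credentials. Added example (not SailPoint's code): the
inventory below is constructed to look like the relevant IAM List*/Get*
responses, and the call ordering is an assumption; the page states only the
outcome (Enable: one key and one certificate; Disable: all credentials)."""
import copy

# Constructed sample: one user with two access keys, one certificate and a console password.
SAMPLE_USER = {
    "UserName": "svc-reporting",
    "AccessKeys": [
        {"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active"},
        {"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Inactive"},
    ],
    "SigningCertificates": [{"CertificateId": "CERTEXAMPLE01", "Status": "Inactive"}],
    "HasLoginProfile": True,
}


def plan_disable(user: dict, delete_credentials: bool = False) -> list:
    """Disable touches ALL credentials: deactivate each key and certificate
    (or delete them when delete_credentials is set) and remove the console
    password. Returns the IAM actions as (Action, parameters) tuples."""
    name = user["UserName"]
    calls = []
    for key in user["AccessKeys"]:
        params = {"UserName": name, "AccessKeyId": key["AccessKeyId"]}
        if delete_credentials:
            calls.append(("DeleteAccessKey", params))
        elif key["Status"] == "Active":
            calls.append(("UpdateAccessKey", {**params, "Status": "Inactive"}))
    for cert in user["SigningCertificates"]:
        params = {"UserName": name, "CertificateId": cert["CertificateId"]}
        if delete_credentials:
            calls.append(("DeleteSigningCertificate", params))
        elif cert["Status"] == "Active":
            calls.append(("UpdateSigningCertificate", {**params, "Status": "Inactive"}))
    if user["HasLoginProfile"]:
        # The console password is a security credential too, so it goes in both modes.
        calls.append(("DeleteLoginProfile", {"UserName": name}))
    return calls


def plan_enable(user: dict) -> list:
    """Enable reactivates only ONE existing access key and ONE signing
    certificate, and only if none of that kind is already active. It never
    creates a login profile: CreateLoginProfile requires a password, which the
    enable operation cannot supply (see Troubleshooting, item 1)."""
    name = user["UserName"]
    calls = []
    for items, id_field, action in (
        (user["AccessKeys"], "AccessKeyId", "UpdateAccessKey"),
        (user["SigningCertificates"], "CertificateId", "UpdateSigningCertificate"),
    ):
        if items and not any(i["Status"] == "Active" for i in items):
            first = items[0]
            calls.append((action, {"UserName": name, id_field: first[id_field], "Status": "Active"}))
    return calls


def apply_plan(user: dict, calls: list) -> dict:
    """Apply a plan to a copy of the inventory and return what remains. This
    makes visible that Disable without deletion leaves inactive keys behind,
    and those can be reactivated later."""
    state = copy.deepcopy(user)
    for action, p in calls:
        if action == "DeleteAccessKey":
            state["AccessKeys"] = [k for k in state["AccessKeys"] if k["AccessKeyId"] != p["AccessKeyId"]]
        elif action == "UpdateAccessKey":
            for k in state["AccessKeys"]:
                if k["AccessKeyId"] == p["AccessKeyId"]:
                    k["Status"] = p["Status"]
        elif action == "DeleteSigningCertificate":
            state["SigningCertificates"] = [
                c for c in state["SigningCertificates"] if c["CertificateId"] != p["CertificateId"]]
        elif action == "UpdateSigningCertificate":
            for c in state["SigningCertificates"]:
                if c["CertificateId"] == p["CertificateId"]:
                    c["Status"] = p["Status"]
        elif action == "DeleteLoginProfile":
            state["HasLoginProfile"] = False
    return state


if __name__ == "__main__":
    for call in plan_disable(SAMPLE_USER):
        print("Disable ->", call)
    for call in plan_enable(apply_plan(SAMPLE_USER, plan_disable(SAMPLE_USER))):
        print("Enable  ->", call)
```

The point to take from the model: a Disable that only deactivates leaves every key and certificate in place, so an aggregation after the fact should still show them, and an audit of "disabled" AWS accounts should check for Inactive credentials rather than assume they are gone.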

Pre-requisites

Note: If AWS Identity and Access Management Connector is behind the proxy server, see the “Special Java Considerations” section of the SailPoint IdentityIQ Installation Guide.

The connector requires the following Access Credentials to access the various IAM APIs:
• Access Key ID
• Secret Access Key

IAM is a feature of AWS account. If you are already signed up for a product that is integrated with IAM, you do not need to do anything else to sign up for IAM, and you will also not be charged extra for using it. You will be charged only for use of other AWS services by your users.

Note: IAM works only with AWS products that are integrated with IAM. For a list of such products, see Integrating with Other AWS Products.

If you do not already have an AWS account, you need to create one to use IAM. You can create an AWS account when you sign up to use an AWS product for the first time. To sign up for AWS, perform the following:

1. Navigate to http://aws.amazon.com, and then click Sign Up Now.
2. Follow the on-screen instructions.

Part of the sign-up procedure involves receiving a phone call and entering a PIN using the phone keypad.
An Access Key is automatically created upon creating an account. See the “Security Credentials” section of your account to obtain your Access Keys from the following link:
http://aws-portal.amazon.com/gp/aws/developer/account/index.html?action=access-key

To establish SSL communication between IdentityIQ and the AWS server, perform the following:

1. Export the server certificate and copy the exported .cer file to the Java client computer (the IdentityIQ computer).

2. On the client computer, execute the following command from the bin directory of the JDK:
keytool -importcert -trustcacerts -alias aliasName -file exported.cer -keystore <JDK_HOME>/jre/lib/security/cacerts
In the preceding command, aliasName is the alias under which the certificate is stored, exported.cer is the certificate file copied in step 1, and the keystore path is the cacerts file under the JDK installation.

Administrator permissions

Custom policies must be created and these policies must be attached to the users.

Creating Custom Policy

To create a custom policy, perform the following steps:

1. Log in to AWS server with administrator privileges to create a custom policy.

2. On the left-hand side of the screen, click on Policies.

3. On the right-hand side of the screen, click on the Create Policy button.

4. On Step 1: Create Policy page, select Create Your Own Policy section.

5. On Step 2: Set Permissions page, enter the following data respectively (based on the operation) and click on Validate Policy:

The Review Policy page is displayed.

6. On the Step 3: Review Policy page, review and validate the policy and click on Create Policy. On successfully creating the policy the following message is displayed:
SPTestConnectionPolicy has been created.
Now you are ready to attach your policy to users, groups, and roles.
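The policy JSON entered at the Set Permissions step is not reproduced on this page, so the following added example (not SailPoint's own policy text) builds a least-privilege policy for the connector's service user from the feature list above and reviews it for over-broad grants before it is attached. The mapping from connector features to IAM actions, the statement names and the 123456789012 account id are assumptions; verify the action list against the policy table in the official connector guide.

```python
"""Least-privilege policy document for the connector's IAM service user.

Added example, not SailPoint's own policy text. The action lists are an
assumed mapping from the connector's feature list (aggregation, provisioning,
credential enable/disable); verify them against the policy table in the
official connector guide before attaching the policy."""
import json

# Listing calls take no resource ARN, so they need Resource "*".
LISTING_ACTIONS = ["iam:ListUsers", "iam:ListGroups"]

# Per-user / per-group reads used during account and group aggregation.
AGGREGATION_ACTIONS = [
    "iam:GetUser", "iam:GetGroup", "iam:ListGroupsForUser", "iam:GetLoginProfile",
    "iam:ListAccessKeys", "iam:ListSigningCertificates",
    "iam:ListAttachedUserPolicies", "iam:ListAttachedGroupPolicies",
    "iam:ListUserPolicies", "iam:ListGroupPolicies",
]

# Writes for create/update/delete, password changes, group membership and the
# enable/disable of access keys and signing certificates.
PROVISIONING_ACTIONS = [
    "iam:CreateUser", "iam:UpdateUser", "iam:DeleteUser",
    "iam:CreateGroup", "iam:UpdateGroup", "iam:DeleteGroup",
    "iam:AddUserToGroup", "iam:RemoveUserFromGroup",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:DeleteLoginProfile",
    "iam:UpdateAccessKey", "iam:DeleteAccessKey",
    "iam:UpdateSigningCertificate", "iam:DeleteSigningCertificate",
]

# Rights that would let the connector user widen its own permissions. The
# connector does not need them: it creates work items instead of revoking policies.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachGroupPolicy", "iam:PutGroupPolicy",
}


def build_connector_policy(account_id: str, provisioning: bool = True) -> dict:
    """Policy scoped to the users and groups of one account (account_id is a placeholder)."""
    scoped = [f"arn:aws:iam::{account_id}:user/*", f"arn:aws:iam::{account_id}:group/*"]
    statements = [
        {"Sid": "SPListing", "Effect": "Allow", "Action": LISTING_ACTIONS, "Resource": "*"},
        {"Sid": "SPAggregation", "Effect": "Allow", "Action": AGGREGATION_ACTIONS, "Resource": scoped},
    ]
    if provisioning:
        statements.append({"Sid": "SPProvisioning", "Effect": "Allow",
                           "Action": PROVISIONING_ACTIONS, "Resource": scoped})
    return {"Version": "2012-10-17", "Statement": statements}


def render_policy(policy: dict) -> str:
    """JSON text to paste into the Set Permissions step."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list:
    """Review a policy before attaching it: flags wildcard actions, wildcard
    resources on write actions, and rights that allow self-escalation."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        writes = [a for a in actions if not a.startswith(("iam:Get", "iam:List"))]
        if any(a in ("*", "iam:*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if "*" in resources and writes:
            findings.append(f"{sid}: wildcard resource on write actions {writes}")
        for a in actions:
            if a in ESCALATION_ACTIONS:
                findings.append(f"{sid}: {a} lets the connector user change policies")
    return findings


if __name__ == "__main__":
    policy = build_connector_policy("123456789012")
    print(render_policy(policy))
    print("findings:", policy_findings(policy) or "none")
```

Keeping aggregation and provisioning in separate statements means a read-only integration (aggregation only) can be given the policy with provisioning=False, and the findings check is the review step to run on any hand-edited variant before it is attached in the next section.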

Attaching the Policy to users
To attach the policies to the users, perform the following:

1. Navigate to the home page and click on Users on the left-hand side of the home page.

2. Click on the user to which the policy must be attached.

3. Under the Permissions tab, click on Attach Policy.

4. On the Attach Policy page, search for the SP policies (created in the “Creating Custom Policy” section) under the Policy Type field.

5. Select the policy that must be attached to the user and click on the Attach Policy button.

Perform the above steps to add more than one policy to the user.

Schema attributes

The following schema attributes are defined:
• Account schema
• Group schema
• Schema extension and custom attributes

Account schema

The following table lists the account schema:

Note: Attributes with the * sign must be manually deleted only when upgrading IdentityIQ from version 7.0 or above to IdentityIQ version 7.1.

Group schema

The following table lists the group schema:

Schema extension and custom attributes

The connector handles all the attributes currently retrieved or provisioned by the respective IAM APIs at the time of designing and developing the connector. In addition, AWS IAM has fixed schemas and does not support adding custom attributes to any of the schemas. Therefore, the connector does not provide support for extending the schema and defining custom attributes.

Provisioning Policy attributes

The following default provisioning policies are defined for Account and Account-Group.

Account

Create: The following table lists the attributes that are required for creating an account.

Update: The following table lists the attributes that are required for updating an account.

Account-Group

Create: The following table lists the attributes that are required for creating a group.

Update: The following table lists the attributes that are required for updating a group.

Additional information

This section describes the additional information related to the AWS Connector.

Amazon Web Services Identity and Access Management APIs

This section describes the API methods used by the AWS IAM Connector.

Interaction with the application

The connector uses REST requests to call the functionality exposed by an Amazon Web Services (AWS) API. REST or Query requests are plain HTTP or HTTPS requests that use an HTTP verb (such as GET or POST) and an Action or Operation parameter that names the API being called.
Calling an API with a REST or Query request is the most direct way to access a web service, but it requires the application to handle low-level details such as computing the signature for the request and handling errors.
The benefit of a REST or Query request is access to the complete functionality of the API. The connector uses REST requests and handles these low-level details itself.

APIs used

The following table lists the IdentityIQ operations along with the corresponding IAM APIs (Actions) used:

Troubleshooting

1 – Restore (Enable) security credentials

Restore security credentials for your IAM users.

CreateLoginProfile: Creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. IdentityIQ does not allow specifying the Password, which is a required parameter for this API, during Account Enable operation.

Workaround: The password must be set or created using the Set/Reset Password operation to enable the account.

2 – Request timestamp is skewed

The test connection failed with the following error message:
open connector.ConnectorException: Error Code 400 – RequestExpired – Request timestamp is too skewed. Timestamps must be within 900 seconds of server time. Timestamp date: 2015-04-01T19:07:51.185Z

Resolution: The clocks of the AWS server instance and the IdentityIQ server must be synchronized; AWS rejects a request whose timestamp differs from the server time by more than 900 seconds.
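The request signing mentioned under "Interaction with the application" and the 900-second timestamp window behind the RequestExpired error above are shown together in this added example (not the connector's code): it builds the Query request GET /?Action=ListUsers&Version=2010-05-08 and signs it with AWS Signature Version 4 entirely offline, then applies the server's clock-skew rule to the signed x-amz-date. The access key, secret and date are the values AWS uses in its own SigV4 documentation example, so the resulting signature can be compared with that reference; the region default and the function names are assumptions.

```python
"""SigV4 signing of an IAM Query request, with the clock-skew rule behind
"RequestExpired". Added example, not the connector's code: the SAMPLE_*
inputs are the ones AWS uses in its own SigV4 documentation example, so the
signature can be checked against that reference."""
import datetime as dt
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote

IAM_HOST = "iam.amazonaws.com"
IAM_API_VERSION = "2010-05-08"   # IAM Query API version parameter
MAX_SKEW_SECONDS = 900           # window quoted in the RequestExpired error

SAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
SAMPLE_AMZ_DATE = "20150830T123600Z"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """Query parameters sorted by name, names and values URI-encoded."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))


def sign_iam_query(action: str, access_key: str, secret_key: str, amz_date: str,
                   region: str = "us-east-1",
                   extra_params: Optional[dict] = None) -> dict:
    """Build and sign GET https://iam.amazonaws.com/?Action=<action>&Version=...
    The intermediate strings are returned so each signing step can be inspected."""
    params = {"Action": action, "Version": IAM_API_VERSION, **(extra_params or {})}
    query = canonical_query(params)
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": IAM_HOST,
        "x-amz-date": amz_date,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = _sha256_hex(b"")              # GET request: empty body
    canonical_request = "\n".join(
        ["GET", "/", query, canonical_headers, signed_headers, payload_hash])

    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/iam/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])

    # Derive a per-day, per-region, per-service signing key: the long-term
    # secret never signs a request directly.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "iam"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"url": f"https://{IAM_HOST}/?{query}",
            "headers": {**headers, "authorization": authorization},
            "canonical_request": canonical_request,
            "string_to_sign": string_to_sign,
            "signature": signature}


def timestamp_skew_ok(request_amz_date: str, server_amz_date: str,
                      max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """The acceptance rule behind RequestExpired: the signed x-amz-date must be
    within max_skew seconds of the server clock, in either direction. Both
    values are x-amz-date strings (UTC)."""
    fmt = "%Y%m%dT%H%M%SZ"
    sent = dt.datetime.strptime(request_amz_date, fmt)
    now = dt.datetime.strptime(server_amz_date, fmt)
    return abs((now - sent).total_seconds()) <= max_skew


if __name__ == "__main__":
    signed = sign_iam_query("ListUsers", SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, SAMPLE_AMZ_DATE)
    print(signed["url"])
    print(signed["headers"]["authorization"])
```

Because x-amz-date is part of the string that is signed, a client whose clock is off cannot simply be "corrected" by the server; the request is rejected as RequestExpired, which is why the fix for the error in item 2 is clock synchronization on the IdentityIQ host rather than anything in the connector configuration.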

About the author: Devender

Devender is an enthusiastic independent blogger, consultant and freelance trainer whose main areas of interest are identity and access management related technologies, including OIM, SailPoint IdentityIQ and much more.
