AWS Identity and Access Management (IAM)
Setup
Setting up AWS accounts for Entitle's access
- Create an IAM User with programmatic credentials (an access key ID and secret access key) and keep them; Entitle needs them to connect. Treat this key pair as administrator credentials: the policies below grant iam:AttachUserPolicy, iam:PutRolePolicy and iam:CreatePolicyVersion on Resource "*", which lets whoever holds the key grant itself any permission in the account.
- Create two customer managed policies, the IAM Management Policy and the Base Permissions Management Policy, using the two policy documents below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup",
"iam:ListGroupsForUser",
"iam:ListUsers",
"iam:ListGroups",
"iam:GetUser",
"iam:GetGroup"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:AttachUserPolicy",
"iam:CreateRole",
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DetachUserPolicy",
"iam:DetachRolePolicy",
"iam:DeleteRole",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListRoles",
"iam:ListAttachedRolePolicies",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies",
"iam:ListPolicyTags",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:TagPolicy",
"organizations:ListAccounts",
"organizations:DescribeAccount",
"iam:TagRole",
"iam:UntagRole",
"iam:UntagPolicy"
],
"Resource": "*"
}
]
}
- Attach both policies to the Entitle user.
- For each resource type you want Entitle to manage access to, create the corresponding policy from the Resource Specific Policies section below and attach it to the same user. Judging by the actions they grant, the three documents cover IAM policies attached to users, S3 buckets and EC2 instances, and IAM roles, in that order.
Resource Specific Policies
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:TagRole",
"iam:ListEntitiesForPolicy",
"iam:AttachUserPolicy",
"iam:ListUsers",
"iam:ListUserPolicies",
"iam:ListPolicyTags",
"iam:TagPolicy",
"iam:TagUser"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"iam:GetRole",
"iam:GetPolicyVersion",
"s3:GetBucketTagging",
"ec2:DescribeInstances",
"iam:GetPolicy",
"ec2:DescribeTags",
"ec2:DescribeRegions",
"iam:ListEntitiesForPolicy",
"iam:AttachUserPolicy",
"s3:ListBucket",
"iam:ListUserPolicies",
"iam:CreatePolicy",
"s3:ListAllMyBuckets",
"iam:ListUsers",
"iam:ListPolicyTags",
"iam:DetachUserPolicy"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"iam:GetRole",
"iam:GetPolicyVersion",
"iam:ListRoleTags",
"iam:GetPolicy",
"iam:AttachUserPolicy",
"iam:ListEntitiesForPolicy",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:CreatePolicy",
"iam:ListUsers",
"iam:ListPolicyTags",
"iam:DetachUserPolicy"
],
"Resource": "*"
}
]
}
Entitle integration setup
- credentials - the access key ID and secret access key of the IAM user created above, plus the region Entitle should query.
- tags - Optional - when set, only resources that carry the listed tag key/value pairs are retrieved.
{
"credentials": {
"access_key_id": "<ACCESS_KEY_ID>",
"secret_access_key": "<SECRET_ACCESS_KEY>",
"region": "<REGION>"
},
"options": {
"tags": [
{
"key": "<TAG_KEY>",
"value": "<TAG_VALUE>"
}
]
}
}