AWS Identity Center - temporary permission set - pod-based identity | Entitle

How does it work?

  • Entitle connects to the root (management) account of your organization by assuming a dedicated IAM role that carries an inline policy.
  • From the root account, Entitle retrieves and manages the SSO users, groups, and permission sets.
  • From the root account, Entitle assumes the roles configured for the sub-accounts.
  • For every sub-account chosen to be managed by Entitle, it collects and manages the resources via the role.
  • When an access request for a resource within a sub-account is approved, a new temporary permission set named in the entitle-<String> format is created and assigned to the requesting user in that sub-account.
  • When that access request expires, the account assignment is removed and the temporary permission set is deleted.
  • When an access request for an existing SSO group or permission set is approved, the user is added to the group or assigned the permission set directly; no temporary permission set is created.
  • When an access request for a group or permission set expires, that group membership or assignment is revoked.

Integration resource structure in Entitle

When an AWS integration of this type is created, Entitle structures your resources and permission sets as follows:

On the integration page under Resources, you will see:

  • Non-permission set resources (e.g., S3 buckets, IAM roles, Secrets Manager secrets, etc.)
    • To distinguish between resources with the same name in different sub-accounts, a tag with the account's name will be added to each one.
  • Sub-accounts (child AWS accounts tied to the integration).
    • Inside a sub-account resource, you will see permission sets tied to that sub-account.
  • SSO Groups

Prerequisites

To integrate AWS in Entitle, you will need to complete the following actions:

  • Create an IAM Role with a trust relationship.
  • Attach an access management policy to the role previously created.
  • Create a role with the necessary permissions and establish a trust relationship for each chosen sub-account.

Set up AWS to work with Entitle

ℹ️

Non-pod-based AWS integration modes require a functional account within AWS, which in many cases violates the customer's security policies. The pod-based mode avoids that side effect: the trusted principal is the IAM role of your own agent pod, so no extra account or long-lived credential has to exist for Entitle.

Setting up AWS accounts

For Entitle to connect and manage resource access for SSO users across different accounts in your organization, we will require a few things to be set up:

  • For SSO control and initial access to the organization, Entitle will need an IAM role in the root account with SSO management access.
  • For each sub-account, Entitle will need a role with management access to all the resources we want to manage from said account.

Root account - set up an IAM role

  1. Create the SSO Management Policy and the Base Permissions Management Policy as two separate customer managed policies with the contents below:

SSO Management Policy:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"VisualEditor0",
         "Effect":"Allow",
         "Action":[
            "iam:AttachRolePolicy",
            "iam:AttachUserPolicy",
            "iam:CreateRole",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DetachUserPolicy",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:GetSAMLProvider",
            "iam:UpdateSAMLProvider",
            "iam:ListAttachedRolePolicies",
            "iam:ListEntitiesForPolicy",
            "iam:ListPolicies",
            "iam:ListPolicyTags",
            "iam:ListPolicyVersions",
            "iam:ListRolePolicies",
            "iam:ListUserPolicies",
            "iam:ListUsers",
            "identitystore:CreateGroupMembership",
            "identitystore:DeleteGroupMembership",
            "identitystore:DescribeGroup",
            "identitystore:DescribeGroupMembership",
            "identitystore:DescribeUser",
            "identitystore:GetGroupId",
            "identitystore:GetGroupMembershipId",
            "identitystore:GetUserId",
            "identitystore:IsMemberInGroups",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroupMembershipsForMember",
            "identitystore:ListGroups",
            "identitystore:ListUsers",
            "organizations:ListAccounts",
            "sso-directory:DescribeUsers",
            "sso:AttachCustomerManagedPolicyReferenceToPermissionSet",
            "sso:AttachManagedPolicyToPermissionSet",
            "sso:CreateAccountAssignment",
            "sso:CreatePermissionSet",
            "sso:DeleteAccountAssignment",
            "sso:DeletePermissionSet",
            "sso:DescribeAccountAssignmentCreationStatus",
            "sso:DescribeAccountAssignmentDeletionStatus",
            "sso:DescribePermissionSet",
            "sso:DetachCustomerManagedPolicyReferenceFromPermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
            "sso:ListInstances",
            "sso:ListPermissionSets",
            "sso:ListTagsForResource",
            "sso:TagResource",
            "sso:UntagResource"
         ],
         "Resource":"*"
      }
   ]
}

Base Permissions Management Policy:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"VisualEditor0",
         "Effect":"Allow",
         "Action":[
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:AttachUserPolicy",
            "iam:CreateRole",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DetachUserPolicy",
            "iam:DetachRolePolicy",
            "iam:DeleteRole",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:ListRoles",
            "iam:ListAttachedRolePolicies",
            "iam:ListEntitiesForPolicy",
            "iam:ListPolicies",
            "iam:ListPolicyTags",
            "iam:ListPolicyVersions",
            "iam:ListRolePolicies",
            "iam:ListRoleTags",
            "iam:ListUserPolicies",
            "iam:ListUsers",
            "iam:TagPolicy",
            "organizations:ListAccounts",
            "organizations:DescribeAccount",
            "iam:TagRole",
            "iam:UnTagRole",
            "iam:TagPolicy",
            "iam:UntagPolicy"
         ],
         "Resource":"*"
      }
   ]
}
  2. Create a new IAM role. Save the role's ARN for later; it is used to configure your AWS integration under the field access_role_arn (see the Configuration part below).
  3. Attach the SSO Management Policy created in step 1 to the role.
  4. To set up a secure connection between your AWS organization and Entitle, establish a trust relationship that allows Entitle to assume the role. Two variants follow: the first trusts a role in Entitle's own AWS account, the second trusts the IAM role of your self-hosted agent pod (the pod-based identity this page describes). Add the one that matches where the integration runs (the Save on field in the Entitle configuration):

Trust policy when the integration runs in Entitle's cloud:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::321183744702:role/entitle-prod-ichilov@entitle"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "sts:ExternalId":"<EXTERNAL_ID>"
            }
         }
      }
   ]
}

Trust policy when the integration runs on your own agent pod:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"<Your agent-pod's AWS role ARN>"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "sts:ExternalId":"<EXTERNAL_ID>"
            }
         }
      }
   ]
}
  5. Both variants use AWS's external ID feature, which prevents a confused-deputy attack: the trusted role can assume yours only when it presents the external ID you chose. Generate a long random value, set it under "sts:ExternalId", and save it; you will need it later in this guide as external_id.
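The two policies above (and the sub-account policies later on this page) are vendor-supplied documents with Resource "*". Before attaching one, a reviewer wants two answers: does it grant the actions the documented temporary-permission-set flow needs, and which of its grants are unscoped IAM privilege-escalation primitives. The Python below is an added example, not Entitle's code or an Entitle API: it evaluates a constructed subset of the SSO Management Policy with IAM's wildcard action matching (Allow statements only; Deny statements and Conditions are not evaluated). The policy subset, the list of required actions and the escalation-primitive set are this example's own assumptions.

```python
"""Added example (not Entitle's code): audit a permission policy before attaching it."""
import fnmatch
import json

# Constructed sample: a subset of the SSO Management Policy shown on this page.
SSO_MANAGEMENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
      "iam:AttachRolePolicy", "iam:CreateRole", "iam:CreatePolicyVersion", "iam:GetRole",
      "sso:CreatePermissionSet", "sso:DeletePermissionSet",
      "sso:CreateAccountAssignment", "sso:DeleteAccountAssignment",
      "identitystore:CreateGroupMembership", "identitystore:DeleteGroupMembership",
      "organizations:ListAccounts"
    ],
    "Resource": "*"
  }]
}
""")

# Actions the temporary-permission-set flow described above must be able to call (assumed list).
REQUIRED_FOR_FLOW = (
    "sso:CreatePermissionSet", "sso:CreateAccountAssignment",
    "sso:DeleteAccountAssignment", "sso:DeletePermissionSet",
)

# IAM actions that, when granted on Resource "*", let the holder create or widen
# arbitrary principals in the account (well-known privilege-escalation primitives).
ESCALATION_PRIMITIVES = {
    "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy", "iam:CreateAccessKey",
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Candidates matched by at least one Allow statement. Deny statements and
    Conditions are ignored, which is exact for the single-Allow policies on this page."""
    allowed = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for pat in _as_list(st.get("Action")):
            allowed.update(a for a in candidates if action_matches(pat, a))
    return allowed


def missing_for_flow(policy):
    """Required actions the policy does not grant (empty means the flow can run)."""
    got = allowed_actions(policy, REQUIRED_FOR_FLOW)
    return [a for a in REQUIRED_FOR_FLOW if a not in got]


def escalation_grants_on_star(policy):
    """Escalation primitives granted unscoped: in an Allow statement whose Resource includes '*'."""
    hits = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        for pat in _as_list(st.get("Action")):
            hits.update(a for a in ESCALATION_PRIMITIVES if action_matches(pat, a))
    return sorted(hits)


if __name__ == "__main__":
    print("missing for flow:", missing_for_flow(SSO_MANAGEMENT_POLICY))
    print("unscoped escalation primitives:", escalation_grants_on_star(SSO_MANAGEMENT_POLICY))
```

Run it against the full policy documents from this page by loading them with json.load instead of the constructed subset. Any primitive it reports means the role is effectively an IAM administrator in that account; if your policy allows it, scope the Resource of those actions (for example to the role and policy name prefix Entitle creates) or add a permissions boundary, and re-run the integration to confirm it still works.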

Root account - set up permissions to assume role in sub-accounts

  1. Decide on a role name, you will later need to create a role with that name in each sub-account you want Entitle to manage. From now on, we’ll refer to it as “sub-account role name”.
  2. Create a policy using the Root Account Access To Sub Account Policy below:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"VisualEditor0",
         "Effect":"Allow",
         "Action":"sts:AssumeRole",
         "Resource":"arn:aws:iam::*:role/<SUBACCOUNT_ROLES_NAME>"
      }
   ]
}
  3. Replace SUBACCOUNT_ROLES_NAME with the sub-account role name chosen in step 1 and attach the policy to the root-account role created above. This lets the root role assume any role with that name in every sub-account (the account ID is a wildcard), so choose a name that is specific to Entitle and not shared with other roles in your organization.

Root account - retrieve SSO information

  1. Go to IAM Identity Center → Settings → Details → ARN and keep the ARN.
    This is the SSO instance ARN you will need for the configuration.
  2. Copy and keep the region in which the SSO is set up, as it will be required for the integration as well.

ℹ️

The following sections regarding the sub-accounts will need to be executed for each of the sub-accounts you want Entitle to manage.

Sub account - create a role

ℹ️

This should be repeated for each desired sub-account.

The role created in this step will be the way for Entitle to access the resources in this sub-account.

  1. Create a new IAM role. Its trust relationship must allow the root-account role (arn:aws:iam::<ROOT_ACCOUNT_ID>:role/<root role name>) to call sts:AssumeRole on it; that is the path Entitle uses to reach this account.
  2. Create the policies Entitle needs in this account:
    1. The Base Permissions Management Policy below, which is required to allow Entitle to manage permissions in the account:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"VisualEditor0",
         "Effect":"Allow",
         "Action":[
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:AttachUserPolicy",
            "iam:CreateRole",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DetachUserPolicy",
            "iam:DetachRolePolicy",
            "iam:DeleteRole",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:ListRoles",
            "iam:ListAttachedRolePolicies",
            "iam:ListEntitiesForPolicy",
            "iam:ListPolicies",
            "iam:ListPolicyTags",
            "iam:ListPolicyVersions",
            "iam:ListRolePolicies",
            "iam:ListRoleTags",
            "iam:ListUserPolicies",
            "iam:ListUsers",
            "iam:TagPolicy",
            "organizations:ListAccounts",
            "organizations:DescribeAccount",
            "iam:TagRole",
            "iam:UnTagRole",
            "iam:TagPolicy",
            "iam:UntagPolicy"
         ],
         "Resource":"*"
      }
   ]
}

    2. The policies for the resource types you want to manage in that account, using the Resource-Specific Policies below. Each covers one resource type (recognisable by the service actions it lists); create only those you need:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListEntitiesForPolicy",
                "iam:AttachUserPolicy",
                "iam:ListUsers",
                "iam:ListUserPolicies",
                "iam:ListPolicyTags",
                "iam:TagPolicy",
                "iam:TagUser"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "s3:GetBucketTagging",
                "ec2:DescribeInstances",
                "iam:GetPolicy",
                "ec2:DescribeTags",
                "ec2:DescribeRegions",
                "iam:ListEntitiesForPolicy",
                "iam:AttachUserPolicy",
                "s3:ListBucket",
                "iam:ListUserPolicies",
                "iam:CreatePolicy",
                "s3:ListAllMyBuckets",
                "iam:ListUsers",
                "iam:ListPolicyTags",
                "iam:DetachUserPolicy"
            ],
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:AttachUserPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:CreatePolicy",
                "iam:ListUsers",
                "iam:ListPolicyTags",
                "iam:DetachUserPolicy"
            ],
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:AttachUserPolicy",
                "iam:ListUserPolicies",
                "iam:CreatePolicy",
                "iam:ListUsers",
                "iam:ListPolicyTags",
                "iam:DetachUserPolicy",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*"
        }
    ]
}
  3. Attach the policies you have just created to the role you created for this sub-account.
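The trust relationship step in the root-account section shows the root role's trust policy, but the page never shows the trust policy of the sub-account role, which must let the root-account role assume it. The Python below, an added example rather than Entitle's code, builds that trust policy and runs a confused-deputy check over both kinds of trust policy used in this setup: a Principal of "*" or an account root, or a principal outside your own accounts with no sts:ExternalId condition, is reported. Account IDs, role names and the external ID are placeholders chosen for the example.

```python
"""Added example (not Entitle's code): sub-account trust policy plus a confused-deputy check."""

# Assumed placeholders for this example (use your own values).
ROOT_ACCOUNT_ID = "111111111111"                                   # the organization's root account
ROOT_ROLE_NAME = "entitle-root-role"                               # the root-account role created above
AGENT_POD_ROLE_ARN = "arn:aws:iam::111111111111:role/entitle-agent-pod"  # your agent pod's role
EXTERNAL_ID = "c4d6c9e7-example-external-id"                       # the value chosen for sts:ExternalId


def root_role_arn():
    return f"arn:aws:iam::{ROOT_ACCOUNT_ID}:role/{ROOT_ROLE_NAME}"


def root_trust_policy(agent_role_arn=AGENT_POD_ROLE_ARN, external_id=EXTERNAL_ID):
    """The pod-based trust policy from the page with its placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": agent_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def subaccount_trust_policy():
    """Trust policy for the role in each sub-account. The page does not show it; this version
    pins the root-account role ARN as the only principal, matching the root-side sts:AssumeRole
    grant on arn:aws:iam::*:role/<SUBACCOUNT_ROLES_NAME>. The page mentions no external ID on
    this hop, so none is required here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": root_role_arn()},
            "Action": "sts:AssumeRole",
        }],
    }


def _account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 else ""


def check_trust_policy(policy, own_account_ids):
    """Findings that make the role assumable more widely than the templates above intend."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for a in actions:
            if a.lower() != "sts:assumerole":
                findings.append(f"unexpected action {a} in trust policy")
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("Principal is '*' (any AWS principal may assume the role)")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else list(aws)
        cond = st.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in v for v in cond.values() if isinstance(v, dict)
        )
        for p in aws:
            if p == "*":
                findings.append("Principal AWS is '*' (any AWS principal may assume the role)")
            elif p.endswith(":root"):
                findings.append(f"{p} trusts a whole account; pin a role ARN instead")
            elif _account_of(p) not in own_account_ids and not has_external_id:
                findings.append(f"{p} is outside your accounts and no sts:ExternalId condition is set")
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(subaccount_trust_policy(), indent=2))
    print("root role findings:", check_trust_policy(root_trust_policy(), {ROOT_ACCOUNT_ID}))
```

Feed the printed document to the trust-policy editor of the sub-account role (or to aws iam create-role with --assume-role-policy-document) and run check_trust_policy over the trust policy you actually saved on each role, not only over the template, since a stray ":root" principal added during troubleshooting is exactly what the check is for.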

Set up the integration in Entitle

  1. Log in to Entitle and go to the Integrations page.

  2. After clicking the Add Integration button, type AWS in the Application field.

  3. Set the Save on field to where the integration runs: your own hosted agent or Entitle's cloud. This determines which of the two trust policies from the root-account section applies.

  4. Under Connection, ensure that SSO Multi-Account - Pod Based Identity is selected.

  5. Fill in the required components in the configuration:

    1. Under root_account, paste the root account's ID as the account_id value.
    2. Paste the ARN of the root-account role you created for Entitle as the access_role_arn value.
    3. Paste your external ID as the external_id value.
    4. Paste the region code of your IAM Identity Center instance as the region value.
    5. Under sub_accounts, add an entry for each sub-account with its account_id and the ARN of the role you created there as access_role_arn. Settings given inside a sub-account's entry override the global ones under options; add tags (key and value) there if only resources carrying those tags should be retrieved from that account.
    6. Under options, set sso_instance_arn to the Identity Center instance ARN you saved earlier. Optionally list resource_types and tags to retrieve only specific resource types, or only resources carrying those tags, across all accounts.

ℹ️

Sub account Auto-Discovery feature

  • This feature addresses the challenge of managing environments with a large number of AWS accounts, where manually listing each account under sub_accounts becomes inefficient.
  • By using the configuration below, the integration automatically discovers all accounts in the AWS Organization and fetches resources from each account using the specified role. The account segment of the ARN is substituted with each discovered account ID, so a role with exactly that name (with the trust relationship and policies from the sub-account section) must exist in every account; sts:AssumeRole fails for accounts that lack it:
"sub_accounts": [  
  {  
    "account_id": "*",  
    "access_role_arn": "arn:aws:iam::*:role/entitle-access-role"  
  }  
]
A complete configuration looks like this (the wildcard entry above can replace the explicit sub_accounts entry):
{
   "root_account":{
      "account_id":"<ROOT_ACCOUNT_ID>",
      "access_role_arn":"<YOUR_ACCESSROLE_ARN>",
      "external_id":"<YOUR_EXTERNAL_ID>",
      "region":"<REGION>"
   },
   "sub_accounts":[
      {
         "account_id":"<SUB_ACCOUNT_ID>",
         "access_role_arn":"<SUB_ACCOUNT_ROLE_ARN>",
         "region":"<REGION>",
         "tags":[
            {
               "key":"ENVIRONMENT",
               "value":"TEST"
            }
         ]
      }
   ],
   "options":{
      "sso_instance_arn":"<YOUR_SSO_INSTANCE_ARN>",
      "resource_types":[
         
      ],
      "tags":[
         
      ]
   }
}
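To make the auto-discovery entry concrete, the Python below, an added example rather than Entitle's implementation, expands a configuration containing the wildcard against a constructed organization account list and checks the configuration for the mistakes that otherwise surface only when a sync runs (role ARN in the wrong account, missing sso_instance_arn, discovered accounts without the role). How the wildcard is resolved here (active accounts other than the root account; an explicit entry for an account replaces what the wildcard produced for it) is an assumption of the example, as are the account IDs and role names.

```python
"""Added example (not Entitle's code): expand the auto-discovery wildcard and validate the config."""
import json

# Constructed: the accounts organizations:ListAccounts would return for this organization.
ORG_ACCOUNTS = [
    {"Id": "111111111111", "Name": "root", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "test", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "legacy", "Status": "SUSPENDED"},
]

# Constructed configuration: wildcard discovery plus one explicit override for the test account.
INTEGRATION_CONFIG = json.loads("""
{
  "root_account": {
    "account_id": "111111111111",
    "access_role_arn": "arn:aws:iam::111111111111:role/entitle-root-role",
    "external_id": "c4d6c9e7-example-external-id",
    "region": "us-east-1"
  },
  "sub_accounts": [
    {"account_id": "*", "access_role_arn": "arn:aws:iam::*:role/entitle-access-role"},
    {"account_id": "333333333333",
     "access_role_arn": "arn:aws:iam::333333333333:role/entitle-access-role",
     "region": "eu-west-1",
     "tags": [{"key": "ENVIRONMENT", "value": "TEST"}]}
  ],
  "options": {"sso_instance_arn": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
              "resource_types": [], "tags": []}
}
""")


def _arn_account(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def expand_sub_accounts(config, org_accounts):
    """Map account ID -> effective sub_accounts entry.
    Assumptions of this example: a wildcard entry applies to every ACTIVE account other than the
    root account, substituting the account ID into the ARN; an explicit entry for an account
    replaces whatever the wildcard produced for it."""
    root_id = config["root_account"]["account_id"]
    effective = {}
    for entry in config["sub_accounts"]:
        if entry["account_id"] != "*":
            continue
        for acct in org_accounts:
            if acct["Status"] != "ACTIVE" or acct["Id"] == root_id:
                continue
            concrete = dict(entry)
            concrete["account_id"] = acct["Id"]
            concrete["access_role_arn"] = entry["access_role_arn"].replace(":*:", f":{acct['Id']}:", 1)
            effective[acct["Id"]] = concrete
    for entry in config["sub_accounts"]:
        if entry["account_id"] != "*":
            effective[entry["account_id"]] = dict(entry)
    return effective


def accounts_missing_role(effective, accounts_with_role):
    """Accounts the expansion expects a role in where none exists (AssumeRole fails there)."""
    return sorted(a for a in effective if a not in accounts_with_role)


def validate_config(config):
    """Findings for configuration errors that would otherwise surface only when the sync runs."""
    findings = []
    root = config.get("root_account", {})
    for key in ("account_id", "access_role_arn", "external_id", "region"):
        if not root.get(key):
            findings.append(f"root_account.{key} is missing")
    if root.get("account_id") and root.get("access_role_arn") \
            and _arn_account(root["access_role_arn"]) != root["account_id"]:
        findings.append("root_account.access_role_arn is not in root_account.account_id")
    if not config.get("options", {}).get("sso_instance_arn"):
        findings.append("options.sso_instance_arn is missing")
    for entry in config.get("sub_accounts", []):
        if entry.get("account_id") != _arn_account(entry.get("access_role_arn", "::::")):
            findings.append(f"sub_account {entry.get('account_id')}: access_role_arn is for another account")
    return findings


if __name__ == "__main__":
    effective = expand_sub_accounts(INTEGRATION_CONFIG, ORG_ACCOUNTS)
    print(json.dumps(effective, indent=2))
    print("findings:", validate_config(INTEGRATION_CONFIG))
    # Constructed: accounts where the role was actually deployed.
    print("accounts without the role:", accounts_missing_role(effective, {"222222222222"}))
```

In practice, build the accounts_with_role set from an inventory of where the sub-account role has been deployed (for example the stack instances of the CloudFormation StackSet that creates it) and compare it with the expansion before saving the integration; every account in the difference is one whose resources will silently be missing from Entitle.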

  6. Click Save.