Versions Compared


This page outlines the steps to enable the AWS integration with Zilla. It follows the AWS tutorial Delegate access across AWS accounts using IAM roles as a guide, so that you can delegate access to your AWS account to Zilla’s AWS account using AWS IAM Roles.

Bring in IAM Users and Groups into Zilla

To bring in IAM Users and Groups of an AWS Account, you need to create an IAM Role and attach an IAM Policy to it.

Create an IAM Policy for IAM Users and Groups

Steps to create an IAM Policy

  1. Log in to the AWS Account via the AWS Management Console.

    Enter your 12-digit account number, click Next, and then enter your username and password to log in.

  2. Once you are logged in, you will land on the home page with a search bar at the top.

  3. In the search bar, search for IAM and click the search result called IAM.

  4. You will be redirected to the IAM dashboard.

  5. Before creating a role, we will first create a policy that will be assigned to the role. Click Policies in the left hand side menu.

  6. Click Create policy and then click the JSON tab.

  7. IAM Policy Creation: Enter the following JSON snippet and click Next: Tags. Replace <YOUR_AWS_ACCOUNT_ID> with your 12 digit AWS Account ID. The following policy allows Zilla to read the IAM Users and Groups information from your AWS account.

    Code Block (json)
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "iam:GetGroup",
                "Resource": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "iam:GetAccountAuthorizationDetails",
                "Resource": "*"
            }
        ]
    }

  8. Optionally add tags and click Next: Review.

  9. Review Policy: On the review page, enter the Name (Zilla-IAM-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy.

  10. You will see a success message that the policy has been created.

  11. To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.

  12. Click on the policy Zilla-IAM-Reader-Policy to double check the assigned permissions. Click the {} JSON tab to double check that the policy JSON matches the snippet above, with your account ID in place of the placeholder.

Now that you have created the policy, the next step is to create a cross account Role.

Create an IAM Role for IAM Users and Groups

Steps to create an IAM Role

  1. Click Roles in the left hand side menu, then click the Create role button to create a new IAM Role.

  2. Under Select type of trusted entity, select Another AWS account and enter the 12 digit Account ID of Zilla (087210011007). Click Next: Permissions.

  3. On the permissions page, search for the policy created above, Zilla-IAM-Reader-Policy, and select its checkbox. Click Next: Tags.

  4. Optionally add tags and click Next: Review.

  5. On the review page, add the name of the role, Zilla-IAM-Reader-Role, and optionally add a description. Check that the trusted entity account ID matches Zilla’s account ID (087210011007) and that the Policies section contains Zilla-IAM-Reader-Policy. Click Create role.

  6. Once the role is created, you can search for it on the Roles tab and click on the role to check its details.

  7. On the role details page, double check the policy under Permissions, and that Trusted entities under Trust relationships lists only the Zilla Account ID (087210011007).

Notes:

  1. Copy the Role ARN. For example: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role and keep it handy for later.

  2. Typically IAM Users and Groups are created against each AWS Account, so you will need to create the above role and policy for each of your AWS Accounts.

  3. Currently, the IAM Role and Policy creation to bring in IAM Users and Groups is mandatory in Zilla.

Bring SSO Users, Groups and Permission Sets into Zilla

Create an IAM Policy for SSO Users, Groups and Permission Set

Steps to create an IAM Policy

  1. Click Policies in the left hand side menu of the IAM Dashboard.

  2. Click Create policy and click the JSON tab.

  3. IAM Policy Creation: Enter the following JSON snippet and click Next: Tags. Replace <YOUR_AWS_ACCOUNT_ID> with your 12 digit AWS Account ID. The following policy allows Zilla to read the SSO Users, Groups and Permission Sets information from your AWS account.

    Code Block (json)
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sso:ListAccountAssignments",
                    "sso:ListPermissionSetsProvisionedToAccount",
                    "sso:DescribePermissionSet",
                    "iam:GetGroup"
                ],
                "Resource": [
                    "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*",
                    "arn:aws:sso:::instance/*",
                    "arn:aws:sso:::permissionSet/*/*",
                    "arn:aws:sso:::account/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "identitystore:DescribeUser",
                    "identitystore:DescribeGroup",
                    "iam:GetAccountAuthorizationDetails"
                ],
                "Resource": "*"
            }
        ]
    }

  4. Optionally add tags and click Next: Review.

  5. Review Policy: On the review page, enter the Name (Zilla-IAMSSO-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy.

  6. You will see a success message that the policy has been created.

  7. To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.

  8. Click on the policy Zilla-IAMSSO-Reader-Policy to double check the assigned permissions. Click the {} JSON tab to double check the policy JSON.

Now that you have created the policy, the next step is to create a cross account Role.

Create an IAM Role for SSO Users, Groups and Permission Set

Steps to create an IAM Role

  1. Click Roles in the left hand side menu to begin.

  2. Click the Create role button to create a new IAM Role. Under Select type of trusted entity, select Another AWS account and enter the 12 digit Account ID of Zilla (087210011007). Click Next: Permissions.

  3. On the permissions page, search for the policy we created, Zilla-IAMSSO-Reader-Policy, and select its checkbox. Then click Next: Tags.

  4. Optionally add tags and click Next: Review.

  5. On the review page, add the name of the role, Zilla-IAMSSO-Reader-Role, and optionally add a description. Check that the trusted entity account ID matches Zilla’s account ID (087210011007) and that the Policies section contains Zilla-IAMSSO-Reader-Policy, then click Create role.

  6. Once the role is created, you can search for it on the Roles tab and click on the role to check its details.

  7. On the role details page, double check the policy under Permissions, and that Trusted entities under Trust relationships lists only the Zilla Account ID (087210011007). Once everything looks good, copy the Role ARN (see the notes below).

Notes:

  1. Copy the Role ARN. For example: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role, and keep it handy for later.

  2. Typically organizations have one MASTER AWS ACCOUNT under which they set up multiple Users, Groups, Permission Sets and AWS Accounts, so it is likely you will need to create the SSO Role and Policy only once, against your MASTER AWS ACCOUNT.

  3. Currently, the IAM Role and Policy creation to bring in SSO Users, Groups and Permission Sets is optional in Zilla.
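Before attaching either policy, it is worth checking the documents offline for the mistakes a reviewer looks for: a placeholder left unreplaced, a write or wildcard action slipping in, or a trust relationship that admits more than Zilla's account. The script below is an added example, not Zilla's or AWS's own tooling. It embeds the two permission policies from the IAM and SSO sections above, plus the trust policy the IAM console generates when you pick Another AWS account and enter Zilla's ID (an assumption about the console's default output; whether Zilla supplies an external ID is not stated on this page). The sample account ID 123456789012 and the function names are constructed for the example.

```python
import json
import re

ZILLA_ACCOUNT_ID = "087210011007"      # Zilla's account ID, as stated on this page
PLACEHOLDER = "<YOUR_AWS_ACCOUNT_ID>"
READ_ONLY_VERBS = ("Get", "List", "Describe")

# Permission policy for IAM Users and Groups (as given on this page).
IAM_READER_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "iam:GetGroup",
     "Resource": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*"},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "iam:GetAccountAuthorizationDetails", "Resource": "*"}
  ]
}"""

# Permission policy for SSO Users, Groups and Permission Sets (as given on this page).
SSO_READER_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["sso:ListAccountAssignments", "sso:ListPermissionSetsProvisionedToAccount",
                "sso:DescribePermissionSet", "iam:GetGroup"],
     "Resource": ["arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*", "arn:aws:sso:::instance/*",
                  "arn:aws:sso:::permissionSet/*/*", "arn:aws:sso:::account/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["identitystore:DescribeUser", "identitystore:DescribeGroup",
                "iam:GetAccountAuthorizationDetails"],
     "Resource": "*"}
  ]
}"""

# Trust policy the console generates for "Another AWS account" = Zilla's ID.
# Assumption: console default, no external ID; any principal in that account may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ZILLA_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}


def render_policy(template, account_id):
    """Substitute the placeholder with a validated 12-digit account ID and parse the JSON."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return json.loads(template.replace(PLACEHOLDER, account_id))


def _as_list(value):
    # IAM accepts either a string or a list for Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]


def review_permission_policy(policy):
    """Return findings for wildcard or non-read-only actions and leftover placeholders."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "?")
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            verb = action.partition(":")[2]
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{sid}: {action} is not a read-only action")
        for resource in _as_list(stmt["Resource"]):
            if "<" in resource:
                findings.append(f"{sid}: placeholder left in {resource}")
    return findings


def review_trust_policy(policy, expected_account):
    """Return findings unless only the expected account may assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):   # "*" or missing: anyone may assume
            findings.append("statement trusts any principal")
            continue
        for kind in principal:
            if kind != "AWS":                 # e.g. Service or Federated principals
                findings.append(f"unexpected principal type {kind}")
        for arn in _as_list(principal.get("AWS", [])):
            match = re.fullmatch(r"arn:aws:iam::(\d{12}):root", arn)
            if match is None or match.group(1) != expected_account:
                findings.append(f"unexpected trusted principal {arn}")
        for action in _as_list(stmt["Action"]):
            if action != "sts:AssumeRole":
                findings.append(f"trust policy grants {action}, expected only sts:AssumeRole")
    return findings


if __name__ == "__main__":
    for name, template in (("IAM", IAM_READER_TEMPLATE), ("SSO", SSO_READER_TEMPLATE)):
        policy = render_policy(template, "123456789012")   # constructed sample account ID
        print(name, "permission findings:", review_permission_policy(policy))
    print("trust findings:", review_trust_policy(TRUST_POLICY, ZILLA_ACCOUNT_ID))
```

Both page policies and the default trust policy come back with no findings; the read-only check is deliberately a verb-prefix heuristic (Get/List/Describe), which is enough to catch a stray Create, Put or Delete action but is not a substitute for reading the action list yourself.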

 

Things to keep handy

  1. For IAM Users and Groups: Copy the Role ARN created above, e.g. arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role.

  2. For SSO Users and Groups, you need to keep the following things handy:

    1. The SSO Role ARN of your Master AWS Account created above, e.g. arn:aws:iam::<YOUR_AWS_SSO_MASTER_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role. You will need this later when you add the AWS application on Zilla.

    2. ARN of the SSO Instance

    3. Identity Store Id of the Identity Provider of the SSO Instance

    4. 12 digit Account ID of the AWS Account for which you want to bring in SSO Users and Groups

    5. AWS Region in which AWS SSO is set up

    6. AWS SCIM Endpoint

    7. AWS SCIM Access Token

  3. Here are the instructions to get the above details:

    1. In the search bar at the top, search for AWS SSO and click the search result called AWS Single Sign-On.

    2. You will land on the AWS SSO dashboard.

    3. Click the Settings option on the left menu.

    4. Copy the ARN of the SSO Instance and keep it handy. It will look something like this: arn:aws:sso:::instance/ssoins-<SOME_ALPHANUMERIC_ID>.

    5. Also, copy the Identity store ID. It will look something like this: d-<SOME_NUMBERS>.

    6. Next, click the AWS accounts option in the left menu.

    7. Copy the 12 digit Account Id of the AWS Account whose Permission set assignments you want to get.

    8. Copy the region in which the AWS SSO Organization has been created. For example: us-east-1.

    9. Go back to Settings to get the Automatic Provisioning (SCIM) details.

      You can only get the SCIM details if Automatic Provisioning is enabled. You can choose to keep Automatic Provisioning disabled or enable it at this point. If Automatic Provisioning is disabled, Zilla won’t be able to track the Active Status of a user.

    10. To enable Automatic Provisioning, click Enable automatic provisioning. Copy the SCIM Endpoint and keep it handy.

    11. Click Show token and copy the token. Note that this token is available to be copied only once, so store it securely.

Set up AWS Application Integration on Zilla

  1. Log in to Zilla at http://app.zillasecurity.com/ with your Zilla account, or sign up if you are a first time user.

  2. Once you are signed in, you will land on the Applications page.

  3. Click Add Application. You will see a library of all applications supported by Zilla.

  4. Type “aws” into the search bar to filter the results.

  5. Click Add to Applications next to the Amazon Web Services entry. A dialog box appears; all the fields are optional. Click Add to Applications.

  6. You will be redirected back to the Applications page, and you will see the Amazon Web Services entry included in the list.

  7. Next, click on the application to configure its integration.

  8. Click the Sync Now link in the top right corner. You will see a dialog box appear.

  9. Click the toggle button under API Integration to enable the API Integration.

  10. Enter the Role ARN you copied for Zilla-IAM-Reader-Role (see Things to keep handy above) in the text box and save. This is required for Zilla to recognize the AWS Account from which to bring in the users. Optionally, for SSO, enter the SSO Role ARN, SSO Instance ARN and Identity Store Id from the Things to keep handy section above (the Account Id is the same as <YOUR_AWS_ACCOUNT_ID>) and click Next.

  11. Click Next again.

  12. Your sync will begin. Once it completes, you will see a completion message.

  13. Click Done. You will then see a message confirming that the sync completed successfully.

  14. You can close the message dialog and navigate to the Accounts tab to see the IAM Users from your AWS account.

  15. Next, click the Permissions tab to browse the permissions assigned to each user.
