Versions Compared

Version Old Version 5 New Version Current
Changes made by

Nathaniel Lichauco (Unlicensed)

Maeve O'Malley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page outlines the steps to enable AWS Integration with Zilla. We will be using the Delegate access across AWS accounts using IAM roles tutorial as a guide to allow you to delegate access of your AWS account to Zilla’s AWS account using AWS IAM Roles.

Create an IAM Role

Steps to create an IAM Role

...

Login to the AWS Account via the AWS Management Console

...

Enter your 12-digit account number. Click Next and then enter your username and password to login

...

Once you are logged in, you will land on the home page with a search bar on top

...

...

On the search bar on top, search for IAM and click on the search result called IAM as shown below

...

...

You will be redirected to the IAM dashboard

...

...

Before creating a role, we will first create a policy that will be assigned to the role. For that click on Policies on the left hand side menu.

...

...

Click on Create policy and click on the JSON tab

...

If you want to get just IAM users, enter the following json snippet and click on next. Replace <YOUR_AWS_ACCOUNT_ID> with your 12 digit AWS Account ID.

Code Block
languagejson
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:GetGroup",
            "Resource": "arn:aws:iam::<YOUR_AWS_ACCOUNt_ID>:group/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:GetAccountAuthorizationDetails",
            "Resource": "*"
        }
    ]
}

Image Removed

...

For both SSO and IAM Users, enter the following and click on next. Replace <YOUR_AWS_ACCOUNT_ID> with your 12 digit AWS Account ID.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sso:ListAccountAssignments",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:DescribePermissionSet",
                "iam:GetGroup"
            ],
            "Resource": [
                "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*",
                "arn:aws:sso:::instance/*",
                "arn:aws:sso:::permissionSet/*/*",
                "arn:aws:sso:::account/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "identitystore:DescribeUser",
                "identitystore:DescribeGroup",
                "iam:GetAccountAuthorizationDetails"
            ],
            "Resource": "*"
        }
    ]
}

...

Optionally add tags and click next.

...

...

On the review page, enter the name (Zilla-IAM-Reader-Policy) and optionally a description for the policy. Review the permission assigned to the policy and then click on Create policy

...

...

You will a success message like this

...

...

To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.

...

...

Click on the policy Zilla-IAM-Reader-Policy to double check the assigned permissions

...

Click on the JSON tab to double check the policy json. (Account ID redacted from screenshot)

...

...

Now that you have created the desired policy, the next step is to create a cross account Role. Click on Roles from the left hand side menu to begin.

...

...

Click on Create Role button to create a new IAM Role. 1st step is to Select type of trusted entity Select Another AWS Account and enter the 12 digit Account ID of Zilla (087210011007) and then click on next.

...

...

On the permissions page, search for the policy we created Zilla-IAM-Reader-Policy and the select the checkbox. Then click next.

...

...

Optionally add tags. Click next.

...

...

On the review page, add the name of the role Zilla-IAM-Reader-Role and optionally add a description. Review the trusted entity account id matches Zilla’s account Id (087210011007) and that the policies has Zilla-IAM-Reader-Policy then click on Create role

...

Once the role is created, you can search for it on the roles tab and click on the role to check its details

...

On the role details page, double check the policy under permissions and trusted entity has Zilla Account ID (087210011007) under trusted relationships.

...

Image Removed

...

Table of Contents
minLevel1
maxLevel7
printablefalse

Bring in IAM Users and Groups into Zilla

To bring in IAM Users and Groups of an AWS Account, you need to create an IAM Role and attach an IAM Policy to it.

The next step is to create a cross account Role.

Create an IAM Role for IAM Users and Groups

Include Page
AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources
AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources

Bring SSO Users, Groups and Permission Sets into Zilla

To Bring the SSO users, Groups and Permission sets into an AWS app instance in Zilla, this AWS app instance must have AWS Organization app instance as Parent Application.

...

Follow the steps here for AWS Organization Sync for this AWS app instance’s Parent Application.

Info

Notes:

  1. “Discover Child Apps” configuration should be set to “Yes” in the AWS Organizations App which is parent of this AWS app.

  2. “Sync AWS SSO accounts in Child AWS Apps” configuration should also be set to “Yes” in the AWS Organizations parent App.

  3. The AWS Organizations App adds SSO configurations to its child AWS apps. These SSO configurations are hidden in the child AWS apps.

  4. The configurations of the discovered AWS child Apps should not be edited manually. If the configurations are edited manually, it removes the hidden SSO configurations.

  5. To restore the hidden SSO configurations to this child AWS app, sync the Parent AWS Organizations App.

Refer AWS - Hidden SSO configurations for more details.

Info

 Notes:
To sync all S3 buckets data, Zilla requires the following permissions to be allowed in the Zilla IAM Reader role:

  • ListAllMyBuckets

  • GetBucketLocation

  • GetBucketPolicy

  • GetBucketAcl

  • GetBucketPublicAccessBlock

  • GetBucketOwnershipControls

  • GetBucketPolicyStatus

  • GetEncryptionConfiguration

  • ListAccessPoints

  • GetAccessPoint

  • GetAccessPointPolicy

  • GetAccessPointPolicyStatus

Set up AWS Application Integration on Zilla

...

  1. Login to Zilla at http://app.zillasecurity.com/

...

  1. .

    Image Modified

     

  2. Once you are signed in, you will land on the

...

  1. Applications page.

    Image Modified

     

  2. Click

...

  1. Add Application. You will see a library of all applications listed

...

  1. which are supported by Zilla.

    Image Modified

...

  1.  

  2. Type “aws” into the search bar

...

  1. to filter the results.

    Image Modified

     

  2. Click on Add

...

  1. to Applications next to the Amazon Web Services entry. You will see a dialog box appear.

...

  1. All the fields are optional. Click

...

  1. Add to Applications.

    Image Added

  2. You will be redirected back to the Applications page and you will see the Amazon Web Services entry included in

...

  1. the list.

    Image Modified

  1.  

  2. Click the application instance to configure its integration.

...

  1. Image Added

  2. Click

...

  1. Sync now in the top right corner. You will see a dialog box appear.

...

  1. Image Added

  2. Click

...

  1. the slider under API Integration to enable

...

  1. .

...

  1. Image Added

...

  1. Enter the Role ARN. For example: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role

...

Optionally, for SSO, you can find the Identity Store Id and SSO Instance ARN under the AWS SSO Service. Account Id is the same as <YOUR_AWS_ACCOUNT_ID>

...

  1. created above. and click Next.

    Image Added

  2. Click Next again.

    Image Modified

     

  3. Your sync will

...

  1. begin. Once it completes, you will see the below message.

    Image Modified

     

  2. Click Done . You will then see a message like this if the sync completed successfully.

...

  1. Image Added

  2. You can close the message dialog and navigate to the Accounts tab to the IAM Users from your AWS account.

    Image Modified

     

  3. Next, click

...

  1. the

...

  1. Permissions tab to browse the

...

  1. permissions assigned to each user.

    Image Modified

  2. Click the Resources tab to browse the AWS resources (S3 Buckets and S3 Access points).

    Image Added

  3. Click the Profile tab to browse the AWS account Security Settings.

...

Include Page
Integrations Footer
Integrations Footer

...