Amazon Web Services
This page describes how to enable the AWS integration with Zilla. It follows the AWS tutorial Delegate access across AWS accounts using IAM roles: you create an IAM role in your own AWS account that Zilla's AWS account is allowed to assume, so Zilla gets read-only access to the account without you sharing any access keys.
Bring in IAM Users and Groups into Zilla
To bring the IAM users and groups of an AWS account into Zilla, you create a cross-account IAM role in that account, attach a read-only IAM policy to it, and trust Zilla's AWS account to assume it.
Create an IAM Role for IAM Users and Groups
Below are the steps to create Zilla-IAM-Reader-Role manually in the AWS IAM console. Alternatively, you can create the role with AWS CloudFormation by following the steps at https://zilla.atlassian.net/wiki/spaces/ZILLASUP/pages/2348187741.
Steps to create an IAM Role Zilla-IAM-Reader-Role
Login to the AWS Account via the AWS Management Console.
Navigate to the IAM dashboard.
Click Roles in the left-hand menu, then click Create role to create a new IAM role.
Under AWS account select Another AWS account and enter the 12-digit Zilla account ID for your region (listed below). Under Options tick Require external ID and enter your tenant's domain name as the External ID. The external ID is what stops a third party who learns your role ARN from getting Zilla to assume the role on their behalf (the confused deputy problem), so do not skip it. Click Next.
US region Account ID: 087210011007
EU region Account ID: 319105906071
Australia/New Zealand region Account ID: 868976368166
On the Add permissions page, search for the AWS managed policy SecurityAudit, tick its checkbox and click Next.
On the Name, review, and create page, set the role name to Zilla-IAM-Reader-Role and optionally add a description. Check that the trusted entity is the region-specific Zilla account ID, that the ExternalId condition is your domain name, and that the permissions section contains SecurityAudit. Click Create role.
Once the role is created, search for it on the Roles tab and click on it to check its details.
On the role details page, open the Trust relationships tab and verify again that Trusted entities shows the region-specific Zilla account ID and that the sts:ExternalId condition is your domain name.
Notes:
Copy the Role ARN, for example arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role, and keep it handy for later.
IAM users and groups exist per AWS account, so you need to create the above role and policy in each of your AWS accounts.
Currently, creating the IAM role and policy to bring in IAM users and groups is mandatory in Zilla.
Bring SSO Users, Groups and Permission Sets into Zilla
To bring SSO users, groups and permission sets into an AWS app instance in Zilla, that AWS app instance must have an AWS Organizations app instance as its parent application.
Follow the steps in AWS Organization Sync for this AWS app instance's parent application.
Notes:
The “Discover Child Apps” setting must be set to “Yes” in the AWS Organizations app that is the parent of this AWS app.
The “Sync AWS SSO accounts in Child AWS Apps” setting must also be set to “Yes” in the parent AWS Organizations app.
The AWS Organizations app adds SSO configurations to its child AWS apps. These SSO configurations are hidden in the child AWS apps.
Do not edit the configurations of discovered AWS child apps manually: editing them manually removes the hidden SSO configurations.
To restore the hidden SSO configurations to a child AWS app, sync the parent AWS Organizations app.
Refer to AWS - Hidden SSO configurations for more details.
Notes:
To sync all S3 bucket data, Zilla requires the following S3 actions (written with the s3: prefix in the policy document) to be allowed in the Zilla IAM Reader Role:
ListAllMyBuckets
GetBucketLocation
GetBucketPolicy
GetBucketAcl
GetBucketPublicAccessBlock
GetBucketOwnershipControls
GetBucketPolicyStatus
GetEncryptionConfiguration
ListAccessPoints
GetAccessPoint
GetAccessPointPolicy
GetAccessPointPolicyStatus
To sync AWS SCP policies, Zilla requires the following AWS Organizations actions (written with the organizations: prefix in the policy document) to be allowed in the Zilla SSO Reader Role:
ListPoliciesForTarget
DescribePolicy
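The policy documents behind the role steps above and the permission lists in these notes, as an added example that is not Zilla's own code or documentation: the Python below builds the trust policy the console creates for Zilla-IAM-Reader-Role (Zilla's region-specific account as the only principal, your tenant domain as sts:ExternalId), builds the supplementary read-only policies from the S3 and SCP action lists, and checks an existing trust policy (the AssumeRolePolicyDocument that `aws iam get-role --role-name Zilla-IAM-Reader-Role` returns) for the two things the page tells you to verify: the trusted account and the external ID. The region keys, the tenant domain example.com and the sample "loose" policy are assumptions constructed for the example.

```python
import json
import re

# Region-specific Zilla account IDs as listed on this page.
ZILLA_ACCOUNT_IDS = {
    "us": "087210011007",
    "eu": "319105906071",
    "anz": "868976368166",  # Australia/New Zealand
}

# S3 read actions listed on this page for syncing bucket data. IAM policy
# documents need the "s3:" service prefix on each action name.
S3_SYNC_ACTIONS = [
    "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketPolicy",
    "s3:GetBucketAcl", "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketOwnershipControls", "s3:GetBucketPolicyStatus",
    "s3:GetEncryptionConfiguration", "s3:ListAccessPoints", "s3:GetAccessPoint",
    "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyStatus",
]

# AWS Organizations actions listed on this page for syncing SCPs (SSO reader role).
SCP_SYNC_ACTIONS = ["organizations:ListPoliciesForTarget", "organizations:DescribePolicy"]


def trust_policy(region: str, external_id: str) -> dict:
    """Trust policy for Zilla-IAM-Reader-Role: only Zilla's region-specific
    account may assume the role, and only when it presents your tenant domain
    as sts:ExternalId (what the console's 'Require external ID' option adds)."""
    account = ZILLA_ACCOUNT_IDS[region]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def read_only_policy(actions: list) -> dict:
    """Inline permissions policy granting exactly the listed read actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def _as_list(value):
    """IAM allows a single string or dict where a list is also accepted."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def trust_policy_problems(doc: dict, region: str, external_id: str) -> list:
    """Check an existing trust policy (the AssumeRolePolicyDocument returned by
    `aws iam get-role`) against what this page requires. Returns a list of
    findings; an empty list means every statement that allows role assumption
    trusts only the expected Zilla account and requires the expected external ID."""
    expected = f"arn:aws:iam::{ZILLA_ACCOUNT_IDS[region]}:root"
    problems = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue  # not a role-assumption statement
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            # Collect every principal, whatever key it sits under (AWS, Service, Federated).
            principals = [p for key in principal for p in _as_list(principal[key])]
        else:
            principals = _as_list(principal)
        # A bare 12-digit account ID means the same as that account's root ARN.
        principals = [f"arn:aws:iam::{p}:root" if re.fullmatch(r"\d{12}", p) else p
                      for p in principals]
        if "*" in principals:
            problems.append(f"statement {i}: any AWS principal may assume the role")
        for p in principals:
            if p not in (expected, "*"):
                problems.append(f"statement {i}: unexpected principal {p}")
        ext = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if ext != [external_id]:
            problems.append(f"statement {i}: sts:ExternalId is {ext!r}, expected {[external_id]!r}")
    return problems


if __name__ == "__main__":
    # Constructed example: tenant domain example.com (hypothetical) in the US region.
    print(json.dumps(trust_policy("us", "example.com"), indent=2))
    print(json.dumps(read_only_policy(S3_SYNC_ACTIONS), indent=2))
    # Constructed trust policy that trusts the right account but forgot the external ID.
    loose = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Principal": {"AWS": "087210011007"}, "Action": "sts:AssumeRole"}]}
    print(trust_policy_problems(loose, "us", "example.com"))
```

Feed the JSON from get-role to trust_policy_problems together with your region and domain; any non-empty result means the role either trusts a principal other than Zilla's account or does not require the external ID, and the role should be fixed before you enter its ARN in Zilla. As the notes state, the S3 actions belong on the IAM reader role (alongside SecurityAudit) and the Organizations actions on the SSO reader role, so they are built as two separate policy documents.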
Set up AWS Application Integration on Zilla
Login to Zilla using your admin credentials. Once you are signed in, you land on the Applications page.
Click Add Application. You will see the library of all applications supported by Zilla. Type “Amazon Web Services” into the search bar to filter the results.
Click Add to Applications next to the Amazon Web Services entry. A dialog box appears. All fields are optional except Display name, which is pre-filled and can be updated. Click Add to Applications. The application detail page appears.
Click Sync now in the top right corner. A dialog box appears. Click the slider under API Integration to enable it.
Enter the Role ARN of the role created above, for example arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role. If you want to sync AWS SCP policies, set that field to Yes (by default it is set to No). Click Next/Sync Now, then click Next again.
Your sync begins. Once it completes, a completion message is shown; click Done. A sync summary is then shown; review it and click Close.
Navigate to the Accounts tab to view the IAM users from your AWS account.
Next, click the Permissions tab to browse the permissions assigned to each user.
Click the Resources tab to browse the AWS resources (S3 Buckets and S3 Access points).
Click the Profile tab to browse the AWS account Security Settings.
When you have finished with all the steps above, review the information in Zilla that was synced.
Having trouble? Go to our Help Center at https://zilla.atlassian.net/wiki/spaces/ZILLASUP/pages/2293203017, click Submit a request in the upper right corner of the page and submit a ticket. Our support team will assist you in resolving the problem as quickly as possible.