
This page outlines the steps to enable the AWS integration with Zilla. It follows the AWS tutorial Delegate access across AWS accounts using IAM roles as a guide: you delegate read access to your AWS account to Zilla's AWS account by creating an IAM role that Zilla's account is allowed to assume.

Create an IAM Role

Steps to create an IAM Role

  1. Log in to the AWS account via the AWS Management Console

    Enter your 12-digit account number, click Next, and then enter your username and password to log in.

  2. Once you are logged in, you will land on the home page with a search bar on top

  3. In the search bar on top, search for IAM and click on the search result called IAM

  4. You will be redirected to the IAM dashboard

  5. Before creating a role, first create the policy that will be attached to the role. To do that, click Policies in the left-hand menu.

  6. Click on Create policy and click on the JSON tab

  7. If you only need to import IAM users (no SSO), enter the following JSON snippet and click Next. Replace <YOUR_AWS_ACCOUNT_ID> with your 12-digit AWS account ID.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "iam:GetGroup",
                "Resource": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "iam:GetAccountAuthorizationDetails",
                "Resource": "*"
            }
        ]
    }

  8. To import both SSO and IAM users, enter the following instead and click Next. Replace <YOUR_AWS_ACCOUNT_ID> with your 12-digit AWS account ID.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sso:ListAccountAssignments",
                    "sso:ListPermissionSetsProvisionedToAccount",
                    "sso:DescribePermissionSet",
                    "iam:GetGroup"
                ],
                "Resource": [
                    "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*",
                    "arn:aws:sso:::instance/*",
                    "arn:aws:sso:::permissionSet/*/*",
                    "arn:aws:sso:::account/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "identitystore:DescribeUser",
                    "identitystore:DescribeGroup",
                    "iam:GetAccountAuthorizationDetails"
                ],
                "Resource": "*"
            }
        ]
    }

  9. Optionally add tags and click Next.

  10. On the review page, enter the name (Zilla-IAM-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy.

  11. You will see a success message confirming that the policy was created.

  12. To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.

  13. Click on the policy Zilla-IAM-Reader-Policy to double-check the assigned permissions.

    Click on the JSON tab to double-check the policy JSON.

  14. Now that you have created the desired policy, the next step is to create a cross-account role. Click Roles in the left-hand menu to begin.

  15. Click the Create role button to create a new IAM role. The first step is Select type of trusted entity: choose Another AWS account, enter Zilla's 12-digit account ID (087210011007), and then click Next.

  16. On the permissions page, search for the policy you created, Zilla-IAM-Reader-Policy, and select its checkbox. Then click Next.

  17. Optionally add tags. Click next.

  18. On the review page, enter the role name Zilla-IAM-Reader-Role and optionally a description. Verify that the trusted entity account ID matches Zilla's account ID (087210011007) and that the attached policy is Zilla-IAM-Reader-Policy, then click Create role.

  19. Once the role is created, you can search for it on the Roles tab and click on it to check its details.

  20. On the role details page, double-check that the policy under Permissions is Zilla-IAM-Reader-Policy and that Trust relationships lists Zilla's account ID (087210011007) as the trusted entity.

  21. Once everything looks good, copy the Role ARN, for example arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-IAM-Reader-Role. You will need it later when you add the AWS application on Zilla.
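The policy and role from the steps above, checked offline before the Role ARN is handed over. This is an added example, not code from Zilla or from the AWS tutorial. It fills in <YOUR_AWS_ACCOUNT_ID>, builds the trust policy the console generates when you choose Another AWS account (sts:AssumeRole as the only action), and checks that the permission policy is read-only and that the trust policy names only the expected external account. The function names (render_policy, build_trust_policy, non_read_only_actions, trusted_accounts, check_role, role_arn) and the sample account ID 123456789012 are constructed for this example; the policy text and Zilla's account ID 087210011007 come from the page.

```python
# Added example: offline checks for the Zilla reader policy and cross-account role.
import json
import re

ZILLA_ACCOUNT_ID = "087210011007"   # Zilla's account ID, from the page
ROLE_NAME = "Zilla-IAM-Reader-Role"
PLACEHOLDER = "<YOUR_AWS_ACCOUNT_ID>"

# Step 7 policy from the page (IAM users only), placeholder left intact.
# The same checks apply unchanged to the SSO + IAM variant from step 8.
READER_POLICY_TEMPLATE = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:GetGroup",
            "Resource": "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:group/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:GetAccountAuthorizationDetails",
            "Resource": "*"
        }
    ]
}"""

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return [value] if isinstance(value, str) else list(value)


def render_policy(template, account_id):
    """Substitute the account ID; refuse malformed IDs or a leftover placeholder."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    rendered = template.replace(PLACEHOLDER, account_id)
    if "<" in rendered:  # any unreplaced <...> token would make the ARN invalid
        raise ValueError("a placeholder was left in the policy")
    return json.loads(rendered)


def build_trust_policy(trusted_account_id):
    """Trust policy the console writes for 'Another AWS account': AssumeRole only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def non_read_only_actions(policy):
    """Allowed actions that are not Get*/List*/Describe* calls (wildcards count)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            _service, _, name = action.partition(":")   # "*" yields an empty name
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings


def trusted_accounts(trust_policy):
    """Account IDs (or '*') that Allow statements let assume the role."""
    accounts = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # "Principal": "*"
            accounts.add(principal)
            continue
        for entry in as_list(principal.get("AWS", [])):
            match = re.search(r"\d{12}", entry)  # ARN or bare account ID
            accounts.add(match.group(0) if match else entry)
    return accounts


def check_role(permission_policy, trust_policy, expected_trusted):
    """Findings list; empty means the role matches what the steps above describe."""
    findings = [f"non-read-only action: {a}" for a in non_read_only_actions(permission_policy)]
    extra = trusted_accounts(trust_policy) - {expected_trusted}
    findings += [f"unexpected trusted principal: {p}" for p in sorted(extra)]
    return findings


def role_arn(account_id, role_name=ROLE_NAME):
    """The Role ARN from step 21, built from your own account ID."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


if __name__ == "__main__":
    my_account = "123456789012"  # constructed sample, not a real account
    policy = render_policy(READER_POLICY_TEMPLATE, my_account)
    trust = build_trust_policy(ZILLA_ACCOUNT_ID)
    print(role_arn(my_account))
    print("findings:", check_role(policy, trust, ZILLA_ACCOUNT_ID) or "none")
```

An empty findings list means the permission policy grants only Get/List/Describe calls and the trust policy names only Zilla's account. Keeping the two JSON documents in version control makes a later change to the role (a broadened action, an extra trusted principal) show up as a diff rather than going unnoticed.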

Set up AWS Application Integration on Zilla

  1. Go to Zilla at http://app.zillasecurity.com/ and sign in to your Zilla account, or sign up if you are a first-time user.

  2. Once you are signed in, you will land on the application page.

  3. Click Add Application. You will see the library of applications supported by Zilla.

  4. You can search for an application using the search bar. Type aws here to filter the results.

  5. Click Add Application next to the Amazon Web Services entry. A dialog box appears.

    All the fields are optional. Click Add to Applications.

  6. You will be redirected back to the Applications page, where the Amazon Web Services entry now appears.

  7. Next, click on the application to configure its integration.

  8. Click the Update button in the top right corner. A dialog box appears.

  9. Click on the toggle button to enable the integration.

  10. Now paste the Role ARN you copied for Zilla-IAM-Reader-Role in step #20 above into the text box and save. Zilla needs this to identify the AWS account from which to import users.

    Optionally, for SSO, enter the Identity Store ID and SSO Instance ARN, which you can find under the AWS SSO service. The Account ID is the same as <YOUR_AWS_ACCOUNT_ID>.

  11. Click Next again.

  12. Your sync will start. Once it completes, you will see a completion message.

  13. Click Done. You will then see a message confirming that the sync completed successfully.

  14. You can close the message dialog and navigate to the Accounts tab to see the IAM users imported from your AWS account.

  15. Next, click on the Permissions tab to browse the permissions assigned to each user.
