
Minimum Permissions Saviynt-AWS integration account required

Dheeraj_Reddy
New Contributor III

Hello Community

I am looking for the minimum permissions required for the integration account for AWS integration

Context:

Based on the Saviynt documentation to integrate with AWS, Saviynt provides 3 options for the Cloudformation template. All the 3 PAM templates contain minimum IGA and Security Analyzer.

I would like to integrate AWS only for PAM, so I am looking for any information on the minimum permissions required for this purpose, along with the expected impact if we modify the OOTB CloudFormation template.

Note: I am aware that all the IAM permissions like "Update password"... are required.

Any input is appreciated.


anirudhsen
Saviynt Employee

Hello Dheeraj, 

Thanks for the question, we will verify if we have an available template for PAM only. Please note that this might take time to verify and revert, hence in the meanwhile, please use the available templates only.

https://docs.saviyntcloud.com/bundle/AWS-v2022x/page/Content/Preparing-for-Integration.htm

Thanks

UVP
New Contributor II

Hi Anirudhsen,

Do you have any update on this? Please help us to configure the CloudFormation template for PAM only.

Thanks,

Umesh

UVP
New Contributor II

Hi Anirudh,

Do you have any update on this?

Thanks,

Dheeraj_Reddy
New Contributor III

@anirudhsen, do you have an estimated time for this request?

Dheeraj_Reddy
New Contributor III

@NageshK, as discussed, please consider the below use cases for the CF template.

AWS CloudFormation Template - PAM Use Cases

Requirement: Need to perform AWS Console integration with Saviynt and manage only IAM users. End-users should be able to perform privileged activity on the AWS console using the credential and credential-less approach. As part of this requirement, the cross-account role used in the CF template should be able to perform only the least-privilege activities mentioned in the use cases below.

Use Cases:
1. Import specific AWS IAM users to Saviynt using an AWS account filter
2. Restrict the cross-account role to have the least-privilege access to the AWS console
3. Restrict the cross-account role to changing the password of IAM users
4. Perform bootstrap on the imported IAM users and make them PAM enabled
5. End-users should be able to access the AWS console through credential and credential-less access
6. Logs of the IAM users, if required by Saviynt best practices

Note: AWS workload access is not in scope.

UVP
New Contributor II

Hi Team, @anirudhsen @NageshK

We are seeing the below Principal element defined under the Resources of the CloudFormation template.

https://saviyntcftemplates.s3.amazonaws.com/DeploymentTemplates/Saviynt_CFT_Analyzer_IGA_PAM.json

Here we would like to understand the meaning of ":root":

1. Is it asking for root access in AWS to establish trust between Saviynt's AWS and the client AWS (cross-account role setup)?

2. What do we mean by "assume the role of root"?

--------------------

"Principal": {
    "AWS": {
        "Fn::Join": [
            "",
            [
                "arn:aws:iam::",
                {
                    "Ref": "MasterAccID"
                },
                ":root"
            ]
        ]
    }
},

-------------------

Thanks,

Umesh
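A small checker to make the quoted Principal concrete, added here as an example and not code from Saviynt or from the template: it resolves the Fn::Join/Ref into the ARN the trust policy will contain and flags the two points a least-privilege review of a cross-account role looks at. In AWS a Principal of arn:aws:iam::<account>:root names the whole account (whichever IAM users or roles that account's own policies allow to call sts:AssumeRole), not the root user's credentials; the template fragment and the account id below are constructed, and only "MasterAccID" is taken from the quoted snippet.

```python
import json

# Constructed sample: the quoted Principal embedded in a minimal cross-account role.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {"MasterAccID": {"Type": "String", "Default": "111111111111"}},
  "Resources": {
    "SaviyntCrossAccountRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "MasterAccID"}, ":root"]]}}
          }]
        }
      }
    }
  }
}
""")

def resolve(node, params):
    """Resolve the intrinsic functions used in the quoted snippet (Ref and Fn::Join)."""
    if isinstance(node, dict) and "Ref" in node:
        return params[node["Ref"]]
    if isinstance(node, dict) and "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(p, params) for p in parts)
    return node

def audit_trust_policies(template):
    """One finding per trust-policy principal: the resolved ARN, whether it is an
    account-root principal (the entire account rather than one named role), and
    whether the statement carries an sts:ExternalId condition."""
    params = {k: v.get("Default", "<unset>") for k, v in template.get("Parameters", {}).items()}
    findings = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for stmt in res["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
            principals = stmt.get("Principal", {}).get("AWS", [])
            principals = principals if isinstance(principals, list) else [principals]
            has_ext_id = any("sts:ExternalId" in v for v in stmt.get("Condition", {}).values())
            for p in principals:
                arn = resolve(p, params)
                findings.append({"role": name, "principal": arn,
                                 "account_root": arn.endswith(":root"),
                                 "external_id": has_ext_id})
    return findings
```

Running audit_trust_policies(SAMPLE_TEMPLATE) reports the principal arn:aws:iam::111111111111:root with account_root True and external_id False, which is the shape to compare against a trust policy narrowed to a specific role ARN in the Saviynt account.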