03/15/2023 01:44 PM - edited 03/16/2023 11:55 AM
Hello Community,
I am looking for the minimum permissions required for the integration account for AWS integration.
Context:
Based on the Saviynt documentation to integrate with AWS, Saviynt provides 3 options for the CloudFormation template. All 3 PAM templates contain minimum IGA and Security Analyzer.
I would like to integrate AWS only for PAM, so I am looking for any information on the minimum permissions required for this purpose, along with the expected impact if we modify the OOTB CloudFormation template.
Note: I am aware that all the IAM permissions like "Update password"... are required.
Any input is appreciated.
03/16/2023 02:27 PM
Hello Dheeraj,
Thanks for the question, we will verify if we have an available template for PAM only. Please note that this might take time to verify and revert, hence in the meanwhile, please use the available templates only.
https://docs.saviyntcloud.com/bundle/AWS-v2022x/page/Content/Preparing-for-Integration.htm
Thanks
03/20/2023 09:55 AM
Hi Anirudhsen,
Do you have any update on this? Please help us configure the CloudFormation template for PAM only.
Thanks,
Umesh
03/28/2023 07:45 AM
Hi Anirudh,
Do you have any update on this?
Thanks,
03/22/2023 10:26 AM
@anirudhsen, do you have an estimated time for this request?
05/11/2023 12:57 PM
@NageshK, as discussed, please consider the below use cases for the CF template.
AWS CloudFormation Template - PAM Use Cases
Requirement: Need to perform AWS Console integration with Saviynt and manage only IAM users. End-users should be able to perform privileged activity on the AWS console using the credential and credential-less approach. As part of this requirement, the cross-account role used in the CF template should be able to perform the least-privilege activities mentioned in the below use cases.
Use Cases:
1. Import specific AWS IAM users to Saviynt using the AWS account filter
2. Restrict the cross-account role to have the least-privilege access to the AWS console
3. Restrict the cross-account role to change the password of IAM users
4. Perform bootstrap on the imported IAM users and make them PAM enabled
5. End-users should be able to access the AWS console through credential and credential-less access
6. Logs of the IAM users, if required by Saviynt best practices
Note: AWS workload access is not in scope
05/31/2023 10:59 AM
Hi Team, @anirudhsen @NageshK,
We are seeing the below Principal element defined under resources of the CloudFormation template.
https://saviyntcftemplates.s3.amazonaws.com/DeploymentTemplates/Saviynt_CFT_Analyzer_IGA_PAM.json
Here we would like to understand the meaning of ":root":
1. Is it asking for Root access in AWS to establish trust between Saviynt's AWS and the client AWS (cross-role setup)?
2. What do we mean by "assume the role of root"?
--------------------
"Principal": {
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{
"Ref": "MasterAccID"
},
":root"
]
]
}
},
-------------------
Thanks,
Umesh
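As an added example (not code from this thread, and not Saviynt's template), the following Python builds the same trust-policy shape as the Principal element quoted in the last post and evaluates it against sample callers, to make the ":root" semantics concrete: `arn:aws:iam::<account>:root` names the whole account as the trusted principal, so any IAM role or user in that account whose own identity policy allows `sts:AssumeRole` can assume the cross-account role; it neither requires nor grants AWS root-user access. The account IDs, the ExternalId, the `/pam/` user path and the IAM action list in `pam_permission_policy` are illustrative assumptions, not the permissions Saviynt's template requires.

```python
"""Added example: ':root' principal semantics in a cross-account trust policy,
plus an assumed least-privilege permission policy for password management.
Account IDs, ExternalId, user path and action list are illustrative assumptions."""
import json
import re
from typing import Optional

SAVIYNT_ACCOUNT = "111111111111"    # assumed: the integrator's (Saviynt) AWS account
CUSTOMER_ACCOUNT = "222222222222"   # assumed: the customer's AWS account
EXTERNAL_ID = "example-external-id" # assumed shared secret for the confused-deputy check

ARN_RE = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):(.+)$")


def trust_policy(master_account_id: str, external_id: str) -> dict:
    """Trust policy for the customer-side cross-account role.

    'arn:aws:iam::<acct>:root' means the *account* as a whole, not the root
    user: any IAM user or role in that account whose own identity policy
    allows sts:AssumeRole on this role may assume it.  The ExternalId
    condition is the standard guard against a confused-deputy call."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def pam_permission_policy(account_id: str, user_path: str = "/pam/") -> dict:
    """Assumed least-privilege policy for rotating console passwords of IAM
    users under one path.  This is an illustration, not Saviynt's required set."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # discovery: iam:ListUsers has no resource-level scoping, so "*" is required
                "Effect": "Allow",
                "Action": ["iam:ListUsers"],
                "Resource": "*",
            },
            {   # password management restricted to the managed users only
                "Effect": "Allow",
                "Action": ["iam:GetUser", "iam:GetLoginProfile",
                           "iam:CreateLoginProfile", "iam:UpdateLoginProfile"],
                "Resource": f"arn:aws:iam::{account_id}:user{user_path}*",
            },
        ],
    }


def can_assume(policy: dict, caller_arn: str, external_id: Optional[str]) -> bool:
    """Simplified evaluation of the resource-side trust policy only.

    Handles Allow statements with 'AWS' principals and a StringEquals condition
    on sts:ExternalId.  An account-root principal matches any caller from that
    account; an explicit ARN principal matches only that ARN.  In real AWS the
    caller's own identity policy must additionally allow sts:AssumeRole."""
    m = ARN_RE.match(caller_arn)
    if not m:
        return False
    caller_account = m.group(2)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        matched = False
        for p in principals:
            pm = ARN_RE.match(p)
            if pm and pm.group(3) == "root" and pm.group(2) == caller_account:
                matched = True   # whole-account trust: delegated to that account's IAM
            elif p == caller_arn:
                matched = True   # exact principal trust
        if not matched:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond and cond["sts:ExternalId"] != external_id:
            continue
        return True
    return False


if __name__ == "__main__":
    tp = trust_policy(SAVIYNT_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(tp, indent=2))
    for caller in ("arn:aws:iam::111111111111:role/SaviyntService",
                   "arn:aws:iam::111111111111:user/alice",
                   "arn:aws:iam::333333333333:role/SaviyntService"):
        print(caller, "->", can_assume(tp, caller, EXTERNAL_ID))
```

The practical reading for the question in the thread: the template's `":root"` principal delegates the decision of which Saviynt-side identities may assume the customer role to Saviynt's own account; tightening the `Principal` to a specific role ARN in that account is the lever if you want the trust narrower than "anyone in account MasterAccID who is allowed sts:AssumeRole".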