AWS IAM Onboarding
Overview
LightBeam Spectra users can connect AWS IAM to LightBeam as an identity provider (IDP). LightBeam discovers all IAM users, IAM groups, IAM roles, IAM Identity Center users and IAM Identity Center groups. It also discovers group membership, which users can assume which roles, and which roles can assume other roles.
Each IDP connection covers a single AWS account. If identities are spread across multiple AWS accounts, onboard one IDP per account.
Generate credentials
Create IAM User (Access Key/Secret Key)
To onboard AWS IAM as an IDP, LightBeam needs the AWS access key and AWS secret key of an IAM user with the following permissions. Create a dedicated IAM user for the connector and attach this policy to it; every action in it is a read-only Get/List/Describe call, so the credential cannot modify identities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "STSAndGeneralDiscovery",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadAccess",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListUserPolicies",
        "iam:GetUserPolicy",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroups",
        "iam:GetGroup",
        "iam:ListGroupPolicies",
        "iam:GetGroupPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IdentityCenterAndStoreReadAccess",
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:ListAccountAssignments",
        "identitystore:ListUsers",
        "identitystore:ListGroups",
        "identitystore:ListGroupMemberships"
      ],
      "Resource": "*"
    }
  ]
}

Onboard AWS IAM to LightBeam
1. Navigate to the Access Governance tab.
2. Select Directory Services.
3. Click New Directory Service.
4. Choose AWS IAM.
5. Enter the connection credentials (the access key and secret key of the IAM user created above).
6. Configure the scanner schedule.

Your AWS IAM onboarding is now complete.
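Two checks worth running before pasting the keys into the connector: that the policy attached to the connector user is actually read-only, and that the "which users can assume which roles" relationships discovery reports can be reproduced from role trust policies. The script below is an added example, not LightBeam's code. It uses only the Python standard library and constructed sample data (the account ID, user and role names are invented), so it runs offline; in practice the roles would come from boto3's paginated iam.list_roles() call and the identity check from sts.get_caller_identity().

```python
"""Offline checks for an AWS IAM IDP onboarding: policy is read-only, and
role-assumption chains (user -> role -> role) derived from trust policies.
Added example; all account IDs, users and roles below are constructed."""
import fnmatch
from collections import deque

# The discovery policy from this page, with each statement's actions kept verbatim.
DISCOVERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "STSAndGeneralDiscovery", "Effect": "Allow", "Resource": "*",
         "Action": ["sts:GetCallerIdentity"]},
        {"Sid": "IAMReadAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:ListUsers", "iam:ListUserPolicies", "iam:GetUserPolicy",
                    "iam:ListAttachedUserPolicies", "iam:ListGroups", "iam:GetGroup",
                    "iam:ListGroupPolicies", "iam:GetGroupPolicy",
                    "iam:ListAttachedGroupPolicies", "iam:ListRoles",
                    "iam:ListRolePolicies", "iam:GetRolePolicy",
                    "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion"]},
        {"Sid": "IdentityCenterAndStoreReadAccess", "Effect": "Allow", "Resource": "*",
         "Action": ["sso:ListInstances", "sso:ListPermissionSets",
                    "sso:DescribePermissionSet", "sso:ListAccountAssignments",
                    "identitystore:ListUsers", "identitystore:ListGroups",
                    "identitystore:ListGroupMemberships"]},
    ],
}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a single string or a list in Action/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy):
    """Allowed actions that are not Get*/List*/Describe* or contain a wildcard.
    An empty list means the connector credential can only read."""
    offending = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, name = action.partition(":")
            if "*" in action or not name.startswith(READ_ONLY_PREFIXES):
                offending.append(action)
    return offending


ACCOUNT_ID = "123456789012"  # constructed sample account
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/"


def _trust(principal, actions="sts:AssumeRole", effect="Allow"):
    return {"Effect": effect, "Principal": principal, "Action": actions}


def _role(name, *statements):
    return {"RoleName": name, "Arn": ROLE_ARN + name,
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": list(statements)}}


# Constructed roles in the shape of iam.list_roles()["Roles"] entries
# (boto3 returns AssumeRolePolicyDocument already URL-decoded as a dict).
SAMPLE_ROLES = [
    _role("Auditor", _trust({"AWS": USER_ARN + "alice"})),
    _role("Deployer", _trust({"AWS": ROLE_ARN + "Auditor"}, ["sts:AssumeRole", "sts:TagSession"])),
    _role("Breakglass", _trust({"AWS": [USER_ARN + "alice", USER_ARN + "bob"]}),
          _trust({"AWS": USER_ARN + "bob"}, effect="Deny")),
    _role("Ops", _trust({"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"})),
    _role("LambdaExec", _trust({"Service": "lambda.amazonaws.com"})),
    _role("Legacy", _trust("*", "sts:*")),
]


def assumable_by(role):
    """Principals whose sts:AssumeRole call the role's trust policy allows.
    Service/Federated principals are not IAM identities and are skipped. An account
    root ARN (or bare account ID) becomes 'account:<id>' since it delegates to the
    whole account; a bare '*' is kept so it stands out. Explicit Deny ARNs are removed."""
    allowed, denied = set(), set()
    for stmt in role["AssumeRolePolicyDocument"]["Statement"]:
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]  # IAM matches case-insensitively
        if not any(fnmatch.fnmatchcase("sts:assumerole", p) for p in patterns):
            continue
        principal = stmt.get("Principal")
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for arn in arns:
            if arn.isdigit():
                bucket.add("account:" + arn)
            elif arn.endswith(":root"):
                bucket.add("account:" + arn.split(":")[4])
            else:
                bucket.add(arn)
    return allowed - denied


def assume_graph(roles):
    """Map principal (user ARN, role ARN, 'account:<id>' or '*') -> roles it may assume directly."""
    graph = {}
    for role in roles:
        for who in assumable_by(role):
            graph.setdefault(who, set()).add(role["Arn"])
    return graph


def reachable_roles(graph, principal, account_id=ACCOUNT_ID):
    """Transitive closure over AssumeRole: roles reachable by chaining role -> role.
    Roles trusted by '*' or by the whole account count as reachable by any principal in it."""
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for source in (current, "*", "account:" + account_id):
            for role in graph.get(source, ()):
                if role not in seen:
                    seen.add(role)
                    queue.append(role)
    return seen


if __name__ == "__main__":
    print("non-read-only actions:", non_read_only_actions(DISCOVERY_POLICY))
    graph = assume_graph(SAMPLE_ROLES)
    for user in ("alice", "bob"):
        print(user, "->", sorted(r.rsplit("/", 1)[1] for r in reachable_roles(graph, USER_ARN + user)))
```

The chain output is an upper bound: a trust policy that names a user or role ARN explicitly is enough on its own, but a role trusted by the account root (or by `*`) additionally requires the caller's identity policy to allow `sts:AssumeRole`, which this script does not read. Treat `account:` and `*` entries as "anyone in the account could be granted this" rather than "everyone has it".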