Amazon Web Services
Connector name | agtaws
Connector type | Executable
Type (UI field value) | Amazon Web Services
Target system versions supported / tested | Bravura Security Fabric lists IAM (Identity and Access Management) accounts and EC2 (Elastic Compute Cloud) virtual servers on AWS (Amazon Web Services) using the
Connector status / support | Bravura Security-Verified: This connector has been tested and is fully supported by Bravura Security.
The agtaws connector manages Amazon virtual servers (instances) by powering them on at check-out and powering them off at check-in. This feature is supported in Bravura Security Fabric 8.2.5 and newer.
The following Bravura Security Fabric operations are supported by this connector (depending on your product license and version):
administrator reset password
create account
delete account
disable account
create group
delete group
add user to group
delete user from group
lock account
update attributes
List:
accounts
attributes
groups
members
computer objects
Note
Accounts are disabled or locked by randomizing the account password, so that users can no longer log onto the AWS site.
Note
Virtual servers are listed as accounts with account IDs starting with the string _instance.
For a full list and explanation of each connector operation, see connector operations.
See also
See Platform specific SCIM connectors for an alternative connector for Amazon Web Services.
Preparation
Before you can target Amazon Web Services, you must:
Download the required AWS DLLs.
Create at least one template account.
Generate and download an API access key.
Ensure that the Bravura Security Fabric service user is allowed to access the Amazon Web Services site via HTTPS.
Downloading the required AWS DLLs
The AWS DLLs must be obtained separately from the NuGet website and are required for the Amazon Web Services target.
They may be downloaded from the following locations:
Search for the following versions for each (the latest patch version for each is sufficient):
AWSSDK.Core: 3.3.107
AWSSDK.EC2: 3.3.189
AWSSDK.IdentityManagement: 3.3.106
AWSSDK.SecurityToken: 3.3.105
Download each of the packages; they will be .nupkg packages. Using a zip program such as 7-zip, extract the files from each package.
From the extracted files, locate the following DLLs in the lib\net45 directories:
AWSSDK.Core.dll
AWSSDK.EC2.dll
AWSSDK.IdentityManagement.dll
AWSSDK.SecurityToken.dll
Copy the above DLLs to the Connector Pack agent directory alongside agtaws.exe.
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in Amazon Web Services. The following example illustrates how you can create a template account in Amazon Web Services:
As an administrator, use a browser to log in to the Amazon Web Services site.
Under Administration & Security, click Identity & Access Management.
Click Users .
Click Create New Users.
Fill in the user name.
Click Create.
Generating and downloading an API access key
An API access key is required to make secure requests to the AWS service API. The following example illustrates how you can generate and download an access key for the AWS service API:
As an administrator, use a browser to log in to the Amazon Web Services site.
Under Administration & Security, click Identity & Access Management.
Click Users.
Click anywhere in the administrator row.
Under Security credentials, click Manage Access Keys.
Click Create Access Key.
Click Download Credentials.
Connector Pack 4.7 supports AWS .Net SDK version 3.3.
Ensuring Bravura Security Fabric service user access
The Bravura Security Fabric service user (psadmin) account must be able to access the Amazon Web Services site to list accounts and manage servers. To ensure that the psadmin account is allowed to access the Amazon Web Services site via HTTPS:
As psadmin, log onto your Bravura Security Fabric server.
Using a browser, access your Amazon Web Services site via HTTPS; for example,
https://console.aws.amazon.com/console/home.
Add the site as a trusted site.
Targeting the Amazon Web Services system
When targeting AWS, each region (such as us-west) must be targeted separately.
For each AWS system, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):
Type is Amazon Web Services. Address uses the following options:
Region | AWS region | (key: Region)
Role Amazon Resource Name | (Optional) Role to delegate access across AWS accounts. | (key: rolearn)
Network Proxy Host | (Optional) The proxy server used to access Amazon Web Services. | (key: proxyhost)
Network Proxy Port | (Optional) The port of the proxy server. | (key: proxyport)
Set the Administrator ID and Password to the key pair Access key ID and Secret Access Key you downloaded earlier.
Managing check-in/check-out and power management of Instances
Bravura Security Fabric can manage Amazon virtual servers in addition to standard user management. In this case, Bravura Security Fabric can start and stop individual servers through the Bravura Privilege check-out/check-in process.
Note
Virtual servers (instances) are listed as accounts in Bravura Privilege. In these cases, the account ID is prefixed with _instance.
Checking out an instance:
Ensures only a single person has access to it at any one given time.
Allows for authorization and approval of use of the instance via workflow.
Powers on the instance, on demand, so that instances are not left running.
When the end user is finished with the instance they can check it in, which will:
Power off the instance, so that extra running costs are not incurred.
Allow access to the instance by other users.
Note
The instance is automatically checked in after the expiry time, in case the end user forgets to check it back in.
The following example shows how to check out (or power on) an instance:
Add the AWS target.
Run psupdate to list accounts (and instances).
Add an IDAPI user.
Manage the AWS accounts whose account ID is prefixed with _instance.
Copy the sample file pxnull-awsco.cfg to the instance script folder.
Update the credentials of the IDAPI user in pxnull-awsco.cfg.
Configure the plugin points RES_CHECKOUT_SUCCESS and RES_CHECKIN_SUCCESS to execute pxnull.exe -cfg pxnull-awsco.cfg.
As an end user, check out the instance.
After the request is approved, verify the instance is powered on.
Check in the instance, and verify the instance is powered off.
Delegating access across AWS accounts
In AWS you can use a role to delegate access to resources that are in different AWS accounts that you own. You share resources in one account with users in a different account. By setting up cross-account access in this way, you do not need to create individual IAM users in each account, and users do not have to sign out of one account and sign into another in order to access resources that are in different AWS accounts.
To learn how to create a role for cross-account access in AWS, visit:
http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-walkthrough-crossacct.html
The following example shows how to set up Bravura Security Fabric for cross-account access to IAM, assuming that you have AWS accounts, AWS1 and AWS2:
1. Add the target system for AWS1 with the address:
{Region=USwest2;}
2. Set the administrator credentials of the AWS1 target system to the key pair Access key ID and Secret Access Key of the administrator of AWS1.
3. Ensure that the administrator of AWS1 has been granted an AWS role for cross-account access to AWS2.
4. Add a second target system for AWS2 with the address:
{Region=USWest2; rolearn=arn:aws:iam::012345678912:role/myRole; }
5. Set the administrator credentials of the AWS2 target system to the same key pair as in step 2.
6. Run auto discovery.
Note
While using the AWS role, the administrator of AWS1 can only perform the actions and access the resources permitted by the role; the administrator's original user permissions are inactive.
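A validator for the target address format used above (both the option table and the cross-account addresses), as an added example that is not part of the connector or this page: it parses the `{key=value; ...}` string into the documented options, requires Region, and sanity-checks rolearn and proxyport before the target is saved. The IAM role ARN pattern and the rule that proxyhost and proxyport must be set together are assumptions of this example, not behaviour the connector documents.

```python
import re

# Address options documented for the Amazon Web Services target.
REQUIRED_KEYS = {"Region"}
OPTIONAL_KEYS = {"rolearn", "proxyhost", "proxyport"}
# Assumed shape of an IAM role ARN: 12-digit account ID, then role/<name>.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_address(address):
    """Parse '{Region=USWest2; rolearn=...; }' into a dict of option values."""
    text = address.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("address must be enclosed in braces")
    options = {}
    for item in text[1:-1].split(";"):
        item = item.strip()
        if not item:  # trailing ';' leaves an empty item, as in the page's examples
            continue
        if "=" not in item:
            raise ValueError(f"option {item!r} is not key=value")
        key, value = (part.strip() for part in item.split("=", 1))
        if key in options:
            raise ValueError(f"duplicate option {key!r}")
        options[key] = value
    return options


def validate_address(address):
    """Return a list of problems; an empty list means the address is usable."""
    try:
        options = parse_address(address)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for key in sorted(REQUIRED_KEYS - set(options)):
        problems.append(f"missing required option {key!r}")
    for key in sorted(set(options) - REQUIRED_KEYS - OPTIONAL_KEYS):
        problems.append(f"unknown option {key!r}")
    arn = options.get("rolearn")
    if arn is not None and not ROLE_ARN_RE.match(arn):
        problems.append("rolearn is not an IAM role ARN")
    port = options.get("proxyport")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("proxyport must be a TCP port number")
    # Assumption: a proxy needs both host and port, so one without the other is an error.
    if ("proxyhost" in options) != ("proxyport" in options):
        problems.append("proxyhost and proxyport must be set together")
    return problems
```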