Thursday, September 20, 2018

SailPoint AWS Identity and Access Management Connector


Amazon Web Services (AWS) Identity and Access Management (IAM) helps you securely control access to AWS services and your account resources. With IAM, you can create multiple IAM users under your AWS account or enable temporary access through identity federation with your corporate directory. In some cases, you can also enable access to resources across AWS accounts. IAM offers greater security, flexibility, and control when using AWS.

Without IAM, however, you would need either to create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or to share the security credentials of a single AWS account. In addition, without IAM you cannot control which tasks a particular user or system can perform and which AWS resources they can use.

IAM enables identity federation between your corporate directory and AWS services. This lets you use your existing corporate identities to grant secure, direct access to AWS resources, such as Amazon S3 buckets, without creating a new AWS identity for those users.

IAM is a web service that enables AWS customers to manage users and user permissions under their AWS account. For more information about this product, see AWS Identity and Access Management (IAM). The objective of this connector is to support reading and provisioning of AWS IAM accounts, account groups, and account-group assignments.

Supported features

The SailPoint AWS Identity and Access Management connector supports the following features:

Account Management
-Manages IAM users under the AWS account as Accounts
-Aggregate, Refresh Accounts
-Create, Update, Delete
-Change password
-Add/Remove Entitlements
-Enable: activates only one existing Access Key and Signing Certificate
-Disable: deactivates and/or deletes ALL existing security credentials. Note that this is destructive: a deleted access key cannot be recovered, and Enable can only reactivate credentials that still exist (see Troubleshooting below).

Account-Group Management
-Manages IAM groups under the AWS account as Account-Groups
-Aggregate, Refresh Groups
-Create, Update, Delete

Permissions Management
-The connector reads the permissions directly assigned to users and groups as direct permissions during account and group aggregation respectively.
-The connector does not support automatic revocation of aggregated permissions; it creates a work item for such requests instead.

Pre-requisites

Note: If the AWS Identity and Access Management connector sits behind a proxy server, see the “Special Java Considerations” section of the SailPoint IdentityIQ Installation Guide.

The connector requires the following access credentials to call the IAM APIs. They should belong to a dedicated IAM user created for the connector and restricted by the custom policy described under “Administrator permissions”, not to the AWS account’s root credentials:
• Access Key ID
• Secret Access Key

IAM is a feature of your AWS account. If you are already signed up for a product that is integrated with IAM, you do not need to do anything further to sign up for IAM, and you are not charged extra for using it. You are charged only for the use of other AWS services by your users.

Note: IAM works only with AWS products that are integrated with IAM. For a list of such products, see Integrating with other AWS products.

If you do not already have an AWS account, you need to create one to use IAM. You can create an AWS account when you sign up to use an AWS product for the first time. To sign up for AWS and set up the connection between IdentityIQ and AWS, perform the following:

1. Navigate to http://aws.amazon.com, then click Sign Up Now.
2. Follow the on-screen instructions.

Part of the sign-up procedure involves receiving a phone call and entering a PIN on the phone keypad. An access key is created automatically when the account is created; these are the root account’s keys, and they should not be given to the connector. Instead, create an IAM user for the connector and generate an access key for that user. The “Security Credentials” section of your account, at the following link, shows your access keys:

http://aws-portal.amazon.com/gp/aws/developer/account/index.html?action=access-key
To create an SSL connection between IdentityIQ and the AWS server, perform the following:
1. Export the server certificate and copy the exported .cer file to the Java client machine (the IdentityIQ computer).
2. On the client machine, run the following command from the bin directory of the JDK:
keytool -importcert -trustcacerts -alias aliasName -file <exported .cer file> -keystore <JDK_HOME>/jre/lib/security/cacerts
In the preceding command, aliasName is the name of the alias, <exported .cer file> is the file copied in step 1, and <JDK_HOME> is the JDK that IdentityIQ runs on. keytool prompts for the keystore password (the default cacerts password is changeit). You can confirm the import with keytool -list -keystore <JDK_HOME>/jre/lib/security/cacerts -alias aliasName.

Administrator permissions

Custom policies must be created and attached to the IAM user whose access key the connector uses.
Creating Custom Policy
To create a custom policy, perform the following steps:
1. Log in to the AWS console with administrator privileges to create a custom policy.
2. On the left-hand side of the screen, click Policies.
3. On the right side of the screen, click the Create Policy button.
4. On the Step 1: Create Policy page, choose the Create Your Own Policy section.
5. On the Step 2: Set Permissions page, enter the following information (depending on the operation) and click Validate Policy:

The Review Policy page is displayed.
6. On the Step 3: Review Policy page, review and validate the policy and click Create Policy. When the policy has been created successfully, the following message is displayed:
SPTestConnectionPolicy has been created.
You are now ready to attach your policy to users, groups, and roles.
Attaching the policy to users
To attach the policies to the users, perform the following:
1. Navigate to the home page and select Users on the left side.
2. Click the user to which the policy should be attached.
3. Under the Permissions tab, click Attach Policy.
4. On the Attach Policy page, look for the SP policies (created in the “Creating Custom Policy” section) under the Policy Type field.
5. Select the policy to be attached to the user and click the Attach Policy button.
Repeat these steps to add more than one policy to the user.
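The policy document itself is not reproduced on this page, so the following is an added example (not SailPoint's or AWS's code) of what a least-privilege policy for the connector's IAM user can look like, together with a small evaluator for IAM-style Action wildcards that you can use as a pre-flight check before running Test Connection. The action list is an assumption derived from the features listed above (aggregation of users, groups and their attached policies; create/update/delete; group membership; login profiles, access keys and signing certificates for enable/disable); verify it against the connector's integration guide. The Deny statement is added deliberately so the connector's key cannot attach or write policies, which it never needs to do.

```python
"""Least-privilege IAM policy for the connector user, plus an Allow/Deny
evaluator for IAM-style Action wildcards. Added example, not connector code."""
import fnmatch
import json

# Assumed read-only actions used during account/group aggregation.
READ_ACTIONS = [
    "iam:ListUsers", "iam:GetUser", "iam:ListGroups", "iam:GetGroup",
    "iam:ListGroupsForUser", "iam:ListAccessKeys", "iam:ListSigningCertificates",
    "iam:GetLoginProfile", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies",
    "iam:ListAttachedGroupPolicies", "iam:ListGroupPolicies",
]
# Assumed provisioning actions (create/update/delete, entitlements, enable/disable).
WRITE_ACTIONS = [
    "iam:CreateUser", "iam:UpdateUser", "iam:DeleteUser",
    "iam:CreateGroup", "iam:UpdateGroup", "iam:DeleteGroup",
    "iam:AddUserToGroup", "iam:RemoveUserFromGroup",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:DeleteLoginProfile",
    "iam:UpdateAccessKey", "iam:DeleteAccessKey",
    "iam:UpdateSigningCertificate", "iam:DeleteSigningCertificate",
]


def connector_policy() -> dict:
    """Policy document to paste into Step 2: Set Permissions. The explicit
    Deny blocks the privilege-escalation paths (attaching or writing policies)
    that a compromised connector key could otherwise use."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Aggregate", "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"},
            {"Sid": "Provision", "Effect": "Allow", "Action": WRITE_ACTIONS, "Resource": "*"},
            {"Sid": "NoPolicyChanges", "Effect": "Deny",
             "Action": ["iam:Attach*", "iam:Detach*", "iam:Put*", "iam:Create*Policy*"],
             "Resource": "*"},
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    # IAM compares Action values case-insensitively; * and ? are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy: dict, action: str) -> bool:
    """IAM evaluation order for a single policy: an explicit Deny wins over any
    Allow, and with no matching Allow the action is implicitly denied.
    Resource and Condition elements are ignored (this policy uses Resource '*')."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_permissions(policy: dict, needed: list) -> list:
    """Pre-flight check: which of the actions the connector needs are not granted."""
    return [a for a in needed if not policy_allows(policy, a)]


if __name__ == "__main__":
    policy = connector_policy()
    print(json.dumps(policy, indent=2))
    print("missing:", missing_permissions(policy, READ_ACTIONS + WRITE_ACTIONS))
```

Run it to print the JSON for the console, then keep the evaluator around: if a later aggregation fails with an AccessDenied error naming an action, `missing_permissions` tells you whether the policy or a separate Deny is the cause.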

Schema attributes

The following schema attributes are defined:
• Account schema
• group schema
• Schema extension and custom attributes
Account schema
The following table lists the account schema:

Note: Attributes marked with the * sign must be manually deleted only when upgrading IdentityIQ from version 7.0 or above to IdentityIQ version 7.1.

Group schema
The following table lists the group schema:


Schema extension and custom attributes

The connector handles all the attributes that the IAM APIs retrieved or provisioned at the time the connector was designed and developed. In addition, AWS IAM has fixed schemas and does not support adding custom attributes to any of them. Therefore, the connector does not support extending the schema or defining custom attributes.

Provisioning Policy attributes

The following default provisioning policies are defined for Account and Account-Group.
Account
• Create: the following table lists the attributes required for creating an account.

• Update: the following table lists the attributes required for modifying an account.

Account-Group
• Create: the following table lists the attributes required for creating a group.

• Update: the following table lists the attributes required for modifying a group.

Additional info

This section describes additional information about the SailPoint AWS connector.
Amazon Web Services Identity and Access Management APIs
This section describes the API methodology used by the AWS IAM connector.
Interaction with the application

The connector uses REST requests to call the functionality exposed by the AWS API. REST or Query requests are plain HTTP or HTTPS requests that use an HTTP verb (such as GET or POST) and an Action or Operation parameter that specifies the API you are calling.

Calling an API with a REST or Query request is the most direct way to access a web service, but it requires your application to handle low-level details such as generating the hash and signature for the request and handling errors.

The advantage of a REST or Query request is that you have access to the complete functionality of the API. The connector uses REST requests and handles these low-level details itself.
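To make the "low-level details" concrete, here is an added example (not SailPoint's connector code) of what signing one IAM Query request involves: AWS Signature Version 4, which the IAM endpoint requires. It builds the canonical request for Action=ListUsers, hashes it, derives the scoped signing key from the secret access key, and produces the Authorization header. It also includes the server-side timestamp check behind the "Request timestamp is too skewed" error described under Troubleshooting. Assumptions: the access key pair is the AKIDEXAMPLE placeholder pair from the AWS SigV4 documentation, not a real credential; IAM is a global endpoint that SigV4 scopes to region us-east-1; the request is a GET with an empty body, as in the AWS documentation's worked example.

```python
"""Minimal AWS Signature Version 4 signer for an IAM Query API request, plus the
900-second timestamp check IAM applies. Added example, not connector code."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

IAM_HOST = "iam.amazonaws.com"
IAM_REGION = "us-east-1"       # IAM is global; SigV4 credential scope still names us-east-1
IAM_SERVICE = "iam"
ALGORITHM = "AWS4-HMAC-SHA256"
MAX_SKEW_SECONDS = 900         # IAM rejects requests with x-amz-date more than 15 min off
AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(params: dict) -> str:
    """Query string sorted by name and RFC 3986 percent-encoded, as SigV4 requires."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def canonical_request(method: str, path: str, params: dict, headers: dict, payload: bytes):
    """Return (canonical request text, signed-headers list). Header names are
    lower-cased and sorted; values are trimmed with internal whitespace collapsed."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    text = "\n".join([method, path, canonical_query(params), canon_headers,
                      signed_headers, _sha256_hex(payload)])
    return text, signed_headers


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The secret key itself never goes on the wire; only this derived key signs."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_iam_query(access_key: str, secret_key: str, action: str, amz_date: str,
                   extra_params: dict = None) -> dict:
    """Build a signed GET request for an IAM Query action (API version 2010-05-08)."""
    params = {"Action": action, "Version": "2010-05-08", **(extra_params or {})}
    date_stamp = amz_date[:8]
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": IAM_HOST,
        "x-amz-date": amz_date,
    }
    creq, signed_headers = canonical_request("GET", "/", params, headers, b"")
    scope = f"{date_stamp}/{IAM_REGION}/{IAM_SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_key, date_stamp, IAM_REGION, IAM_SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"url": f"https://{IAM_HOST}/?{canonical_query(params)}", "headers": headers,
            "canonical_request": creq, "string_to_sign": string_to_sign, "signature": signature}


def within_clock_skew(request_amz_date: str, server_amz_date: str,
                      max_skew: int = MAX_SKEW_SECONDS) -> bool:
    """The check that produces 'RequestExpired - Request timestamp is too skewed'
    when it fails: |server time - x-amz-date| must not exceed 900 seconds."""
    req = dt.datetime.strptime(request_amz_date, AMZ_DATE_FORMAT)
    srv = dt.datetime.strptime(server_amz_date, AMZ_DATE_FORMAT)
    return abs((srv - req).total_seconds()) <= max_skew


if __name__ == "__main__":
    # Placeholder credentials from the AWS SigV4 documentation; not real keys.
    req = sign_iam_query("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                         "ListUsers", "20150830T123600Z")
    print(req["canonical_request"])
    print(req["headers"]["authorization"])
    now = dt.datetime.now(dt.timezone.utc).strftime(AMZ_DATE_FORMAT)
    print("fresh request accepted:", within_clock_skew(now, now))
```

The request, date and placeholder keys are the same ones the AWS Signature Version 4 documentation walks through, so the printed canonical request, string to sign and signature can be compared line by line against that reference. Note that the date used in the signature and in x-amz-date is the client's clock: if the IdentityIQ host is more than 15 minutes off, a correctly signed request is still rejected, which is exactly the RequestExpired failure in the troubleshooting section.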

APIs used
The following table lists the IdentityIQ operations together with the corresponding IAM APIs (actions) used:

Troubleshooting

1 – Restore (Enable) security credentials
Restoring security credentials for your IAM users.
CreateLoginProfile: creates a password for the specified user, giving the user the ability to access AWS services through the AWS Management Console. IdentityIQ does not permit specifying the password, which is a required parameter for this API, during the account Enable operation.
Workaround: set or reset the password with the Set/Reset Password operation to enable the account.
2 – Request timestamp is skewed
Test Connection fails with the following error message:
openconnector.ConnectorException: Error Code 400 – RequestExpired – Request timestamp is too skewed. Timestamps must be within 900 seconds of server time. Timestamp date: 2015-04-01T19:07:51.185Z
Resolution: the clock of the IdentityIQ server must be within 900 seconds of AWS time. Synchronize it with an NTP source and check the system time zone; the request is signed with the client's clock, so a correctly signed request is still rejected if the clock is off.

8 comments:

  3. Hello,

    I have 2 questions:
    1. For AWS Settings, "Role Name": what Role Name should I put? Can you explain?
    2. For Administrator permissions, does the AWS admin need to create new policy names following the Integration Guide?
