Connect an AWS account

You can connect one or more AWS accounts to Okta Privileged Access for entitlement analysis and discovery of high-risk AWS resources.

Okta Privileged Access uses an Okta-managed service account (referred to as an External ID) to interrogate your AWS accounts. These service accounts are unique to each connected cloud account and are necessary for Okta Privileged Access to access and obtain information from your AWS accounts. These accounts require minimal read permissions granted through an AWS IAM role. For more information on IAM roles, see the AWS documentation.

An AWS management account ID and AWS IAM roles are required for entitlement analysis to work correctly.

To connect your AWS account to Okta Privileged Access, create IAM roles, configure them with required permissions and policies, and connect those accounts to Okta Privileged Access.

  1. Create IAM policies in your AWS management account.
  2. Create IAM roles and add the policies. You need an Okta AWS account ID and an External ID when creating the roles.
  3. Create an AWS IAM connection in Okta Privileged Access and use of the ARN of the AWS IAM role for discovery.

Create and configure AWS IAM roles

  1. In a new browser window, access the Amazon Web Services management console and open the IAM console.
  2. Create a policy in the management account to allow Okta Privileged Access to connect to your AWS organization and discover accounts, users, and groups. For purposes of these steps, let's call this policy OktaPA_CIEM_Policies. The policy should contain the following permissions:
    Click here to see the permissions.

    Copy
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
    "iam:GetPolicyVersion",
    "sso-directory:ListGroupsForUser",
    "identitystore:ListGroupMemberships",
    "sso:ListTagsForResource",
    "organizations:ListRoots",
    "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
    "organizations:ListDelegatedServicesForAccount",
    "organizations:DescribeAccount",
    "sso:DescribeRegisteredRegions",
    "organizations:ListChildren",
    "sso-directory:SearchGroups",
    "sso:ListPermissionSetProvisioningStatus",
    "organizations:DescribeOrganization",
    "sso:SearchGroups",
    "sso:ListInstances",
    "sso-directory:DescribeUser",
    "sso:DescribeAccountAssignmentDeletionStatus",
    "sso:ListAccountAssignmentDeletionStatus",
    "iam:ListPolicies",
    "ds:DescribeTrusts",
    "sso:DescribeAccountAssignmentCreationStatus",
    "identitystore:ListUsers",
    "organizations:ListAccountsForParent",
    "sso:ListAccountAssignments",
    "organizations:ListHandshakesForAccount",
    "sso:DescribeDirectories",
    "sso:GetInlinePolicyForPermissionSet",
    "sso:ListManagedPoliciesInPermissionSet",
    "sso-directory:DescribeDirectory",
    "sso:DescribePermissionSetProvisioningStatus",
    "organizations:ListOrganizationalUnitsForParent",
    "sso:GetTrust",
    "sso-directory:DescribeGroup",
    "identitystore:DescribeUser",
    "sso:DescribePermissionsPolicies",
    "identitystore-auth:BatchGetSession",
    "sso:DescribeInstanceAccessControlAttributeConfiguration",
    "account:ListRegions",
    "sso-directory:ListMembersInGroup",
    "sso:ListProfiles",
    "sso:SearchUsers",
    "sso:GetPermissionSet",
    "sso-directory:DescribeGroups",
    "organizations:ListCreateAccountStatus",
    "sso-directory:DescribeUserByUniqueAttribute",
    "identitystore:DescribeGroupMembership",
    "sso-directory:SearchUsers",
    "identitystore:ListGroups",
    "sso:DescribePermissionSet",
    "sso:GetProfile",
    "sso-directory:ListExternalIdPCertificates",
    "sso-directory:GetUserPoolInfo",
    "organizations:ListPoliciesForTarget",
    "sso:ListPermissionSets",
    "sso:ListPermissionSetsProvisionedToAccount",
    "organizations:ListTargetsForPolicy",
    "organizations:ListTagsForResource",
    "sso:GetPermissionsPolicy",
    "identitystore-auth:ListSessions",
    "sso-directory:DescribeProvisioningTenant",
    "sso:GetSsoConfiguration",
    "sso:GetPermissionsBoundaryForPermissionSet",
    "organizations:ListAWSServiceAccessForOrganization",
    "sso:ListAccountAssignmentCreationStatus",
    "organizations:ListPolicies",
    "sso-directory:DescribeUsers",
    "identitystore:ListGroupMembershipsForMember",
    "organizations:ListHandshakesForOrganization",
    "organizations:ListDelegatedAdministrators",
    "organizations:ListAccounts",
    "sso:ListAccountsForProvisionedPermissionSet",
    "iam:ListPolicyVersions",
    "sso-directory:ListGroupsForMember",
    "identitystore:DescribeGroup",
    "organizations:ListParents",
    "ds:DescribeDirectories",
    "sso-directory:IsMemberInGroup",
    "sso:GetSSOStatus",
    "sso-directory:ListProvisioningTenants"
    ],
    "Resource": "*"
    }
    ]
    }

  3. Create another policy in your AWS management account that contains permissions to discover resources. Call this policy, for example, OktaPA_CIEM_ResourceDiscovery_Policy. This policy should have the following permissions:
    Click here to see the permissions.

    Copy
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
    "rds:DescribeDBInstances",
    "iam:GetPolicyVersion",
    "iam:ListPolicyVersions"
    ],
    "Resource": "*"
    }
    ]
    }

  4. For each member account in your AWS organization, create another OktaPA_CIEM_ResourceDiscovery_Policy. Grant the same permissions as in the previous step to allow for the discovery of resources in all member accounts.

    If this policy and a suitable role aren't created in a member account, Okta Privileged Access can't discover entitlements and resources in that account.

  5. Sign in to your Okta Privileged Access account and create an AWS connection. Note the Okta AWS Account ID and External ID, you need them in a subsequent step. See Connect your AWS acco unt to Okta Privileged Access.
  6. Create an IAM role in the AWS management account that will be linked to the policies you created.
    1. In the IAM console, go to the Roles page and click Create role.
    2. In the Select trusted entity page, select AWS AccountAnother AWS Account.
    3. Paste the Okta AWS account ID that you copied earlier.
    4. Select the Require external ID option, and paste the Okta AWS account External ID you copied earlier.
    5. Select the two permissions policies that you created and associate them with the role.
    6. Give the role a meaningful name, such as OktaPA_CIEM_Role.
    7. After the role is created, copy the ARN of the role.
    8. Go to your Okta Privileged Access dashboard, paste it into the connection Create connection screen, and test the connection. See Connect your AWS acco unt to Okta Privileged Access.
  7. Create another role in the AWS management account.
    1. In the IAM console, go to the Roles page and click Create role.
    2. In the Select trusted entity page, select Custom trust policy.
    3. In the policy editor, select Add a principal, and then choose IAM Roles for Principal type.
    4. Paste the ARN of the OktaPA_CIEM_Role you copied earlier into the ARN field.
    5. Click Add a condition. Choose sts:ExternalId as the condition key.
    6. Choose StringEquals for the Operator, and then paste the Okta AWS account External ID you copied earlier into the value field.
    7. Add the resource discovery policy that you created earlier to the role, in this example, it's the policy named OktaPA_CIEM_ResourceDiscovery_Policy.
    8. Click Next.
    9. Provide the exact name for this role: OktaPAMResourcesReadOnlyRole.

      The role name must match the exact name. If another role name is used, discovery won't function.

    10. Copy the ARN for this role once it's created; you need it in subsequent steps.
  8. Repeat the previous step to create this OktaPAMResourcesReadOnlyRole in all downstream member accounts in your organization. Copy the ARN for this role for each account that you create it in.

    If this policy and a suitable role aren't created in a member account, Okta Privileged Access can't discover entitlements and resources in that account.

  9. Create another policy in your management account that will be used to enable your management account and Okta's AWS account to interact with your member accounts. You can call this policy OktaPA_CIEM_Assume_Role.
    1. Choose STS as the service for this policy.
    2. For actions Allowed, choose WriteAssumeRole.
    3. For Resources, choose Specific, and then click Add ARNs link to restrict access.
    4. Select Text on the dialog that appears, and then paste in the ARN values for the OktaPAMResourcesReadOnlyRole you copied earlier for each individual AWS member account role you created.
    5. Click Add ARNs.
    6. Name the policy OktaPA_CIEM_Assume_Role.
  10. Finally, attach the policy to the role created earlier in your management account. In this case, the management account is OktaPA_CIEM_Role.

Connect your AWS acco unt to Okta Privileged Access

  1. Identify your AWS account ID.
    1. Go to the Amazon Web Services management console.
    2. At the top of the page, select the dropdown menu next to your profile name and click My Account.
    3. Under Account Settings, note your account ID number.
  2. Open a new browser, and sign in to your Okta Privileged Access account.

  3. Create an AWS IAM connection. Keep this window open as you're configuring AWS IAM roles and creating this connection simultaneously.
    1. In your Okta Privileged Access dashboard, go to Resource AdministrationConnections.
    2. Click Create connection AWS IAM connection.
    3. Configure the cloud account settings:
      SettingAction

      Connection name

      Enter a connection name.

      AWS Management account ID

      Enter the ID of your main AWS management account that you noted earlier.

      AWS role

      Enter the ARN of the AWS IAM role. See Create and configure AWS IAM roles roles to get the ARN.

      Okta AWS Account ID and External ID fields are automatically populated.

      Make note of the External ID value, as you require it when creating AWS IAM roles. It's related to an AWS service account managed by Okta and is distinct from your AWS Account ID. For details on using an External ID, see the AWS documentation.

    4. Click Test, and verify that the connection was successful.
    5. Click Save.

Next steps

Entitlement analysis