
Integrate with AWS

Before starting

Before starting, you should decide which parts of your AWS ecosystem you want to monitor. You may choose to monitor the entire AWS organization or single accounts. If you want SlashID to protect all the data in your AWS Organization, you must use an organization management account for setup. Otherwise, SlashID will monitor only the data in the specified AWS account.

Set up the connection

  1. In your AWS Management Console > IAM > Policies, create a new policy:
  • Policy editor: JSON
  • Paste the following policy in the Policy editor. This policy contains all the permissions needed to automatically set up the connection between SlashID and AWS.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DeleteStackInstances",
        "cloudformation:UpdateStackInstances",
        "cloudformation:ListStackSetOperations",
        "cloudformation:CreateStack",
        "cloudformation:DescribeStackSetOperation",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack",
        "cloudformation:CreateStackSet",
        "cloudformation:UpdateStackSet",
        "cloudformation:DeleteStackSet",
        "cloudformation:CreateStackInstances"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stackset/slashid-*:*",
        "arn:aws:cloudformation:*:*:stack/slashid-*/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStackSet",
        "cloudformation:ListStackInstances",
        "cloudformation:DescribeStacks"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:StartLogging",
        "cloudtrail:ListTrails",
        "cloudtrail:AddTags",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:CreateTrail",
        "cloudtrail:ListTags",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:RemoveTags",
        "cloudtrail:DescribeTrails"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor5",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:ListApiDestinations",
        "events:DeleteApiDestination",
        "events:ListConnections",
        "events:CreateApiDestination",
        "events:DescribeConnection",
        "events:DeleteConnection",
        "events:ListRules",
        "events:ListEventBuses",
        "events:ListTargetsByRule"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor7",
      "Effect": "Allow",
      "Action": [
        "events:DescribeEventBus",
        "events:CreateEventBus",
        "events:DeleteEventBus"
      ],
      "Resource": "arn:aws:events:*:*:event-bus/slashid-*"
    },
    {
      "Sid": "VisualEditor8",
      "Effect": "Allow",
      "Action": [
        "events:CreateConnection",
        "events:DeleteConnection"
      ],
      "Resource": "arn:aws:events:*:*:connection/slashid-*"
    },
    {
      "Sid": "VisualEditor9",
      "Effect": "Allow",
      "Action": [
        "events:DeleteRule",
        "events:PutTargets",
        "events:DescribeRule",
        "events:PutRule",
        "events:RemoveTargets",
        "events:ListTargetsByRule"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/slashid-*",
        "arn:aws:events:us-east-1:*:rule/SlashIDS3LogDelivery"
      ]
    },
    {
      "Sid": "VisualEditor12",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:GetRole",
        "iam:PutRolePolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListPolicies",
        "iam:GetGroup",
        "iam:GetUser",
        "iam:CreateServiceLinkedRole",
        "iam:GetAccountAuthorizationDetails",
        "iam:GenerateCredentialReport",
        "iam:ListMFADevices",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor13",
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy"
      ],
      "Resource": "arn:aws:iam::*:policy/SlashID*"
    },
    {
      "Sid": "VisualEditor14",
      "Effect": "Allow",
      "Action": [
        "iam:DetachRolePolicy",
        "iam:ListPolicyVersions",
        "iam:DeleteRolePolicy",
        "iam:DeletePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:policy/SlashID*",
        "arn:aws:iam::*:policy/slashid-*",
        "arn:aws:iam::*:role/slashid-*",
        "arn:aws:iam::*:role/SlashID*",
        "arn:aws:iam::*:role/AWSCloudFormationStackSet*",
        "arn:aws:iam::*:role/service-role/AWSCloudFormationStackSet*",
        "arn:aws:iam::*:role/aws-service-role/cloudtrail.amazonaws.com/*"
      ]
    },
    {
      "Sid": "VisualEditor15",
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups",
        "identitystore:ListGroupMemberships"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor16",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "rds:DescribeDBInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "eks:ListClusters",
        "lambda:ListFunctions",
        "secretsmanager:ListSecrets",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor17",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionCode",
        "lambda:AddPermission",
        "lambda:GetFunction",
        "lambda:DeleteFunction"
      ],
      "Resource": "arn:aws:lambda:us-east-1:*:function:*"
    },
    {
      "Sid": "VisualEditor18",
      "Effect": "Allow",
      "Action": [
        "organizations:ListDelegatedAdministrators",
        "organizations:EnableAWSServiceAccess",
        "organizations:ListRoots",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:DescribeOrganization",
        "organizations:ListDelegatedServicesForAccount",
        "organizations:DescribeAccount",
        "organizations:RegisterDelegatedAdministrator",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:DeregisterDelegatedAdministrator",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListChildren",
        "organizations:EnablePolicyType"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor19",
      "Effect": "Allow",
      "Action": [
        "organizations:ListPoliciesForTarget",
        "organizations:ListTargetsForPolicy",
        "organizations:UpdatePolicy",
        "organizations:DetachPolicy",
        "organizations:AttachPolicy",
        "organizations:DeletePolicy",
        "organizations:DescribePolicy",
        "organizations:CreatePolicy",
        "organizations:ListPolicies"
      ],
      "Resource": [
        "arn:aws:organizations::*:policy/service_control_policy/*",
        "*",
        "arn:aws:organizations::*:root/*"
      ]
    },
    {
      "Sid": "VisualEditor24",
      "Effect": "Allow",
      "Action": [
        "s3:PutEncryptionConfiguration",
        "s3:PutBucketNotification",
        "s3:PutBucketLogging",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:CreateBucket",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketLocation",
        "s3:DeleteBucket",
        "s3:GetBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::slashid-*"
    },
    {
      "Sid": "VisualEditor25",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::slashid-*/*"
    },
    {
      "Sid": "VisualEditor26",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:CreateSecret",
        "secretsmanager:DeleteSecret",
        "secretsmanager:TagResource"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:228209566706:secret:events!connection/*"
    },
    {
      "Sid": "VisualEditor27",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:GetParameter"
      ],
      "Resource": "arn:aws:ssm:*:*:*/slashid/*"
    },
    {
      "Sid": "VisualEditor28",
      "Effect": "Allow",
      "Action": [
        "sso:ListAccountAssignments",
        "sso:ListPermissionSets",
        "sso:ListAccountsForProvisionedPermissionSet",
        "sso:ListInstances",
        "sso:DescribePermissionSet",
        "sts:AssumeRole",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
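As an added example (not part of the SlashID documentation), a short Python check a reviewer can run over the policy above before attaching it: it lists the Allow statements that grant non-read actions on Resource "*". The script embeds a constructed two-statement excerpt so it runs offline; point `wildcard_write_statements` at the full document to audit the whole policy. Note that the VisualEditor19 statement above includes "*" in its Resource array alongside two specific ARNs, so those ARNs do not narrow what it grants.

```python
import json

# Constructed excerpt: two of the statements from the policy above,
# embedded so the script runs offline.
POLICY_EXCERPT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor19", "Effect": "Allow",
         "Action": ["organizations:AttachPolicy", "organizations:ListPolicies"],
         "Resource": ["arn:aws:organizations::*:policy/service_control_policy/*",
                      "*", "arn:aws:organizations::*:root/*"]},
        {"Sid": "VisualEditor24", "Effect": "Allow",
         "Action": ["s3:PutBucketPolicy", "s3:GetBucketPolicy"],
         "Resource": "arn:aws:s3:::slashid-*"},
    ],
})

# Actions whose name starts with one of these are treated as read-only;
# everything else is treated as potentially mutating.
READ_PREFIXES = ("Get", "List", "Describe")


def _as_list(v):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return v if isinstance(v, list) else [v]


def is_read_only(action):
    return action.split(":", 1)[1].startswith(READ_PREFIXES)


def wildcard_write_statements(policy_json):
    """Return (Sid, sorted non-read actions) for every Allow statement
    whose Resource includes "*" and that grants at least one non-read action."""
    doc = json.loads(policy_json)
    hits = []
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(st.get("Resource", [])):
            continue
        writes = [a for a in _as_list(st["Action"]) if not is_read_only(a)]
        if writes:
            hits.append((st.get("Sid"), sorted(writes)))
    return hits


if __name__ == "__main__":
    for sid, actions in wildcard_write_statements(POLICY_EXCERPT):
        print(f"{sid}: non-read actions on Resource '*': {', '.join(actions)}")
```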

At this point you choose the authentication method that SlashID will use to access your AWS ecosystem:

  • Access key: create an AWS access key ID/secret pair belonging to an IAM user that has been assigned the policy above
  • Assume role: create a role with the above policy and a trust statement that allows the SlashID AWS account to assume the role

Access key

  2. In your AWS Management Console > IAM > Users, create a new user:
  • Set permissions: Attach policies directly and select the policy created in step 1.
  3. Open the new user page. In the Security credentials tab, scroll down to Access keys and click on Create access key:
  • Access key best practices & alternatives: Third-party service
  • Retrieve access keys: copy and store the Access key and Secret access key, which you will need in the next step.
  4. In the SlashID console, paste the relevant attributes:
  • Name of the connection: Arbitrary name you give to this connection
  • Authoritative status: Decide whether AWS identities are the primary (or secondary) source of truth when reconciling identities across providers
  • Account ID [or Organization ID]: Your AWS account ID or AWS organization ID
  • Region: The region that the API calls target; for best performance, this should be the same region as the S3 bucket where historical log data is stored
  • Authentication method: Access key
  • Access key ID: The ID of the access key you created in step 3
  • Access key secret: The secret of the access key you created in step 3
  • CloudTrail S3 bucket (optional): To pull historical log data, specify the name of the S3 bucket where CloudTrail logs are stored
  • Days of CloudTrail logs to retrieve (optional): How many days of historical data should be retrieved (defaults to 90 days, max 3650). This operation will take time.
  • CloudTrail digest path prefix (optional): Prefix for the CloudTrail log digest objects within the CloudTrail S3 bucket where historical logs can be found (default is AWSLogs)

Assume role

  2. In your AWS Management Console > IAM > Roles, create a new role and follow the steps in the setup wizard for creating a role that can be accessed by AWS accounts belonging to a third party:
  • The account ID that should be allowed access is 469725248735
  • Set the external ID field to your SlashID organization ID, which can be found in the SlashID console
  3. Copy the ARN of the newly created role, which you will need in the next step
  4. In the SlashID console, paste the relevant attributes:
  • Name of the connection: Arbitrary name you give to this connection
  • Authoritative status: Decide whether AWS identities are the primary (or secondary) source of truth when reconciling identities across providers
  • Account ID [or Organization ID]: Your AWS account ID or AWS organization ID
  • Region: The region that the API calls target; for best performance, this should be the same region as the S3 bucket where historical log data is stored
  • Authentication method: Assume role
  • Assumable role ARN: The ARN of the role you copied in step 3
  • CloudTrail S3 bucket (optional): To pull historical log data, specify the name of the S3 bucket where CloudTrail logs are stored
  • Days of CloudTrail logs to retrieve (optional): How many days of historical data should be retrieved (defaults to 90 days, max 3650). This operation will take time.
  • CloudTrail digest path prefix (optional): Prefix for the CloudTrail log digest objects within the CloudTrail S3 bucket where historical logs can be found (default is AWSLogs)
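The role's trust statement is what restricts the assume-role option to the SlashID account and to your organization ID (the external ID). As an added example, not from the SlashID documentation, the Python below builds that statement with the account ID given above and checks an existing trust policy for the two things a reviewer cares about: a principal other than that account, and a missing external-ID condition. The organization ID value is a placeholder to replace with your own.

```python
import json

SLASHID_ACCOUNT_ID = "469725248735"   # the third-party account ID given on this page


def _as_list(v):
    # IAM allows a single string or a list for Statement, Action and Principal.AWS.
    return v if isinstance(v, list) else [v]


def build_trust_policy(external_id, partner_account=SLASHID_ACCOUNT_ID):
    """Trust policy of the shape the IAM role wizard writes for 'another AWS account'
    with 'require external ID': only the partner account may assume the role,
    and only when it presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(doc, expected_account, expected_external_id):
    """Return a finding for each way an Allow sts:AssumeRole statement is broader
    than intended; an empty list means the role is scoped as this page describes."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append("principal is '*': any AWS account could assume the role")
            elif expected_account not in p:
                findings.append(f"unexpected principal {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != expected_external_id:
            findings.append("sts:ExternalId condition missing or not the SlashID organization ID")
    return findings


if __name__ == "__main__":
    # Placeholder: paste your SlashID organization ID from the console here.
    print(json.dumps(build_trust_policy("<your-slashid-organization-id>"), indent=2))
```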