Integrate with AWS
Before starting
Before starting, you should decide which parts of your AWS ecosystem you want to monitor. You may choose to monitor the entire AWS organization or single accounts. If you want SlashID to protect all the data in your AWS Organization, you must use an organization management account for setup. Otherwise, SlashID will monitor only the data in the specified AWS account.
Set up the connection
- In your AWS Management Console > IAM > Policies, create a new policy:
- Policy editor: JSON
- Paste the following policy in the Policy editor. This policy contains all the permissions needed to automatically set up the connection between SlashID and AWS.
At this point you choose the authentication method that SlashID will use to access your AWS ecosystem:
- Access key: create an AWS access key ID/secret pair belonging to an IAM user that has been assigned the policy above
- Assume role: create a role with the above policy and a trust statement that allows the SlashID AWS account to assume the role
Access key
- In your AWS Management Console > IAM > Users, create a new user:
- Set permissions: Attach policies directly and select the policy created in step 1.
- Open the new user page. In the Security credentials tab, scroll down to Access keys and click on Create access key:
- Access key best practices & alternatives: select Third-party service
- Retrieve access keys: copy and store the Access key and Secret access key which you will need in the next step.
- In the SlashID console, paste the relevant attributes
| SlashID Console field | Description |
|---|---|
| Name of the connection | Arbitrary name you give to this connection |
| Authoritative status | Decide whether AWS identities are the primary (or secondary) source of truth when reconciling identities across providers |
| Account ID [or Organization ID] | Your AWS account ID or AWS organization ID |
| Region | The region that the API calls target; for best performance, this should be the same region as the S3 bucket where historical log data is stored |
| Authentication method | Access key |
| Access key ID | The ID of the access key you created in step 3 |
| Access key secret | The secret of the access key you created in step 3 |
| CloudTrail S3 bucket (optional) | To pull historical log data, specify the name of the S3 bucket where CloudTrail logs are stored |
| Days of CloudTrail logs to retrieve (optional) | Specify how many days of historical data should be retrieved (defaults to 90 days, max 3650). This operation will take time. |
| CloudTrail digest path prefix (optional) | Prefix for the CloudTrail log digest objects within the CloudTrail S3 bucket where historical logs can be found (default is AWSLogs) |
Assume role
- In your AWS Management Console > IAM > Roles, create a new role and follow the steps in the setup wizard for creating a role that can be accessed by AWS accounts belonging to a third party
- The account ID that should be allowed access is 469725248735
- You should set the external ID field to be your SlashID organization ID, which can be found in the SlashID console
- Copy the ARN of the newly created role, which you will need in the next step
- In the SlashID console, paste the relevant attributes
| SlashID Console field | Description |
|---|---|
| Name of the connection | Arbitrary name you give to this connection |
| Authoritative status | Decide whether AWS identities are the primary (or secondary) source of truth when reconciling identities across providers |
| Account ID [or Organization ID] | Your AWS account ID or AWS organization ID |
| Region | The region that the API calls target; for best performance, this should be the same region as the S3 bucket where historical log data is stored |
| Authentication method | Assume role |
| Assumable role ARN | The ARN of the role you created in step 3 |
| CloudTrail S3 bucket (optional) | To pull historical log data, specify the name of the S3 bucket where CloudTrail logs are stored |
| Days of CloudTrail logs to retrieve (optional) | Specify how many days of historical data should be retrieved (defaults to 90 days, max 3650). This operation will take time. |
| CloudTrail digest path prefix (optional) | Prefix for the CloudTrail log digest objects within the CloudTrail S3 bucket where historical logs can be found (default is AWSLogs) |
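The Assume role steps above rely on two things the wizard configures for you: the role trusts only the SlashID account (469725248735) and requires your SlashID organization ID as the external ID. The following added example (not SlashID's code) builds that trust policy and checks an existing one for the two common mistakes, a wildcard or foreign principal and a missing sts:ExternalId condition; the organization ID is a placeholder you replace with your own.

```python
import json

# The SlashID account ID is the one given in the setup steps; the external ID
# below is a placeholder for your own SlashID organization ID.
SLASHID_ACCOUNT_ID = "469725248735"
EXAMPLE_EXTERNAL_ID = "YOUR-SLASHID-ORGANIZATION-ID"  # placeholder


def build_trust_policy(external_id: str, partner_account_id: str = SLASHID_ACCOUNT_ID) -> dict:
    """Trust policy for the assumable role: only the partner account may assume it,
    and only when it presents the agreed external ID (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_problems(policy: dict, expected_account: str = SLASHID_ACCOUNT_ID) -> list:
    """Review an existing trust policy and return a list of findings (empty = OK).
    Flags wildcard principals, principals outside the expected account, and
    AssumeRole statements that do not require sts:ExternalId."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        aws = principals if isinstance(principals, str) else principals.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append("statement allows any principal to assume the role")
            elif expected_account not in p:
                findings.append(f"unexpected principal {p}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append("AssumeRole statement does not require sts:ExternalId")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(EXAMPLE_EXTERNAL_ID), indent=2))
```

Compare the printed document with the trust relationship of the role you created; any finding from trust_policy_problems means the role can be assumed more widely than this integration needs.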