Configuring Federated Token Access to AWS API

PrivX Authentication to AWS Services via token federation

An alternative way for PrivX for accessing AWS API is to use Federation Tokens.
Federation Tokens allow longer validity periods (up to 36 hours) and can be configured to give AWS users different permissions even when accessing the same target roles by configuring user specific AWS role policies.
Instead of assuming the role identity completely, the federated tokens will access the AWS via session policies.
PrivX will fetch AWS target role's policies and use those as session policies for the federation request. The final permissions for the token are an intersection between PrivX AWS user and target role. At the moment, only managed role policies are used. Group and inline policies are not included to the request.

Configuring federation token access to AWS IAM

  1. In your AWS management interface, create an IAM user for obtaining AWS roles.
    PrivX uses this AWS user to import and delegate AWS roles. For this reason you must also create Security Credentials/Access Keys for the user. Copy the Access Key ID and the Secret Access Key of the user, which are required later for configuring PrivX AWS Directory.

  2. Provide the IAM user with the following permission policy:

    {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": "sts:GetFederationToken",
             "Resource": [ "*" ]
         },
         {
             "Effect": "Allow",
             "Action": "sts:AssumeRole",
             "Resource": [ "*" ]
         },
         {
             "Effect": "Allow",
             "Action": [
                 "iam:ListRoles",
                 "iam:ListAttachedRolePolicies",
                 "iam:GetPolicy",
                 "iam:GetPolicyVersion",
                 "iam:ListPolicies",
                 "iam:ListPolicyVersions",
                 "ec2:DescribeInstances",
                 "ec2:DescribeRegions",
             ],
             "Resource": [ "*" ]
         }
     ]
    }
    

    ec2:Describe* -IAM permissions are required for AWS host scanning.

  3. In your AWS management interface, create additional AWS policy for your PrivX AWS user.
    This policy needs to contain the permissions you want to acquire from the another AWS role. The granted permissions are an intersection between your PrivX user policies and target role managed policies.

    {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": [
                 "s3:Get*",
                 "s3:List*",
             ],
             "Resource": [
                 "arn:aws:s3::anotherAccountId:targetBucketName"
             ]
         }
     ]
    }
    

In this example, the policy tries to get read access to S3-bucket 'targetBucketName' on another AWS account 'anotherAccountId'.

  1. In AWS management interface, create AWS role(s) that grant access to AWS services.
    As PrivX fetches the target role policies to figure out which permissions the user should be granted,
    this role needs be in the same AWS account as the user created in step #1. If you need to access roles belonging to another AWS account, see Configuring assume-role access to AWS API .
    The AWS role(s) should have permissions like the following (replace the example Actions with services and actions this role should allow access to):

    {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": [
                 "iam:ListRoles",
             ],
             "Resource": [
                 "*"
             ]
         },
         {
             "Effect": "Allow",
             "Action": [
                 "s3:Get*",
                 "s3:List*",
             ],
             "Resource": [
                 "arn:aws:s3:::targetBucketName"
             ]
         }
     ]
    }
    

    iam:ListRoles -permission is required by PrivX for role federation, for fetching a list of AWS roles for administrator to map PrivX roles against.
    s3:Get and s3:List -permissions are permissions used in this example, to give read access to files to S3 bucket called 'targetBucketName', owned by this AWS account.

PrivX will fetch all managed role policies (not inline- and group policies) attached to the target role and merge them to create the policy document for federation request. Note that the maximum policy document size for federation request is 2048 bytes (AWS limitation).

Also set the trust relationships of the AWS role similar to the following (replace <iam_user_arn> with the ARN of the previously-created IAM user):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<iam_user_arn>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

See GetFederationToken to see the token restrictions and
AWS Access Policies
for more information.

Configuring PrivX AWS directory to use federated tokens

  1. On the Administration→Directories page of the PrivX GUI, add a directory of the type Amazon Web Services. Provide the Access key ID and Secret Access Key of the previously-created IAM user.

    Also under Advanced AWS settings, select Enable AWS Role Federation. If you only want to import roles under a certain path, set this path to AWS Role Prefix for Federated Roles.
    You can also filter imported AWS roles by configuring "AWS Role Filter" (since PrivX 17).

    Save the directory configuration. To verify that roles were imported successfully, ensure that the previously-configured AWS roles are visible on the page Administration→Deployment→Configure Amazon Web Service role grants.

  2. Grant AWS roles to PrivX roles. To do this, go to the page Administration→Deployment→Configure Amazon Web Service role grants, and Edit the AWS roles. PrivX users belonging to specified roles can now gain access according to any AWS roles granted to them.

Was this page helpful?