Authenticating to multiple AWS accounts using a single Amazon Credential
If you have multiple AWS accounts—such as production accounts and testing or QA accounts—you can configure Trust Protection Platform to authenticate to multiple AWS accounts at once. This configuration lets you authenticate to a single AWS account and execute different types of work—provisioning and Onboard Discovery—across any other AWS accounts in which you've added the same cross-account role.
You can configure an Amazon credential object in Trust Protection Platform with a single set of AWS access keys (ID and Secret), specifying an Amazon cross-account IAM role (defined in one of your AWS accounts) and an External ID (if one is used).
The primary function of the External ID is to prevent the "confused deputy" problem. The External ID makes it less likely that a party other than Trust Protection Platform can access the other AWS account. Without External ID protection, any IAM user within the AWS account where the Trust Protection Platform user resides would be able to access the other AWS accounts simply by knowing the name of the role in the other account.
When applying account credentials to provision a certificate, Amazon requires an External ID. The value must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white spaces. It can also include the following symbols: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-).
For more information, visit Amazon's article, How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
DID YOU KNOW? Like most Trust Protection Platform applications, AWS makes use of the Hostname/Address setting from its parent device object, even though it's a cloud service and not a typical device. This is because AWS is an Internet-based service with a public interface that is the same for all customers. But if you're provisioning to a secondary account, the parent device's Hostname/Address setting in Trust Protection Platform is actually used to specify the AWS account ID (rather than the expected hostname or address).
This is a confusing but temporary method for managing this specific use case.
For more information about AWS configuration, see Amazon Web Services (AWS)—Overview.
For the ADFS Amazon credential, no additional setup steps are required. This is because ADFS is already tied to a specific account and role. So on the credential, you don't specify the account information.
NOTE The following procedure is a high-level overview of the steps you need to take in both AWS and Trust Protection Platform. However, you should refer to your AWS documentation for details related to the AWS-specific steps in the following procedure.
TIP Consider reviewing the Amazon tutorial found at https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html.
To configure authentication to multiple AWS accounts using a single Amazon Credential
1. In a secondary AWS account (as opposed to your primary account, where your Trust Protection Platform Amazon Credential resides), do the following:
   a. Create a policy with the permissions outlined in AWS permission requirements.
   b. Create a role that gives access to your primary AWS account.
2. In your primary AWS account, do the following:
   a. Create an AWS policy that allows a user in the primary account to execute the AssumeRole operation in each of the secondary accounts.
   b. Grant the user referenced by the Trust Protection Platform's Amazon Credential the role from step 2a.
3. In Trust Protection Platform, create an Amazon Credential and specify the Access Key ID, Secret Access Key, and cross-account role of the secondary AWS account (from step 1b, where you created the new role).
For configuration details, see About Amazon credentials.
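The two IAM policy documents behind the procedure above, written out as an added example (this is not Venafi or Trust Protection Platform code, and it does not call AWS). It builds the trust policy for the secondary-account role from step 1b, with the External ID condition that closes the confused-deputy hole described earlier, and the AssumeRole policy for the primary-account user from step 2a; it also checks an External ID against the format stated on this page and audits a trust policy for a missing External ID condition. The account IDs, the role name `TPPCrossAccountRole`, the External ID value and all function names are placeholders chosen for the example.

```python
"""Build and audit the IAM policies behind a cross-account Amazon Credential.

Added example, not Venafi code. Account IDs, role name and External ID are
constructed placeholders; only the Python standard library is used.
"""
import json
import re

# External ID format as stated on this page: 2 to 1224 characters, letters and
# digits plus + = , . @ : / -  and no whitespace.
EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9+=,.@:/-]{2,1224}$")


def validate_external_id(external_id: str) -> bool:
    """Return True when external_id satisfies the documented format."""
    return EXTERNAL_ID_RE.fullmatch(external_id) is not None


def build_trust_policy(primary_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in a secondary account (step 1b).

    Only principals in the primary account may assume the role, and only when
    they present the agreed External ID.
    """
    if not validate_external_id(external_id):
        raise ValueError("External ID does not match the required format")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{primary_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_assume_role_policy(secondary_account_ids: list, role_name: str) -> dict:
    """Identity policy for the primary-account user (step 2a).

    The user may call AssumeRole only on the named cross-account role in each
    listed secondary account, not on arbitrary roles.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in secondary_account_ids],
        }],
    }


def trust_policy_requires_external_id(policy: dict) -> bool:
    """Audit helper: True only if every Allow statement granting sts:AssumeRole
    also requires sts:ExternalId. A role whose trust policy fails this check
    can be assumed by any principal in the trusted account that knows the
    role name, which is the exposure the External ID exists to remove."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {})
        if not any("sts:ExternalId" in cond.get(op, {})
                   for op in ("StringEquals", "StringLike")):
            return False
    return True


if __name__ == "__main__":
    # Constructed placeholders; real IDs come from your own AWS accounts.
    primary = "111111111111"
    secondaries = ["222222222222", "333333333333"]
    ext_id = "tpp-cross-account-example"
    print(json.dumps(build_trust_policy(primary, ext_id), indent=2))
    print(json.dumps(build_assume_role_policy(secondaries, "TPPCrossAccountRole"), indent=2))
```

Paste the first document as the trust relationship of the role created in step 1b in each secondary account, and attach the second to the primary-account user whose access keys go into the Amazon Credential; `trust_policy_requires_external_id` is the check to run over an existing trust policy before reusing a role you did not create yourself.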