AWS

8/2023

Overview

Oort identity security can connect directly to SSO-enabled AWS environments and collect data regarding user accounts, activity, and more.

Known Issues

There is currently an issue with the AWS API where user accounts that are disabled in AWS are returned with an active status, even though they show as disabled in the AWS IAM console.

Assumptions

This integration assumes the following:

  • SSO is configured for your AWS enterprise account at a parent level, with child AWS accounts using the same SSO connection (example shown below).

  • If SSO is configured separately or discretely for disparate AWS accounts, then you will need to set up an Oort AWS integration for each account.

  • If no SSO is configured for your AWS account(s), please speak with your Oort representative to determine the best course of action.

AWS Configuration

Note - there are many methods for creating accounts and granting access with AWS IAM. If you have questions or suggestions, please speak with your Oort technical representative.

  1. Navigate to the AWS IAM service in the parent AWS account, where SSO is configured.

  2. Click Create user and create an Oort integration user.

  3. Within the Permissions section, create an inline policy and paste the following JSON into it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:List*",
                "sso:Describe*",
                "sso:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:List*",
                "identitystore:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudtrail:LookupEvents",
            "Resource": "*"
        }
    ]
}

  4. Within the User object page, click the Security Credentials tab.

  5. Click Create access key.

  6. Select Command Line Interface (CLI) and check the Confirmation box at the bottom of the page.

  7. Leave the Set description tag value blank and click Create access key.

  8. Copy the Access key ID and the Secret access key for use in the Oort console.

Oort Configuration

  1. Within the Integrations tab, click Add Integration and click AWS.

  2. Enter a display name for the integration.

  3. Enter the AWS region where the IAM service account was created, in the form us-east-2.

  4. Enter the Access Key ID.

  5. Enter the Access Key secret.

  6. Click Save.

Test Connectivity

Once saved, on the Integrations page, click the 3-dot menu on the right side of your AWS integration and select Test Connectivity.

If the test succeeds, a "Connected" message appears in the lower left of the screen; you can then click the 3-dot menu again and select Collect Now to begin collection.
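The two checks a practitioner would want around the steps above, as an added example that is neither Oort's code nor part of this guide: first, an audit that the inline policy pasted into IAM is still the read-only one from the AWS Configuration section (a stray "iam:*" or "*" from a copy-paste mistake is the classic failure mode for integration users), and second, an optional live probe that exercises one call per granted API family with the new access key before running Oort's own Test Connectivity. The audit is standard library only; the probe assumes boto3 is installed, that the access key is available through the usual environment variables or a profile, and that the region passed in is the one where IAM Identity Center is enabled. The sso-admin, identitystore and cloudtrail calls used are real boto3 APIs; the helper names are this example's own.

```python
"""Added example (not Oort's code): audit the guide's inline policy for
least privilege, then optionally exercise the three API families it grants
with the new access key, the same calls Oort's Test Connectivity depends on."""
import fnmatch
import json
import sys

# The inline policy from the AWS Configuration section, copied verbatim.
OORT_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sso:List*", "sso:Describe*", "sso:Get*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["identitystore:List*", "identitystore:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "cloudtrail:LookupEvents",
         "Resource": "*"}
    ]
}
""")

# Read-only action patterns the integration needs. Every granted action must
# be covered by one of these; anything wider (e.g. "sso:*", "iam:*", "*")
# is reported so a copy-paste mistake is caught before the key is created.
ALLOWED_ACTIONS = (
    "sso:List*", "sso:Describe*", "sso:Get*",
    "identitystore:List*", "identitystore:Describe*",
    "cloudtrail:LookupEvents",
)


def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy
    matches the guide (read-only SSO, Identity Store and CloudTrail lookup)."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: Effect is {stmt.get('Effect')!r}, expected Allow")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants far more than intended")
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive, so compare lower-cased.
            covered = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                          for pat in ALLOWED_ACTIONS)
            if not covered:
                findings.append(f"statement {i}: action {action!r} is outside the read-only allow-list")
    return findings


def probe(region: str) -> dict:
    """One call per granted API family, using whatever credentials boto3
    resolves (profile or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY). `region`
    is assumed to be where IAM Identity Center is enabled. Not run by tests."""
    import boto3  # deferred import: the audit above works without the SDK
    caller = boto3.client("sts", region_name=region).get_caller_identity()["Arn"]
    instances = boto3.client("sso-admin", region_name=region).list_instances()["Instances"]
    if not instances:
        raise RuntimeError(f"no IAM Identity Center instance visible in {region}")
    store_id = instances[0]["IdentityStoreId"]
    users = boto3.client("identitystore", region_name=region).list_users(
        IdentityStoreId=store_id, MaxResults=1)["Users"]
    events = boto3.client("cloudtrail", region_name=region).lookup_events(
        MaxResults=1)["Events"]
    return {"caller": caller, "identity_store": store_id,
            "users_seen": len(users), "events_seen": len(events)}


if __name__ == "__main__":
    for finding in audit_policy(OORT_POLICY) or ["policy OK: read-only as documented"]:
        print(finding)
    if len(sys.argv) > 1:      # python audit.py us-east-2  -> live probe
        print(probe(sys.argv[1]))
```

Run it with no arguments to audit the policy text alone; pass the region (for example `us-east-2`) to also run the probe. If the probe's `caller` ARN is not the dedicated Oort integration user, or any of the three calls is denied, fix the IAM side before saving the integration in the Oort console; if the probe succeeds but Oort's Test Connectivity fails, the problem is in the values entered in the Oort Configuration steps rather than in AWS permissions.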
