AWS Account
AWS is a cloud-based infrastructure provider. This Raito plugin enables access management for AWS S3.
The connector is available here and supports
- Import users and groups from IAM in the AWS account to an identity store in Raito Cloud.
- Import AWS S3 meta data (S3 buckets, objects inside those buckets, …) via S3 itself or via Glue to a data source in Raito Cloud.
- Export access controls from Raito Cloud into IAM/S3 permissions (as IAM roles, IAM policies, S3 Access Points and Permission Sets).
- Import access controls from IAM/S3 permissions Raito Cloud (IAM roles, IAM policies, S3 Access Points and Permission Sets).
- Import the data usage from CloudTrail to Raito Cloud.
Prerequisites
AWS Credentials
The AWS account connector requires AWS credentials to access the AWS account. The credentials can be provided by one of the following options:
- Environment variables: The environment variables
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY, and (optionally)AWS_SESSION_TOKENare used. - Shared credentials file. Credentials defined on
~/.aws/credentialswill be used. A profile can be defined withaws-profile. - If running on an Amazon EC2 instance, IAM role for Amazon EC2.
Ensure the role/user has the following policy document attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1718867172297",
"Action": [
"iam:GetAccountEmailAddress",
"iam:GetAccountName",
"iam:GetAccountSummary",
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccountAliases",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroupPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListPolicies",
"iam:ListPoliciesGrantingServiceAccess",
"iam:ListPolicyTags",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUserTags",
"iam:ListUsers"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::${Account}:*"
},
{
"Sid": "Stmt1718867335513",
"Action": [
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:CreateRole",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteRole",
"iam:DeleteRolePermissionsBoundary",
"iam:DeleteRolePolicy",
"iam:PutGroupPolicy",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy",
"iam:PutUserPermissionsBoundary",
"iam:PutUserPolicy",
"iam:TagPolicy",
"iam:TagRole",
"iam:UntagPolicy",
"iam:UntagRole",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::${Account}:*"
},
{
"Sid": "Stmt1718867545031",
"Action": [
"s3:CreateAccessPoint",
"s3:DeleteAccessPoint",
"s3:DeleteAccessPointPolicy",
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetDataAccess",
"s3:GetMultiRegionAccessPoint",
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus",
"s3:GetMultiRegionAccessPointRoutes",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectAttributes",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:GetObjectVersionAttributes",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:ListMultiRegionAccessPoints",
"s3:ListTagsForResource",
"s3:PutAccessPointPolicy",
"s3:PutBucketPolicy",
"s3:TagResource",
"s3:UntagResource"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "Stmt1718874249842",
"Action": [
"glue:DescribeEntity",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetSchema",
"glue:GetSchemaByDefinition",
"glue:GetSchemaVersion",
"glue:GetSchemaVersionsDiff",
"glue:GetTable",
"glue:GetTableOptimizer",
"glue:GetTableVersion",
"glue:GetTableVersions",
"glue:GetTables",
"glue:GetTags",
"glue:ListEntities",
"glue:ListSchemas",
"glue:ListTableOptimizerRuns"
],
"Effect": "Allow",
"Resource": "arn:aws:glue:*:${accountId}:*"
},
{
"Sid": "Stmt1718874927696",
"Action": [
"sts:GetAccessKeyInfo",
"sts:GetCallerIdentity"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::${Account}:*"
},
{
"Sid": "Stmt1718876817685",
"Action": [
"s3:GetAccessPoint",
"s3:GetAccessPointPolicy",
"s3:GetAccessPointPolicyStatus",
"s3:GetMultiRegionAccessPoint",
"s3:GetMultiRegionAccessPointPolicy",
"s3:GetMultiRegionAccessPointPolicyStatus"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:*:*:accesspoint/*"
}
]
}
Replace ${Account} with the AWS account ID.
AWS Organization (optional)
This prerequisite is optional and only necessary if you use IAM Identity Center and want to use Permission Sets (typically, to manage access across multiple AWS accounts). You need to set up an AWS Organization connector first, to import the users and groups into an AWS Organization identity store. In Raito cloud, this identity store then needs to be linked to each AWS Account data source that you would like to manage access for.
As the AWS account connector should be able to modify permission sets on the master account, the following CLI config parameters are required:
aws-organization-profile: The AWS SDK profile where the organization is defined (i.e. where permission sets are defined in AWS Identity Center).aws-organization-region: The region where the organization is defined (i.e. where permission sets are defined in AWS Identity Center).aws-organization-identity-center-instance-arn: The ARN of the AWS IAM Identity Center instance. Required if awsaws-organization-profileis defined.aws-organization-identity-store: The ARN of the AWS Identity Store. Required if awsaws-organization-profileis defined.
Note that an additional aws credentials profile is required to access the organization.
The user/role using the credentials should have the following policy document attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ssoInstanceReadWrite",
"Effect": "Allow",
"Action": [
"sso:CreatePermissionSet",
"sso:DescribePermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"sso:GetInlinePolicyForPermissionSet",
"sso:GetPermissionsBoundaryForPermissionSet",
"sso:GetPermissionSet",
"sso:ListAccountsForProvisionedPermissionSet",
"sso:ListCustomerManagedPolicyReferencesInPermissionSet",
"sso:ListManagedPoliciesInPermissionSet",
"sso:ListPermissionSetProvisioningStatus",
"sso:ListPermissionSets",
"sso:ListPermissionSetsProvisionedToAccount",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:DeletePermissionSet",
"sso:ProvisionPermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:AttachCustomerManagedPolicyReferenceToPermissionSet",
"sso:AttachManagedPolicyToPermissionSet",
"sso:DeletePermissionsBoundaryFromPermissionSet",
"sso:DetachCustomerManagedPolicyReferenceFromPermissionSet",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:PutPermissionsBoundaryToPermissionSet",
"sso:UpdatePermissionSet",
"sso:TagResource",
"sso:ListAccountAssignments",
"sso:ListAccountAssignmentsForPrincipal",
"sso:CreateAccountAssignment",
"sso:DeleteAccountAssignment"
],
"Resource": [
"arn:aws:sso:::instance/ssoins-${instanceId}"
]
},
{
"Sid": "ssoPermissionSetReadWrite",
"Effect": "Allow",
"Action": [
"sso:ListAccountAssignments",
"sso:ListAccountsForProvisionedPermissionSet",
"sso:ListManagedPoliciesInPermissionSet",
"sso:ListTagsForResource",
"sso:DescribePermissionSet",
"sso:GetInlinePolicyForPermissionSet",
"sso:GetPermissionsBoundaryForPermissionSet",
"sso:GetPermissionSet",
"sso:CreateAccountAssignment",
"sso:DeleteAccountAssignment",
"sso:DeletePermissionSet",
"sso:ProvisionPermissionSet",
"sso:AttachCustomerManagedPolicyReferenceToPermissionSet",
"sso:AttachManagedPolicyToPermissionSet",
"sso:DeletePermissionsBoundaryFromPermissionSet",
"sso:DeletePermissionsPolicy",
"sso:DetachCustomerManagedPolicyReferenceFromPermissionSet",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:PutPermissionsBoundaryToPermissionSet",
"sso:PutPermissionsPolicy",
"sso:UpdatePermissionSet",
"sso:TagResource",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:ListCustomerManagedPolicyReferencesInPermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:ListPermissionSetProvisioningStatus",
"sso:ListPermissionSets",
"sso:ListPermissionSetsProvisionedToAccount",
"sso:DescribePermissionSetProvisioningStatus"
],
"Resource": [
"arn:aws:sso:::permissionSet/ssoins-${instanceId}/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/creator": "RAITO"
}
}
},
{
"Sid": "ssoPermissionSetCreate",
"Effect": "Allow",
"Action": [
"sso:CreatePermissionSet"
],
"Resource": [
"arn:aws:sso:::permissionSet/ssoins-${instanceId}/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/creator": "RAITO"
}
}
},
{
"Sid": "ssoPermissionSetTag",
"Effect": "Allow",
"Action": [
"sso:TagResource"
],
"Resource": [
"arn:aws:sso:::permissionSet/ssoins-${instanceId}/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/creator": "RAITO",
"aws:RequestTag/creator": "RAITO"
}
}
},
{
"Sid": "ssoListTags",
"Effect": "Allow",
"Action": [
"sso:ListTagsForResource"
],
"Resource": [
"arn:aws:sso:::permissionSet/ssoins-${instanceId}/*",
"arn:aws:sso:::instance/ssoins-${instanceId}"
]
},
{
"Sid": "accountAssignment",
"Effect": "Allow",
"Action": [
"sso:CreateAccountAssignment",
"sso:DeleteAccountAssignment",
"sso:ProvisionPermissionSet",
"sso:ListAccountAssignments"
],
"Resource": [
"arn:aws:sso:::account/*"
]
},
{
"Sid": "identitystoreRead",
"Effect": "Allow",
"Action": [
"identitystore:ListGroupMemberships",
"identitystore:ListGroupMembershipsForMember",
"identitystore:ListGroups",
"identitystore:ListUsers",
"identitystore:DescribeGroup",
"identitystore:DescribeGroupMembership",
"identitystore:DescribeUser",
"identitystore:GetGroupId",
"identitystore:GetGroupMembershipId",
"identitystore:GetUserId",
"identitystore:IsMemberInGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "enrichRoles",
"Effect": "Allow",
"Action": [
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:DescribePermissionSet",
"sso:ListAccountAssignments"
],
"Resource": [
"*"
]
}
]
}
Replace ${instanceId} with the available SSO instance ID.
AWS Account-specific CLI parameters
To see all parameters, execute
$> raito info raito-io/cli-plugin-aws-account
in a terminal window.
Currently, the following configuration parameters are available:
| Configuration name | Description | Mandatory | Default value |
|---|---|---|---|
aws-profile |
The AWS SDK profile to use for connecting to the AWS account to synchronize. When not specified, the default profile is used (or what is defined in the AWS_PROFILE environment variable). | False | ${AWS_PROFILE} |
aws-regions |
A comma separated list of AWS regions to deal with. When not specified, only the default region as found by the AWS SDK is used. The first region in the list must be the default region. | False | |
aws-organization-profile |
The AWS SDK profile where the organization is defined (e.g. where permission sets are defined in AWS Identity Center). This is optional and can be used to get a full access trace in case access is granted through the AWS IAM Identity Center. | False | |
aws-organization-region |
The AWS region where the organization is defined (e.g. where permission sets are defined in AWS Identity Center). If not set and aws-organization-profile is defined, the default region for the profile will be used. |
False | |
aws-organization-identity-center-instance-arn |
The ARN of the AWS IAM Identity Center instance. Required if aws aws-organization-profile is defined. |
False | |
aws-organization-identity-store |
The ARN of the AWS Identity Store. Required if aws aws-organization-profile is defined. |
False | |
aws-s3-enabled |
If set to true, S3 buckets and objects will be retrieved directly from the S3 API. See all other ‘aws-s3-‘ parameters for more control over what is imported and what not. This cannot be enabled together with the aws-glue-enabled parameter. |
False | true |
aws-s3-emulate-folder-structure |
Emulate a folder structure for S3 objects, just like in the AWS UI. | False | |
aws-s3-max-folder-depth |
If aws-s3-enabled is set to true, fetch all objects up to a certain folder depth. |
False | 20 |
aws-s3-include-buckets |
Comma-separated list of buckets to include. If specified, only these buckets will be handled. Wildcards (*) can be used. | False | * |
aws-s3-exclude-buckets |
Comma-separated list of buckets to exclude. If specified, these buckets will not be handled. Wildcard (*) can be used. Excludes have preference over includes. | False | |
aws-concurrency |
The number of threads to use for concurrent API calls to AWS. | False | 5 |
aws-glue-enabled |
If set to true, AWS Glue Catalog will be used to fetch data objects. This approach is recommended instead of using S3 directly, because Glue allows you to define your data on a more logical level. The imported data objects will still be represented as S3 objects. This cannot be enabled together with the aws-s3-enabled parameter. |
False | false |
aws-s3-cloudtrail-bucket |
The name of the bucket where the usage data for S3 is stored by AWS Cloud Trail. This is necessary to fetch usage data. If not set, no usage data is gathered. | False | |
aws-access-skip-iam |
If set to true, all IAM access entities (roles and policies) will not be read to import into Raito Cloud as access controls. | False | false |
aws-access-skip-user-inline-policies |
If set to true, inline policies on users will not be read to import into Raito Cloud as access controls. | False | false |
aws-access-skip-group-inline-policies |
If set to true, inline policies on groups will not be read to import into Raito Cloud as access controls. | False | false |
aws-access-skip-managed-policies |
If set to true, managed policies will not be read to import into Raito Cloud as access controls. | False | false |
aws-access-skip-aws-managed-policies |
If set to true, AWS managed policies are excluded. | False | false |
aws-access-managed-policy-excludes |
Optional comma-separated list of managed policy names to exclude. Regular expressions can be used (e.g. ‘Amazon.+,AWS.+’ will exclude all managed policies starting with Amazon or AWS). | False | |
aws-access-skip-s3-access-points |
If set to true, S3 access points will not be read to import into Raito Cloud as access controls. | False | false |
aws-access-role-excludes |
Optional comma-separated list of role names to exclude. Regular expressions can be used (e.g. ‘Amazon.+,AWS.+’ will exclude all roles starting with Amazon or AWS). | False |