AWS
The Satori platform supports integration with various AWS services, for example for data asset discovery, authorization analysis and audit log ingestion. The following sections describe how to integrate Satori with these AWS services.
Satori DAC Role Integration
Satori DACs come with a pre-configured DAC role principal, formatted as <cluster_name>-role, for example prod-aws-us-east-1-acme-role. The integration is based on the DAC role being able to assume a service role that has the required permissions for the selected functionality.
Creating a DAC Role for a SaaS Deployment
For a SaaS-based deployment, the DAC role is pre-provisioned in Satori's AWS account.
Creating a DAC Role for a SaaS Customer Hosted Deployment
For customer hosted deployments, see the Customer Hosted Deployment section below.
Creating a Service Role
Create a role principal in your AWS account, in the following format: <cluster_name>-service-role, for example, prod-aws-us-east-1-acme-service-role.
Note: Integrating with multiple AWS accounts requires multiple service roles (one per account).
1 - Create and Attach a Trust Relationship Policy
To allow the DAC role to assume the service role, a trust relationship policy must be created and attached to the service role.
The policy must include the sts:ExternalId condition to protect against the confused deputy problem; the external ID value is located in the account settings. The aws:PrincipalArn condition in the example below additionally restricts the trust to the DAC role itself rather than to any principal in the Satori account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "b831684764627c7e8212892591b6b3aab1803xxx",
          "aws:PrincipalArn": [
            "arn:aws:iam::111111111111:role/prod-aws-us-east-1-acme-role"
          ]
        }
      }
    }
  ]
}
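As an added example (not Satori's own code), the following Python check verifies that a service-role trust policy carries both conditions described above: the expected sts:ExternalId and an aws:PrincipalArn pinned to the DAC role. The role ARN, external ID and both policy documents are constructed placeholders in the same shape as the policy shown above.

```python
import json

# Constructed placeholders, same shape as the trust policy in this section.
DAC_ROLE_ARN = "arn:aws:iam::111111111111:role/prod-aws-us-east-1-acme-role"
EXTERNAL_ID = "b831684764627c7e8212892591b6b3aab1803xxx"

GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "sts:ExternalId": EXTERNAL_ID,
            "aws:PrincipalArn": [DAC_ROLE_ARN],
        }},
    }],
})

# Same policy with the Condition block dropped: any principal in account
# 111111111111 could then assume the service role (confused deputy exposure).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def trust_policy_findings(policy_json, dac_role_arn, external_id):
    """Return findings for every Allow statement granting sts:AssumeRole.
    An empty list means each such statement requires the expected external ID
    and is pinned to the DAC role via aws:PrincipalArn."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not {"sts:AssumeRole", "sts:*", "*"} & set(as_list(stmt.get("Action"))):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if external_id not in as_list(equals.get("sts:ExternalId")):
            findings.append("sts:ExternalId missing or wrong (confused-deputy exposure)")
        if dac_role_arn not in as_list(equals.get("aws:PrincipalArn")):
            findings.append("aws:PrincipalArn not pinned to the DAC role")
    return findings
```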
2 - Create and Attach a Permission Policy
To allow the service role access to the relevant AWS services, a permission policy must be attached to the service role. Permission policies are feature specific; the policy details are located in the management console, as part of the feature configuration process.
S3 posture management policy example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SatoriScanning",
      "Action": [
        "iam:List*",
        "iam:Get*",
        "s3:List*",
        "s3:Get*",
        "s3:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Customer Hosted Deployment
For a customer hosted deployment, the DAC role must be configured and attached to the EKS cluster. Perform the following steps to create the cluster role.
- Create a DAC Role
- Create and Attach a Trust Relationship Policy. (The trust relationship policy enables the DAC workloads to assume the DAC role; the OpenID Connect provider URL can be retrieved from the EKS settings.)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SatoriDacRoleTrustPolicy",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::222222222222:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "oidc.eks.us-east-1.amazonaws.com/id/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:sub": "system:serviceaccount:satori-runtime:*"
        }
      }
    }
  ]
}
- Create and Attach a Permission Policy. (A permission policy is required for the DAC role to be able to assume the service role.)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SatoriDacRolePermissionPolicy",
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:role/stage-aws-us-east-1-service-role"
      ]
    }
  ]
}