Configure AWS Management Console

Last modified on February 21, 2024

Overview

This guide describes how to configure your AWS Management Console as a cloud resource in the StrongDM Admin UI. To manage access to your AWS Management Console via StrongDM, we support the following authentication modes:

  • A static AWS access key, which comprises an Access Key ID and a Secret Access Key
  • Environment-loaded credentials, which can be one of the following:
    • AWS access keys in standard AWS environment variables on the gateway
    • AWS access keys configured as a standard AWS profile on the gateway
    • An EC2 instance profile or ECS profile linked to the host or container running the gateway
    • An IAM role assumption, which can be used with Remote Identities

If you use Remote Identities, the identity selected for any given user does not relate to AWS IAM identities or authorization for that user account. The StrongDM user still only has rights belonging to the AWS Role defined in the resource, or via credentials on the gateway. The authentication setting for the resource only changes what name is used to log requests in AWS CloudTrail and the display name of the logged-in user in the AWS Management Console.

Limitations

  • Due to the limitations of this resource type, StrongDM does not log user interactions after authentication occurs. StrongDM logs activities such as setup or modification of the resource within StrongDM, or authentication of a user to the resource, but StrongDM does not log the queries performed by the user on the resource itself. We recommend the use of CloudTrail for logging further interactions with the resource once a user is authenticated.
  • Similarly, some organization-level behaviors are also different for this resource type:
    • Inactivity timeouts set for the organization are not enforced.
    • Current connections to resources are not severed instantly when access is revoked.
    • Note that you can set an expiration field to enforce session timeouts. See Session Expiry Seconds in the AWS Management Console properties.

Prerequisites

Generate TLS certificates

You must have TLS certificates set up with StrongDM before adding an AWS Management Console resource. If you have not already done so, go to the Infrastructure > Websites page in the Admin UI, and generate TLS certificates.

Security considerations

Before adding your AWS Management Console as a cloud resource, note the following.

  • For your AWS configurations, allow the least amount of privilege possible.
  • Keep your authentication type the same when possible. If your organization does not use static keys, do not configure StrongDM to use them.
  • Logging:
    • StrongDM doesn’t log anything beyond authentication against the resource. If you need more complete log coverage than CloudTrail provides on the AWS side, you can use Remote Identities and your own CloudTrail logs in AWS. With these, you can create an accurate picture of access.
    • Enable and log AWS Access Analyzer and CloudTrail Management events for the account to configure. When in use, the logging shifts from StrongDM logs to AWS logs. Having unified schemas and transactions ready for this is helpful for your security team.
  • If AWS single sign-on (SSO) is being used organization wide, the feature should be configured from the account that provides SSO to your organization.
  • Be vigilant of over-applied sts:assume in trust relations. For example, if using the trusted entity type of AWS account during role creation, the only condition to assume this role is that you must be assuming the role from the account given. The best practice is to observe least privilege when working with IAM roles.
  • Use the AWS managed policy called ReadOnlyAccess when there is possible doubt in the configuration.
  • If you are unsure about the configuration, diagram what the plan is and review it with a coworker.

Additional logging considerations

Before you proceed with configuration, note the following logging information.

  • If you use Remote Identities within StrongDM, your CloudTrail logs are augmented. The logs show the Remote Identity instead of the user email address.
  • If Remote Identities is not enabled, StrongDM includes the user’s email in the “assume role” request, which displays in CloudTrail.

Add the Resource

To add your AWS Management Console as a StrongDM cloud resource, use the following steps.

  1. Log in to the Admin UI.

  2. Go to Infrastructure > Clouds.

  3. Click Add cloud.

  4. Select either AWS Management Console or AWS Management Console (Static key pair) as the Cloud Type. Note that there are two types and they have different properties.

  5. Set the remaining AWS Management Console configuration properties or AWS Management Console (Static key pair) configuration properties.

  6. Click Create to create and save the resource.

    Add AWS Management Console
    Add AWS Management Console

Configuration notes

How you configure your resource properties depends on how you connect your AWS Management Console.

  • For a static key connection, select the static key pair cloud option and fill in the required fields.
  • To use an EC2 instance profile or ECS profile, select the AWS Management Console cloud type, and leave the Enable Environment Variables box unchecked.
  • For IAM roles with or without Remote Identities as a connection, select the AWS Management Console cloud type, and leave the Enable Environment Variables box unchecked. Use the Enable Environment Variables option when you have an AWS user profile configured on the gateway box for the local account running the gateway process (that is, an EC2 IAM role).
  • To use an AWS profile configured on the Gateway, select the AWS Management Console cloud type, and leave the Enable Environment Variables box unchecked.
  • To use environment variables, select the AWS Management Console cloud type and check the Enable Environment Variables box.

Credentials-reading order

During authentication with your AWS resource, the system looks for credentials in the following places in this order:

  1. Environment variables (if the Enable Environment Variables box is checked)
  2. EC2 role or ECS profile
  3. Shared credentials file

As soon as the relay or gateway finds credentials, it stops searching and uses them. Due to this behavior, we recommend that all similar AWS resources with these authentication options use the same method when added to StrongDM.

For example, if you are using environment variables for AWS Management Console and using EC2 role authentication for an EKS cluster, when users attempt to connect to the EKS cluster through the gateway or relay, the environment variables are found and used in an attempt to authenticate with the EKS cluster, which then fails. We recommend using the same type for all such resources to avoid this problem at the gateway or relay level. Alternatively, you can segment your network by creating subnets with their own relays and sets of resources, so that the relays can be configured to work correctly with just those resources.

Resource properties

Configuration properties are visible when you add a cloud resource or when you click to view its settings. The following tables describe the settings available for AWS Management Console and AWS Management Console (Static key pair) cloud resource types.

AWS Management Console properties

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Cloud TypeRequiredSelect AWS Management Console if you are using environment-loaded credentials for authentication
Secret StoreOptionalCredential store location; defaults to Strong Vault; learn more about Secret Store options
Enable Environment VariablesOptionalWhen selected, lets you use environment variables to authenticate connection even if EC2 roles are configured
RegionRequiredAWS region to connect to (for example, us-west-2)
Assume Role ARNRequiredAmazon Resource Name (ARN) role to assume after login (for example, arn:aws:iam::000000000000:role/RoleName); required in order to ensure that multiple relays or gateways do not authenticate using different credentials into the AWS Management Console
Assume Role External IDOptionalExternal ID role to assume after login (for example 12345)
Session Expiry SecondsOptionalLength of time, in seconds, of AWS Management Console sessions before needing to reauthenticate (for example, 3600); must be greater than 900 and less than 43200
HTTP SubdomainRequiredWhat is used as your local DNS address (for example, app-prod1 turns into http://app-prod1.<your-org-name>.sdm.network/)
AuthenticationRequiredSelect Leased Credential, which uses leased credentials to access the cloud, or Remote Identities, which uses the Remote Identities of StrongDM users to access the cloud
Healthcheck UsernameRequiredIf Authentication is set to Remote Identities, enter the username that should be used to verify StrongDM’s connection to it; the username must already exist in your AWS Management Console
Resource TagsOptionalEnter tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

AWS Management Console (Static key pair) properties

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Cloud TypeRequiredSelect AWS Management Console (Static key pair) if you are using an AWS static key pair for authentication
Secret StoreOptionalCredential store location; defaults to Strong Vault; learn more about Secret Store options
Acess Key IDRequiredString generated by AWS that comprises half of an access key (for example, AKIAIOSFODNN7EXAMPLE)
Secret Access KeyRequiredString generated by AWS that comprises the other half of an access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)
RegionRequiredAWS region to connect to (for example, us-west-2)
Assume Role ARNRequiredAmazon Resource Name (ARN) role to assume after login (for example, arn:aws:iam::000000000000:role/RoleName); required in order to ensure that multiple relays or gateways do not authenticate using different credentials into the AWS Management Console
Assume Role External IDOptionalExternal ID role to assume after login (for example 12345)
Session Expiry SecondsOptionalLength of time, in seconds, the AWS Management Console sessions live before needing to reauthenticate (for example, 3600); must be greater than 900 and less than 43200
HTTP SubdomainRequiredUsed as your local DNS address (for example app-prod1 turns into http://app-prod1.<your-org-name>.sdm.network/); note that each subdomain must be unique and not used by any other resource
AuthenticationRequiredSelect Leased Credential, which uses Leased Credentials to access the cloud, or Remote Identities, which uses the Remote Identities of StrongDM users to access the cloud
Healthcheck UsernameRequiredIf Authentication is set to Remote Identities, enter the username that should be used to verify StrongDM’s connection to it; note that the username must already exist in your AWS Management Console
Resource TagsOptionalEnter datasource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Secret Store Options

By default, resource credentials are stored in the Strong Vault. However, these credentials also can be saved in a third-party secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.