AWS Role-Based Authentication


Overview


IMPORTANT

The number in the AWS External ID text box (shown in the screenshot below) is used for AWS role and policy creation, and it is newly generated on each visit to the AWS setup page. If you navigate away from the page, or if your ZenGRC instance times out before you finish, the external ID is refreshed on your next visit to the page, and you must redo the steps using the new ID.


Creating an Identity Access Management Role in AWS


The first step in the connection is to create a configured Identity Access Management (IAM) role. To set up this role, log into your organization's AWS site, and complete the following steps:

  1. Open the IAM Console.
  2. Click Create Role.
  3. Under "Type of Trusted Entity," select the Another AWS account box.

  4. In Account ID, enter the following ZenGRC AWS ID: 197323206373. This grants ZenGRC read-only access to your AWS data.

  5. Select Require external ID.



  6. Selecting Require external ID generates another text box called External ID, which requires information from your ZenGRC instance.
  7. Copy the AWS External ID in your ZenGRC instance and paste it into the External ID text box in AWS.

    TIP

    The AWS External ID in your ZenGRC instance refreshes with a time out or when you navigate away from the page. Be aware that a new ID would require you to redo all steps in order to put the new ID in the External ID text box, as shown below.

  8. Click Next: Permissions.



  9. Click Create Policy. This opens a new window. Steps and code needed for the policy can be found in the next documentation sections.

Creating a Policy


Policy creation is a continuation of the steps documented above for adding an IAM role. You'll need to copy the code on the Code for Your Amazon Web Services Policy page and use it to populate the policy.

To create a policy, complete the following steps:

  1. Select the JSON tab.

  2. Paste the code from Code for Your Amazon Web Services Policy.

  3. Click Review Policy.

  4. Name the policy with an apt description, such as "ZenGRCAWSIntegrationPolicy."



  5. Click Create Policy. A successful submission refreshes the Policy page with a message at page top.



  6. Close this window to again display the “Create role” page.
  7. Refresh the list of policies and select the check box beside the policy you just created.



    TIP

    Use the search functionality to reduce the number of policies that display.

  8. Click Next: Tags.



  9. The Tags page is an optional step that you can bypass by clicking Next: Review.
  10. Create a role called "ZenGRCAWSIntegrationReadRole" with an optional description. The role must be named "ZenGRCAWSIntegrationReadRole" (without quotes) in order for the connection to work.

  11. Click Create Role.
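The trust relationship that steps 3 to 7 of the role creation configure through the console can also be written out and checked directly. The Python below is an added example, not code from Reciprocity or from the ZenGRC product: build_trust_policy produces the trust policy document that the "Another AWS account" plus "Require external ID" choices generate, and audit_trust_policy checks an existing trust policy (for instance one copied from the role's Trust relationships tab in the IAM console) for the three properties that matter for this connection: only the ZenGRC account 197323206373 may assume the role, an sts:ExternalId condition is present, and its value matches the ID currently shown in ZenGRC. The account ID and role name come from this page; the external ID value and the function names are assumptions.

```python
import json

# Account that assumes the role (ZenGRC AWS ID from step 4 of the role setup).
ZENGRC_ACCOUNT_ID = "197323206373"
# Required role name from step 10 of the policy/role setup.
ROLE_NAME = "ZenGRCAWSIntegrationReadRole"


def build_trust_policy(external_id: str) -> dict:
    """Trust policy equivalent to the console choices 'Another AWS account'
    plus 'Require external ID'. external_id is the value copied from the
    AWS External ID box in ZenGRC (a placeholder in the demo below)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ZENGRC_ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def audit_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return a list of findings for a role trust policy; an empty list means
    the policy only lets the ZenGRC account assume the role and only with
    the current external ID."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal can assume the role")
            continue
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if ZENGRC_ACCOUNT_ID not in p:
                findings.append(f"statement {i}: unexpected principal {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append(
                f"statement {i}: sts:ExternalId does not match the current ZenGRC value"
            )
    return findings


def audit_trust_policy_json(policy_text: str, expected_external_id: str) -> list:
    """Same audit for a trust policy pasted as JSON text."""
    return audit_trust_policy(json.loads(policy_text), expected_external_id)


if __name__ == "__main__":
    # Constructed placeholder; use the value shown in ZenGRC for a real role.
    current_id = "EXTERNAL-ID-FROM-ZENGRC"
    policy = build_trust_policy(current_id)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, current_id))
    # A role built with an earlier ID fails the audit after ZenGRC refreshed it.
    stale = build_trust_policy("OLD-ID")
    print("stale findings:", audit_trust_policy(stale, current_id))
```

The stale-ID case is the one the IMPORTANT and TIP notes above describe: the role itself is valid, but ZenGRC's AssumeRole call carries the new external ID and the condition no longer matches, so the connection test fails until the trust policy is updated.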

Accessing AWS and Finishing the Connection


After creating an IAM role in your AWS account, open your ZenGRC instance and access the AWS connector. 

NOTE

To access connectors, please see Introduction to ZenConnect.

To establish the connection between AWS and your ZenGRC instance, complete the following steps:

  1. Enter your AWS account number in the AWS Account ID text box.
  2. In the AWS Role ARN text box, enter the ARN of the role you just created, e.g. arn:aws:iam::123456789012:role/ZenGRCAWSIntegrationReadRole
  3. Click Save.

  4. A notification displays letting you know if the credentials are successful. Test the connection at any time by clicking Test.

Adding AWS Data to a Request


Once the connection is set up, adding AWS data to a request is conducted in the same manner as all the ZenGRC fetchers. For more information, please see Working with Fetchers, Controls, and Requests.


© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com