Cloud IAM
Introduction
This book will explain how to use the features of the senhasegura Cloud.
Symbols used in this cookbook
This book uses the following symbols to highlight information that should be taken into account for the best use of senhasegura:
Info - useful information that can make the use of the solution more dynamic
Caution - actions and items that cannot be ignored
commands: data that must be entered exactly as described in this book
URLs: paths to access web pages
<KEYS>: keyboard keys that will be used to perform actions
The module
The senhasegura Cloud module allows the management of identities and accesses to resources and services of Cloud providers.
In this module, you can manage Identity and Access Management (IAM) and access to the virtual machines of the Cloud Service Providers (CSP).
The administrator can manage these controls by defining who (identity) has access (roles) to which resources.
Access Groups
Creating an access group will help with permission settings and user approval flow.
Create Access Group
To create an access group go to the menu: Cloud ➔ Access control ➔ Access Groups
In the page actions, click on the New group option
In the form, enter the name of the group and whether it will be active or not.
On the Settings tab, select permissions:
Whether members of this group can create and edit other users in the providers' Cloud IAM. Select which user types can be created and edited by group members.
Whether they can delete other users. Select which user types can be deleted by group members.
You can create and edit accounts
You can delete accounts
You can create credentials
You can delete credentials
Select a Template for user creation, i.e. if this group has permission to create users, it must create them following the pattern established in the chosen template. To learn more about templates, see the section Configuration Templates in this manual.
Define whether this group will require approval to perform its activities. To do this, check or uncheck the boxes:
Requires justification: To carry out their activities, members must describe why they want to do it.
Requires approval: Needs the previous box to be checked, and will cause members to carry out their activities after a request has been sent and approved by another user.
Select how many approvals are required for the user to perform the requested activity.
Select the number of reprovals required to cancel the request, i.e. so that the user is not allowed to perform the activity.
Select whether there will be approval in levels, i.e. after a lower member's approval, a higher member can approve or disapprove the request.
Define whether it will be mandatory to specify a governance code when justifying.
Define whether managers will always be included in the group's list of approvers.
On the Criteria tab, define the criteria for displaying the module information to the members of the access group.
Info: You can enter an * (asterisk) if you want the group members to have unrestricted access.
On the Users tab, enter the members of the access group.
On the Approvers tab, enter the users who will approve requests from access group members.
To finish click on Save.
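The approval settings above (justification, approval count, reproval count and approval in levels) interact, so the following added example models how one request is decided from them. This is illustration code, not senhasegura's implementation; in particular the level rule (a higher-level decision only counts after a lower-level approval) is an assumption made for the example.

```python
from dataclasses import dataclass

# Added example, not senhasegura code. The level semantics below are an
# assumption for illustration, not documented product behaviour.


@dataclass(frozen=True)
class GroupSettings:
    requires_justification: bool
    requires_approval: bool      # only meaningful when justification is required
    approvals_required: int
    reprovals_required: int
    approval_in_levels: bool


@dataclass(frozen=True)
class Decision:
    approver: str
    level: int                   # 1 = lowest approver level
    approved: bool               # False means a reproval


def evaluate_request(settings: GroupSettings, justification: str,
                     decisions: list) -> str:
    """Return 'approved', 'rejected' or 'pending' for one member request."""
    if settings.requires_justification and not justification.strip():
        return "rejected"        # nothing to review without a justification
    if not (settings.requires_justification and settings.requires_approval):
        return "approved"        # no approval flow configured for this group

    approvals = reprovals = 0
    approved_levels = set()      # levels at which an approval has been counted
    for d in sorted(decisions, key=lambda x: x.level):
        if settings.approval_in_levels and d.level > 1:
            # Assumption: a level-N decision only counts once some lower
            # level has approved; until then it is ignored.
            if not any(lvl < d.level for lvl in approved_levels):
                continue
        if d.approved:
            approvals += 1
            approved_levels.add(d.level)
        else:
            reprovals += 1

    # Reprovals are checked first: a rejection quorum wins over approvals.
    if reprovals >= settings.reprovals_required:
        return "rejected"
    if approvals >= settings.approvals_required:
        return "approved"
    return "pending"
```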
Accounts
An account is used to establish communication between senhasegura and the Cloud Service Provider so that users can manage their credentials and virtual machines.
It is recommended to use a user with administrative privileges instead of the root user.
Register account
To register an account, follow the menu Cloud ➔ Settings ➔ Accounts.
Click on the actions button and select the option Add account.
On the Settings tab, fill in the following fields:
Fill in the optional fields and tags, if you want.
Check the box for the Cloud Provider to be configured and fill in the following fields:
AWS:
Fill in the field Access Key with the AWS Access Key ID
Fill in the field Secret Access Key with the secret of the AWS access key
Fill in the field Default Region with the default region of the AWS account
Check the box OpsWorks - Configuration management if you want to manage AWS OpsWorks users' SSH sessions and keys
Google Cloud:
Select the file with the access key to the Google Cloud account
To finish click on Confirm.
Create AWS Access Key
To generate an AWS access key so that you can register it with senhasegura Cloud, follow the steps below:
Log into your AWS account: https://console.aws.amazon.com/
Locate the service Identity and Access Management (IAM)
On the left side, click on Users
Click the Add user button
Fill in the field User name and under Access type check the option Programmatic access and click on the button Next: Permissions
Select the Attach existing policies directly option and add the AdministratorAccess policy
Click on the button Next: Tags
Insert the tags (optional) and click on the button Next: Review
Finally, click on the button Create user.
Copy the values of the Access key ID and Secret access key
Create Google Cloud Access Key
To generate a Google Cloud access key so that you can register it with the senhasegura Cloud, please sign in to your Google Cloud account.
Create a Service account
Select an existing project or create a new one
From the navigation menu, choose IAM & Admin ➔ Service Accounts
Click the CREATE SERVICE ACCOUNT button
Fill in the Service account name field and click the CREATE button
Click the DONE button
Generate Access Key
In the Service Accounts menu, click on the service account you have just created
Click the ADD KEY button and select the Create new key option
Select the JSON option and click the CREATE button
Finally, save the key in a safe place
Enable APIs
In the APIs & Services ➔ Library menu
Find the APIs listed below and click the ENABLE button
Cloud Resource Manager API
Cloud Asset API
Identity and Access Management (IAM) API
Create a custom Role
In the project selection, select the Organization and click on the Roles service in the side menu
Click the CREATE ROLE button and fill in the field Title with the name of the role you want to create
Click the ADD PERMISSIONS button and add the following permissions:
iam.roles.list
iam.serviceAccountKeys.create
iam.serviceAccountKeys.delete
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
Finally, click the CREATE button
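Because the role above is what the senhasegura service account will be bound to at the Organization level, it is worth checking later that nobody has widened it. The following added example (not senhasegura or Google code) parses the YAML that `gcloud iam roles describe` prints and reports permissions missing from, or added beyond, the list in this section. The sample describe output is constructed for the example; the organization id and role id in it are placeholders.

```python
# Added example, not senhasegura or Google code.
# The permission set this manual asks for in "Create a custom Role".
REQUIRED_PERMISSIONS = set("""
iam.roles.list
iam.serviceAccountKeys.create
iam.serviceAccountKeys.delete
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
""".split())

# Constructed sample of `gcloud iam roles describe ROLE --organization=ORG`
# output (YAML). One required permission is absent and one unrelated
# permission was added, which is the drift the audit should surface.
SAMPLE_ROLE_DESCRIBE = """\
includedPermissions:
- iam.roles.list
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.delete
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- iam.serviceAccounts.create
- iam.serviceAccounts.delete
- iam.serviceAccounts.get
- iam.serviceAccounts.list
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- storage.buckets.delete
name: organizations/ORG_ID_PLACEHOLDER/roles/ROLE_ID_PLACEHOLDER
stage: GA
title: senhasegura Cloud IAM
"""


def parse_included_permissions(describe_output: str) -> set:
    """Minimal line-based reader for the includedPermissions block only."""
    perms, in_block = set(), False
    for line in describe_output.splitlines():
        if line.startswith("includedPermissions:"):
            in_block = True
        elif in_block and line.startswith("- "):
            perms.add(line[2:].strip())
        elif in_block and line.strip() and not line.startswith(" "):
            break                      # next top-level key ends the block
    return perms


def audit_role(describe_output: str) -> dict:
    """Report required permissions that are missing and grants beyond the list."""
    granted = parse_included_permissions(describe_output)
    return {"missing": sorted(REQUIRED_PERMISSIONS - granted),
            "extra": sorted(granted - REQUIRED_PERMISSIONS)}
```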
Add the service account at the Organization level
Click on the IAM service in the side menu
Click the ADD button at the top of the page
In the field New members, enter the address of the service account you just created
In the field Select a role, select the previously created role
Click the SAVE button
Create Azure Access Key
To generate an Azure access key so that you can register it with the senhasegura Cloud, please sign in to your Azure account.
Create a service account
Log into your Azure account
Locate the service Azure Active Directory
In the menu located on the left side, click on App registrations
Click on New registration
Fill in the Name, Supported account types and Redirect URI fields.
Click the Register button
In the menu located on the left side, click on API permissions and select Microsoft Graph.
The required roles and permissions are:
Directory Role:
Global Administrator
Tenant root group role
Owner
API permissions:
Delegated:
Directory.AccessAsUser.All
Application:
Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All
Directory.Read.All
Directory.ReadWrite.All
Organization.ReadWrite.All
RoleManagement.ReadWrite.Directory
User.ManageIdentities.All
User.ReadWrite.All
Cloud IAM
Cloud Identity and Access Management (IAM) is a tool that helps users control access to resources and services in a Cloud Service Provider.
Here you can provision personal users and service accounts at Cloud providers in a centralized and controlled way.
Configuration Templates
Templates define how senhasegura users provision users and service accounts at Cloud providers without breaking the organization's rules.
Create configuration template
To do this go to the menu: Cloud ➔ Cloud IAM ➔ Templates.
In the report click the action button and choose the option Add Template
Enter the name of the template and select whether it will be active for use
In the field Mask, define how service account names must be formed. You can enter a prefix and/or suffix and, in braces, how many letters and numbers the service account name must contain, for example:
senhasegura-aaa-000
In this example the prefix is "senhasegura-", i.e. all service accounts created must begin this way. Inside the braces it was defined that the name must contain three letters, a hyphen and three numbers. The number of characters inside the braces is fixed by the template, but at provisioning time the users choose which letters and numbers are used, always within the limit set by the template. In this example the user can enter any combination of three letters and three numbers.
By selecting a department in the Department field, you define that the users provisioned with this template must be associated with the selected department.
Info: This field is not required, but it restricts the list of users available for the personal user provisioning process. If you do not want certain users to provision users outside a specific department, it is advisable to fill in this field.
To finish click on Confirm.
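As an added example of the mask rule described above (not senhasegura's own code), the function below turns a mask into a pattern and explains why a proposed service account name does not fit it. It assumes the braces form senhasegura-{aaa-000} from the description: text outside the braces is a fixed prefix/suffix, and inside the braces each a stands for one letter, each 0 for one digit, and any other character (such as the hyphen) is literal.

```python
import re

# Added example, not senhasegura code. Mask grammar assumed from the manual:
# prefix{body}suffix, where in body 'a' = one letter, '0' = one digit and
# any other character is literal.
_MASK = re.compile(r"^(?P<prefix>[^{}]*)\{(?P<body>[^{}]*)\}(?P<suffix>[^{}]*)$")


def mask_to_regex(mask: str) -> re.Pattern:
    """Compile a template mask into an anchored regular expression."""
    m = _MASK.match(mask)
    if m is None:
        raise ValueError(f"mask needs exactly one {{...}} group: {mask!r}")
    pieces = [re.escape(m.group("prefix"))]
    for ch in m.group("body"):
        if ch == "a":
            pieces.append("[A-Za-z]")
        elif ch == "0":
            pieces.append("[0-9]")
        else:
            pieces.append(re.escape(ch))
    pieces.append(re.escape(m.group("suffix")))
    return re.compile("^" + "".join(pieces) + "$")


def check_service_account_name(name: str, mask: str):
    """Return None when the name respects the mask, otherwise a short reason."""
    if mask_to_regex(mask).match(name):
        return None
    prefix, body, suffix = _MASK.match(mask).group("prefix", "body", "suffix")
    if not name.startswith(prefix):
        return f"must start with {prefix!r}"
    if not name.endswith(suffix):
        return f"must end with {suffix!r}"
    # The variable part is what sits between the fixed prefix and suffix.
    middle = name[len(prefix):len(name) - len(suffix)]
    if len(middle) != len(body):
        return f"variable part must be {len(body)} characters, got {len(middle)}"
    return f"variable part does not follow the letter/digit pattern {body!r}"
```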
Users
Users are considered to be those with personal console access to the cloud providers' accounts.
Synchronization of users and service accounts will not remove roles and permissions added directly at the Cloud provider. In this case the permissions are synced, bringing the new ones into senhasegura. If permissions are deactivated or removed inside senhasegura, they will be removed at the Cloud provider as well.
Create user
To create a user, go to the menu Cloud ➔ Cloud IAM ➔ Users.
Click the actions button and select the Add user option.
In the form select the senhasegura user that will have access to the accounts.
Caution: If you are within an access group that has a template defined, the user list may only display users from the department selected in the template.
In the Settings tab, select which provider you want to create the user at and fill in the rest of the fields:
User responsible: indicates which user of the senhasegura is responsible for the user at the cloud provider.
Caution: This information also defines which senhasegura user can log into an instance in the Virtual Machines module using this Cloud user.
TTL (seconds): defines the lifetime of the user and its credentials. The countdown starts at creation; when it reaches zero, the user is automatically deleted from the provider.
Description: Detailed user description
Tags: Tags used to make filter searches easier and to segregate the user in access groups
Select the tab corresponding to the Cloud Provider to be configured and fill out the following fields:
AWS:
Accounts: Select which accounts this user should be created under
Policies: Select the policies (permission group) that this user should have on the account. AWS limits up to 10 policies per user
Opsworks - Manage SSH Keys: Check this box if you want the user to be added to the AWS OpsWorks service and have senhasegura manage their SSH key
Google Cloud:
Organization roles: Select which roles (permission groups), accounts and organizations the user should be added to
Project roles: Select which roles (permission groups), accounts and projects the user should be added to
Azure:
Creation type: Select which user type is meant to be created. The options are: Create a user or invite a user
Roles: Select which roles (permission groups) the user must be added to
Groups: Select which groups the user must be added to.
To finish, click on Confirm.
Service Accounts
Service accounts are considered those of programmatic access, i.e. access of applications and machines to cloud providers' accounts.
Create Service Account
To create a service account, go to the menu: Cloud ➔ Cloud IAM ➔ Service accounts.
Click on the actions button and select the option Add service account.
In the form enter the name of the service account that will have access to the providers' accounts.
Caution: If you are a member of an access group that has a template defined, the name entered must follow the rule established in the template.
In the Settings tab, select which provider you want to create the service account at and fill in the rest of the fields:
User responsible: indicates which senhasegura user is responsible for the service account at the cloud provider.
TTL (seconds): defines the lifetime of the service account and its credentials. The countdown starts at creation; when it reaches zero, the service account is automatically deleted at the provider.
Description: detailed description of the service account
Tags: tags used to facilitate filter searches and segregate the service account into access groups
Select the tab corresponding to the Cloud Provider to be configured and fill out the following fields:
AWS:
Accounts: Select which accounts this service account should be created under
Policies: Select the policies (permission group) that this service account should have on the account. AWS limits up to 10 policies per service account
Opsworks - Manage SSH Keys: Check this box if you would like the service account to be added to the AWS OpsWorks service and the SSH key for it to be managed by the
Google Cloud:
Organization roles: Select which roles (permission groups), accounts and organizations the service account should be added to
Project roles: Select which roles (permission groups), accounts and projects the service account should be added to
Azure:
Supported Account Types: Specify who can use the service account
Redirect URI: A redirect URI is the location where the Microsoft identity platform redirects the user and sends security tokens after authentication
API Permissions: Select which permissions the service account must have
To finish, click on Confirm.
Credentials
Credentials are the access keys that give access to the account services at the Cloud provider.
Create credential
To create a credential, go to the menu: Cloud ➔ Cloud IAM ➔ Credentials.
Click on the actions button and select the option Add credential.
In the form fill in the following fields:
Provider: Select the provider where the credential should be created
Account: Select the account
User/Service account: Select the user or service account for which the credential will be created
TTL (seconds): Defines the lifetime of the credential. The countdown starts at creation; when it reaches zero, the credential is automatically deleted at the provider.
Environment: Environment in which the credential will be generated
System: System in which the credential will be generated
Description: Detailed description of the credential
Tags: Tags used to facilitate the search in the filters and segregate the credential in the access groups
To finish, click on Confirm.
View credential
To view a credential, follow the menu Cloud ➔ Cloud IAM ➔ Credentials.
In the report, go to the row of the credential you want to view and in the action column, click on the option Details
To see the secret of the credential, click on the Show/Hide password option
Caution: Only credentials generated by senhasegura will have their password stored. Those generated directly at the provider can only be viewed once.
Dynamic Provisioning Profiles
senhasegura allows you to create profiles with predefined information to provision service accounts and credentials via API calls.
In this case applications that request the creation of credentials and service accounts will obey the rules that have been determined in the template, such as the given validity (TTL).
Create Dynamic Provisioning Profile
To add a profile, access the profiles report via the path: Cloud ➔ Cloud IAM ➔ Dynamic Provisioning ➔ Profiles.
In the actions on the page, click on the Add profile option;
On the displayed page, select the account for which you want to create the profile;
In the form, fill in the Identifier field, which must be unique. The system will not accept an identifier with an existing name;
Check the box of each provider for which you want to create the profile. It is possible to select more than one provider;
For the AWS provider, fill in the following fields:
Select up to 10 policies. AWS itself defines this limit;
Set the default TTL (time to live) to delete service accounts automatically;
For Google Cloud provider, fill in the following fields:
Select in which project the service account should be created;
Select which roles this service account should be assigned at the Organization level;
Select which roles this service account should receive at the Project level;
Set the default TTL (time to live) to delete service accounts automatically;
Finally, click on Confirm to finish;
Enable Dynamic Provisioning Profile
Go to DSM ➔ Applications ➔ Applications
In the report look for the application you want to enable provisioning for and click the corresponding action button and choose the Change option.
On the Automatic provisioning tab, enable automatic provisioning of secrets
In the Cloud dynamic provisioning profile field, select the profile that should be used. You can select more than one profile.
To finish click on Save.
Virtual Machines
Integration with providers allows you to manage access to virtual machines. Using services such as AWS OpsWorks from Amazon Web Services (AWS), you can manage users' SSH keys and launch recorded sessions to virtual machines.
AWS OpsWorks
AWS OpsWorks is the AWS configuration management service that lets you create automations to configure servers and manage Amazon EC2 service instances.
Users
The users report displays all users managed by the senhasegura Cloud IAM that are active on the AWS OpsWorks service.
These users have SSH keys managed by senhasegura to be able to access the Stacks' instances they have access to.
Rotate user's SSH key
You can rotate users' SSH keys in two ways:
Automatically, through a password policy, which can be defined in the PAM module of senhasegura. Please refer to the Privileged Information Manual to understand how to create a password policy.
Manually, via the AWS OpsWorks user report of the Cloud module. To manually request the rotation of the user's SSH key in the AWS OpsWorks service, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Users
In the report look for the user you want to rotate the SSH key and click the corresponding action button and choose the Rotate SSH key option.
Caution: The synchronization time of the new key with the Stacks' instances depends on AWS OpsWorks, not on senhasegura, and until it is synchronized with the instances the user may not be able to access them.
View the user's SSH key
To view the user's current SSH key in the AWS OpsWorks service, follow the menu: Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Users.
In the report look for the user you want to view the SSH key and click the corresponding action button and choose the option View SSH key.
The senhasegura user, responsible for the AWS OpsWorks user, will be notified when another senhasegura user uses or views the key.
View User Stacks
To view which Stacks a user has access to and what permissions they have on them in the AWS OpsWorks service, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Users.
In the report search for the user you want to view Stacks and permissions and click the corresponding action button and choose the Details option.
Stacks
OpsWorks Stacks allows you to set automatic scaling of servers according to predefined schedules or in response to changes in traffic levels. In addition, it uses lifecycle hooks to orchestrate changes as the environment scales.
With them you can deploy and configure Amazon EC2 instances on each layer or connect other resources such as Amazon RDS databases.
To view the Stacks, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Stacks.
Instances
Instances are virtual machines of the Amazon EC2 service that are part of AWS OpsWorks Stacks.
When inside a Stack, they have the same configuration. In addition, users' SSH keys are replicated across all instances of the Stack that they have access to.
To view the instances, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Instances.
Remote Access
senhasegura ensures that users can run SSH sessions on Stacks instances in a monitored mode.
The accesses are performed using the SSH key of the user chosen in the report, and this access is recorded on video and can have its commands audited, depending on the rule set.
The session videos can be viewed through the PAM module: PAM ➔ Access Control ➔ Remote Sessions. See the Proxy Manual for more details.
Access Instance
To perform an instance access, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Remote access.
In the report, search for the user and instance you want to start the session with and click the Start session icon
Only the instances of users for whom the logged-in user is responsible, or those allowed by the rules of the access group he belongs to, will be displayed.
Dashboard
The senhasegura cloud module has a dashboard section for viewing data such as: Accounts per provider, Access keys per provider, Users per account, and others.
To access all the graphs and boards in this module go through the menu: Cloud ➔ Dashboards ➔ Cloud IAM. In this section you will find:
Providers registered in the system
Accounts registered in this module
Access keys registered in this module
Users in more than one cloud in the system
Users who are in more than one secret of the DSM module
Keys in more than one secret of the DSM module
Percentage of accounts per provider
Percentage of users per provider
Percentage of access keys per provider
Percentage of users per account
Percentage of access keys per account
Number of users and access keys created per day