Version: 3.21

Cloud IAM

Introduction

This book will explain how to use the features of the senhasegura Cloud.

Symbols used in this cookbook

This book uses the following symbols to highlight information that should be taken into account for the best use of senhasegura:

info

Info - useful information that can make the use of the solution more dynamic

caution

Caution - actions and items that cannot be ignored

  • commands : data that must be entered in the same way as described in this book

  • URLs : paths to access web pages.
  • <KEYS> : keyboard paths that will be used to perform actions.

The module

The senhasegura Cloud module allows the management of identities and accesses to resources and services of Cloud providers.

In this module, you can manage the Identity Access Management (IAM) and access to the virtual machines of the Cloud Service Providers (CSP).

The administrator can manage these controls by defining who (identity) has access (roles) to which resources.

Access Groups

Creating an access group will help with permission settings and user approval flow.

Create Access Group

To create an access group go to the menu: Cloud ➔ Access control ➔ Access Groups

  1. In the page actions, click on the New group option

  2. In the form include the name of the group and whether it will be active or not

  3. On the Settings tab, select permissions:

    • Whether members of this group can create and edit other users in the providers' Cloud IAM. Select which user types can be created and edited by group members.

    • Whether they can delete other users. Select which user types can be deleted by group members.

    • Whether they can create and edit accounts

    • Whether they can delete accounts

    • Whether they can create credentials

    • Whether they can delete credentials

  4. Select a Template for user creation, i.e. if this group has permission to create users it must create them following the pattern established in the chosen template. To learn more about templates, see the section Configuration Templates in this manual.

  5. Define whether this group will require approval to perform its activities. To do this, check or uncheck the boxes:

    • Requires justification: To carry out their activities, members must describe why they want to do it.

    • Requires approval: Needs the previous box to be checked, and will cause members to carry out their activities only after a request has been sent and approved by another user.

      • Select how many approvals are required for the user to perform the requested activity.

      • Select the number of disapprovals required to cancel the request, i.e. after which the user is not allowed to perform the activity.

      • Select whether approval will be in levels, i.e. after a lower-level member's approval, a higher-level member can approve or disapprove the request.

      • Define whether it will be mandatory to specify a governance code when justifying.

      • Define whether managers will always be included in the group's list of approvers.

  6. On the Criteria tab, define the criteria for displaying the module information to the members of the access group.

    info

    You can enter an * (asterisk) if you want the group members to have unrestricted access.

  7. On the Users tab, enter the members of the access group.

  8. On the Approvers tab, enter the users who will approve requests from access group members.

  9. To finish click on Save.

Accounts

An account is used to establish communication between senhasegura and the Cloud Service Provider so that users can manage their credentials and virtual machines.

info

It is recommended to use a user with administrative privileges instead of the root user.

Register account

To register an account, follow the menu Cloud ➔ Settings ➔ Accounts.

  1. Click on the actions button and select the option Add account.

  2. On the Settings tab, fill in the following fields

  3. Fill in the remaining fields and tags, if you want

  4. Check the box for the Cloud Provider to be configured and fill in the following fields:

    1. AWS:

      1. Fill in the field Access Key with the AWS Access Key ID

      2. Fill in the field Secret Access Key with the secret of the AWS access key

      3. Fill in the field Default Region with the default region of the AWS account

      4. Check the box OpsWorks - Configuration management if you want to manage AWS OpsWorks users' SSH sessions and keys

    2. Google Cloud:

      1. Select the file with the access key to the Google Cloud account

  5. To finish click on Confirm.

Create AWS Access Key

To generate an AWS access key so that you can register it with senhasegura Cloud, follow the steps below:

  1. Log into your AWS account: https://console.aws.amazon.com/

  2. Locate the service Identity and Access Management (IAM)

  3. On the left side, click on Users

  4. Click the Add user button

  5. Fill in the field User name and under Access type check the option Programmatic access and click on the button Next: Permissions

  6. Select the Attach existing policies directly option and add the AdministratorAccess policy

  7. Click on the button Next: Tags

  8. Insert the tags (optional) and click on the button Next: Review

  9. Finally, click on the button Create user.

  10. Copy the values of the Access key ID and Secret access key

Create Google Cloud Access Key

To generate a Google Cloud access key so that you can register it with the senhasegura Cloud, please sign in to your Google Cloud account.

  1. Create a Service account

    1. Select an existing project or create a new one

    2. From the navigation menu, choose the IAM & Admin, Service Accounts option

    3. Click the CREATE SERVICE ACCOUNT button

    4. Fill in the Service account name fields and click the CREATE button

    5. Click the DONE button

  2. Generate Access Key

    1. In the Service Accounts menu, click on the service account we have just created

    2. Click the ADD KEY button and select the Create new key option

    3. Select the JSON option and click the CREATE button

    4. Finally, save the key in a safe place

  3. Enable APIs

    1. Go to the APIs & Services ➔ Library menu

    2. Find the APIs listed below and click the ENABLE button

      • Cloud Resource Manager API

      • Cloud Asset API

      • Identity and Access Management (IAM) API

  4. Create a custom Role

    1. In the project selection, select the Organization and click on the Roles service in the side menu

    2. Click the CREATE ROLE button and fill in the fields

      1. Title with the name of the role you want to create

      2. Click the ADD PERMISSIONS button and add the following permissions:

        • iam.roles.list

        • iam.serviceAccountKeys.create

        • iam.serviceAccountKeys.delete

        • iam.serviceAccountKeys.get

        • iam.serviceAccountKeys.list

        • iam.serviceAccounts.create

        • iam.serviceAccounts.delete

        • iam.serviceAccounts.get

        • iam.serviceAccounts.list

        • resourcemanager.organizations.get

        • resourcemanager.organizations.getIamPolicy

        • resourcemanager.organizations.setIamPolicy

        • resourcemanager.projects.get

        • resourcemanager.projects.getIamPolicy

        • resourcemanager.projects.list

        • resourcemanager.projects.setIamPolicy

      3. Finally, click the CREATE button

  5. Add service account at Organization

    1. Click on the IAM service in the side menu

    2. Click the ADD button at the top of the page

    3. Enter in the field New members the address of the service account you just created

    4. In the field Select a role, select the previously created role

    5. Click the SAVE button

Create Azure Access Key

To generate an Azure access key so that you can register it with the senhasegura Cloud, please sign in to your Azure account.

  1. Create a service account

    1. Log into your Azure account

    2. Locate the service Azure Active Directory

    3. In the menu located on the left side, click on Application register

    4. Click on New register

    5. Fill in the Name, Support account type and URI redirect fields.

    6. Click the Register button

  2. In Azure, select:

    1. In the menu located on the left side, click on API permissions

    2. Select the Microsoft Graph

    3. The required permissions are:

      • Directory Role:

        • Global Administrator

        • Tenant root group role

        • Owner

      • API permissions:

        • Delegated:

          • Directory.AccessAsUser.All

        • Application:

          • Application.ReadWrite.All

          • AppRoleAssignment.ReadWrite.All

          • Directory.Read.All

          • Directory.ReadWrite.All

          • Organization.ReadWrite.All

          • RoleManagement.ReadWrite.Directory

          • User.ManageIdentities.All

          • User.ReadWrite.All

Cloud IAM

Cloud Identity and Access Management (IAM) is a tool that helps users control access to resources and services in a Cloud Service Provider.

Here you can provision personal users and service accounts at Cloud providers in a centralized and controlled way.

Configuration Templates

Templates define how senhasegura users provision users and service accounts to Cloud providers without breaking the rules of the organization.

Create configuration template

To do this, go to the menu: Cloud ➔ Cloud IAM ➔ Templates.

  1. In the report click the action button and choose the option Add Template

  2. Enter the name of the template and select whether it will be active for use

  3. In the field Mask, define how the service account names must be formed. You can enter a prefix and/or suffix and, in braces, how many letters and numbers the service account name must have, for example: senhasegura-aaa-000. In this example the prefix is "senhasegura-", i.e. all service accounts created must begin this way. Within the braces it was defined that the name must contain three letters, a hyphen and three numbers. The number of characters within the braces is fixed by the template, but at the time of provisioning the user chooses which letters and numbers are used, always within the template limit. In this example the user can include any combination of three letters and three numbers.

  4. By selecting a department in the Department field you will define that when using this template the users that can be provisioned must be associated with this selected department.

    info

    This field is not required, but it restricts the list of users available for the personal user provisioning process. So if you do not want users outside a specific department to be provisioned, it is advisable to fill out this field.

  5. To finish click on Confirm.
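As an added illustration of the mask rule described in step 3 (this is example code, not part of senhasegura), the Python check below compiles a template mask into a pattern and validates requested service-account names. It assumes the brace syntax "senhasegura-{aaa-000}", where a stands for one letter and 0 for one digit, and treats every other character as literal.

```python
import re

# Assumed mask alphabet (the manual does not spell out the exact syntax):
# 'a' = one letter, '0' = one digit, anything else inside or outside the
# braces is matched literally (prefix, suffix, hyphens).
_TOKEN = {"a": "[A-Za-z]", "0": "[0-9]"}


def mask_to_regex(mask: str) -> re.Pattern:
    """Compile a template mask such as 'senhasegura-{aaa-000}' into an anchored regex."""
    if mask.count("{") != mask.count("}"):
        raise ValueError(f"unbalanced braces in mask: {mask!r}")
    parts = []
    inside = False
    for ch in mask:
        if ch == "{":
            inside = True
        elif ch == "}":
            inside = False
        elif inside:
            parts.append(_TOKEN.get(ch, re.escape(ch)))   # variable part chosen at provisioning
        else:
            parts.append(re.escape(ch))                   # prefix/suffix must match exactly
    return re.compile("^" + "".join(parts) + "$")


def matches_mask(mask: str, name: str) -> bool:
    """True if the requested service-account name follows the template mask."""
    return mask_to_regex(mask).match(name) is not None


def check_names(mask: str, names: list) -> dict:
    """Validate a batch of requested names; returns name -> accepted."""
    return {n: matches_mask(mask, n) for n in names}


# Constructed sample requests against the mask from the manual's example.
SAMPLE_MASK = "senhasegura-{aaa-000}"
SAMPLE_NAMES = [
    "senhasegura-abc-123",   # three letters, hyphen, three digits: accepted
    "senhasegura-ab-123",    # only two letters: rejected
    "senhasegura-abc-12a",   # letter where a digit is required: rejected
    "prod-senhasegura-abc-123",  # wrong prefix: rejected
]

if __name__ == "__main__":
    for name, ok in check_names(SAMPLE_MASK, SAMPLE_NAMES).items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```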

Users

Users are considered to be those with personal console access to the cloud providers' accounts.

caution

Synchronization of users and service accounts will not remove roles and permissions added directly in the Cloud. In this case the permissions will be synced, bringing the new ones into senhasegura. If permissions are deactivated or removed inside senhasegura, they will be released in the Cloud.
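To make the asymmetry in this caution concrete, the following added example (not senhasegura code) models one sync pass over a single identity: permissions granted directly at the provider are imported and never removed, while permissions deactivated or removed in senhasegura are listed for release at the provider. It assumes that "released" means revoked at the provider, and uses constructed permission names in the Google Cloud style.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RecordedPermissions:
    """What senhasegura records for one cloud user or service account (constructed model)."""
    active: set = field(default_factory=set)
    # deactivated or removed inside senhasegura, pending release at the provider
    inactive: set = field(default_factory=set)


@dataclass
class SyncResult:
    updated: RecordedPermissions
    imported: set             # added directly in the cloud: brought into senhasegura, not removed
    to_release: set           # inactive in senhasegura: released (assumed: revoked) at the provider
    missing_at_provider: set  # active in senhasegura but absent at the provider: flagged for review


def reconcile(recorded: RecordedPermissions, at_provider: set) -> SyncResult:
    """One sync pass following the caution's rules."""
    imported = at_provider - recorded.active - recorded.inactive
    to_release = at_provider & recorded.inactive
    missing = recorded.active - at_provider
    updated = RecordedPermissions(active=recorded.active | imported,
                                  inactive=set(recorded.inactive))
    return SyncResult(updated, imported, to_release, missing)


def drift_report(recorded: RecordedPermissions, at_provider: set) -> list:
    """Reviewer-facing lines: what the sync imported, what it releases, what to look into."""
    r = reconcile(recorded, at_provider)
    lines = [f"IMPORTED (granted directly in the cloud): {p}" for p in sorted(r.imported)]
    lines += [f"RELEASED (removed in senhasegura): {p}" for p in sorted(r.to_release)]
    lines += [f"MISSING at provider (review): {p}" for p in sorted(r.missing_at_provider)]
    return lines


# Constructed sample: one service account as seen from both sides.
SAMPLE_RECORDED = RecordedPermissions(
    active={"iam.roles.list", "iam.serviceAccounts.get"},
    inactive={"resourcemanager.projects.setIamPolicy"},
)
SAMPLE_AT_PROVIDER = {
    "iam.roles.list",
    "resourcemanager.projects.setIamPolicy",  # still live, but inactive in senhasegura
    "iam.serviceAccountKeys.create",          # granted directly in the cloud console
}

if __name__ == "__main__":
    for line in drift_report(SAMPLE_RECORDED, SAMPLE_AT_PROVIDER):
        print(line)
```

The IMPORTED lines are the ones worth alerting on: they are grants that bypassed the approval flow configured in the access group.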

Create user

To create a user, go to the menu Cloud ➔ Cloud IAM ➔ Users.

  1. Click the actions button and select the Add user option.

  2. In the form select the senhasegura user that will have access to the accounts.

    caution

    If you are in an access group that has a template defined, the user list may only display users from the department selected in the template.

  3. In the Settings tab, select which provider you want to create the user at and fill in the rest of the fields:

    • User responsible: indicates which user of the senhasegura is responsible for the user at the cloud provider.

      caution

      This information also defines which senhasegura user can log into an instance in the Virtual Machines module using this Cloud user.

    • TTL (seconds): defines the lifetime of the user and its credentials. The countdown starts at creation; when it reaches zero the user is automatically deleted from the provider.

    • Description: Detailed user description

    • Tags: Tags used to make filter searches easier and to segregate the user in access groups

  4. Select the tab corresponding to the Cloud Provider to be configured and fill out the following fields:

    • AWS:

      • Accounts: Select which accounts this user should be created under

      • Policies: Select the policies (permission group) that this user should have on the account. AWS limits up to 10 policies per user

      • Opsworks - Manage SSH Keys: Check this box if you want the user to be added to the AWS OpsWorks service and have senhasegura manage their SSH key

    • Google Cloud:

      • Organization roles: Select which roles (permission groups), accounts and organizations the user should be added to

      • Project roles: Select which roles (permission groups), accounts and projects the user should be added to

    • Azure:

      • Creation type: Select which user type is meant to be created. The options are: Create a user or invite a user

      • Roles: Select which roles (permission groups) the user must be added to

      • Groups: Select which groups the user must be added to.

  5. To finish, click on Confirm.

Service Accounts

Service accounts are considered those of programmatic access, i.e. access of applications and machines to cloud providers' accounts.

Create Service Account

To create a service account, go to the menu: Cloud ➔ Cloud IAM ➔ Service accounts.

  1. Click on the actions button and select the option Add service account.

  2. In the form enter the name of the service account that will have access to the providers' accounts.

    caution

    If you are a member of an access group that has a template defined, the name entered must follow the rule established in the template.

  3. In the Settings tab, select which provider you want to create the service account at and fill in the rest of the fields:

    • User responsible: indicates which senhasegura user is responsible for the service account at the cloud provider.

    • TTL (seconds): defines the lifetime of the service account and its credentials. The countdown starts at creation; upon expiration the service account is automatically deleted at the provider.

    • Description: detailed description of the service account

    • Tags: tags used to facilitate filter searches and segregate the service account into access groups

  4. Select the tab corresponding to the Cloud Provider to be configured and fill out the following fields:

    • AWS:

      • Accounts: Select which accounts this service account should be created under

      • Policies: Select the policies (permission group) that this service account should have on the account. AWS limits up to 10 policies per service account

      • Opsworks - Manage SSH Keys: Check this box if you would like the service account to be added to the AWS OpsWorks service and the SSH key for it to be managed by the

    • Google Cloud:

      • Organization roles: Select which roles (permission groups), accounts and organizations the service account should be added to

      • Project roles: Select which roles (permission groups), accounts and projects the service account should be added to

    • Azure:

      • Supported Account Types: Specify who can use the service account

      • URI redirect: A redirect URI is the location where the Microsoft identity platform redirects a user and sends security tokens after authentication

      • API Permissions: Select which permissions the service account must have

  5. To finish, click on Confirm.

Credentials

Credentials are the access keys that give access to the account services at the Cloud provider.

Create credential

To create a credential, go to the menu: Cloud ➔ Cloud IAM ➔ Credentials.

  1. Click on the actions button and select the option Add credential.

  2. In the form fill in the following fields:

    • Provider: Select the provider where the credential should be created

    • Account: Select the account

    • User/Service account: Select the user or service account for which the credential will be created

    • TTL (seconds): Defines the lifetime of the credential. The countdown starts at creation; when it reaches zero the credential is automatically deleted in the provider.

    • Environment: Environment in which the credential will be generated

    • System: System in which the credential will be generated

    • Description: Detailed description of the credential

    • Tags: Tags used to facilitate the search in the filters and segregate the credential in the access groups

  3. To finish, click on Confirm.

View credential

To view a credential, follow the menu Cloud ➔ Cloud IAM ➔ Credentials.

  1. In the report, go to the row of the credential you want to view and in the action column, click on the option Details

  2. To see the secret of the credential click on the Show/Hide password option

    caution

    Only credentials generated by senhasegura will have their password stored. Those generated directly by the provider can only be viewed once.

Dynamic Provisioning Profiles

senhasegura allows you to create profiles with predefined information to provision service accounts and credentials via API calls.

In this case applications that request the creation of credentials and service accounts will obey the rules that have been determined in the template, such as the given validity (TTL).

Create Dynamic Provisioning Profile

To add a profile, access the profiles report via the path: Cloud ➔ Cloud IAM ➔ Dynamic Provisioning ➔ Profiles.

  1. In the actions on the page, click on the Add profile option;

  2. On the displayed page, select the account in which you want to create the profile;

  3. In the form, fill in the Identifier field, which must be unique. The system will not accept an identifier with an existing name;

  4. Check the box of each provider for which you want to create the profile. It is possible to select more than one provider;

  5. For the AWS provider, fill in the following fields:

    1. Select up to 10 policies. AWS itself defines this limit;

    2. Set the default TTL (time to live) to delete service accounts automatically;

  6. For the Google Cloud provider, fill in the following fields:

    1. Select in which project the service account should be created;

    2. Select which roles this service account should be assigned at the Organization level;

    3. Select which roles this service account should receive at the Project level;

    4. Set the default TTL (time to live) to delete service accounts automatically;

  7. Finally, click on Confirm to finish.

Enable Dynamic Provisioning Profile

  1. Go to DSM ➔ Applications ➔ Applications

  2. In the report look for the application you want to enable provisioning for and click the corresponding action button and choose the Change option.

  3. On the Automatic provisioning tab, enable automatic provisioning of secrets

  4. In the Cloud dynamic provisioning profile field select the profile that should be used. You can select more than one profile.

  5. To finish click on Save.

Virtual Machines

Integration with providers allows you to manage access to virtual machines. Using services such as AWS OpsWorks from Amazon Web Services (AWS), you can manage users' SSH keys and launch recorded sessions to virtual machines.

AWS OpsWorks

AWS OpsWorks is the AWS configuration management service that lets you create automations to configure servers and manage Amazon EC2 service instances.

Users

The users report displays all users managed by the senhasegura Cloud IAM that are active on the AWS OpsWorks service.

These users have SSH keys managed by senhasegura to be able to access the Stacks' instances they have access to.

Rotate user's SSH key

You can rotate users' SSH keys in two ways:

  1. Automatically, through a password policy, which can be defined in the PAM module of senhasegura. Please refer to the Privileged Information Manual to understand how to create a password policy.

  2. Manually, via the AWS OpsWorks user report in the Cloud module. To request the rotation of a user's SSH key in the AWS OpsWorks service, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Users. In the report, look for the user whose SSH key you want to rotate, click the corresponding action button and choose the Rotate SSH key option.

    caution

    The synchronization time of the new key with the Stacks' instances depends on AWS OpsWorks, not on senhasegura; until the key is synchronized with the instances, the user may not be able to access them.

View the user's SSH key

To view the user's current SSH key in the AWS OpsWorks service, follow the menu: Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Users.

In the report, look for the user whose SSH key you want to view, click the corresponding action button and choose the option View SSH key.

info

The senhasegura user, responsible for the AWS OpsWorks user, will be notified when another senhasegura user uses or views the key.

View User Stacks

To view which Stacks a user has access to and what permissions they have on them in the AWS OpsWorks service, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Users.

In the report, search for the user whose Stacks and permissions you want to view, click the corresponding action button and choose the Details option.

Stacks

OpsWorks Stacks allows you to set automatic scaling of servers according to predefined schedules or in response to changes in traffic levels. In addition, it uses lifecycle hooks to orchestrate changes as the environment scales.

With them you can deploy and configure Amazon EC2 instances on each layer or connect other resources such as Amazon RDS databases.

To view the Stacks, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Stacks.

Instances

Instances are virtual machines of the Amazon EC2 service that are part of AWS OpsWorks Stacks.

When inside a Stack, they have the same configuration. In addition, users' SSH keys are replicated across all instances of the Stack that they have access to.

To view the instances, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Instances.

Remote Access

senhasegura ensures that users can run SSH sessions on Stacks' instances in a monitored mode.

The accesses are performed using the SSH key of the user chosen in the report, and this access is recorded on video and can have its commands audited, depending on the rule set.

info

    The session videos can be viewed through the PAM module: PAM ➔ Access Control ➔ Remote Sessions. See the Proxy Manual for more details.

Access Instance

To perform an instance access, follow the menu Cloud ➔ Virtual Machines ➔ AWS ➔ OpsWorks ➔ Remote access.

In the report, search for the user and instance you want to start the session with and click the Start session icon.

caution

Only instances that the user is responsible for, or that the rules of the access group they belong to allow, will be displayed.

Dashboard

The senhasegura Cloud module has a dashboard section for viewing data such as: Accounts per provider, Access keys per provider, Users per account, and others.

To access all the graphs and boards in this module go through the menu: Cloud ➔ Dashboards ➔ Cloud IAM. In this section you will find:

  • Providers registered in the system

  • Accounts registered in this module

  • Access keys registered in this module

  • Users in more than one cloud in the system

  • Users who are in more than one secret of the DSM module

  • Keys in more than one secret of the DSM module

  • Percentage of accounts per provider

  • Percentage of users per provider

  • Percentage of access keys per provider

  • Percentage of users per account

  • Percentage of access keys per account

  • Number of users and access keys created per day