Configure authentication and permissions for AWS connectors

Before adding an AWS unified connector in DigiCert® Trust Lifecycle Manager, prepare the Amazon Web Services (AWS) credentials by selecting an authentication method and configuring the required permissions.

The way you set up authentication depends on the scope of the connector:

Organization scope: Connect to multiple accounts within an AWS organization.
Account scope: Connect to a specific AWS account.

Authentication methods

Trust Lifecycle Manager supports different methods for authenticating your Amazon Web Services (AWS) organization or account in an AWS unified connector.

Supported AWS authentication methods

Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.

Authentication method	Configuration parameters	Description
Self-authentication (Direct input)	Access key Secret key	Enter the AWS credentials on the connector configuration page in Trust Lifecycle Manager.
Self-authentication (Secrets manager)	Secrets manager connector Access key Secret key	Use AWS credentials stored in a privileged access management (PAM) platform via a secrets manager connector: Select the Secrets manager connector to use. If there's only one available connector, it preselects. Enter references to the PAM vaults containing the Access key and Secret key. The reference format depends on the PAM service: BeyondTrust: Use the format SystemName/AccountName (for example, `AWSTLM/AdminAccount`). CyberArk: Use the format AccountName (for example, `My-AWS-credentials` ).
Default AWS credential provider chain	—	Use the default AWS credentials on the managing DigiCert sensor, as configured in one of the following ways: Environment variables: Configure the AWS credentials as environment variables on the sensor system, as described in the official AWS documentation. Default profile: Add the AWS credentials to the default profile in the AWS config and credentials files on the sensor system, as described in the official AWS documentation.
AWS profile name	Profile name	Use the AWS credentials from a named profile in the local AWS config and credentials files on the managing sensor, as described in the official AWS documentation. For the Profile name parameter, enter the name of the AWS profile to use on the sensor system.

AWS file locations on DigiCert sensors

For the Default AWS credential provider chain and AWS profile name authentication methods, the managing DigiCert sensor looks for the AWS config and credentials files in the following default directories, depending on the sensor operating system (OS):

DigiCert sensor OS	Default directory for AWS config and credentials files
Windows	C:\Windows\System32\config\systemprofile\.aws
Linux	/root/.aws
Docker	~/.aws/:/root/.aws (Note: Add this path under "volumes" in the docker-compose.yml file.)

DigiCert sensor OS

Default directory for AWS config and credentials files

Windows

C:\Windows\System32\config\systemprofile\.aws

Linux

/root/.aws

Docker

~/.aws/:/root/.aws

(Note: Add this path under "volumes" in the docker-compose.yml file.)

Required permissions

AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for organization scope or account scope. For organization scope, you can use either the management account or a member account for authentication.

Organization scope (management account)

To use the management account to authenticate an AWS unified connector with organization scope:

Make sure the AWS Account Management service is enabled for the AWS organization.

Create a user in the management account for the AWS organization, using one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions and inline custom policy.

Permission	Purpose
`AWSOrganizationsReadOnlyAccess`	List all member accounts in the organization.
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`CloudFrontFullAccess`	Manage certificates associated with CloudFront distributions.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

In addition to the above permissions, create an inline custom policy (as shown below) to access the AWS organization's member accounts from the management account via a common IAM role. For the <Common IAM role name> parameter, provide the name of a common IAM role that provides access to ACM and ELB in all the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole",
               "sts:GetSessionToken",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": [
               "arn:aws:iam::*:role/<Common IAM role name>"
            ]
       }
   ]
}

Notice

By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.

Common IAM role for member accounts

The common IAM role used for the member accounts must include one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- CloudFrontFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeAccountLimits
cloudfront:ListDistributions
cloudfront:GetDistribution
cloudfront:UpdateDistribution
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "account:ListRegions",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeAccountLimits",
                "cloudfront:ListDistributions",
		"cloudfront:GetDistribution",
		"cloudfront:UpdateDistribution",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListSigningCertificates",
                "iam:GetServerCertificate",
                "secretsmanager:ListSecrets",
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DeleteSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue",
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Common IAM role for member accounts

In addition, you need a common IAM role that provides access to ACM and ELB in all the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.

Notice

The common IAM role used for the member accounts must include one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- CloudFrontFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeAccountLimits
cloudfront:ListDistributions
cloudfront:GetDistribution
cloudfront:UpdateDistribution
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Organization scope (member account)

To use a member (non-management) account to authenticate an AWS unified connector with organization scope:

Make sure the AWS Account Management service is enabled for the AWS organization.
Follow the steps below to create a user in the member account and set up the required roles in the management account and child accounts.

Step 1: Create user in the member account

Create a user in the member account to use for authentication, using one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions and inline custom policy.

Permissions

Permission	Purpose
`AWSOrganizationsReadOnlyAccess`	Validate access to the AWS Organizations service.
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`CloudFrontFullAccess`	Manage certificates associated with CloudFront distributions.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Inline custom policy

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole",
               "sts:GetSessionToken",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": "arn:aws:iam::*:role/*"
       }
   ]
}

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "account:ListRegions",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeAccountLimits",
                "cloudfront:ListDistributions",
		"cloudfront:GetDistribution",
		"cloudfront:UpdateDistribution",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListSigningCertificates",
                "iam:GetServerCertificate",
                "secretsmanager:ListSecrets",
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DeleteSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue",
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Step 2: Create custom role in the management account

Create a custom role (for example, CrossAccountAccess) in the management account, with the following properties:

Trusts the user account created in step 1.
Includes the AWSOrganizationReadOnly permission.
(Optional) To discover certificates in the management account, also includes the AWSCertificateManagerFullAccess permission.

Step 3: Create custom role in all child accounts

Create a custom role in all the child accounts to manage through the connector, with the following properties:

Same name as the custom role created in the management account in step 2.
Trusts the user account created in step 1.

Includes one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- CloudFrontFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeAccountLimits
cloudfront:ListDistributions
cloudfront:GetDistribution
cloudfront:UpdateDistribution
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Account scope

To authenticate an AWS unified connector with account scope, create an IAM user in the AWS account and use one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions.

Permission	Purpose
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`CloudFrontFullAccess`	Manage certificates associated with CloudFront distributions.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": [
                                "acm:ListCertificates",
				"acm:DescribeCertificate",
				"acm:GetCertificate",
				"acm:ListTagsForCertificate",
				"acm:ImportCertificate",
				"acm:AddTagsToCertificate",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:ModifyLoadBalancerAttributes",
				"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
				"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
				"elasticloadbalancing:DescribeListenerAttributes",
				"elasticloadbalancing:DescribeListenerCertificates",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeSSLPolicies",
				"elasticloadbalancing:AddListenerCertificates",
				"elasticloadbalancing:ModifyListener",
				"elasticloadbalancing:ModifyListenerAttributes",
				"elasticloadbalancing:RemoveListenerCertificates",
				"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                                "elasticloadbalancing:DescribeAccountLimits",
                                "cloudfront:ListDistributions",
				"cloudfront:GetDistribution",
				"cloudfront:UpdateDistribution",
				"iam:ListServerCertificates",
				"iam:ListServerCertificateTags",
				"iam:ListSigningCertificates",
				"iam:GetServerCertificate",	
				"secretsmanager:ListSecrets",
				"secretsmanager:GetSecretValue",
				"secretsmanager:ListSecretVersionIds",
				"secretsmanager:DeleteSecret",
				"secretsmanager:CreateSecret",
				"secretsmanager:PutSecretValue"
			],
			"Resource": [
				"*"
			]
		}
	]
}

What's next

After setting up the AWS credentials to use for authentication, you're ready to add an AWS unified connector in Trust Lifecycle Manager.

In this section: