Configure authentication and permissions for AWS connectors
Before adding an AWS unified connector in DigiCert® Trust Lifecycle Manager, prepare the Amazon Web Services (AWS) credentials by selecting an authentication method and configuring the required permissions.
The way you set up authentication depends on the scope of the connector:
Organization scope: Connect to multiple accounts within an AWS organization.
Account scope: Connect to a specific AWS account.
Authentication methods
Trust Lifecycle Manager supports different methods for authenticating your Amazon Web Services (AWS) organization or account in an AWS unified connector.
Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.
Authentication method | Configuration parameters | Description |
|---|---|---|
Self-authentication (Direct input) |
| Enter the AWS credentials on the connector configuration page in Trust Lifecycle Manager. |
Self-authentication (Secrets manager) |
| Use AWS credentials stored in a privileged access management (PAM) platform via a secrets manager connector:
|
Default AWS credential provider chain | — | Use the default AWS credentials on the managing DigiCert sensor, as configured in one of the following ways:
|
AWS profile name |
| Use the AWS credentials from a named profile in the local AWS config and credentials files on the managing sensor, as described in the official AWS documentation. For the Profile name parameter, enter the name of the AWS profile to use on the sensor system. |
For the Default AWS credential provider chain and AWS profile name authentication methods, the managing DigiCert sensor looks for the AWS config and credentials files in the following default directories, depending on the sensor operating system (OS):
Required permissions
AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for organization scope or account scope. For organization scope, you can use either the management account or a member account for authentication.
Avviso
This following instructions focus on AWS-managed permissions, the recommended approach for ease of setup and maintenance. For information about using granular AWS permissions instead, see Granular permissions for AWS connectors.
To use the management account to authenticate an AWS unified connector with organization scope:
Make sure the AWS Account Management service is enabled for the AWS organization.
Create a user in the management account for the AWS organization, with the following AWS-managed permissions:
Permission
Purpose
AWSOrganizationsReadOnlyAccessList all member accounts in the organization.
AWSCertificateManagerFullAccessAccess and manage certificates in AWS Certificate Manager (ACM).
ElasticLoadBalancingFullAccessManage certificates associated with Elastic Load Balancing (ELB) listeners.
CloudFrontFullAccessManage certificates associated with CloudFront distributions.
IAMReadOnlyAccessDiscover IAM server certificates.
SecretsManagerReadWriteTemporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:
This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.
Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.
Apply the following inline custom policy to the management account user, to enable access to the AWS organization's member accounts via a common IAM role:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:GetSessionToken", "sts:GetAccessKeyInfo" ], "Resource": [ "arn:aws:iam::*:role/<Common IAM role name>" ] } ] }For the <Common IAM role name> parameter, provide the name of a common IAM role to use for setting up access to the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.
Nota
By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.
Make sure the common IAM role referenced in the previous step is applied to all the member accounts to manage, and includes the following AWS-managed permissions:
AWSCertificateManagerFullAccessElasticLoadBalancingFullAccessCloudFrontFullAccessIAMReadOnlyAccess
To use a member (non-management) account to authenticate an AWS unified connector with organization scope:
Make sure the AWS Account Management service is enabled for the AWS organization.
Create a user in the member account to use for authentication, with the following AWS-managed permissions:
Permission
Purpose
AWSOrganizationsReadOnlyAccessValidate access to the AWS Organizations service.
AWSCertificateManagerFullAccessAccess and manage certificates in AWS Certificate Manager (ACM).
ElasticLoadBalancingFullAccessManage certificates associated with Elastic Load Balancing (ELB) listeners.
CloudFrontFullAccessManage certificates associated with CloudFront distributions.
IAMReadOnlyAccessDiscover IAM server certificates.
SecretsManagerReadWriteTemporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:
This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.
Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.
Apply the following inline custom policy to the member account user, for accessing the AWS organization's other member accounts:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:GetSessionToken", "sts:GetAccessKeyInfo" ], "Resource": "arn:aws:iam::*:role/*" } ] }Create a custom role (for example,
CrossAccountAccess) in the management account, with the following properties:Trusts the user account created in step 2.
Includes the
AWSOrganizationsReadOnlyAccesspermission.(Optional) To discover certificates in the management account itself, also includes the
AWSCertificateManagerFullAccesspermission.
Create a custom role in all the child accounts to manage through the connector, with the following properties:
Same name as the custom role created in the management account in step 4.
Trusts the member account user created in step 2.
Includes the following AWS-managed permissions:
To authenticate an AWS unified connector with account scope, create an IAM user in the AWS account with the following AWS-managed permissions:
Permission | Purpose |
|---|---|
| Access and manage certificates in AWS Certificate Manager (ACM). |
| Manage certificates associated with Elastic Load Balancing (ELB) listeners. |
| Manage certificates associated with CloudFront distributions. |
| Discover IAM server certificates. |
| Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:
|
What's next
After setting up the AWS credentials to use for authentication, you're ready to add an AWS unified connector in Trust Lifecycle Manager.