Skip to main content

Configure authentication and permissions for AWS connectors

Before adding an AWS unified connector in DigiCert​​®​​ Trust Lifecycle Manager, prepare the Amazon Web Services (AWS) credentials by selecting an authentication method and configuring the required permissions.

The way you set up authentication depends on the scope of the connector:

  • Organization scope: Connect to multiple accounts within an AWS organization.

  • Account scope: Connect to a specific AWS account.

Authentication methods

Trust Lifecycle Manager supports different methods for authenticating your Amazon Web Services (AWS) organization or account in an AWS unified connector.

Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.

Authentication method

Configuration parameters

Description

Self-authentication (Direct input)

  • Access key

  • Secret key

Enter the AWS credentials on the connector configuration page in Trust Lifecycle Manager.

Self-authentication (Secrets manager)

  • Secrets manager connector

  • Access key

  • Secret key

Use AWS credentials stored in a privileged access management (PAM) platform via a secrets manager connector:

  1. Select the Secrets manager connector to use. If there's only one available connector, it preselects.

  2. Enter references to the PAM vaults containing the Access key and Secret key. The reference format depends on the PAM service:

    • BeyondTrust: Use the format SystemName/AccountName (for example, AWSTLM/AdminAccount).

    • CyberArk: Use the format AccountName (for example, My-AWS-credentials ).

    • Delinea: Use the format SecretID/FieldSlug (for example, 1234/My-AWS-credentials). If no FieldSlug is specified, 'password' is used by default.

Default AWS credential provider chain

Use the default AWS credentials on the managing DigiCert sensor, as configured in one of the following ways:

  • Environment variables: Configure the AWS credentials as environment variables on the sensor system, as described in the official AWS documentation.

  • Default profile: Add the AWS credentials to the default profile in the AWS config and credentials files on the sensor system, as described in the official AWS documentation.

AWS profile name

  • Profile name

Use the AWS credentials from a named profile in the local AWS config and credentials files on the managing sensor, as described in the official AWS documentation. For the Profile name parameter, enter the name of the AWS profile to use on the sensor system.

For the Default AWS credential provider chain and AWS profile name authentication methods, the managing DigiCert sensor looks for the AWS config and credentials files in the following default directories, depending on the sensor operating system (OS):

Required permissions

AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for organization scope or account scope. For organization scope, you can use either the management account or a member account for authentication.

Let op

This following instructions focus on AWS-managed permissions, the recommended approach for ease of setup and maintenance. For information about using granular AWS permissions instead, see Granular permissions for AWS connectors.

To use the management account to authenticate an AWS unified connector with organization scope:

  1. Make sure the AWS Account Management service is enabled for the AWS organization.

  2. Create a user in the management account for the AWS organization, with the following AWS-managed permissions:

    Permission

    Purpose

    AWSOrganizationsReadOnlyAccess

    List all member accounts in the organization.

    AWSCertificateManagerFullAccess

    Access and manage certificates in AWS Certificate Manager (ACM).

    ElasticLoadBalancingFullAccess

    Manage certificates associated with Elastic Load Balancing (ELB) listeners.

    CloudFrontFullAccess

    Manage certificates associated with CloudFront distributions.

    IAMReadOnlyAccess

    Discover IAM server certificates.

    SecretsManagerReadWrite

    Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:

    • This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.

    • Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

  3. Apply the following inline custom policy to the management account user, to enable access to the AWS organization's member accounts via a common IAM role:

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole",
                   "sts:GetSessionToken",
                   "sts:GetAccessKeyInfo"
                ],
                "Resource": [
                   "arn:aws:iam::*:role/<Common IAM role name>"
                ]
           }
       ]
    }

    For the <Common IAM role name> parameter, provide the name of a common IAM role to use for setting up access to the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.

    Opmerking

    By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.

  4. Make sure the common IAM role referenced in the previous step is applied to all the member accounts to manage, and includes the following AWS-managed permissions:

    • AWSCertificateManagerFullAccess

    • ElasticLoadBalancingFullAccess

    • CloudFrontFullAccess

    • IAMReadOnlyAccess

To use a member (non-management) account to authenticate an AWS unified connector with organization scope:

  1. Make sure the AWS Account Management service is enabled for the AWS organization.

  2. Create a user in the member account to use for authentication, with the following AWS-managed permissions:

    Permission

    Purpose

    AWSOrganizationsReadOnlyAccess

    Validate access to the AWS Organizations service.

    AWSCertificateManagerFullAccess

    Access and manage certificates in AWS Certificate Manager (ACM).

    ElasticLoadBalancingFullAccess

    Manage certificates associated with Elastic Load Balancing (ELB) listeners.

    CloudFrontFullAccess

    Manage certificates associated with CloudFront distributions.

    IAMReadOnlyAccess

    Discover IAM server certificates.

    SecretsManagerReadWrite

    Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:

    • This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.

    • Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

  3. Apply the following inline custom policy to the member account user, for accessing the AWS organization's other member accounts:

    {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "VisualEditor0",
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole",
                   "sts:GetSessionToken",
                   "sts:GetAccessKeyInfo"
                ],
                "Resource": "arn:aws:iam::*:role/*"
           }
       ]
    }
  4. Create a custom role (for example, CrossAccountAccess) in the management account, with the following properties:

    • Trusts the user account created in step 2.

    • Includes the AWSOrganizationsReadOnlyAccess permission.

    • (Optional) To discover certificates in the management account itself, also includes the AWSCertificateManagerFullAccess permission.

  5. Create a custom role in all the child accounts to manage through the connector, with the following properties:

    • Same name as the custom role created in the management account in step 4.

    • Trusts the member account user created in step 2.

    • Includes the following AWS-managed permissions:

To authenticate an AWS unified connector with account scope, create an IAM user in the AWS account with the following AWS-managed permissions:

Permission

Purpose

AWSCertificateManagerFullAccess

Access and manage certificates in AWS Certificate Manager (ACM).

ElasticLoadBalancingFullAccess

Manage certificates associated with Elastic Load Balancing (ELB) listeners.

CloudFrontFullAccess

Manage certificates associated with CloudFront distributions.

IAMReadOnlyAccess

Discover IAM server certificates.

SecretsManagerReadWrite

Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:

  • This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.

  • Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

What's next

After setting up the AWS credentials to use for authentication, you're ready to add an AWS unified connector in Trust Lifecycle Manager.