Plugin Authentication Methods

IAM Role Anywhere Authentication

Prerequisites

The AWS Certificate Manager service is required to be enabled to authenticate the plugin using the AWS IAM Roles Anywhere Authentication Method.

Note: Make sure you create the Private Certificate Authority, Trust Anchor and Profile in the same region in which your AWS S3 Source Bucket resides.

Create a Policy

This Policy contains the required permissions for creating Private CA Certificate (including Permissions for creating Trust Anchor and Profile) and using the IAM Roles Anywhere.

1. Go to Policy Generator and select IAM Policy as policy type, enter Add Statement details, and generate a policy.
   • Select Type of Policy: IAM Policy
   • Effect: Allow
   • AWS Service: AWS Private Certificate Authority
   • Actions:
     • CreateCertificateAuthority
     • DescribeCertificateAuthority
     • GetCertificate
     • GetCertificateAuthorityCertificate
     • GetCertificateAuthorityCsr
     • ImportCertificateAuthorityCertificate
     • IssueCertificate
     • ListCertificateAuthorities
   • ARN: *
2. Click Add Statement.

   

3. Scroll back up to add another statement.
   • Select Type of Policy: IAM Policy
   • Effect: Allow
   • AWS Service: AWS Identity and Access Management (IAM)
   • Actions:
     • AttachRolePolicy
     • CreateAccessKey
     • CreateRole
     • DeleteRole
     • PassRole
   • ARN: *
4. Click Add Statement.

   

5. Scroll back up to add another statement.
   • Select Type of Policy: IAM Policy
   • Effect: Allow
   • AWS Service: AWS Certificate Manager
   • Actions:
     • DescribeCertificate
     • ExportCertificate
     • GetCertificate
     • ListCertificates
     • ListTagsForCertificate
     • RequestCertificate
   • ARN: *
6. Click Add Statement.

   

7. Scroll back up to add another statement.
   • Select Type of Policy: IAM Policy
   • Effect: Allow
   • AWS Service: AWS Identity and Access Management Roles Anywhere
   • Actions:
     • CreateProfile
     • CreateTrustAnchor
     • GetProfile
     • GetTrustAnchor
     • ListProfiles
     • ListTrustAnchors
   • ARN: *
8. Click Add Statement.

   

9. Click Generate Policy.

   

10. Copy the Policy as it will be used in the next step for creating the policy required for creating the Private CA certificates.
11. Go to AWS Console and select IAM from All Services. Click Policies in the left panel, and then click Create Policy.

    

12. Copy the policy to the JSON tab, click Next:Tags, and then click Next:Review.

    

13. Enter a name (like netskope-ce-rolesAnywhere-policy) and click Save Changes.

    

Create a Private Certificate Authority

1. Log in to AWS Console.
2. Search for Certificate Manager.

   

3. Click AWS Private CA.
4. Click Create a private CA.

   

5. For Mode Options, select General-purpose.
6. For CA type options, select Root.

   

7. Enter Organization (O).

   

8. For Key algorithm options, select RSA 2048.

   

   

9. Add tags if any (optional).
10. Check the checkbox in the CA permissions options section.
11. Check the checkbox in the Pricing section.
12. Click Create to create the CA certificate.

    

    

13. From Actions, select Install.

    

14. Click Confirm and Install.

    

    

Create a Trust Anchor

1. Search for the IAM service, go to Roles under Access management scroll down to Roles Anywhere and select Manage.

   

2. Click Create a Trust anchor

   

3. Enter a Trust anchor name, like netskope-ce-trust-anchor.

   

4. Select AWS Certificate Manager Private CA (created in the previous steps) as a Certificate authority (CA) source
5. Add tags if required.
6. Click Create a trust anchor.

   

   

7. Click on created Trust Anchor and copy the Trust Anchor ARN.

   

Create an IAM Role

1. Go to IAM services in the AWS Console.
2. Click Role in the Access Management submenu.
3. Click Create Role.

   

4. In the Trusted entity type, select Custom Trust Policy.

   

5. Go to Policy Generator.
6. Replace the Custom trust Policy with the below Trust Policy. This policy contains the permissions for using the roles anywhere service:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": [
                       "rolesanywhere.amazonaws.com"
                   ]
               },
               "Action": [
                   "sts:AssumeRole",
                   "sts:TagSession",
                   "sts:SetSourceIdentity"
               ]
           }
       ]
   }

   

7. Click Next.
8. In the Permissions policies, select the policy created in Create a Bucket Policy.

   

9. Click Next.
10. Provide a Role name (like netskope-ce-roleAnywhere) and Description for the role.
11. Click Create role.

    

12. Make a note of the Role ARN as this will be required in the Plugin configuration parameter Role ARN for the authentication method AWS IAM Roles Anywhere.

    

Create a Profile

1. Select Roles under Access management.
2. Scroll down to Roles Anywhere and click Manage.

   

3. Expand the Setup steps.
4. Click Step 2: Configure roles.
5. Click Configure a profile.

   

6. Enter a Profile name, like netskope-ce-profile.
7. Select the role created in Create IAM Role netskope-ce-roleAnywhere.

   

8. Remove the Inline Policy.
9. Click Create profile.

   

   

   

10. Select the created Profile and copy the Profile ARN.

    

Request a Private Certificate

1. Go to AWS Certificate Manager > Request certificate.
2. Select Request a private certificate.

   

3. Click Next.
4. Select the Certificate authority created in the previous step.

   

5. Provide a domain name in the Fully qualified domain name field, like netskope-ce.com.
6. Select RSA 2048 as the Key algorithm.

   

7. Add tags if required.
8. Acknowledge the Certificate renewal permissions.
9. Click Request.

   

10. Go to List certificates from the navigation pane of AWS Certificate Manager.
11. Select the certificate created previously.

    

12. Click Export.

    

13. Enter the passphrase. Make a note of the passphrase as it will be required for the Configuration of the AWS Security Lake Plugin using the AWS IAM Roles Anywhere Authentication method.
14. Click Generate PEM Encoding.

    

15. Download all the Certificates as it won’t be visible again. For new certificates you will need to Export them again.

For More Info go to AWS IAM Role Anywhere

AWS Authentication

Create a Role

1. Go to IAM services in the AWS Console.
2. Click Create role.

   

3. Select the AWS Service.
4. Under Use case, select EC2.
5. Click Next.

   

6. Select the permission policy created in Create a Bucket Policy.
7. Click Next.

   

8. Enter a Role Name (like netskope-ce-instance-role) and Description.
9. Click Create Role.

   

   

Assign a Role to an EC2 Instance

1. Log in to your EC2 instance console.
2. Click Instances under Instances.

   

   

3. Go to Action > Security > Modify IAM Role.

   

4. Select the Role that you created above in Create a Role. (netskope-ce-instance-role).
5. Click Add IAM Role or Modify IAM Role.

   

Assign a Role to a Farget Instance

1. Open your CFN script.
2. Get the ExistingECSTaskRole Parameter value if present.

   

3. Go to IAM > Roles.
4. Search for the ExistingECSTaskRole Parameter value, if any. Otherwise, search for NetskopeCloudExchangeTaskRole- and select the role.

   

5. Attach Policy created in Create Bucket Policy to this role:
   1. Click Add permissions and Attach policies.

      

   2. Search and select the policy created in the Create Bucket Policy section. (netskope-ce-s3-policy).
   3. Click Add permissions.

      

Assign a Role to a K8s Instance

1. Open your Role created for ServiceAccount while creating K8s instance.
2. Attach the policy created in Create a Bucket Policy.