...
Instructions on how to create the AWS ARN and the external ID are available in the following article at Cloud Integration: On-board AWS. external ID follow.
Setting up an AWS environment for onboarding
Creating the AWS policy
Sign in to the AWS Management Console by clicking here
The link will take you to create policy page
Select the JSON tab in the policy editor and paste the following policy (overwriting the existing items):
Code Block |
---|
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"apigateway:GET"
]
}
]
}
|
Select Review policy, and enter the name below:
DataTheorem-APIGateway-SecurityAudit
Select Create policy
Creating the AWS role
Navigate to Create Role page on AWS by clicking here
The link will pre-fill Data Theorem's account ID
You need to fill the External ID field by generating a random password. We suggest one of the following:
Generate from terminal:
openssl rand -base64 32
Keep the External ID somewhere temporarily as you will need it later.
Ensure the field Account ID and External ID are filled
Select Next: Permissions
Enter
SecurityAudit
in the search box and then select its checkboxErase the search box, and enter
DataTheorem-APIGateway-SecurityAudit
. Select its checkboxSelect Next: Review and enter the following for the name:
DataTheorem-Service
Ensure it has the two SecurityAudit and DataTheorem-APIGateway-SecurityAudit policies enabled
Select Create role
Select on the newly created role
DataTheorem-Service
Copy the Role ARN value on the top of the page and keep it somewhere temporarily as you will need it later
Onboarding an AWS environment via API
...
Code Block | ||
---|---|---|
| ||
$ curl -X POST -H "Content-Type: application/json" -H "Authorization: APIKey YOUR_API_KEY" \
https://api.securetheorem.com/apis/api_security/results/v1beta1/cloud_authenticators \
-d '{"cloud_authenticator_type": 3, \
"aws_credential": {"role_arn": "REPLACE WITH YOUR ROLE ARN", \
"external_id": "REPLACE WITH YOUR EXTERNAL ID"}}' |
...
Code Block |
---|
""" Example script showing how to onboard ana AWScloud environmentauthenticator. """ import logging from dt_api_security_results.client import ApiSecurityResultsClient, from dt_api_security_results.messages import \ CloudAuthenticatorCreateRequest from dt_api_security_results.models.cloud_authenticators import AwsAuthenticatorAwsCredential, \ CloudAuthenticatorTypesEnum # TODO: Replace these values API_KEY = "MDAwMDAwMDAwMDAwMDAwMA=="API_KEY = "REPLACE WITH YOUR API KEY" ROLE_ARN = "arn:aws:iam::12345678:role/DataTheoremAccessREPLACE WITH YOUR ROLE ARN" EXTERNAL_ID = "z96hmxdd96fm37sfeyavnbmu4pz510qxREPLACE WITH YOUR EXTERNAL ID" logging.basicConfig( level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s" ) if __name__ == "__main__": client = ApiSecurityResultsClient(api_key=API_KEY, base_url="https://dev-horizon.appspot.com/customer/beta")) request = CloudAuthenticatorCreateRequest( cloud_authenticator_type=CloudAuthenticatorTypesEnum.AMAZON_WEB_SERVICES, aws_credential=AwsAuthenticatorAwsCredential(role_arn=ROLE_ARN, external_id=EXTERNAL_ID,), ) try: response = client.cloud_authenticator_create(authenticator_request=request) except Exception: logging.exception("An error occurred.") else: logging.info( f"Successfully addedonboarded cloud authenticator: {response.json()}" ) logging.info("All done.") |