Let Oomnitza be your single source of truth!
You'll get visibility of your AWS IAM users as data from AWS IAM is automatically transformed into consumable information and actionable insights.
Connect Oomnitza and AWS IAM in minutes
Get the information and insights that you need to reduce costs and the time that you spend on administration tasks, such as:
- Configurable dashboards and list views of key user information.
- Configurable reports to share information about users with your colleagues and management.
- Configurable workflows that you can easily create to automate such tasks as:
  - Managing groups, including creating and deleting groups.
  - Getting, creating, and deleting AWS IAM roles.
  - Onboarding and offboarding users.
  - Managing policies, including user policies, managed policies, group policies, and role policies.
  - Fetching user information, including the MFA (Multi-Factor Authentication) status and password age of a user, as well as the access keys and groups associated with a user.
Before you start
This integration provides you with a complete picture of your AWS IAM users and helps you maintain security best practices in your organization. For information on the API used in this integration, refer to AWS API Documentation: ListUsers
Before you can create the integration with Oomnitza, you need to have added your credentials to Oomnitza. For further information, refer to Adding your AWS credentials to Oomnitza.
When creating the user integration you need to do the following:
- Supply a Path Prefix. This represents the hierarchy of the user setup within your AWS IAM. Use '/' as the Path Prefix to allow all users to be discovered.
- Select the IAM Roles checkbox to iterate over all AWS accounts with IAM roles. Please note that the data received from all iterated roles will be added as one sync session in Oomnitza. Before you select this option, you need to first enable cross-account access in your AWS accounts. For further information see Create an IAM user to easily access all your accounts by using the AWS console.
Creating the user integration
To configure the integration for the AWS IAM, complete the following steps:
- In Oomnitza, click Configuration > Integrations > Overview.
- Click Block view.
- On the Integrations page, scroll down to the Extended section for user integrations.
- Click NEW INTEGRATION.
- In the sidebar, search for the integration.
- Click ADD.
Integration details overview
More information is provided about the following fields to help you complete the integration:
- User only. Add user records.
- User plus SaaS user. Add user and SaaS user records.
The benefit of adding SaaS user records is that you can run a workflow to validate the status and activity of SaaS users and retrieve information such as the role of the SaaS user. The information that can be retrieved depends on whether SaaS user workflows are available for the integration.
Installation types
- Cloud. Store credentials in the Oomnitza cloud.
- Local. Store credentials locally. If you want to sync Oomnitza with vendor applications that require AWS or OAuth authentication, select Cloud as the type of installation. Local installations don't support AWS and OAuth authentication.
Integration preferences
- Create & Update. Add and update records.
- Create only. Add records.
- Update only. Update records.
Editing the integration details
- Click Edit.
- Make your changes.
Editing the credential details
If you selected Cloud as the installation type, choose one of the following options:
- Select the credentials that were created for the integration.
- Edit the credentials that were created for the integration.
- Create new credentials.
Scheduling the integration
By default, data is synced once every day. Change the interval or the time so that the data is streamed when your system isn't busy.
- Click Edit.
- Make and save your changes.
Mapping fields to Oomnitza
To map the fields to Oomnitza, click Edit. For more information, see:
- Selecting Edit integration to add rules for syncing data
- Filtering integration results
You can add new fields to your integration by selecting Add new field on the mapping page. For more information, see Creating custom API fields.
Creating custom mappings
Map the AWS IAM fields to Oomnitza fields and create custom mappings to get the user information that you need.
Complete these actions:
- Click Smart Mapping to automatically detect the appropriate mapping fields. You can map the fields by:
  - Dragging the source field to the target field on the Oomnitza side.
  - Selecting the dropdown arrow on the source field and choosing an appropriate target field from the list.
- Map other fields or create custom mappings to map any other field that you want to add to Oomnitza. To create an optional custom mapping, do the following:
  - Click the down arrow on the field that you want to map.
  - Select Add new Oomnitza users field.
  - Change the name of the field.
  - Click CREATE.
- Ensure that the User Name is mapped to the Username field on the Oomnitza side (required for integration).
- Ensure that the Email is mapped to the Email field on the Oomnitza side (required for integration). You can create custom logic to map the Email field:
  - Click + next to Edit Integration in the upper left of the screen.
  - Name the field Email.
  - For the Field Path, enter {{UserName + "@mycompanydomain.com"}}, replacing mycompanydomain with the domain of your company.
  - Click Save.
  - Click the down arrow next to the Email field that you created.
  - Select Email from the list to map to the corresponding Oomnitza Email field.
- Select the Role field on the Oomnitza mapping side.
- Choose a suitable role from the list (a defined role is necessary for the integration).
- Assign a sync key to a unique field, such as the Email or Username.
- Click UPDATE.
Tracking information for user loads
When the integration is run, you can track the name of the credentials that were used and the source of the data. To do this, you map the following fields to Oomnitza:
- Connect: Credentials
- Connect: IAM Roles
- Connect: Path Prefix
Custom mappings
The following AWS IAM fields can be mapped to Oomnitza:
- Arn
- Connector Sync Time
- CreateDate
- Owner Account ID
- Password Last Used
- Path
- User ID
- User Name
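Most of the fields above (Arn, CreateDate, Path, User ID, User Name, Password Last Used) are keys of the AWS IAM ListUsers response that the Before you start section references, filtered by the Path Prefix you supply; the MFA status, access keys and groups mentioned there come from per-user lookups. The following Python script is an added example, not Oomnitza's code or part of the AWS SDK, that flattens such data into records shaped like the mapped fields, derives the Email the same way as the custom Email mapping, and adds the MFA and access-key-age findings a reviewer would want before trusting the People view. It runs offline on constructed sample data; the `fetch_users()` function is the optional live path and assumes `boto3` is installed and AWS credentials are configured. The domain `mycompanydomain.com` and the 90-day key-age threshold are assumptions, not values from the page or from AWS.

```python
"""Added example (not Oomnitza's or AWS's code): flatten AWS IAM ListUsers data
plus per-user MFA, access-key and group lookups into records shaped like the
fields the integration maps, and derive the security findings a reviewer of the
People view would want (no MFA, stale access keys).

Runs offline on the constructed sample below; fetch_users() is the optional
live path and assumes boto3 is installed and AWS credentials are configured."""
from datetime import datetime, timedelta, timezone

try:
    import boto3  # optional: only fetch_users() needs it
except ImportError:
    boto3 = None

COMPANY_DOMAIN = "mycompanydomain.com"   # hypothetical, as in the page's Email mapping
MAX_KEY_AGE_DAYS = 90                    # assumed rotation policy, not an AWS default

# Constructed sample data shaped like boto3's list_users() output and the
# per-user list_mfa_devices / list_access_keys / list_groups_for_user lookups.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"UserName": "alice", "UserId": "AIDAEXAMPLE000001", "Path": "/",
     "Arn": "arn:aws:iam::123456789012:user/alice",
     "CreateDate": NOW - timedelta(days=400),
     "PasswordLastUsed": NOW - timedelta(days=3)},
    {"UserName": "svc-backup", "UserId": "AIDAEXAMPLE000002", "Path": "/service/",
     "Arn": "arn:aws:iam::123456789012:user/service/svc-backup",
     "CreateDate": NOW - timedelta(days=700)},   # no PasswordLastUsed: key-only user
]
SAMPLE_MFA = {"alice": ["arn:aws:iam::123456789012:mfa/alice"], "svc-backup": []}
SAMPLE_KEYS = {
    "alice": [],
    "svc-backup": [{"AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
                    "CreateDate": NOW - timedelta(days=200)}],
}
SAMPLE_GROUPS = {"alice": ["Admins"], "svc-backup": []}


def matches_path_prefix(user, path_prefix):
    """IAM applies PathPrefix server-side; '/' (the page's recommendation) matches all users."""
    return user["Path"].startswith(path_prefix)


def build_record(user, mfa_devices, access_keys, groups, now=NOW):
    """One flat record: the page's mapped fields plus derived MFA and key-age fields."""
    name = user["UserName"]
    pwd_last = user.get("PasswordLastUsed")
    active_keys = [k for k in access_keys if k["Status"] == "Active"]
    oldest_key_age = max((now - k["CreateDate"]).days for k in active_keys) if active_keys else None
    findings = []
    if not mfa_devices:
        findings.append("no-mfa")
    if oldest_key_age is not None and oldest_key_age > MAX_KEY_AGE_DAYS:
        findings.append("stale-access-key")
    return {
        "Arn": user["Arn"],
        "CreateDate": user["CreateDate"].isoformat(),
        "Path": user["Path"],
        "User ID": user["UserId"],
        "User Name": name,
        "Password Last Used": pwd_last.isoformat() if pwd_last else None,
        "Days Since Password Used": (now - pwd_last).days if pwd_last else None,
        "Email": f"{name}@{COMPANY_DOMAIN}",   # same derivation as the custom Email mapping
        "MFA Enabled": bool(mfa_devices),
        "Groups": sorted(groups),
        "Active Access Keys": len(active_keys),
        "Oldest Active Key Age Days": oldest_key_age,
        "Findings": findings,
    }


def build_records(users, mfa, keys, groups, path_prefix="/", now=NOW):
    """Apply the Path Prefix filter and flatten every matching user."""
    return [
        build_record(u, mfa.get(u["UserName"], []), keys.get(u["UserName"], []),
                     groups.get(u["UserName"], []), now)
        for u in users if matches_path_prefix(u, path_prefix)
    ]


def fetch_users(path_prefix="/", session=None):
    """Live path (assumes boto3 and credentials): returns the same four inputs as the sample."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    iam = (session or boto3.Session()).client("iam")
    users, mfa, keys, groups = [], {}, {}, {}
    for page in iam.get_paginator("list_users").paginate(PathPrefix=path_prefix):
        for u in page["Users"]:
            n = u["UserName"]
            users.append(u)
            mfa[n] = [d["SerialNumber"] for d in iam.list_mfa_devices(UserName=n)["MFADevices"]]
            keys[n] = iam.list_access_keys(UserName=n)["AccessKeyMetadata"]
            groups[n] = [g["GroupName"] for g in iam.list_groups_for_user(UserName=n)["Groups"]]
    return users, mfa, keys, groups


if __name__ == "__main__":
    for rec in build_records(SAMPLE_USERS, SAMPLE_MFA, SAMPLE_KEYS, SAMPLE_GROUPS):
        print(rec["User Name"], rec["Email"], rec["MFA Enabled"], rec["Findings"])
```

Run it as-is to see the two sample records; to compare against a live account, call `build_records(*fetch_users("/"))`. A narrower Path Prefix such as `/service/` drops every user outside that path, which is why the page recommends `/` when you want all users discovered. Note that Password Last Used is absent for users who have never signed in to the console, so a missing value does not by itself mean the user has no password.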
Launching the integration
Your integration is in Draft mode until the required fields are added. When they are added, click Launch to activate your integration.
If you selected Cloud as the installation type when creating the integration, see Running an extended integration.
If you selected Local as the installation type when creating the integration, see Running an extended integration locally.
Viewing data ingested by Oomnitza
Viewing ingested asset data
For asset integrations, click Hardware. If the asset integration also ingests software data, click Software.
Viewing ingested user data
For user integrations, click People. If you chose the option to ingest User and SaaS user data, click Software > SaaS, click the SaaS app, and then click the Users tab.
Related Links
Unleash the power of Oomnitza
To get valuable actionable insights that help you manage your assets, learn how to:
- Configure dashboards for your users and software
- Configure custom reports about your users and software
- Create workflows to automate tasks
See Getting started for more information.