Let Oomnitza be your single source of truth!
You'll get visibility of your AWS IAM users as data from AWS IAM is automatically transformed into consumable information and actionable insights.
Connect Oomnitza and AWS IAM in minutes
Get the information and insights that you need to reduce costs and the time that you spend on administration tasks. The integration gives you:
- Configurable dashboards and list views of key user information
- Configurable reports to share information about users with your colleagues and management
- Configurable workflows that you can easily create to automate such tasks as:
  - Getting a list of access keys and groups associated with a user.
  - Getting the MFA (Multi-Factor Authentication) status and password age of a user.
  - Disabling and deleting users.
  - Deleting access keys associated with a user.
About the integration
This integration provides you with a complete picture of your AWS IAM users, and helps you maintain security best practices in your organisation.
Adding the credentials
To add your AWS credentials to Oomnitza, see Adding your AWS credentials to Oomnitza.
Creating the user integration
To configure the integration for the AWS IAM, complete the following steps:
- In Oomnitza, click Configuration > Integrations.
- Click Integrations List View.
- On the Integrations page, scroll down to the Extended section for User Integration.
- Click NEW INTEGRATION.
- In the New Asset Integration sidebar, click AWS IAM User Load.
- To integrate Oomnitza with the AWS IAM User Load, click APPLY and then click NEXT twice.
On the Connect page, complete the following steps to connect the integration:
- Enter a descriptive name for the integration such as AWS IAM User Load. This name will be displayed on the Integrations page once the setup is complete.
- From the User Selection list, select User plus SaaS User or User only.
- If you select User plus SaaS User and you have multiple instances of the same SaaS application, select the application from the SaaS Selection list. If you have a single instance of the SaaS application, skip this step.
- From the installation type list, select Cloud.
- From the Credentials list, select the credentials from the Oomnitza vault that you added for the connection. For further information, refer to Adding AWS credentials.
- From the Integration Preferences list, select Create & Update.
- Enter the name of the user of the integration.
- Enter the Path Prefix. This represents the hierarchy of the user setup within your AWS IAM. Use '/' as the Path Prefix to allow all users to be discovered.
- Click Next.
Creating custom mappings
Map the AWS IAM fields to Oomnitza fields and create custom mappings to get the user information that you need.
Complete these actions:
- Click Smart Mapping.
- Map other fields or create custom mappings to map any other field that you want to add to Oomnitza. To create an optional custom mapping, do the following:
  - Click the down arrow on the field that you want to map.
  - Select Add new Oomnitza users field.
  - Change the name of the field.
  - Click CREATE.
- If you wish, you can create custom logic to map the AWS IAM Email field to Oomnitza:
  - Click + next to Edit Connector in the upper left of the screen.
  - Name the field Email.
  - For the Field Path, enter {{GetUserResponse.GetUserResult.User.UserName}}@mycompanydomain.com, replacing mycompanydomain.com with the domain of your company.
  - Click the down arrow next to the Email field that you created.
  - Select Email from the Oomnitza field list to map to the corresponding field in Oomnitza.
- Assign a Sync key. For example, you can map the AWS IAM User Name field to the Oomnitza Username field and assign a Sync key.
- Click NEXT.
Note: For all user loads, it is recommended that you map role information to an employee role in Oomnitza. Users need to have an employee role defined in order to access Oomnitza. If the role information is not available from the user load, it is recommended that you select Employee from the Oomnitza Role dropdown list. You have the option to overwrite this at a later point should the role information become available.
Custom mappings
The following AWS IAM fields can be mapped to Oomnitza:
Arn
CreateDate
Password Last Used
Path
User ID
User Name
When you've completed mapping AWS IAM fields to Oomnitza fields, click NEXT.
Schedule
By default, data is streamed to Oomnitza once every day.
You can configure the schedule to meet your needs such as changing the interval or changing the time so that the data is streamed when your system isn't busy.
- Configure your schedule.
- Click FINISH.
Result
A new tile is created for the integration on the Integrations page.
What to do next
If you want to see what information is collected now, click the tile on the Integrations page and click RUN NOW.
If you want to change the integration settings, you can click a navigation link on the page, such as 4 Mappings, and edit the settings.
Tip
To view the information that is collected about your mobile assets, click Assets.
Creating workflows
Creating user workflows with the API block
To reduce your workload and automate complex and repetitive tasks, you can create workflows with the API block by following the steps in Creating asset workflows with the API block. To locate the available presets, enter aws iam in the Select Preset search field. Select your preset of choice and for every preset enter the following information in the Configure section:
- Your AWS Credentials that you created in Adding AWS credentials.
The AWS IAM API block workflow comes with the following presets:
Get List of Access keys for a user
Get List of Groups for a user
Get MFA status for a user
Get password age for a user
Disable User
Delete User
Delete Access key
Get List of Access keys for a user
This preset lists the access keys associated with a specified AWS IAM user and the age of the oldest access key. This will enable you to identify and deactivate any unnecessary IAM access keys as a security best practice.
To configure the preset, complete the following actions:
- Select the preset from the API block and the credentials you created in Adding AWS credentials.
- Click the Advanced Mode button located in the upper right of the window.
- Select the Params tab.
- Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization.
- Select the Response tab.
- You may want to enter one of the following statements in the Response field:
  - {% set temp = response['ListAccessKeysResponse']['ListAccessKeysResult']['AccessKeyMetadata']['member']%}{%if (temp is defined) and temp%}{%if temp['AccessKeyId']%}{%set temp = [temp]%}{%endif%}{{ temp | rejectattr('Status', 'eq', 'Inactive') | map(attribute='AccessKeyId') | join(', ') }}{%else%}NONE{%endif%}
    This statement gets a list of access keys that are currently active for a given user. Note: NONE is capitalized.
  - {% set temp = response['ListAccessKeysResponse']['ListAccessKeysResult']['AccessKeyMetadata']['member']%}{%if (temp is defined) and temp%}{%if temp['AccessKeyId']%}{%set temp = [temp]%}{%endif%}{% set dates = temp | rejectattr('Status', 'eq', 'Inactive') | map(attribute='CreateDate') | list %}{%if (dates is defined) and dates%}{{dates[0]}}{%endif%}{%endif%}
    This statement gets the date the oldest access key was created.
- Select an Oomnitza field to store the API response. It is recommended that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.
For further information, refer to AWS API Documentation: List Access Keys.
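The two Response-field statements above depend on one detail of the ListAccessKeys response: AWS's XML is converted to nested dicts, so a user with one key gets a single member dict while a user with several keys gets a list, and the {%set temp = [temp]%} step papers over that difference. The following is an added example (not Oomnitza's or AWS's own code) that re-expresses both statements in plain Python and runs them against constructed sample responses for the one-key, many-key and no-key cases; the key IDs and dates are placeholders, and this version sorts by CreateDate so it returns the genuinely oldest active key rather than the first listed one as the template does.

```python
# Added example, not Oomnitza's or AWS's own code: the two Response-field
# statements for the "Get List of Access keys for a user" preset in Python.
from datetime import datetime

def _members(response):
    """Normalise AccessKeyMetadata.member to a list (empty when absent)."""
    try:
        member = response["ListAccessKeysResponse"]["ListAccessKeysResult"]["AccessKeyMetadata"]["member"]
    except (KeyError, TypeError):
        return []
    if not member:
        return []
    # One key arrives as a dict, several as a list of dicts.
    return [member] if isinstance(member, dict) else list(member)

def active_access_keys(response):
    """Mirror of the first statement: comma-separated active key IDs, or 'NONE'."""
    ids = [m["AccessKeyId"] for m in _members(response) if m.get("Status") != "Inactive"]
    return ", ".join(ids) if ids else "NONE"

def oldest_active_key_date(response):
    """Mirror of the second statement, but sorted so the oldest CreateDate among
    active keys is returned whatever order AWS lists them in. '' if none."""
    dates = [m["CreateDate"] for m in _members(response) if m.get("Status") != "Inactive"]
    if not dates:
        return ""
    return min(dates, key=lambda d: datetime.fromisoformat(d.replace("Z", "+00:00")))

# Constructed sample responses; key IDs are placeholders, not real credentials.
TWO_KEYS = {"ListAccessKeysResponse": {"ListAccessKeysResult": {"AccessKeyMetadata": {"member": [
    {"AccessKeyId": "AKIAEXAMPLE0000NEWER", "Status": "Active", "CreateDate": "2023-05-01T10:00:00Z"},
    {"AccessKeyId": "AKIAEXAMPLE0000OLDER", "Status": "Active", "CreateDate": "2021-02-14T08:30:00Z"},
    {"AccessKeyId": "AKIAEXAMPLE0000INACT", "Status": "Inactive", "CreateDate": "2019-01-01T00:00:00Z"},
]}}}}
ONE_KEY = {"ListAccessKeysResponse": {"ListAccessKeysResult": {"AccessKeyMetadata": {"member":
    {"AccessKeyId": "AKIAEXAMPLE0000SINGLE", "Status": "Active", "CreateDate": "2022-09-30T12:00:00Z"}}}}}
NO_KEYS = {"ListAccessKeysResponse": {"ListAccessKeysResult": {"AccessKeyMetadata": {}}}}

if __name__ == "__main__":
    for name, resp in [("two keys", TWO_KEYS), ("one key", ONE_KEY), ("no keys", NO_KEYS)]:
        print(name, "->", active_access_keys(resp), "|", oldest_active_key_date(resp))
```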
Get List of Groups for a user
This preset lists the IAM groups associated with a specified AWS IAM user. To configure the preset, complete the following actions:
- Select the preset from the API block and the credentials you created in Adding AWS credentials.
- Click the Advanced Mode button located in the upper right of the window.
- Select the Params tab.
- Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization.
- Select the Response tab.
- You may want to enter the following statement in the Response field:
  - {% set temp = response['ListGroupsForUserResponse']['ListGroupsForUserResult']['Groups']['member']%}{%if (temp is defined) and temp%}{%if temp['GroupName']%}{%set temp = [temp]%}{%endif%}{{ temp | map(attribute='GroupName') | join(', ') }}{% else %}NONE{% endif %}
    This statement gets the list of user groups associated with the user.
- Select an Oomnitza field to store the API response. It is recommended that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.
For further information, refer to AWS API Documentation: List Groups for User.
Get MFA status for a user
This preset lists the MFA (Multi-Factor Authentication) devices for an IAM user. This preset can help you monitor MFA in your organization. Once the users are imported successfully, you can trigger workflows that allow you to notify users to switch it on or even disable users who have not enabled it. To configure the preset, complete the following actions:
- Select the preset from the API block and the credentials you created in Adding AWS credentials.
- Click the Advanced Mode button located in the upper right of the window.
- Select the Params tab.
- Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization.
- Select the Response tab.
- You may want to enter the following statement in the Response field:
  - {% set temp = response['ListMFADevicesResponse']['ListMFADevicesResult']['MFADevices']['member']%}{%if (temp is defined) and temp%}Enabled since {{temp['EnableDate']}}{% else %}Not enabled{% endif %}
    This statement reports whether the user has an MFA device enabled and, if so, since when.
- Select an Oomnitza field to store the API response. It is recommended that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.
For further information, refer to AWS API Documentation: List MFA devices.
Get password age for a user
This preset gets the date a user's console password (login profile) was created. This preset can help you calculate the age of the password to determine if that password is within your company's password age policy. The preset uses the same credentials and fields as already mentioned above. To configure the preset, complete the following actions:
- Select the preset from the API block and the credentials you created in Adding AWS credentials.
- Click the Advanced Mode button located in the upper right of the window.
- Select the Params tab.
- Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization.
- Select the Response tab.
- You may want to enter the following statement in the Response field:
  - {% set temp = response['GetLoginProfileResponse']['GetLoginProfileResult']['LoginProfile']['CreateDate']%}{%if (temp is defined) and temp%}{{temp}}{% endif %}
    This statement gets the date the password for the specified user was created. You will receive an HTTP status code 404 if the request references a user or login profile that does not exist. In this case it is recommended that you clear the password created date and disable email notifications in your workflow to prevent your inbox from filling up.
- Select an Oomnitza field to store the API response. It is recommended that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.
For further information, refer to AWS API Documentation: Login Profile.
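The preset only returns the CreateDate; the password-age check the text describes is left to you. The following is an added example (not Oomnitza's or AWS's own code) that turns that CreateDate into an age in days and a verdict against a maximum-age policy, and handles the user-without-a-login-profile case (the 404 mentioned above, which for IAM carries the NoSuchEntity error code) by reporting that there is no console password to age instead of failing. The sample responses, the fixed "now" and the way the error is represented are constructed assumptions of this example.

```python
# Added example, not Oomnitza's or AWS's own code: password age and policy
# verdict from the GetLoginProfile CreateDate extracted by the preset above.
from datetime import datetime, timezone

def password_created(response):
    """Mirror of the Response-field statement: CreateDate, or '' when the
    LoginProfile element is absent (user has no console password)."""
    try:
        return response["GetLoginProfileResponse"]["GetLoginProfileResult"]["LoginProfile"]["CreateDate"] or ""
    except (KeyError, TypeError):
        return ""

def password_age_days(response, now):
    """Whole days since the console password was created, or None when the
    user has no login profile."""
    created = password_created(response)
    if not created:
        return None
    created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return (now - created_at).days

def password_policy_verdict(response, max_age_days, now):
    """'NO_CONSOLE_PASSWORD', 'OK' or 'EXPIRED' against a maximum-age policy."""
    age = password_age_days(response, now)
    if age is None:
        return "NO_CONSOLE_PASSWORD"
    return "EXPIRED" if age > max_age_days else "OK"

# Constructed sample responses and a fixed 'now' so the results are stable.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
FRESH = {"GetLoginProfileResponse": {"GetLoginProfileResult": {"LoginProfile":
    {"UserName": "alice", "CreateDate": "2024-01-15T09:00:00Z"}}}}
STALE = {"GetLoginProfileResponse": {"GetLoginProfileResult": {"LoginProfile":
    {"UserName": "bob", "CreateDate": "2023-06-01T09:00:00Z"}}}}
# Assumed shape for the 404 case: an error body instead of a LoginProfile.
NO_PROFILE = {"Error": {"Code": "NoSuchEntity"}}

if __name__ == "__main__":
    for user, resp in [("alice", FRESH), ("bob", STALE), ("carol", NO_PROFILE)]:
        print(user, password_age_days(resp, NOW), password_policy_verdict(resp, 90, NOW))
```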
Disable User
This preset allows you to delete the password for a specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console. This action does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access, you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see Delete Access key. To configure the preset, complete the following actions:
- Select the preset from the API block and the credentials you created in Adding AWS credentials.
- Click the Advanced Mode button located in the upper right of the window.
- Select the Params tab.
- Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization.
- Select the Response tab.
- Select an Oomnitza field to store the API response.
For further information, refer to AWS API Documentation: Delete Login Profile.
Delete User
This preset allows you to delete a user from AWS IAM. Once a user is deleted, it cannot be restored. You must ensure that you delete all items attached to the user manually, or the deletion fails. For further information, refer to AWS API Documentation: Delete User. This preset can be configured in the same manner as the Disable User preset.
Delete Access key
This preset allows you to delete an access key pair associated with the specified IAM user. Before you delete the access key, it is recommended that you check that it is not used in any active integrations as these will start to fail once the access key has been deleted. Since a user can have multiple access keys, you may have to run this preset more than once to delete all access keys for a single user. To configure the preset, complete the following actions:
- Select the preset from the API block and the credentials you created in Adding AWS credentials.
- Click the Advanced Mode button located in the upper right of the window.
- Select the Params tab.
- Select the curly brackets to the right of the window to reference an Oomnitza field for your username and accesskeyid. Depending on how you store access keys in Oomnitza, you may be able to use {{AccessKeyId}} or {{AccessKeyId[0]}} to reference an existing access key. You can find a complete list of fields in Assets > Customization.
- Select the Response tab.
- Select an Oomnitza field to store the API response.
For further information, refer to AWS API Documentation: Delete Access Key.
Additional user operations
You can find more ways to manage user data by referring to the AWS API Documentation. We will continue to add the most valuable ones as presets, but you can always start with any of the existing presets and then go to Advanced Mode to easily change it to any of the supported AWS actions.
For further information on workflows, see:
- Understanding workflows
- Workflow block overview
- Configuring AWS IAM Presets
Unleash the power of Oomnitza
To get valuable actionable insights that help you manage your assets, learn how to:
- Configure dashboards for your users and software
- Configure custom reports about your users and software
- Create workflows to automate tasks
See Getting started for more information.