Skip to main content
Sign in

Creating an extended integration for AWS Identity and Access Manager (IAM) users

Caroline Maguire
  • August 08, 2022 10:57
  • Updated

Let Oomnitza be your single source of truth!

You'll get visibility of your AWS IAM users as data from AWS IAM is automatically transformed into consumable information and actionable insights.

Connect Oomnitza and AWS IAM in minutes

Get the information and insights that you need to reduce costs and the time that you spend on administration tasks such as:

  • Configurable dashboards and list views of key user information
  • Configurable reports to share information about users with your colleagues and management
  • Configurable workflows that you can easily create to automate such tasks as:
    • Getting a list of access keys and groups associated with a user.
    • Getting the MFA (Multi-Factor Authentication) status and password age of a user.
    • Disabling and deleting users.
    • Deleting access keys associated with a user.

Navigation

small_blue_link.svgAdding the credentials

small_blue_link.svgCreating the user integration

small_blue_link.svgCreating custom mappings

small_blue_link.svg Creating workflows

Creating user workflows with the API block

Get List of Access keys for a user

Get List of Groups for a user

Get MFA status for a user

Get password age for a user

Disable User

Delete User

Delete Access key

About the integration

This integration provides you with a complete picture of your AWS IAM users, and helps you maintain security best practices in your organisation.

Adding the credentials

To add your AWS credentials to Oomnitza, see Adding your AWS credentials to Oomnitza.

Creating the user integration

To configure the integration for the AWS IAM, complete the following steps:

  1. In Oomnitza, click Configuration > Integrations.
  2. Click Integrations List View small_SettingsListView.svg.
  3. On the Integrations page, scroll down to the Extended section for User Integration.
  4. Click NEW INTEGRATION.
  5. In the New Asset Integration sidebar, click AWS IAM User Load.
  6. To integrate Oomnitza with the AWS IAM User Load, click APPLY and then click NEXT twice.

On the Connect page, complete the following steps to connect the integration:

  1. Enter a descriptive name for the integration such as AWS IAM User Load. This name will be displayed on the Integrations page once the setup is complete.
  2. From the User Selection list, select User plus SaaS User or User only.
  3. If you select User plus SaaS User and you have multiple instances of the same SaaS application, select the application from the SaaS Selection list. If you have a single instance of the SaaS application, skip this step.
  4. From the installation type list, select Cloud.
  5. From the Credentials list, select the credentials from the Oomnitza vault that you added for the connection. For further information, refer to Adding AWS credentials.
  6. From the Integration Preferences list, select Create & Update
  7. Enter the name of the user of the integration.
  8. Enter the Path Prefix.  This represents the hierarchy of the user setup within your AWS IAM. Use '/' as the Path Prefix to allow all users to be discovered. 
  9. Click Next.

Creating custom mappings

Map the AWS IAM fields to Oomnitza fields and create custom mappings to get the user information that you need.

Complete these actions:

  1. Click Smart Mapping.
  2. Map other fields or create custom mappings to map any other field that you want to add to Oomnitza. To create an optional custom mapping, do the following:
    1. Click the down arrow on the field that you want to map.
    2. Select Add new Oomnitza users field.
    3. Change the name of the field.
    4. Click CREATE.  
  3. If you wish, you can create custom logic to map the AWS IAM Email field to Oomnitza:
    1. Click + next to Edit Connector in the upper left of the screen
    2. Name the field Email
    3. For the Field Path, enter {{GetUserResponse.GetUserResult.User.UserName}}@mycompanydomain.com, replacing mycompanydomain with the domain of your company.
    4. Click the down arrow next to the Email field that you created.
    5. Select Email from the Oomnitza field list to map to the corresponding field in Oomnitza.
  4. Assign a Sync key. For example, you can map the AWS IAM User Name field to the Oomnitza Username field and assign a Sync key. 
  5. Click NEXT
editconnector_1.png
1 / 2: Creating a custom logic to map the AWS IAM Email field to Oomnitza.
editconnector_2.png
2 / 2: Mapping the AWS IAM Email field to the corresponding Oomnitza field.

Note: For all user loads, it is recommended that you map role information to an employee role in Oomnitza. Users need to have an employee role defined in order to access Oomnitza. If the role information is not available from the user load, it is recommended that you select Employee from the Oomnitza Role dropdown list. You have the option to overwrite this at a later point should the role information become available. 

Custom mappings

The following AWS IAM fields can be mapped to Oomnitza:

Arn
CreateDate
Password Last Used
Path
User ID
User Name

blue_link.svg Learn more about mapping

When you've completed mapping AWS IAM fields to Oomnitza fields, click NEXT.   

Schedule

By default, data is streamed to Oomnitza once every day.

You can configure the schedule to meet your needs such as changing the interval or changing the time so that the data is streamed when your system isn't busy.

  1. Configure your schedule.
  2. Click FINISH.

Result

A new tile is created for the integration on the Integrations page. 

What to do next

If you want to see what information is collected now, click the tile on the Integrations page and click RUN NOW.

If you want to change the integration settings, you can click a navigation link on the page, such as 4 Mappings, and edit the settings.

edit-integration.svg 

Tip
To view the information that is collected about your mobile assets, click Assets

Creating workflows

Creating user workflows with the API block

To reduce your workload and automate complex and repetitive tasks, you can create workflows with the API block by following the steps in Creating asset workflows with the API block. To locate the available presets, enter aws iam in the Select Preset search field. Select your preset of choice and for every preset enter the following information in the Configure section:

The AWS IAM API block workflow comes with the following presets:

Get List of Access keys for a user
Get List of Groups for a user
Get MFA status for a user
Get password age for a user
Disable User
Delete User
Delete Access key

Get List of Access keys for a user

This preset lists the access keys associated with a specified AWS IAM user and the age of the oldest access key. This will enable you to identify and deactivate any unnecessary IAM access keys as a security best practice.

To configure the preset, complete the following actions:

  1. Select the preset from the API block and the credentials you created in Adding AWS credentials.
  2. Click the Advanced Mode button located in the upper right of the window.
  3. Select the Params tab.
  4. Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization. 
  5. Select the Response tab.
  6. You may want to enter one of the following statements in the Response field: 
    • {% set temp = response['ListAccessKeysResponse']['ListAccessKeysResult']['AccessKeyMetadata']['member']%}{%if (temp is defined) and temp%}{%if temp['AccessKeyId']%}{%set temp = [temp]%}{%endif%}{{ temp | rejectattr('Status', 'eq', 'Inactive') | map(attribute='AccessKeyId') | join(', ') }}{%else%}NONE{%endif%}
      This statement gets a list of access keys that are currently active for a given user. Note: NONE is capitalized.
    • {% set temp = response['ListAccessKeysResponse']['ListAccessKeysResult']['AccessKeyMetadata']['member']%}{%if (temp is defined) and temp%}{%if temp['AccessKeyId']%}{%set temp = [temp]%}{%endif%}{% set dates = temp | rejectattr('Status', 'eq', 'Inactive') | map(attribute='CreateDate') | list %}{%if (dates is defined) and dates%}{{dates[0]}}{%endif%}{%endif%}
      This statement gets the date the oldest access key was created.
  7. Select an Oomnitza field to store the API response. It is recommended that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.

For further information, refer to AWS API Documentation: List Access Keys

Get List of Groups for a user

This preset lists the IAM groups associated with a specified AWS IAM user. To configure the preset, complete the following actions:

  1. Select the preset from the API block and the credentials you created in Adding AWS credentials.
  2. Click the Advanced Mode button located in the upper right of the window.
  3. Select the Params tab.
  4. Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization. 
  5. Select the Response tab.
  6. You may want to enter one of the following statements in the Response field: 
    • {% set temp = response['ListGroupsForUserResponse']['ListGroupsForUserResult']['Groups']['member']%}{%if (temp is defined) and temp%}{%if temp['GroupName']%}{%set temp = [temp]%}{%endif%}{{ temp | map(attribute='GroupName') | join(', ') }}{% else %}NONE{% endif %}
      This statement gets the list of user groups associated with the user.
  7. Select an Oomnitza field to store the API response. It is recommend that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.

For further information, refer to AWS API Documentation: List Groups for User

Get MFA status for a user

This preset lists the MFA (Multi-Factor Authentication) devices for an IAM user. This preset can help you monitor MFA in your organization. Once the users are imported successfully, you can trigger workflows that allow you to notify users to switch it on or even disable users who have not enabled it. To configure the preset, complete the following actions:

  1. Select the preset from the API block and the credentials you created in Adding AWS credentials.
  2. Click the Advanced Mode button located in the upper right of the window.
  3. Select the Params tab.
  4. Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization. 
  5. Select the Response tab.
  6. You may want to enter one of the following statements in the Response field: 
    • {% set temp = response['ListMFADevicesResponse']['ListMFADevicesResult']['MFADevices']['member']%}{%if (temp is defined) and temp%}Enabled since {{temp['EnableDate']}}{% else %}Not enabled{% endif %}
  7. Select an Oomnitza field to store the API response. It is recommend that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.

For further information, refer to AWS API Documentation: List MFA devices

Get password age for a user

This preset gets the last login date a user's password was created. This preset can help you calculate the age of the password to determine if that password is within your company's password age policy. The preset uses the same credentials and fields as already mentioned above. To configure the preset, complete the following actions:

  1. Select the preset from the API block and the credentials you created in Adding AWS credentials.
  2. Click the Advanced Mode button located in the upper right of the window.
  3. Select the Params tab.
  4. Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization. 
  5. Select the Response tab.
  6. You may want to enter one of the following statements in the Response field: 
    • {% set temp = response['GetLoginProfileResponse']['GetLoginProfileResult']['LoginProfile']['CreateDate']%}{%if (temp is defined) and temp%}{{temp}}{% endif %}
      This statement gets the date the password for the specified user was created. You will receive a HTTP Status Code: 404 if it references a resource entity or user profile that does not exist. In this case it is recommended that you clear the password created date and disable email notifications in you workflow to prevent your inbox from filling up.
  7. Select an Oomnitza field to store the API response. It is recommend that you map the entire response to a long text attribute initially. This will enable you to test your statement for accuracy.

For further information, refer to AWS API Documentation: Login Profile.

Disable User

This preset allows you to delete the password for a specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console. This action does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access, you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see Delete Access key. To configure the preset, complete the following actions:

  1. Select the preset from the API block and the credentials you created in Adding AWS credentials.
  2. Click the Advanced Mode button located in the upper right of the window.
  3. Select the Params tab.
  4. Select the curly brackets to the right of the window to reference an Oomnitza field for your username. You can find a complete list of fields in Assets > Customization. 
  5. Select the Response tab.
  6. Select an Oomnitza field to store the API response.

For further information, refer to AWS API Documentation: Delete Login Profile.

Delete User

This preset allows you to delete a user from AWS IAM. Once a user is deleted, it cannot be restored. You must ensure that you delete all items attached to the user manually, or the deletion fails. For further information, refer to AWS API Documentation: Delete User. This preset can be configured in the same manner as the Disable User preset.

Delete Access key

This preset allows you to delete an access key pair associated with the specified IAM user. Before you delete the access key, it is recommended that you check that it is not used in any active integrations as these will start to fail once the access key has been deleted. Since a user can have multiple access keys, you may have to run this preset more than once to delete all access keys for a single user. To configure the preset, complete the following actions:

  1. Select the preset from the API block and the credentials you created in Adding AWS credentials.
  2. Click the Advanced Mode button located in the upper right of the window.
  3. Select the Params tab.
  4. Select the curly brackets to the right of the window to reference an Oomnitza field for your username and accesskeyid. Depending on how you store access keys in Oomnitza, you may be able to use {{AccessKeyId}} or {{AccessKeyId[0]}} to reference an existing access key. You can find a complete list of fields in Assets > Customization. 
  5. Select the Response tab.
  6. Select an Oomnitza field to store the API response.

For further information, refer to AWS API Documentation: Delete Access Key.

Additional user operations

You can find more ways to manage user data by referring to the AWS API Documentation. We will continue to add the most valuable ones as presets, but you can always start with any of the existing presets and then go to Advanced Mode to easily change it to any of the supported AWS actions.

For further information on workflows see:
small_blue_link.svg Understanding workflows
small_blue_link.svg Workflow block overview
small_blue_link.svg Configuring AWS IAM Presets

Unleash the power of Oomnitza

To get valuable actionable insights that help you manage your assets, learn how to:

  • Configure dashboards for your users and software
  • Configure custom reports about your users and software
  • Create workflows to automate tasks

See small_blue_link.svg Getting started for more information.

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk