Configure AWS connection¶
The following guide illustrates connecting TLS Protect Cloud with Amazon Web Services (AWS).
Enable TLS Protect Cloud to provision new certificates in AWS Certificate Manager (ACM) for use with AWS services. This guide walks you through the integration process.
Before you begin¶
You're going to need a few things to complete this procedure.
- You will need an AWS account.
- Your AWS account ID.
- You will need at least one active VSatellite to provision certificates to AWS.
- Venafi permissions for AWS IAM - You must specify these permissions when defining the role's permission policy. This policy defines what actions Venafi takes and what resources they can access. You can find this policy in the JSON file provided below.
Note
- Review the supported AWS ACM cryptographic algorithms.
- Only TLS Protect Cloud-generated and user-imported certificates with private keys can be provisioned. To learn more see Importing a private key via API (PKCS #8) and Importing a private key via API (PKCS #12).
- Only one certificate can be provisioned at a time.
- Only regions that are enabled on Amazon will be available for provisioning.
Overview¶
The following diagram illustrates the high-level steps for integrating TLS Protect Cloud with AWS. In the subsequent sections, we dive into each of these steps, providing you with a guided walkthrough.
Step 1: Create a Cloud Provider¶
- Sign in to Venafi Control Plane.
- Click Integrations > Cloud Providers.
- Click New.
- Enter a Name for the new cloud provider. This name will help TLS Protect Cloud users to identify this cloud provider.
- Select an Owning Team. If you need to create a new team see, create a new team.
-
Click Continue.
Note
- Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
- Authorized Team - The Authorize Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.
-
Enter your 12 digit AWS Account ID obtained from AWS.
- Enter the IAM Role you want to create in your AWS Account. Provide a role name that carries significance and can be readily linked to this specific cloud provider. For this example we will use "TlspcIntegrationRole".
- Click Save. At this point, your new provider details will be displayed in the right pane.
-
From the right pane, select Properties, copy, and save the External ID for use later on. To learn more about the use of the External ID, check out the IAM User Guide.
Important
Make sure to copy and save this External ID for use later on. You will need this External ID in Step 3: Create an AWS IAM role for TLS Protect Cloud.
Step 2: Create an AWS IAM policy for TLS Protect Cloud¶
In this step, we will set up an IAM policy for your AWS TLS Protect Cloud role, granting it the required permissions for full access to all AWS integrations provided by TLS Protect Cloud. These permissions may change as new components are incorporated into an integration.
- Create a new policy in the AWS IAM Console.
- Select the JSON tab, and then paste the TLS Protect Cloud permission policies into the provided textbox.
- Click Next:Tags and then click Next: Review.
- Assign a name to the policy, such as "TlspcIntegrationPolicy" or a name of your preference, and provide a suitable description.
- Click Create policy.
Step 3: Create an AWS IAM role for TLS Protect Cloud¶
Here we will create an IAM role for TLS Protect Cloud to utilize the permissions specified within the IAM policy you created in the previous step.
- Create a new role in the AWS IAM Console.
- Select the AWS account for the trusted entity type, and then select Another AWS account.
- Enter
569433869543
as the Account ID. This is TLS Protect Cloud account ID and authorizes TLS Protect Cloud access to your AWS data. - Select Require external ID and enter the External ID copied in Step 1: Create a Cloud Provider. Make sure to keep 'Require MFA' disabled.
-
Click Next.
Tip
For additional information, refer to the AWS documentation on How to use an external ID when granting access to your AWS resources to a third party.
-
Select the policy you created in the previous step, and then click Next.
-
Assign the role a name and provide a suitable description. In our example we are using "TlspcIntegrationRole".
Important
Make sure this role name is the SAME role name as the one you assigned in Step 1, when creating a cloud provider in TLS Protect Cloud.
-
Click Create Role.
Step 4: Validate the connection¶
In this step we will validate the connection between TLS Protect Cloud and AWS ACM.
- Click Integrations > Cloud Providers.
-
Find the new cloud provider we created in Step 1. Click the more options button to the right and select Test Access.
If you still have the yellow icon next to your cloud provider, this means you were not able to successfully validate your connection. Go back and check your settings in the above steps.
Step 5: Add a Cloud Keystore¶
- Sign in to Venafi Control Plane.
- Click Installations > Cloud Keystores.
- Click New and select AWS.
- Enter a Name for the new cloud keystore.
- Select an Owning Team. If you need to create a new team, see create a new team.
-
Select an Authorized Team.
Note
- Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
- Authorized Team - The Authorize Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.
-
Select an AWS Cloud Provider.
- Select an ACM Region.
- (Optional) To begin discovery once the keystore is created, an option to discover certificates on your keystore, select the toggle switches to turn on "Start discovery immediately" and "Include expired certificates". After creating the keystore, refer to Set up AWS Discovery Schedule to create your schedule.
- Click Save. You should now see your new cloud keystore in the Cloud Keystore list.
Step 6: Provision a certificate¶
Now you have the ability to provision certificates.
-
Click the button to the right of the new cloud keystore you just created and select Provision.
Tip
Here you also have the option to delete certificates if needed.
-
From the dropdown, search for the certificate you want, select it, and click Provision. This creates a new certificate (new installation on the keystore).
-
(Optional) Here, you also can re-provision, replace, or delete a certificate. These options modify an existing machine installation.
- Select your Cloud Keystore, and a details panel will appear on the right.
- Click on the button to the right of your certificate.
- Choose the appropriate action: Re-provision, Replace, or Delete, and proceed through the user interface steps until the process is complete.
Info
- Re-provision - This action re-provisions your current certificate.
- Replace - Choose this option to substitute your current certificate with a different one.
- Delete - This action removes the selected certificate from the table.
Note
If using Google Cloud Platform, go to your Google service account, under Certificate Manager, and select Certificates. Click the Refresh button. You should now see your certificate in the list with an active status.
At this point you have successfully connected TLS Protect Cloud to your cloud provider and successfully provisioned a certificate.
Set up AWS Discovery Schedule¶
- In the TLS Protect Cloud toolbar, click Installations and select Cloud Keystores from the drop-down menu.
- Select the Cloud Keystore name that you want to perform a discovery on.
- From the pane that opens on the right of the screen, select Discovery configuration. Select the toggle switches to turn on "Enable scheduled discovery" and "Include expired certificates".
- Under Repeat every, select your desired Daily, Weekly, or Advanced schedule. Then, choose your desired time.
- Click Save.
AWS IAM Permissions¶
Authentication to AWS resource via IAM role¶
With IAM roles, you can grant access to TLS Protect Cloud for your AWS resources without sharing your AWS security credentials. Instead, TLS Protect Cloud can access your AWS resources by assuming a role that you create in your AWS account. You can use an IAM role to establish a trusted connection between your AWS account and TLS Protect Cloud. Once this connection is established, you will define the role's permission policy, determining what actions TLS Protect Cloud takes and what resources they can access.
To correctly set up the AWS Integration, you must attach the relevant IAM policies in the following JSON to the TLS Protect Cloud AWS Integration IAM Role in your AWS account.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"acm:GetCertificate",
"acm:DeleteCertificate",
"acm:ImportCertificate",
"acm:ListCertificates",
"acm:AddTagsToCertificate",
"ec2:DescribeRegions"
],
"Resource":"*"
}
]
}