Configure AWS Connection¶

The following guide illustrates connecting TLS Protect Cloud with Amazon Web Services (AWS).

Enable TLS Protect Cloud to provision new certificates in AWS Certificate Manager (ACM) for use with AWS services. This guide walks you through the integration process.

Overview¶

The following diagram illustrates the high-level steps for integrating TLS Protect Cloud with AWS. In the subsequent sections, we dive into each of these steps, providing you with a guided walkthrough.

Step 1: Create a Cloud Provider¶

1. Sign in to TLS Protect Cloud.
2. Click Integrations > Cloud Providers.
3. Click New.
4. Enter a Name for the new cloud provider. This name will help TLS Protect Cloud users to identify this cloud provider.
5. Select an Owning Team. If you need to create a new team see, create a new team.

6. Click Continue.

   Note

   • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
   • Authorized Team - The Authorize Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.

7. Enter your 12 digit AWS Account ID obtained from AWS.

8. Enter the IAM Role you want to create in your AWS Account. Provide a role name that carries significance and can be readily linked to this specific cloud provider. For this example we will use "TlspcIntegrationRole".
9. Click Save. At this point, your new provider details will be displayed in the right pane.

10. From the right pane, select Properties, copy, and save the External ID for use later on. To learn more about the use of the External ID, check out the IAM User Guide.

    Important

    Make sure to copy and save this External ID for use later on. You will need this External ID in Step 3: Create an AWS IAM role for TLS Protect Cloud.

Step 2: Create an AWS IAM policy for TLS Protect Cloud¶

In this step, we will set up an IAM policy for your AWS TLS Protect Cloud role, granting it the required permissions for full access to all AWS integrations provided by TLS Protect Cloud. These permissions may change as new components are incorporated into an integration.

1. Create a new policy in the AWS IAM Console.
2. Select the JSON tab, and then paste the TLS Protect Cloud permission policies into the provided textbox.
3. Click Next:Tags and then click Next: Review.
4. Assign a name to the policy, such as "TlspcIntegrationPolicy" or a name of your preference, and provide a suitable description.
5. Click Create policy.

Step 3: Create an AWS IAM role for TLS Protect Cloud¶

Here we will create an IAM role for TLS Protect Cloud to utilize the permissions specified within the IAM policy you created in the previous step.

1. Create a new role in the AWS IAM Console.
2. Select the AWS account for the trusted entity type, and then select Another AWS account.
3. Enter 569433869543 as the Account ID. This is TLS Protect Cloud account ID and authorizes TLS Protect Cloud access to your AWS data.
4. Select Require external ID and enter the External ID copied in Step 1: Create a Cloud Provider. Make sure to keep 'Require MFA' disabled.

5. Click Next.

   Tip

   For additional information, refer to the AWS documentation on How to use an external ID when granting access to your AWS resources to a third party.

6. Select the policy you created in the previous step, and then click Next.

7. Assign the role a name and provide a suitable description. In our example we are using "TlspcIntegrationRole".

   Important

   Make sure this role name is the SAME role name as the one you assigned in Step 1, when creating a cloud provider in TLS Protect Cloud.

8. Click Create Role.

Step 4: Validate the connection¶

In this step we will validate the connection between TLS Protect Cloud and AWS ACM.

1. Click Integrations > Cloud Providers.

2. Find the new cloud provider we created in Step 1. Click the more options button to the right and select Test Access.

   Note

   You will notice a yellow icon next to your cloud provider that indicates it has yet to be validated. This will go away once you test access and have a successful connection.

If you still have the yellow icon next to your cloud provider, this means you were not able to successfully validate your connection. Go back and check your settings in the above steps.

Step 5: Add a Cloud Keystore¶

1. Sign in to TLS Protect Cloud.
2. Click Installations > Cloud Keystores.
3. Click New.
4. Enter a Name for the new cloud keystore.
5. Select an Owning Team. If you need to create a new team, see create a new team.

6. Select an Authorized Team.

   Note

   • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
   • Authorized Team - The Authorize Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.

7. Select an AWS Account.

8. Select an ACM Region.
9. Click Save. You should now see your new cloud keystore in the Cloud Keystore list.

Step 6: Provision a certificate¶

Now you have the ability to provision certificates.

1. Click the button to the right of the new cloud keystore you just created and select Provision.

2. From the dropdown, search for the certificate you want, select it, and click Provision. This creates a new certificate (new installation on the keystore).

3. (Optional) Here, you also can re-provision, replace, or delete a certificate. These options modify an existing machine identity (existing installation).

   • Select your Cloud Keystore, and a details panel will appear on the right.
   • Click on the button to the right of your certificate.
   • Choose the appropriate action: Re-provision, Replace, or Delete, and proceed through the user interface steps until the process is complete.

   Info

   • Re-provision - This action re-provisions your current certificate.
   • Replace - Choose this option to substitute your current certificate with a different one.
   • Delete - This action removes the selected certificate from the table.

At this point you have successfully connected TLS Protect Cloud to AWS and successfully provisioned a certificate.

AWS IAM Permissions¶

Authentication to AWS resource via IAM role¶

With IAM roles, you can grant access to TLS Protect Cloud for your AWS resources without sharing your AWS security credentials. Instead, TLS Protect Cloud can access your AWS resources by assuming a role that you create in your AWS account. You can use an IAM role to establish a trusted connection between your AWS account and TLS Protect Cloud. Once this connection is established, you will define the role's permission policy, determining what actions TLS Protect Cloud takes and what resources they can access.

To correctly set up the AWS Integration, you must attach the relevant IAM policies in the following JSON to the TLS Protect Cloud AWS Integration IAM Role in your AWS account.

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "acm:GetCertificate",
                "acm:DeleteCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "ec2:DescribeRegions"
            ],
            "Resource":"*"
        }
    ]
}