
Configure AWS connection

The following guide illustrates connecting TLS Protect Cloud with Amazon Web Services (AWS).

Enable TLS Protect Cloud to provision new certificates in AWS Certificate Manager (ACM) for use with AWS services. This guide walks you through the integration process.

Before you begin

You're going to need a few things to complete this procedure.

  • An AWS account.
  • Your AWS account ID.
  • At least one active VSatellite to provision certificates to AWS.
  • The Venafi permissions for AWS IAM. You specify these permissions when defining the role's permission policy, which determines what actions TLS Protect Cloud can take and what resources it can access. The policy is provided as JSON in the AWS IAM Permissions section below.


Overview

The following diagram illustrates the high-level steps for integrating TLS Protect Cloud with AWS. In the subsequent sections, we dive into each of these steps, providing you with a guided walkthrough.

Diagram showing how TLS Protect Cloud integrates with AWS

Step 1: Create a Cloud Provider

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Cloud Providers.
  3. Click New.
  4. Enter a Name for the new cloud provider. This name will help TLS Protect Cloud users to identify this cloud provider.
  5. Select an Owning Team. If you need to create a new team, see create a new team.
  6. Click Continue.

    Note

    • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
    • Authorized Team - The Authorized Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.
  7. Enter your 12-digit AWS Account ID obtained from AWS.

  8. Enter the name of the IAM Role you want to create in your AWS Account. Provide a role name that carries significance and can be readily linked to this specific cloud provider. For this example, we will use "TlspcIntegrationRole".
  9. Click Save. At this point, your new provider details will be displayed in the right pane.
  10. From the right pane, select Properties, copy, and save the External ID for use later on. To learn more about the use of the External ID, check out the IAM User Guide.

    Important

    Make sure to copy and save this External ID for use later on. You will need this External ID in Step 3: Create an AWS IAM role for TLS Protect Cloud.

Step 2: Create an AWS IAM policy for TLS Protect Cloud

In this step, we will set up an IAM policy for your AWS TLS Protect Cloud role, granting it the required permissions for full access to all AWS integrations provided by TLS Protect Cloud. These permissions may change as new components are incorporated into an integration.

  1. Create a new policy in the AWS IAM Console.
  2. Select the JSON tab, and then paste the TLS Protect Cloud permission policies into the provided textbox.
  3. Click Next: Tags and then click Next: Review.
  4. Assign a name to the policy, such as "TlspcIntegrationPolicy" or a name of your preference, and provide a suitable description.
  5. Click Create policy.

Step 3: Create an AWS IAM role for TLS Protect Cloud

Here we will create an IAM role for TLS Protect Cloud to utilize the permissions specified within the IAM policy you created in the previous step.

  1. Create a new role in the AWS IAM Console.
  2. Select the AWS account for the trusted entity type, and then select Another AWS account.
  3. Enter 569433869543 as the Account ID. This is the TLS Protect Cloud account ID; trusting it authorizes TLS Protect Cloud to access your AWS data.
  4. Select Require external ID and enter the External ID copied in Step 1: Create a Cloud Provider. Make sure to keep 'Require MFA' disabled.
  5. Click Next.

    Tip

    For additional information, refer to the AWS documentation on How to use an external ID when granting access to your AWS resources to a third party.

  6. Select the policy you created in the previous step, and then click Next.

  7. Assign the role a name and provide a suitable description. In our example we are using "TlspcIntegrationRole".

    Important

    Make sure this role name is the SAME role name as the one you assigned in Step 1, when creating a cloud provider in TLS Protect Cloud.

  8. Click Create Role.

Step 4: Validate the connection

In this step we will validate the connection between TLS Protect Cloud and AWS ACM.

  1. Click Integrations > Cloud Providers.
  2. Find the new cloud provider we created in Step 1. Click the more options button to the right and select Test Access.

    Note

    You will notice a yellow warning icon next to your cloud provider that indicates it has yet to be validated. This will go away once you test access and have a successful connection.

If you still have the yellow warning icon next to your cloud provider, this means you were not able to successfully validate your connection. Go back and check your settings in the above steps.

Step 5: Add a Cloud Keystore

  1. Sign in to Venafi Control Plane.
  2. Click Installations > Cloud Keystores.
  3. Click New.
  4. Enter a Name for the new cloud keystore.
  5. Select an Owning Team. If you need to create a new team, see create a new team.
  6. Select an Authorized Team.

    Note

    • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
    • Authorized Team - The Authorized Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.
  7. Select an AWS Account.

  8. Select an ACM Region.
  9. Click Save. You should now see your new cloud keystore in the Cloud Keystore list.

Step 6: Provision a certificate

Now you have the ability to provision certificates.

  1. Click the more options button to the right of the new cloud keystore you just created and select Provision.

    Tip

    Here you also have the option to delete certificates if needed.

  2. From the dropdown, search for the certificate you want, select it, and click Provision. This creates a new certificate (new installation on the keystore).

  3. (Optional) Here, you also can re-provision, replace, or delete a certificate. These options modify an existing machine installation.

    • Select your Cloud Keystore, and a details panel will appear on the right.
    • Click on the ellipsis button to the right of your certificate.
    • Choose the appropriate action: Re-provision, Replace, or Delete, and proceed through the user interface steps until the process is complete.

    Info

    • Re-provision - This action re-provisions your current certificate.
    • Replace - Choose this option to substitute your current certificate with a different one.
    • Delete - This action removes the selected certificate from the table.

    Note

    If using Google Cloud Platform, go to your Google service account, under Certificate Manager, and select Certificates. Click the Refresh button. You should now see your certificate in the list with an active status.

At this point you have successfully connected TLS Protect Cloud to your cloud provider and successfully provisioned a certificate.

AWS IAM Permissions

Authentication to AWS resources via an IAM role

With IAM roles, you can grant TLS Protect Cloud access to your AWS resources without sharing your AWS security credentials. Instead, TLS Protect Cloud accesses your AWS resources by assuming a role that you create in your AWS account. You can use an IAM role to establish a trusted connection between your AWS account and TLS Protect Cloud. Once this connection is established, you define the role's permission policy, determining what actions TLS Protect Cloud can take and what resources it can access.

To correctly set up the AWS Integration, you must attach the relevant IAM policies in the following JSON to the TLS Protect Cloud AWS Integration IAM Role in your AWS account.

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "acm:GetCertificate",
                "acm:DeleteCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "ec2:DescribeRegions"
            ],
            "Resource":"*"
        }
    ]
}
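As an added illustration of Step 3 and of the role-assumption model described in this section, the Python below is example code written for this page, not part of Venafi's product or documentation. It builds the trust policy that the IAM console generates for the choices in Step 3 (trusted entity "Another AWS account" with account 569433869543, "Require external ID" ticked, "Require MFA" left off), pairs it with the permission policy listed above, and reviews a trust policy against those requirements before you click Test Access. The external ID in the block is a constructed placeholder; substitute the value copied from the cloud provider's Properties pane in Step 1. The function names and the review logic are this example's own.

```python
import json

# From the guide: the TLS Protect Cloud AWS account ID that is trusted to assume
# the role, and the role name used in Steps 1 and 3.
TLSPC_ACCOUNT_ID = "569433869543"
ROLE_NAME = "TlspcIntegrationRole"
TLSPC_PRINCIPAL_ARN = f"arn:aws:iam::{TLSPC_ACCOUNT_ID}:root"

# The permission policy from the "AWS IAM Permissions" section, unchanged.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "acm:GetCertificate",
            "acm:DeleteCertificate",
            "acm:ImportCertificate",
            "acm:AddTagsToCertificate",
            "ec2:DescribeRegions",
        ],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(external_id, require_mfa=False):
    """Trust (assume-role) policy equivalent to the console choices in Step 3:
    trusted entity = another AWS account (the TLS Protect Cloud account) with
    'Require external ID' ticked. require_mfa=True adds the condition the
    'Require MFA' checkbox would add; the guide says to leave it disabled."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": TLSPC_PRINCIPAL_ARN},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def check_trust_policy(policy, expected_external_id):
    """Review a trust policy against the guide's requirements. Returns a list of
    findings; an empty list means the policy is what Step 3 calls for."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        # Only the TLS Protect Cloud account should be able to assume the role.
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if not principals:
            findings.append("statement does not name an AWS account principal")
        for principal in principals:
            if principal not in (TLSPC_PRINCIPAL_ARN, TLSPC_ACCOUNT_ID):
                findings.append(f"unexpected trusted principal: {principal}")
        condition = stmt.get("Condition", {})
        # The external ID ties the role to this cloud provider entry (confused-deputy protection).
        external_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId does not match the value copied in Step 1")
        # A service assuming the role cannot present MFA, so Test Access would fail.
        if condition.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            findings.append("Require MFA is enabled; the guide says to keep it disabled")
    return findings


def render_policies(external_id):
    """Both documents as JSON strings, ready for the console's JSON editors."""
    return {
        "permission_policy": json.dumps(PERMISSION_POLICY, indent=4),
        "trust_policy": json.dumps(build_trust_policy(external_id), indent=4),
    }


if __name__ == "__main__":
    # Constructed placeholder; use the External ID from the cloud provider's Properties pane.
    external_id = "EXAMPLE-EXTERNAL-ID-FROM-STEP-1"
    for name, doc in render_policies(external_id).items():
        print(f"--- {name} for role {ROLE_NAME} ---\n{doc}\n")
    print("trust policy findings:", check_trust_policy(build_trust_policy(external_id), external_id))
```

Running the block prints both documents, ready to paste into the JSON editors in Steps 2 and 3. An empty findings list from check_trust_policy means the role trusts only the TLS Protect Cloud account, requires the external ID you copied in Step 1, and does not require MFA, which is the combination Step 4's Test Access expects.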