AWS Management Plane and S3 Integration

Last Updated: December 20, 2024

Oleria provides adaptive and autonomous access security that sets your business free. As part of that promise, we integrate your AWS environment into the Oleria platform. This document provides step-by-step guidance on integrating your AWS account with your Oleria workspace.

Prerequisites

  • AWS Admin role

Steps to Integrate AWS with Oleria Workspace

Step 1: Log in to your AWS instance. This creates a session.

Step 2: In the same browser, open a new tab and log in to your Oleria workspace. Select Integrations → select AWS Management Plane and S3. A side page opens and shows a link to the instructions. Click Continue, then select Launch AWS CloudFormation.

Step 3: You are redirected to your AWS account, where a CloudFormation stack is shown. The stack name Oleria-Plugin-SaaS-Connector is preselected. Acknowledge the capabilities notice and click Create stack.

Step 4: Wait until the CloudFormation stack creation completes.

Note: The account used for the Oleria integration must have the following privileges:

  • cloudformation:CreateStack
  • cloudformation:CreateUploadBucket
  • cloudformation:DescribeStacks
  • cloudformation:DescribeStackEvents
  • cloudformation:GetStackPolicy
  • cloudformation:GetTemplateSummary
  • cloudformation:ListStacks
  • cloudformation:ListStackResources
  • iam:AttachRolePolicy
  • iam:CreatePolicy
  • iam:CreateRole
  • iam:ListRoles
  • iam:GetRole
  • iam:DeleteRolePolicy
  • iam:PutRolePolicy
  • s3:GetObject
  • s3:CreateBucket
  • s3:PutObject
  • sns:ListTopics

Step 5: Select the Resources tab and navigate to the oleriaConnectorRole.

Step 6: Copy the oleriaConnectorRole ARN.

Step 7: This step is required only if the S3 bucket is encrypted with a KMS key. Update the KMS key policy to allow access to the Oleria connector role.

7.1. Search for CloudTrail → select Management Events.

Note: If you have multiple trails, select the first trail and check whether it is encrypted with a KMS key. If the S3 bucket is encrypted, a KMS key link is shown.

7.2. Select the AWS KMS key link.

Update the KMS key policy as shown below.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOleriaConnectorAccess",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::accountID:role/oleriaConnectorRole"
                },
                "Action": [
                    "kms:Decrypt",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            }
        ]
    }

Replace accountID with your AWS account ID.

This policy allows the Oleria connector role to use `kms:Decrypt` and `kms:DescribeKey` for KMS-encrypted S3 access.
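Updating the key policy means adding this statement to the existing policy, not replacing the policy with it: a key policy that loses its root/administrator statement leaves the key unmanageable. As an added example (not Oleria's code), this Python snippet merges the statement into an existing key-policy document and verifies that the connector role ends up with both actions; the sample policy, the account ID 123456789012 and the helper names are constructed.

```python
import json
import re

ROLE_NAME = "oleriaConnectorRole"  # role name from the page
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}
SID = "AllowOleriaConnectorAccess"

# Constructed sample: a default key policy that grants only the account root.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "kms:*", "Resource": "*"}],
})

def connector_statement(account_id: str) -> dict:
    """Build the statement shown on the page for a 12-digit account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return {"Sid": SID, "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"},
            "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}

def merge_key_policy(existing_policy: str, account_id: str) -> str:
    """Add the connector statement but keep every existing statement (dropping
    the root/administrator grant would leave the key unmanageable). A statement
    with the same Sid is replaced, so running the merge twice is harmless."""
    policy = json.loads(existing_policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # single-statement shorthand
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != SID]
    statements.append(connector_statement(account_id))
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)

def connector_allowed(policy_doc: str, account_id: str) -> bool:
    """True if Allow statements grant the connector role every required action.
    Simplified check: Deny statements and Condition blocks are not evaluated."""
    role_arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    granted = set()
    for stmt in json.loads(policy_doc).get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if stmt.get("Effect") != "Allow" or not ({role_arn, "*"} & set(aws)):
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return REQUIRED_ACTIONS <= granted or "kms:*" in granted
```

Run `connector_allowed` against the key policy after you save it in the KMS console to confirm the grant took effect before continuing to Step 8.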

Step 8: Note your AWS region.

Step 9: Return to your Oleria workspace and select the region noted in Step 8. In this example, it is us-east-2. Provide the role ARN copied in Step 6. Select the checkbox and click Authenticate.

Step 10: The newly integrated AWS Management Plane + S3 now appears among the connected integrations in your Oleria workspace.
