AWS Access

The AWS access settings allow you to control users' access to the AWS console. To adjust these settings:

  1. In the left navigation menu, click Settings > System Settings.
  2. Click AWS Settings under Cloud Providers, then click AWS Access.

Web Access

The web access section allows you to specify how long the AWS console session lasts before the user is forced to log in again via a cloud access role. By default, the session duration is set to 60 minutes.

IAM Role Prefix

The IAM role prefix section lets you set a custom prefix for AWS IAM roles. This sets a global naming convention for all AWS IAM role names, which will auto-populate in the IAM Role field on CARs for all users to enforce consistency in role names. Setting or changing the prefix will not change existing roles you have already created.

Enter your desired prefix in the Prefix field. Kion will automatically add a - after the prefix, so there's no need to include it here.

Once you set your prefix, the IAM Role field on the CAR creation form will show it as a field that cannot be edited.

Short-Term Access Keys

Once this setting is enabled, you can generate short-term access keys for cloud access roles to access AWS accounts.

To learn how to add an AWS short-term access key, see Add an AWS Short-Term Access Key.

Long Term Access Keys

When access key generation is enabled, you can optionally set the access key lifespan. The application will automatically delete any access keys generated from the project pages and will send a notification to the user who created the keys.

When the access key lifespan field is turned on, you can also enable notifications for expiring access keys.

Advanced Settings

  • Enable Custom Access URL For Web Access. Use a custom URL when sending users to the AWS console. When enabled, you'll have the option to enter a custom URL. Please use the placeholders {ACCOUNT_NAME}, {ACCOUNT_NUMBER}, and {ROLE_NAME} if you would like the account name or the role name to be substituted in the URL.
  • Enable Custom Access URL For Short-Term Access Keys. Use a custom URL when sending users to the AWS console using short-term access keys. When enabled, you'll have the option to enter a custom URL. Please use the placeholders {ACCOUNT_NAME}, {ACCOUNT_NUMBER}, and {ROLE_NAME} if you would like the account name or the role name to be substituted in the URL.
  • Enable Custom Trust Policy. Apply a custom trust policy to IAM roles if the federation is handled by another system. We provide a sample policy in the UI to get you started.
  • Enable Use of Existing Roles. Use IAM roles from third-party identity providers (like Ping, Okta, and OneLogin) to federate into AWS accounts. In addition to enabling this feature, you must add the URL you use to sign in to your third-party provider. This URL depends on which third-party provider you use, but will likely resemble: https://your_company.identity_provider.com. When a user federates into an account using a third-party enabled cloud access role, they will be redirected to the identity provider URL you provided. For information about configuring cloud access roles to use this feature, see Add a Cloud Access Role.
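
A pre-flight check for the custom access URL templates described above, as an added example that is not Kion's code: it flags placeholders other than the three this page lists and previews the substituted URL. The https, host and brace checks, the percent-encoding of values, and all sample names are assumptions of this example, not documented product behavior.

```python
import re
from urllib.parse import quote, urlsplit

# Placeholders named on this page; anything else in braces is treated as a typo.
SUPPORTED = {"ACCOUNT_NAME", "ACCOUNT_NUMBER", "ROLE_NAME"}
_PLACEHOLDER = re.compile(r"\{([^{}]*)\}")


def check_template(template):
    """Return a list of problems found in a custom access URL template."""
    problems = []
    for name in _PLACEHOLDER.findall(template):
        if name not in SUPPORTED:
            problems.append(f"unsupported placeholder {{{name}}}")
    # Any brace left after removing well-formed placeholders is unbalanced.
    if re.search(r"[{}]", _PLACEHOLDER.sub("", template)):
        problems.append("stray brace")
    # Swap placeholders for a dummy token so the URL parses cleanly.
    parts = urlsplit(_PLACEHOLDER.sub("x", template))
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no host in URL")
    # Conservative check of this example (not a product rule): a placeholder
    # in the host would let an account or role name choose the destination.
    host_part = re.split(r"[/?#]", template.split("://", 1)[-1], maxsplit=1)[0]
    if _PLACEHOLDER.search(host_part):
        problems.append("placeholder inside host")
    return problems


def render(template, account_name, account_number, role_name):
    """Preview the substituted URL; values are percent-encoded (assumption)."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    values = {"ACCOUNT_NAME": account_name,
              "ACCOUNT_NUMBER": account_number,
              "ROLE_NAME": role_name}
    return _PLACEHOLDER.sub(lambda m: quote(values[m.group(1)], safe=""), template)


if __name__ == "__main__":
    # Constructed sample template and values, for illustration only.
    sample = "https://sso.example.com/aws?account={ACCOUNT_NUMBER}&role={ROLE_NAME}"
    print(render(sample, "Dev Sandbox", "123456789012", "kion-read only"))
```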

 
