AWS Access

Settings > System Settings > AWS Settings > AWS Access

The AWS access settings allow you to control various aspects of users' access to the AWS console.

Web Access

Web access allows users to federate into the AWS console via a Cloud Access Role. Web access is always enabled, but you can use the following settings to customize users' access.

  • Session Duration. Specify how long you want the AWS console session to last before the user is forced to log in again via cloud access role. By default, the session duration is set to 60 minutes.

IAM Role Prefix

Set a custom prefix for AWS IAM roles. IAM role prefixes are useful for establishing a global naming convention for AWS IAM role names. The prefix set here is auto-populated in the IAM Role field when creating cloud access roles and cannot be edited within that form. Setting or changing the prefix will not change existing roles.

  • Prefix. Enter your desired prefix. Kion automatically adds a hyphen (-) after the prefix.

Short-Term Access Keys

Enable generation of short-term access keys for cloud access roles to access AWS accounts. Once enabled, temporary credentials can be generated from any AWS account's Cloud Access dropdown menu within Kion.

  • Allow Generation. Enables short-term access key generation.
  • Session Duration. Specify how long you want the AWS console session to last before the user is forced to log in again via cloud access role.

To learn how to add an AWS short-term access key, see Add an AWS Short-Term Access Key.

Long-Term Access Keys

Enable administrators and users with Manage Long-term Access Keys permissions to generate long-term access keys for cloud access roles they manage.

  • Allow Generation. Enables long-term access key generation.
  • Lifespan. Sets the access key lifespan. When a long-term access key expires, Kion automatically deletes it and sends a notification to the user who created the key.
  • Enable Notifications for Expiring Access Keys. Specify how many days in advance you would like to receive notifications about upcoming long-term access key expirations.

For more information about managing long-term access keys, see Add an AWS Long-Term Access Key.

Source Identity Attribute

Enable this option for increased AWS IAM role access visibility in AWS CloudTrail. Kion will set the user name from the configured IDMS (internal or third-party) as the source identity parameter, making it easier to associate assumed roles with specific users when viewing CloudTrail logs.

If you have a cross-partition environment, you must also modify the partition user role to have the sts:SetSourceIdentity permission.
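As an added illustration (not part of this article and not Kion's code) of what the Source Identity Attribute gives you in CloudTrail, the script below groups assumed-role API calls by the sourceIdentity value CloudTrail records and separately lists calls from sessions that carry none. The log records are constructed, the account ID, role names and user are placeholders, and the field paths follow CloudTrail's documented layout: the AssumeRole event carries the value under responseElements.sourceIdentity (and requestParameters.sourceIdentity), and every later call made with that session carries it under userIdentity.sessionContext.sourceIdentity.

```python
"""Attribute assumed-role activity in CloudTrail to users via sourceIdentity.

Added example, not Kion code. Assumes CloudTrail's documented event layout
(see lead-in). All records below are constructed; account 111111111111,
the role names and alice@example.com are placeholders.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    {
        # Kion's partition user assuming a cloud access role with a source identity set.
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "userName": "kion-partition-user"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::111111111111:role/kion-ReadOnly",
            "roleSessionName": "alice",
            "sourceIdentity": "alice@example.com",
        },
        "responseElements": {
            "credentials": {"accessKeyId": "ASIAEXAMPLE000000001"},
            "sourceIdentity": "alice@example.com",
        },
    },
    {
        # A call made with that session: the identity travels in sessionContext.
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/kion-ReadOnly/alice",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/kion-ReadOnly"},
                "sourceIdentity": "alice@example.com",
            },
        },
    },
    {
        # A session assumed before the setting was enabled: no sourceIdentity at all.
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/kion-Admin/some-session",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/kion-Admin"}
            },
        },
    },
]


def identities_set_on_assume(events):
    """Map role ARN -> sourceIdentity for each AssumeRole call that set one.

    Useful as a quick check that the setting is actually taking effect.
    """
    out = {}
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        req = ev.get("requestParameters") or {}
        resp = ev.get("responseElements") or {}
        ident = resp.get("sourceIdentity") or req.get("sourceIdentity")
        if ident:
            out[req.get("roleArn")] = ident
    return out


def attribute_sessions(events):
    """Group assumed-role API calls by (role ARN, sourceIdentity).

    Returns (by_user, unattributed): by_user maps (role_arn, user) to the
    list of eventNames; unattributed lists (role_arn, eventName) pairs from
    assumed-role sessions that carry no sourceIdentity.
    """
    by_user = defaultdict(list)
    unattributed = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        ctx = ident.get("sessionContext") or {}
        role_arn = (ctx.get("sessionIssuer") or {}).get("arn")
        user = ctx.get("sourceIdentity")
        if user:
            by_user[(role_arn, user)].append(ev.get("eventName"))
        else:
            unattributed.append((role_arn, ev.get("eventName")))
    return dict(by_user), unattributed


if __name__ == "__main__":
    print("set on AssumeRole:", identities_set_on_assume(SAMPLE_EVENTS))
    attributed, missing = attribute_sessions(SAMPLE_EVENTS)
    print("attributed:", attributed)
    print("no sourceIdentity:", missing)
```

Run against a real trail by loading the `Records` array from the CloudTrail log files instead of `SAMPLE_EVENTS`; anything that lands in the unattributed list after the setting is on is worth a look, since a session without a source identity cannot be tied back to a Kion user from the log alone.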

Advanced Settings

  • Enable Custom Access URL for Web Access. Sets a custom URL to use when sending users to the AWS console.
    When enabled, you have the option to enter a custom URL. Use the placeholders {ACCOUNT_NAME}, {ACCOUNT_NUMBER}, and {ROLE_NAME} if you would like the account name, account number, or the role name to be substituted in the URL.
  • Enable Custom Access URL for Short-Term Access Keys. Sets a custom URL when sending users to the AWS console using short-term access keys.
    When enabled, you have the option to enter a custom URL. Use the placeholders {ACCOUNT_NAME}, {ACCOUNT_NUMBER}, and {ROLE_NAME} if you would like the account name, account number, or the role name to be substituted in the URL.
  • Enable Custom Trust Policy. Defines a custom trust policy that is applied to IAM roles if federation is handled by another system. We provide a sample policy in the UI to get you started. For more information about third-party federation, see Add a User Cloud Access Role.
  • Enable Use of Existing Roles. Enables the use of IAM roles from third-party identity providers (like Ping, Okta, and OneLogin) to federate into AWS accounts.
    In addition to enabling this feature, you must add the URL you use to sign in to your third-party provider. This URL depends on which third-party provider you use, but will likely resemble: https://your_company.identity_provider.com. When a user federates into an account using a third-party enabled cloud access role, they will be redirected to the identity provider URL you provided. For information about configuring cloud access roles to use this feature, see Add a User Cloud Access Role.
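An added example, not Kion's sample policy from the UI, of the checks worth running on a custom trust policy before pasting it into the Enable Custom Trust Policy field. The Python below inspects a constructed SAML trust policy for a placeholder provider (arn:aws:iam::111111111111:saml-provider/ExampleIdP) and flags wildcard principals, unrestricted STS actions, an AssumeRoleWithSAML statement with no SAML:aud condition, and, when the role will also be assumed with a source identity set (as under the Source Identity Attribute setting above), a missing sts:SetSourceIdentity allow, which AWS requires in the role's trust policy for the source identity to be accepted.

```python
"""Lint a custom IAM trust policy for third-party federation.

Added example, not Kion's sample policy. The provider ARN, account ID and
audience below are constructed placeholders; SAML:aud is the AWS condition
key holding the endpoint the SAML assertion was issued for.
"""
import json

SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/ExampleIdP"},
            "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"],
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }
    ],
})

# Constructed counter-example: any AWS principal may assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc, require_set_source_identity=True):
    """Return a list of findings; an empty list means every check passed.

    doc may be a JSON string or an already-parsed dict.
    """
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings = []
    saw_set_source_identity = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        # A "*" principal (bare or under "AWS") lets any account assume the role.
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        ):
            findings.append("statement allows a wildcard principal")
        if any(a in ("sts:*", "*") for a in actions):
            findings.append("statement allows all STS actions")
        if "sts:AssumeRoleWithSAML" in actions:
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud is None:
                findings.append("AssumeRoleWithSAML has no SAML:aud condition")
        if "sts:SetSourceIdentity" in actions:
            saw_set_source_identity = True
    if require_set_source_identity and not saw_set_source_identity:
        findings.append("no statement allows sts:SetSourceIdentity")
    return findings


if __name__ == "__main__":
    print("sample:", lint_trust_policy(SAMPLE_TRUST_POLICY) or "ok")
    print("weak:", lint_trust_policy(WEAK_TRUST_POLICY))
```

Pass `require_set_source_identity=False` when the role is only ever assumed through the IdP's own federation flow and never with a source identity set; the remaining checks still apply to any trust policy you hand to Kion.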