AWS Cloud
Last modified on November 12, 2024
Overview
This guide describes how to configure AWS as a cloud resource in StrongDM.
This resource type is nearly the same as the AWS (Instance Profile) cloud resource type, except that it supports static keys for authentication. Please see Configure AWS (Instance Profile) if you wish to use other default authentication methods to manage access to your AWS cloud environment via StrongDM.
Note that this is the method by which to set up your AWS cloud and manage it with AWS CLI. If you intend to connect to a specific AWS-hosted resource, such as Athena or an EC2 instance, those resources need to be set up separately in the appropriate areas of the Admin UI.
Prerequisites
To manage access to your AWS cloud environment via StrongDM, you must have an AWS Access Key ID and AWS Secret Access Key prepared. The scope of this key determines which AWS CLI commands your users can execute through StrongDM, so consider that when generating the key. Once you have your AWS key, you can set up a cloud resource in the StrongDM Admin UI.
Users need to have StrongDM Desktop (and/or the StrongDM CLI) and AWS CLI installed to access the cloud resource.
Your gateways or relays must be running at least version 31.10 to support usage of the AWS CLI to administer your AWS cloud.
sdm aws cli ssm start-session is not currently supported when using the AWS CLI via StrongDM due to an AWS technical limitation. If you wish to use ssm sessions, you can set up the AWS Console resource type and use the web interface to initiate a session with ssm.
Admin UI Setup
To set up your AWS cloud in StrongDM, go to Admin UI > Infrastructure > Clouds and click Add cloud.
The minimum fields that need to be populated for the AWS cloud type are:
- Access Key ID
- Secret Access Key
- Healthcheck Region (the AWS region against which StrongDM runs its healthcheck to determine whether the resource is currently up or down)
The following field is optional:
- Assume Role ARN (if you want the user to assume a specific role after connecting)
Logs
In the Admin UI under Logs > Clouds, you can find a record of what your users did while accessing the cloud resource. Note that any secrets displayed in the cloud logs are placeholder values. No actual keys or secrets are ever exposed in plaintext in the Admin UI.
User Setup
In order to access the AWS cloud resource via StrongDM, users first need to do the following:
- Install the StrongDM Desktop application (desktop app).
- Install the latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, in the desktop app, you can go to the Account menu and select Update and restart. That option is only shown when an update is available.
- Install the AWS CLI. We support both v1 and v2 but encourage the use of v2.
- Set up or update the AWS-CLI configuration file to include a region, as explained in the AWS documentation.
- Make sure to exit and restart your desktop app before connecting for the first time.
- In the desktop app, select the AWS cloud resource to which you want to connect.
Usage
After user setup is complete, you may open a terminal and use the AWS CLI through StrongDM, using the base syntax of sdm aws cli where you normally would start a command with aws.
The general syntax is sdm aws cli <COMMAND>.
To test that everything is working, try:
sdm aws cli s3 ls
sdm aws cli ec2 describe-instances
Commands are always the same as they are with the AWS CLI, just with the sdm aws cli prefix instead.
Connection to Multiple AWS Cloud Resources
If your organization has multiple AWS cloud resources and you are connected to them at the same time, you may pass a --name value to specify which resource the command should run against. For example: sdm aws --name <YOUR_RESOURCE_NAME> cli <COMMAND>. The flag must come before the cli portion of the command, so that the command still works as normal when only a single AWS cloud resource is connected.
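As an added example (not StrongDM's own code), the following POSIX shell helper composes an sdm aws cli invocation, placing --name before cli as required above, and checks that the AWS CLI config file defines a region for a profile before the first connection, as the User Setup steps require. The resource name, profile names and config path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not StrongDM's own code. The resource name, profile names
# and config path below are constructed placeholders.

# Compose an "sdm aws cli ..." invocation. When a resource name is given,
# "--name <NAME>" is placed before "cli", as the docs require, so the same
# helper works whether one or several AWS cloud resources are connected.
build_sdm_aws_cmd() {
    name="$1"
    shift
    if [ -n "$name" ]; then
        printf 'sdm aws --name %s cli %s\n' "$name" "$*"
    else
        printf 'sdm aws cli %s\n' "$*"
    fi
}

# Return 0 if the AWS CLI config file ($1) sets a region for profile $2
# (default: "default"), 1 otherwise. Section headers look like "[default]"
# or "[profile staging]"; a region line looks like "region = us-east-1".
config_has_region() {
    cfg="$1"
    profile="${2:-default}"
    [ -r "$cfg" ] || return 1
    awk -v want="$profile" '
        /^\[/ {
            section = $0
            sub(/^\[/, "", section); sub(/]$/, "", section)
            sub(/^profile /, "", section)
            next
        }
        section == want && /^[ \t]*region[ \t]*=[ \t]*[^ \t]/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$cfg"
}

# Constructed demo: a config whose "staging" profile lacks a region.
demo() {
    cfg=$(mktemp)
    printf '[default]\nregion = us-east-1\n\n[profile staging]\noutput = json\n' > "$cfg"
    config_has_region "$cfg" default && echo "default: region set"
    config_has_region "$cfg" staging || echo "staging: add a region to ~/.aws/config first"
    build_sdm_aws_cmd "" s3 ls
    build_sdm_aws_cmd prod-aws ec2 describe-instances
    rm -f "$cfg"
}
demo
```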