AWS (Instance Profile)
Last modified on December 13, 2024
This guide explains what capabilities StrongDM can provide for managing command line access to the AWS cloud. It also provides setup and configuration instructions to add AWS as a resource in StrongDM and begin using StrongDM to control access for users who wish to access your cloud via the AWS CLI. StrongDM users are authenticated with AWS and granted the level of access that you configure on the AWS side.
In addition to access control and auditing, AWS access through StrongDM can be a part of a variety of use cases and access control methodologies:
- Least Privilege: For AWS clouds, least privilege can be accomplished by setting up multiple AWS (Instance Profile) resources in StrongDM. Each resource connects to AWS using a different set of credentials (or a different assumed role) carrying only the permissions that group of users needs, and you grant each user or role access to the resource that matches their job.
- Just-in-Time Access: StrongDM users are able to use any access workflows you set up to request access to AWS, allowing you the choice between granting Just-in-Time (JIT) access with requests, or providing standing access to particular users or roles within your StrongDM organization. For more details, see the Access Workflows section. To avoid confusion during access requests, if there are multiple AWS (Instance Profile) cloud resources in StrongDM, it may be useful to name them in such a way that indicates the level of access, so that users know the name of the resource to request.
- Context-Based Policy: StrongDM policies that restrict or enable users’ ability to connect to AWS cloud resources based on their context can be used to limit availability of your AWS CLI to users in particular geographic locations or with good device trust scores. Policies can also be used to provide an MFA challenge prior to connection, and help solve for many more use cases. For more details, see the Policies section.
This resource type is nearly the same as the AWS cloud resource type, except that it does not support static keys for authentication. It supports only environment-loaded credentials (see AWS Cloud Properties). Please see Configure AWS if you wish to use static keys to manage access to your AWS cloud environment via StrongDM.
This is the method by which to set up your AWS cloud and manage it with the AWS CLI. If you intend to connect to a specific AWS-hosted resource, such as Athena or an EC2 instance, those resources need to be set up separately in the appropriate areas of the Admin UI.
Limitations
- Note that sdm aws cli ssm start-session is not currently supported when using the AWS CLI via StrongDM due to an AWS technical limitation. If you wish to use ssm sessions, you can set up the AWS Console resource type and use the web interface to initiate a session with ssm.
- The AWS driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials (for example, credentials that can create access keys, attach policies, or assume more privileged roles).
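The privilege-escalation limitation above is the resource creator's problem to solve before the credentials reach a node. As an added example (not StrongDM's code or any AWS tooling), the Python below scans an IAM policy document for Allow statements that would let the node's identity mint or broaden credentials, which is the review a practitioner does before attaching that policy to the instance profile or access key. The action list is an assumed starting set of well-known IAM/STS escalation paths, not an exhaustive catalogue, and the two sample policies are constructed for the example.

```python
"""Flag IAM actions that let a StrongDM node's credentials create more credentials.

Added example, not StrongDM code. ESCALATION_ACTIONS is an assumed starting
list of IAM/STS actions that create or broaden credentials; extend it for
your own account.
"""
import fnmatch
import json

ESCALATION_ACTIONS = (
    "iam:CreateAccessKey",
    "iam:CreateUser",
    "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy",
    "iam:AttachRolePolicy",
    "iam:AttachGroupPolicy",
    "iam:PutUserPolicy",
    "iam:PutRolePolicy",
    "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:UpdateAssumeRolePolicy",
    "iam:PassRole",
    "sts:AssumeRole",
    "sts:GetFederationToken",
)


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def escalation_findings(policy):
    """Return sorted (Sid, action) pairs for escalation actions the policy allows.

    An explicit Deny on Resource "*" cancels an Allow for the same action.
    Allow statements using NotAction grant everything not listed, so every
    escalation action they do not exclude is reported.
    """
    allowed = {}   # action -> Sid of the first statement granting it
    denied = set()
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        if effect == "Allow" and "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            for action in ESCALATION_ACTIONS:
                if not any(_matches(p, action) for p in excluded):
                    allowed.setdefault(action, sid)
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ESCALATION_ACTIONS:
                if not _matches(pattern, action):
                    continue
                if effect == "Allow":
                    allowed.setdefault(action, sid)
                elif effect == "Deny" and "*" in _as_list(stmt.get("Resource")):
                    denied.add(action)
    return sorted((sid, a) for a, sid in allowed.items() if a not in denied)


def escalation_findings_from_text(policy_json):
    """Same check, starting from the JSON text you would paste into IAM."""
    return escalation_findings(json.loads(policy_json))


# Constructed sample policies for the example.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Describe", "Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:ListBucket"], "Resource": "*"},
    ],
}
ESCALATES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ops", "Effect": "Allow",
         "Action": ["ec2:*", "iam:CreateAccessKey", "sts:*"], "Resource": "*"},
        {"Sid": "NoAssume", "Effect": "Deny",
         "Action": "sts:AssumeRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("READ_ONLY", READ_ONLY), ("ESCALATES", ESCALATES)):
        print(name, "->", escalation_findings(policy) or "no escalation paths")
```

Run it against the policy attached to the node's instance profile or access key before you create the resource; an empty result for the credentials is the property the Limitations note asks you to guarantee, and the same check applies to the policy on any role you configure StrongDM to assume.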
AWS Cloud Properties
The AWS (Instance Profile) resource type supports environment-loaded credentials, which can be one of the following:
- AWS access keys in standard AWS environment variables on the node(s) (gateways or relays)
- AWS access keys configured as a standard AWS profile on the node(s)
- An EC2 instance profile or ECS profile linked to the host or container running the node(s)
Prerequisites
- In StrongDM, you must have the Admin permission level.
- To manage access to your AWS cloud environment via StrongDM, the node(s) that will serve the resource must have AWS credentials available in one of the environment-loaded forms listed under AWS Cloud Properties: standard AWS environment variables, a standard AWS profile, or an EC2 instance profile or ECS profile attached to the host or container. This resource type does not accept a static Access Key ID and Secret Access Key in the resource itself. The permissions on those credentials (and on any role you configure StrongDM to assume) determine which AWS CLI commands your users can execute through StrongDM, so scope them accordingly before you set up the cloud resource in the StrongDM Admin UI.
- Your nodes must be running at least version 31.10 to support usage of the AWS CLI to administer your AWS cloud.
Configuration
Admin UI setup
If you prefer to set up your AWS resource in StrongDM using the CLI, skip this step and read CLI setup. If you want to set up AWS cloud in the StrongDM Admin UI, go to Resources > Clouds in the Admin UI and click the Add cloud button.
Set the following properties:
| Property | Requirement | Description |
|---|---|---|
| Display Name | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) |
| Cloud Type | Required | Select AWS (Instance Profile) |
| Secret Store | Optional | Credential store location; defaults to Strong Vault; learn more about Secret Store options |
| Enable Environment Variables | Optional | When selected, environment variables on the node are preferred for authentication even if EC2 roles are configured |
| Assume Role ARN | Optional | Amazon Resource Name (ARN) of the role to assume after login (for example, arn:aws:iam::000000000000:role/RoleName) |
| Region | Required | AWS region to connect to (for example, us-west-2) |
| Assume Role External ID | Optional | External ID presented when assuming the role after login (for example, 12345) |
| Resource Tags | Optional | Enter tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev) |
Click Create to save the configuration settings.
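When Assume Role ARN and Assume Role External ID are set, the role being assumed must trust the node's identity and must require that External ID in its trust policy; without the condition the role is assumable by anyone the Principal element admits, with or without the ID. As an added example (not StrongDM or AWS code), the Python below builds such a trust policy and checks an existing one for the gaps a reviewer looks for. The node principal ARN and the external ID are constructed placeholders; in practice the principal is the role or account whose environment-loaded credentials the gateway or relay holds, and the external ID is the same value you enter in the resource.

```python
"""Build and review the trust policy on a role a StrongDM node assumes with an External ID.

Added example, not StrongDM or AWS code. NODE_PRINCIPAL and EXTERNAL_ID are
constructed placeholders.
"""
import json

NODE_PRINCIPAL = "arn:aws:iam::111111111111:role/strongdm-gateway"  # assumed placeholder
EXTERNAL_ID = "sdm-prod-7f3a"  # assumed placeholder; must equal the resource's External ID


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy(principal_arn, external_id):
    """Trust policy letting only principal_arn assume the role, and only with external_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowStrongDMNodeWithExternalId",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_gaps(policy, external_id):
    """List problems in every Allow statement that grants sts:AssumeRole."""
    problems = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # A wildcard principal means any AWS account can attempt the assume call.
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            problems.append(f"{sid}: Principal is '*' (any AWS account may try to assume this role)")
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if expected is None:
            problems.append(f"{sid}: no StringEquals sts:ExternalId condition")
        elif external_id not in _as_list(expected):
            problems.append(f"{sid}: sts:ExternalId does not match the configured value")
    return problems


if __name__ == "__main__":
    policy = trust_policy(NODE_PRINCIPAL, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("gaps:", assume_role_gaps(policy, EXTERNAL_ID) or "none")
```

Apply the generated document as the role's trust policy, pass the same external ID to the resource (Assume Role External ID in the Admin UI, or --role-external-id in the CLI), and run assume_role_gaps over any role a user later proposes for a new resource. The check reads sts:AssumeRole grants only; a trust policy that allows sts:AssumeRoleWithWebIdentity or other federation actions needs its own review.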
Secret Store options
By default, resource credentials are stored in the Strong Vault. However, these credentials also can be saved in a third-party secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are created under Network > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.
CLI setup
If you prefer to set up your resource using the CLI instead of the Admin UI, open your terminal. While logged in to StrongDM, use the following command:
sdm admin clouds add awsinstanceprofile
You can view all help text and options by appending --help or -h to the same command:
NAME:
sdm admin clouds add awsinstanceprofile - create AWS (Instance Profile) cloud
USAGE:
sdm admin clouds add awsinstanceprofile [command options] <name>
OPTIONS:
--bind-interface value bind interface (default: "127.0.0.1")
--egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
--enable-environment-variables Prefer environment variables to authenticate connection even if EC2 roles are configured.
--port-override value port profile override (default: -1)
--proxy-cluster-id value proxy cluster id
--region value The AWS region to connect to. (required)
--role-arn value The role to assume after logging in. (secret)
--role-external-id value (secret)
--secret-store-id value secret store id
--subdomain value This will be used as your local DNS address. (e.g. app-prod1 would turn into app-prod1.<your-org-name>.sdm.network)
--tags value tags e.g. 'key=value,...'
--template, -t display a JSON template
--timeout value set time limit for command
Logs
For logs of access to an AWS cloud resource, in the Cloud logs section of the Admin UI (Logs > Cloud), you can find all of the activities of users connected through StrongDM. StrongDM attempts to drop the Authorization header from logs before display in the Admin UI, and any secrets that do appear in the cloud logs are placeholder values. No actual keys or secrets are ever exposed in plaintext in the Admin UI.
For AWS Web Console resources, access is logged, but further activities on the Web Console are not logged by StrongDM. Consult your AWS logs for further information on user activity.
CLI Usage
When the resource is created and configured, you are ready for users to connect to the resource. In order for your organization’s users to access the AWS cloud resource via StrongDM, users need to install the following:
- The StrongDM Desktop application
- The latest version of the StrongDM CLI. If the CLI is already installed, run sdm update in the CLI to update it. Alternatively, if any updates are available, open the GUI and click the Upgrade button.
- The AWS CLI. Both v1 and v2 are supported, but v2 is encouraged.
After installation, users must set up or update the AWS CLI configuration file to include a region, as explained in the AWS documentation. Once that is done, exit and restart the StrongDM desktop app, and then select the AWS cloud resource to connect to.
Click to connect to the resource in the desktop app, or run sdm connect <RESOURCE> in the CLI. Once connected, users can run aws through StrongDM at their terminal, with the base syntax of sdm aws instead of the usual aws.
You can use sdm aws --help to view example usage and command options:
NAME:
sdm aws - aws commands
USAGE:
sdm aws command [command options] [arguments...]
COMMANDS:
cli Execute an AWS CLI Command.
env Print environment variables required to access an AWS resource.
run Execute an external command with environment variables configured for AWS.
terraform Execute terraform commands with a SDM AWS proxy.
OPTIONS:
--name value The name of the AWS resource to access. By default if there is only one connected AWS resource, that resource is used. [$SDM_AWS_NAME]
--help, -h show help
aws cli
The aws cli command is followed by the AWS CLI command that you wish to run against your connected AWS resource (for example, sdm aws cli sts get-caller-identity shows which AWS identity, including any assumed role, your commands are running as). For more information about AWS CLI commands, see the AWS CLI documentation.
aws env
The aws env command outputs the environment variables that are required in order to access an AWS resource. The output is in the same KEY=VALUE format as the standard env command, but contains only the environment variables relevant to connecting to AWS.
aws run
The aws run command is followed by a command that you wish to run against the connected resource, which is executed with the necessary environment variables set. An example of a use for aws run would be a pre-existing script for managing AWS resources that uses aws commands. Shell scripts using the non-StrongDM aws CLI can be run with sdm aws run (for example, sdm aws run shell-script-using-aws-cli.sh), which has the same effect as changing the shell script to use sdm aws cli in place of aws.
--name
If your organization has multiple AWS cloud resources, and you are connected to more than one at once, you may specify a --name value in commands in order to specify which resource the command should execute on. For example, sdm aws --name <RESOURCE_NAME> cli. The flag must come before the cli portion of the command in order to preserve the ability to use the command as normal with a single AWS cloud resource connected.
Error Cases
If you attempt to use a cloud resource when you are not connected to it, the StrongDM CLI warns you. In some contexts this warning can be bypassed (for example, by setting AWS credential environment variables in your terminal). In those cases you may encounter SSL errors, or commands may appear to run but do nothing, because they are not reaching the resource through StrongDM.