README
¶
baton-aws 
baton-aws is a connector for AWS built using the Baton SDK. It communicates with the AWS API to sync data about which groups and users have access to accounts, groups, and roles within an AWS org.
Check out Baton to learn more the project in general.
Getting Started
brew
brew install conductorone/baton/baton conductorone/baton/baton-aws
baton-aws
baton resources
docker
docker run --rm -v $(pwd):/out -e BATON_GLOBAL_SECRET_ACCESS_KEY=awsSecretAccessKey -e BATON_GLOBAL_ACCESS_KEY_ID=awsAccessKey ghcr.io/conductorone/baton-aws:latest -f "/out/sync.c1z"
docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources
source
go install github.com/conductorone/baton/cmd/baton@main
go install github.com/conductorone/baton-aws/cmd/baton-aws@main
BATON_GLOBAL_SECRET_ACCESS_KEY=awsSecretAccessKey BATON_GLOBAL_ACCESS_KEY_ID=awsAccessKey
baton resources
Data Model
baton-aws will pull down information about the following AWS resources:
- Accounts
- Groups
- Users
- Roles
Set the --global-aws-sso-enabled and --global-aws-orgs-enabled flags to pull information about the following AWS IAM Identity Center resources:
- SSO Groups
- SSO Users
By default, baton-aws uses the AWS credentials from your AWS config. You can explicitly define the region, access key, and secret key by setting the following flags: --global-secret-access-key, --global-access-key-id, --global-region.
Contributing, Support and Issues
We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions, and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a Github Issue!
See CONTRIBUTING.md for more details.
baton-aws Command Line Usage
baton-aws
Usage:
baton-aws [flags]
baton-aws [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
Flags:
--external-id string The external id for the aws account. ($BATON_EXTERNAL_ID)
-f, --file string The path to the c1z file to sync with ($C1_FILE) (default "sync.c1z")
--global-secret-access-key string The global-secret-access-key for the aws account. ($BATON_GLOBAL_SECRET_ACCESS_KEY)
--global-access-key-id string The global-access-key-id for the aws account. ($BATON_GLOBAL_ACCESS_KEY_ID)
--global-region string The region for the aws account. ($BATON_GLOBAL_REGION)
--use-assume-role bool Enable support for assume role. ($BATON_GLOBAL_USE_ASSUME_ROLE)
--external-id string The external id for the aws account. ($BATON_EXTERNAL_ID)
--role-arn string The role arn for the aws account. ($BATON_ROLE_ARN)
--global-binding-external-id string The global external id for the aws account. ($BATON_GLOBAL_BINDING_EXTERNAL_ID)
--global-role-arn string The role arn for the binding aws account. ($BATON_GLOBAL_ROLE_ARN)
--global-aws-sso-region string The region for the sso identities. ($BATON_GLOBAL_AWS_SSO_REGION)
--global-aws-sso-enabled bool Enable support for AWS IAM Identity Center. ($BATON_GLOBAL_AWS_SSO_ENABLED)
--global-aws-orgs-enabled bool Enable support for AWS Organizations. ($BATON_GLOBAL_AWS_ORGS_ENABLED)
-h, --help help for baton-aws
--log-format string The output format for logs: json, console ($C1_LOG_FORMAT) (default "json")
--log-level string The log level: debug, info, warn, error ($C1_LOG_LEVEL) (default "info")
--role-arn string The role arn for the aws account. ($BATON_ROLE_ARN)
-v, --version version for baton-aws
Use "baton-aws [command] --help" for more information about a command.
Configuring Permissions for AWS IAM Roles
If you'd like to run baton-aws you may use these policies for your IAM roles. The first is for syncing all objects, the second for syncing and provisioning all objects.
These policies have comments prefixed with // that need to be removed before use.
Syncing all supported objects
{
"Statement": [
{
"Action": [
"iam:ListUsers",
"iam:ListGroups",
"iam:ListRoles",
"iam:GetGroup"
],
"Effect": "Allow",
"Resource": "*",
// The minimum permissions required for the connector to sync. This will get IAM Users, Groups, and Roles
"Sid": "MinimumRequiredPermissionsSyncIAMUsersGroupsRoles"
},
{
"Action": [
"iam:ListAccountAliases"
],
"Effect": "Allow",
"Resource": "*",
// Use account aliases instead of the account names when possible
"Sid": "UseMoreDescriptiveAccountAliases"
},
{
"Action": [
"identitystore:ListUsers",
"identitystore:ListGroups",
"identitystore:ListGroupMemberships",
"organizations:ListAccounts",
"sso:DescribePermissionSet",
"sso:ListAccountAssignments",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:ListPermissionSetsProvisionedToAccount"
],
"Effect": "Allow",
"Resource": "*",
// Sync identity center users, groups, and permision sets, as well as the organization accounts
"Sid": "SSOUserGroupAccountAndPermissionSetSyncing"
}
],
"Version": "2012-10-17"
}
Syncing and Provisioning all supported objects
{
"Statement": [
{
"Action": [
"iam:ListUsers",
"iam:ListGroups",
"iam:ListRoles",
"iam:GetGroup"
],
"Effect": "Allow",
"Resource": "*",
// The minimum permissions required for the connector to sync. This will get IAM Users, Groups, and Roles
"Sid": "MinimumRequiredPermissionsSyncIAMUsersGroupsRoles"
},
{
"Action": [
"iam:ListAccountAliases"
],
"Effect": "Allow",
"Resource": "*",
// Use account aliases instead of the account names when possible
"Sid": "UseMoreDescriptiveAccountAliases"
},
{
"Action": [
"identitystore:ListUsers",
"identitystore:ListGroups",
"identitystore:ListGroupMemberships",
"organizations:ListAccounts",
"sso:DescribePermissionSet",
"sso:ListAccountAssignments",
"sso:ListInstances",
"sso:ListPermissionSets",
"sso:ListPermissionSetsProvisionedToAccount"
],
"Effect": "Allow",
"Resource": "*",
// Sync identity center users, groups, and permision sets, as well as the organization accounts
"Sid": "SSOUserGroupAccountAndPermissionSetSyncing"
},
{
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup"
],
"Effect": "Allow",
"Resource": "*",
// Enable provisioning of IAM users to Groups
"Sid": "IAMUserToGroupProvisioning"
},
{
"Action": [
"identitystore:CreateGroupMembership",
"identitystore:DeleteGroupMembership"
],
"Effect": "Allow",
"Resource": "*",
// Enable provisioning of Identity Store users to Groups
"Sid": "SSOUserToGroupProvisioning"
},
{
"Action": [
"sso:CreateAccountAssignment",
"sso:DeleteAccountAssignment",
"sso:DescribeAccountAssignmentCreationStatus",
"sso:DescribeAccountAssignmentDeletionStatus"
],
"Effect": "Allow",
"Resource": "*",
// Enable provisioning of SSO Users directly to permission sets in accounts
"Sid": "SSOUserToAccountPermissionSetProvisioning"
}
],
"Version": "2012-10-17"
}
Important Policy Footnote
In some occasions, the configuration of the policies or accounts may require additional permissions. These are not called directly by baton-aws, but are used by AWS to ensure some further safety, for example in situations where you are changing the root org. If you've used the above policy and are still experiencing issues provisioning, try integrating the below into your policy.
{
"Sid": "IAMListPoliciesPermissions",
"Effect": "Allow",
"Action": [
"iam:ListPolicies"
],
"Resource": "*"
},
{
"Sid": "AccessToSSOProvisionedRoles",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:PutRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetSAMLProvider"
],
"Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
}
Directories