How to get read-only visibility into the AWS Control Tower console
September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.
When you audit an environment governed by AWS Control Tower, having visibility into the AWS Control Tower console allows you to collect important configuration information, but currently there isn’t a read-only role installed by AWS Control Tower. In this post, I will show you how to create a custom permission set by using both a managed AWS policy and a custom permissions policy. This custom permission set will allow you to get the visibility you need, while still enforcing the principle of least privilege. You will have access to the read-only information you need, without asking your administrator to provide the attestation.
AWS Control Tower sets up AWS IAM Identity Center with a native default directory. AWS Control Tower comes with a set of preconfigured permission sets available out-of-the-box. A permission set is a collection of administrator-defined policies that AWS IAM Identity Center uses to determine a user’s effective permissions to access a specific AWS account. Permission sets can contain an AWS inline policy and you can also attach AWS managed policies. When you assign a permission set to a user or group in an account, AWS IAM Identity Center creates an IAM role in the AWS account, configures the inline and AWS managed policies, and creates the trust policies that allow the assigned users to assume the role through AWS IAM Identity Center.
To learn more about inline and AWS managed policies, see Managed Policies and Inline Policies and the IAM User Guide on AWS managed policies for job functions.
To create a custom permission set for AWS Control Tower
- Log into your AWS Control Tower environment as an administrator.
- Choose the AWS IAM Identity Center service, then choose AWS accounts.
- On the AWS Accounts pane, choose the Permission sets tab, then choose Create permission set, as shown in the following figure.
- Select Create a custom permission set and enter a name in the Name field (in this example, I named mine Audit-enhanced), then enter text in the Description field, as shown in figure 2.
- Choose a value for Session duration (in this example I set the duration to 1 hour). Optionally, you can set a relay state (in this example, I left it blank), and select both Attach AWS managed policies and Create a custom permissions policy, as shown in the following figure.
- In the Attach AWS Managed policies dashboard, in the search bar, enter audit and select the SecurityAudit managed policy, as shown in figure 4.
- Copy the following JSON policy to your clipboard.
This policy grants the following read-level permissions: Get, List, Describe API actions. This is the additional set of permissions necessary to enhance the SecurityAudit role, so that you can gain visibility into the AWS Control Tower console.
- Scroll down to the Create a custom permissions policy dashboard, paste the policy you previously copied into the field, as shown in figure 5, then choose Create.
Now, when you go to the Permission sets tab, you should see your newly created custom permission set.
To assign the newly created permission set access to your AWS Control Tower master account
- On the AWS organization tab, select the box for your AWS Control Tower master account (in this example, the account newControlTower), then choose Assign users, as shown in figure 6.
- On the Users tab, select your user (in this example, CT Tester) as shown in figure 7, and choose Next: Permission sets.
- Select the box next to the custom permission set you created earlier (in this example, Audit-enhanced), and choose Finish, as shown in figure 8.
You should see a Complete page, and the newControlTower account will show Status as Complete, as shown in figure 9.
You now have a permission set that enhances your SecurityAuditor role and gives you read-only visibility into your AWS Control Tower environment.
In this post, we’ve detailed how to enhance an “audit-like” role to incorporate additional permissions by using a custom permission set in AWS IAM Identity Center, while enforcing the principle of least privilege to gain read-only capabilities into the AWS Control Tower console.
For more information on the technologies mentioned in this post, see the following links:
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.