
AWS Cloud is a public-cloud service for running and hosting your workloads.

On this page you’ll find the Aembit configuration required to use AWS Cloud services as a Server Workload through the AWS Cloud APIs.

  1. Create a new Server Workload.

    • Name - Choose a user-friendly name.
  2. Configure the Service endpoint:

    • Host - *.amazonaws.com
    • Application Protocol - HTTP
    • Port - 443 with TLS
    • Forward to Port - 443 with TLS
    • Authentication method - HTTP Authentication
    • Authentication scheme - AWS Signature v4
  1. Create a Credential Provider with the following configuration.

    • Name - Choose a user-friendly name.
    • Credential Type - AWS Security Token Service Federation
    • OIDC Issuer URL - Copy this value for use in step #3.
    • AWS IAM Role Arn - Provide the ARN of the IAM role you assign to the identity provider in step #5. You return to this field to enter it before saving in step #6.
    • Aembit Idp Token Audience - Copy this value for use in step #3.
    • Lifetime - The default value is 900 seconds (15 minutes, which is the AWS minimum). You can configure this value up to the AWS maximum of 43,200 seconds (12 hours). The IAM role's own Maximum session duration (1 hour by default) also caps this value: STS rejects a request for a lifetime longer than the role allows, so raise the role's maximum before raising this setting.
  2. Within the AWS Console, go to IAM > Identity providers and select Add provider.

  3. On the Configure provider screen, complete the steps and fill out the values specified:

    • Provider type - Select OpenID Connect.
    • Provider URL - Paste in the OIDC Issuer URL from the Credential Provider fields.
    • Click Get thumbprint to configure the AWS Identity Provider trust relationship.
    • Audience - Paste in the Aembit IdP Token Audience from the Credential Provider fields.
    • Click Add provider.
  4. Within the AWS Console, go to IAM > Identity providers and select the Identity Provider you just created.

  5. Click Assign role and choose Use an existing role. Make sure the role's trust policy allows sts:AssumeRoleWithWebIdentity for the identity provider you just created and pins the aud condition to the Aembit IdP Token Audience, so that only tokens issued for this federation can assume the role.

  6. Return to the Aembit Credential Provider, enter the role's ARN in the AWS IAM Role Arn field, and click Save to save your changes.
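The IAM side of the procedure above (provider ARN, the existing role's trust policy, and the Lifetime limits) as an added example; this is not code from the page or from Aembit. The issuer URL, audience value and role name are constructed placeholders, the account ID is the AWS documentation example account, and the real values come from the Credential Provider fields and your own account. Standard library only.

```python
import json
from urllib.parse import urlparse

# Constructed placeholder values for this example; copy the real Issuer URL and
# Audience from the Credential Provider fields and use your own AWS account ID.
ISSUER_URL = "https://example-tenant.id.aembit.io"   # hypothetical issuer URL
AUDIENCE = "aembit-aws-federation"                     # hypothetical audience value
ACCOUNT_ID = "123456789012"                            # AWS documentation example account

STS_MIN_SECONDS = 900     # STS minimum DurationSeconds (15 minutes)
STS_MAX_SECONDS = 43200   # STS maximum DurationSeconds (12 hours)


def provider_name(issuer_url: str) -> str:
    """IAM names an OIDC provider by its issuer URL with the scheme stripped."""
    u = urlparse(issuer_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("OIDC issuer URL must be an https URL")
    return u.netloc + u.path.rstrip("/")


def provider_arn(issuer_url: str, account_id: str) -> str:
    """ARN IAM assigns to the provider created in the 'Add provider' step."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{provider_name(issuer_url)}"


def trust_policy(issuer_url: str, account_id: str, audience: str) -> dict:
    """Trust policy the existing role needs for 'Assign role' to be meaningful:
    the Aembit provider is the federated principal and the aud claim is pinned."""
    name = provider_name(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(issuer_url, account_id)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{name}:aud": audience}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def trusts_aembit(policy: dict, issuer_url: str, account_id: str, audience: str) -> bool:
    """Check an existing role's trust policy: some Allow statement must name the
    provider ARN as a Federated principal, permit AssumeRoleWithWebIdentity and
    restrict the aud claim to the Aembit audience."""
    name = provider_name(issuer_url)
    arn = provider_arn(issuer_url, account_id)
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if "sts:AssumeRoleWithWebIdentity" not in actions and "sts:*" not in actions:
            continue
        principal = st.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if arn not in _as_list(federated):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if audience in _as_list(cond.get(f"{name}:aud")):
            return True
    return False


def lifetime_is_valid(requested_seconds: int, role_max_session_seconds: int) -> bool:
    """STS rejects a DurationSeconds outside 900..43200 and also one above the
    role's MaxSessionDuration, so the Lifetime setting must satisfy both."""
    return STS_MIN_SECONDS <= requested_seconds <= min(STS_MAX_SECONDS, role_max_session_seconds)


if __name__ == "__main__":
    policy = trust_policy(ISSUER_URL, ACCOUNT_ID, AUDIENCE)
    print(json.dumps(policy, indent=2))
    print("trusts Aembit:", trusts_aembit(policy, ISSUER_URL, ACCOUNT_ID, AUDIENCE))
    print("3600 s lifetime with a 1 h role max:", lifetime_is_valid(3600, 3600))
```

Paste the printed policy into the role's trust relationship (or compare the role's current trust policy with trusts_aembit) before clicking Save on the Credential Provider; a role that trusts the provider without an aud condition would accept any token the provider issues, not only those minted for this federation.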

Aembit now handles the credentials required to access the Server Workload, eliminating the need for you to manage them directly. You can now remove any previously used credentials from the Client Workload.

If you access the Server Workload through an SDK or library, the SDK/library may still require credentials to be present for initialization. In this scenario, provide placeholder credentials; the placeholders must not be real AWS keys. Aembit replaces these placeholder credentials with the correct ones during the access request, so the request that reaches AWS is signed with the federated credentials rather than the placeholders.
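What the AWS Signature v4 scheme selected for the Service endpoint above does with those placeholder credentials, as an added example that is not code from the page, from Aembit or from the AWS SDKs: a minimal SigV4 signer over the standard library shows that the client signs locally, that the access key ID travels in clear in the Authorization header while the secret only influences the Signature, and that temporary STS credentials add a signed x-amz-security-token header. The placeholder key ID and secret, the request, and the timestamp are all constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials: anything syntactically plausible works,
# because Aembit replaces them before the request reaches AWS. Never use real keys.
PLACEHOLDER_KEY_ID = "AKIAPLACEHOLDER000"
PLACEHOLDER_SECRET = "placeholder-secret-never-valid"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the SigV4 canonical request. Returns (canonical_request, signed_headers)."""
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}  # trim, collapse spaces
    signed = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    cr = "\n".join([method, quote(path, safe="/~"), cq, canon_headers, signed, _sha256_hex(payload)])
    return cr, signed


def sign_request(method, host, path, query, headers, payload,
                 access_key_id, secret_key, region, service, amz_date, session_token=None):
    """Return the headers a SigV4 client sends. With STS temporary credentials the
    session token is carried in x-amz-security-token and covered by the signature."""
    headers = {k.lower(): v for k, v in headers.items()}
    headers["host"] = host
    headers["x-amz-date"] = amz_date
    if session_token:
        headers["x-amz-security-token"] = session_token
    cr, signed = canonical_request(method, path, query, headers, payload)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(cr.encode())])
    # Derive the signing key from the secret; the secret itself never leaves the client.
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def access_key_in_request(headers) -> str:
    """The access key ID is visible in the Authorization header of every signed request.
    That header, its Signature and (for temporary credentials) x-amz-security-token
    are what a re-signing proxy has to replace."""
    credential = headers["authorization"].split("Credential=")[1].split(",")[0]
    return credential.split("/")[0]


def placeholder_signed_example():
    """A request an SDK initialised with the placeholder credentials would emit (constructed)."""
    return sign_request("GET", "sts.amazonaws.com", "/",
                        {"Action": "GetCallerIdentity", "Version": "2011-06-15"},
                        {}, b"", PLACEHOLDER_KEY_ID, PLACEHOLDER_SECRET,
                        "us-east-1", "sts", "20240101T000000Z")


if __name__ == "__main__":
    for name, value in placeholder_signed_example().items():
        print(f"{name}: {value}")
```

Run it and the Authorization line shows the placeholder key ID in the Credential scope; AWS would reject that request with an invalid-credential error, which is why the swap must happen on the path to the Server Workload. The canonicalisation follows the published SigV4 rules (lower-cased sorted headers, trimmed values, URI-encoded query, SHA-256 of the payload); check it against the test vectors in the AWS signing documentation before relying on it for anything beyond illustration.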

  • Create an Access Policy for a Client Workload to access the AWS Cloud Server Workload. Assign the newly created Credential Provider to this Access Policy.
  • Configure the TLS Decrypt feature to work with the AWS Cloud Server Workload.