AWS Role Based

Connect your AWS infrastructure to Ciphrix using IAM roles with OIDC federation for secure, credential-free access.

Capabilities

The AWS Role Based integration provides the following capabilities:

✅ Compliance Checks

Automatically verify security configurations and compliance controls across your AWS infrastructure including:

🔄 Import Asset (Coming Soon)

Automatically import and track AWS resources as assets in your Ciphrix inventory.

How to Connect AWS Role Based

Prerequisites

Before connecting AWS, ensure you have:

  • AWS account with administrative access
  • Permissions to create IAM roles and OIDC providers
  • Access to AWS Management Console
  • Access to deploy CloudFormation templates

Connection Instructions

Step 1: Create Connection in Ciphrix

You have two options to initiate the AWS Role Based connection in Ciphrix:

Option A: From Integration Library
  1. Navigate to Integration Library

    • Log in to ciphrix.app
    • Go to Integrations in the sidebar
    • Go to the Integration Library tab
    • Click on the Cloud Infrastructure category
  2. Connect AWS Role Based

    • Click the Connect button on the AWS Role Based integration tile
  3. Copy Connection ID

    • A form will appear with a Connection ID
    • Copy this Connection ID - you will need it in the next step
    • Keep this form open; you will return to it later

Option B: From Create Connection
  1. Navigate to Create Connection

    • Log in to ciphrix.app
    • Go to Integrations in the sidebar
    • Click Create Connection
  2. Select AWS Role Based

    • From the connection provider dropdown, select Amazon Web Services - Role Based
  3. Copy Connection ID

    • A form will appear with a Connection ID
    • Copy this Connection ID - you will need it in the next step
    • Keep this form open; you will return to it later

Step 2: Deploy CloudFormation Template in AWS

  1. Download CloudFormation Template

    • Download the Ciphrix OIDC CloudFormation template: Download Template
    • Save this file to your computer
    • Or use the direct deployment link provided in the Ciphrix form
  2. Log in to AWS Console

  3. Navigate to CloudFormation

    • In the AWS Console, search for "CloudFormation" in the search bar
    • Click on CloudFormation
  4. Create Stack

    • Click Create stack > With new resources (standard)
    • Select Upload a template file
    • Click Choose file and select the downloaded CloudFormation template
    • Click Next
  5. Specify Stack Details

    • Stack name: Enter a name (e.g., ciphrix-role-based-integration)
    • Parameters:
      • IssuerDomain: Enter issuer.ciphrix.app (replace the placeholder)
      • ConnectionId: Paste the Connection ID you copied from Ciphrix in Step 1 (replace the placeholder)
    • Click Next
  6. Configure Stack Options

    • Add tags if needed (optional)
    • Leave other settings as default
    • Click Next
  7. Review and Create

    • Review all the configuration
    • Check the box: I acknowledge that AWS CloudFormation might create IAM resources
    • Click Submit or Create stack
  8. Wait for Stack Creation

    • The stack creation will take 2-5 minutes
    • Wait for the status to change to CREATE_COMPLETE
    • Do not close this page

Step 3: Copy IAM Role ARN

  1. View Stack Outputs

    • Once the stack shows CREATE_COMPLETE, click on the Outputs tab
    • You will see an output named RoleArn
  2. Copy the Role ARN

    • Copy the full ARN value (e.g., arn:aws:iam::123456789012:role/Ciphrix-Platform-{ConnectionId}-Role)
    • This ARN will be used in the next step

Step 4: Complete Connection in Ciphrix

  1. Return to Ciphrix Form

    • Go back to the Ciphrix connection form you left open in Step 1
  2. Fill Integration Form

    • Connection Name: Enter a name for this connection (e.g., "Production AWS Account")
    • Connection Identifier: Enter the 12-digit AWS account number (e.g., 123456789123)
    • Role ARN: Paste the IAM Role ARN you copied from CloudFormation in Step 3
    • Region: Select the AWS regions you want to monitor
    • Select Items: Select the AWS capabilities in Ciphrix you want to enable. Compliance checks are enabled by default
  3. Create Connection

    • Click Create Connection
    • Wait for the connection to be validated

Step 5: Verify Connection

  1. Check Connection Status

    • After creating the connection, you'll see the integration status
    • Status should show Connected or Active
  2. Initial Scan

    • Ciphrix will automatically begin scanning your AWS infrastructure
    • Ciphrix scans your environment once a week
    • You can contact support@ciphrix.com to find out your next scan date
    • Compliance checks will run automatically
  3. View Results

    • Navigate to Monitoring
    • View compliance check results and findings

IAM Policies Applied

Ciphrix applies the following policies to the IAM role for compliance monitoring. You can add further Deny statements for specific services based on your own requirements:

Managed Policy

  • ReadOnlyAccess - AWS managed policy providing read-only access to AWS services

Custom Deny Policy

To ensure data security, Ciphrix also applies a custom policy that explicitly denies access to sensitive data plane operations:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyS3GetAndList",
      "Effect": "Deny",
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "*"
    },
    {
      "Sid": "DenyDynamoDBRead",
      "Effect": "Deny",
      "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"],
      "Resource": "*"
    },
    {
      "Sid": "DenySecretsManagerView",
      "Effect": "Deny",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "*"
    },
    {
      "Sid": "DenyKMSDecrypt",
      "Effect": "Deny",
      "Action": ["kms:Decrypt"],
      "Resource": "*"
    },
    {
      "Sid": "DenyLogsRead",
      "Effect": "Deny",
      "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
      "Resource": "*"
    }
  ]
}

This policy ensures that Ciphrix:

  • ✅ Can read resource configurations and metadata for compliance checks
  • ❌ Cannot access actual data stored in S3 buckets
  • ❌ Cannot read data from DynamoDB tables
  • ❌ Cannot view secrets from Secrets Manager
  • ❌ Cannot decrypt KMS-encrypted data
  • ❌ Cannot read CloudWatch log contents

Troubleshooting

Connection Failed

Issue: Integration connected but showing permission errors

  • Verify the Role ARN is correct and properly formatted
  • Ensure there are no extra spaces when copying the Role ARN
  • Check that the CloudFormation stack deployed successfully
  • Verify the OIDC provider was created correctly
  • Ensure the Connection ID matches exactly
  • Verify the IssuerDomain is set to issuer.ciphrix.app
  • Ensure no Service Control Policies (SCPs) are restricting access

No Data Appearing

Issue: Integration connected but no compliance data showing for more than 7 days

CloudFormation Stack Failed

Issue: CloudFormation stack creation failed

  • Check the CloudFormation Events tab for error messages
  • Verify you have permissions to create IAM roles and OIDC providers
  • Ensure the Connection ID is correct
  • Try deleting the failed stack and redeploying

Role Assume Failed

Issue: Ciphrix cannot assume the IAM role

  • Verify the trust relationship in the IAM role includes the correct OIDC provider
  • Check that the Connection ID in the role's trust policy matches your Ciphrix Connection ID
  • Ensure the role has not been manually modified after creation
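As an added check for the "Role Assume Failed" items above (example code, not part of the Ciphrix documentation or its CloudFormation template): a small Python function that inspects a role's trust policy for the OIDC provider of the issuer domain, an issuer-keyed condition, and the pinned Connection ID. The sample trust policy, the use of the `aud` claim key, and the Connection ID format are constructed assumptions.

```python
import json

# Constructed example values: the claim key the real Ciphrix template conditions on (aud vs sub)
# and the Connection ID format are assumptions; use the values from your own Ciphrix form.
ISSUER_DOMAIN = "issuer.ciphrix.app"
CONNECTION_ID = "PLACEHOLDER-CONNECTION-ID"

# Constructed trust policy shaped like the one the CloudFormation stack is expected to create.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER_DOMAIN}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{ISSUER_DOMAIN}:aud": CONNECTION_ID}},
    }],
})

def _as_list(value):
    """IAM lets most policy fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, issuer_domain, connection_id):
    """Return the problems found in a role trust policy (empty list = looks right).

    Mirrors the 'Role Assume Failed' checklist: federated principal is the OIDC provider for
    the issuer domain, action is sts:AssumeRoleWithWebIdentity, Connection ID is pinned in a
    condition keyed on that issuer.
    """
    problems, found = [], False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or \
                "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        found = True
        principal = st.get("Principal") if isinstance(st.get("Principal"), dict) else {}
        principals = _as_list(principal.get("Federated", []))
        if not any(p.endswith(f":oidc-provider/{issuer_domain}") for p in principals):
            problems.append(f"federated principal is not the OIDC provider for {issuer_domain}")
        # Flatten every condition into (key, value) pairs regardless of operator.
        pairs = [(k, v) for op in st.get("Condition", {}).values()
                 for k, vals in op.items() for v in _as_list(vals)]
        if not any(k.startswith(f"{issuer_domain}:") for k, _ in pairs):
            problems.append(f"no condition keyed on {issuer_domain}")
        if connection_id not in [v for _, v in pairs]:
            problems.append(f"connection id {connection_id} not pinned in trust conditions")
    if not found:
        problems.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return problems
```

With boto3, `json.dumps(iam.get_role(RoleName=name)["Role"]["AssumeRolePolicyDocument"])` feeds the live trust policy of the deployed role into the checker.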

Support

Need help with AWS Role Based integration?