The STS Assume role allows temporary access to AWS resources within your account, or for cross-account access, by returning a set of temporary security credentials, including an access key ID, a secret access key, and a security token.
Instructions in this section contain the following designations:
- Account A refers to the AWS Production account.
- Account B refers to the AWS Development account.
This section assumes the following:
- Open Collector is installed. If you have not already installed it, follow the instructions in the Open Collector Installation and User Guide, and then return to this topic.
- AWS queues are set up.
- The event notification on the Account A bucket is configured so that the actions performed on the bucket are sent to the queue that the s3beat service is listening on.
- The queues and the bucket are in the same region, and the proper permission has been granted to the queue.
- AWS Cross Account Access Using STS Assume Role
- AWS S3-SQS Cross Account Access Configuration.
- An AWS Production account (Account A) whose resources should be accessed by an AWS Development account (Account B) via the STS assume role.
- An ARN of the role created on Account A.
The following port must be open:

| Direction | Port | Protocol | Component |
|---|---|---|---|
| Outbound | 443 | HTTPS | AWS S3 Beat |
Requirements for an STS Assume Role on an existing AWS S3 Beat
- With STS, you do not need to share the long-term credentials of your production/security account.
- The AWS S3 Beat requests temporary credentials using the assume-role ARN; the credentials expire after a configured time interval and are refreshed after that.
- To assume a role from a different account, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate access to users in the account.
AWS S3 STS Assume Role Analysis
The table below lists the parameters required to configure the STS Assume role on the AWS S3 beat.
| Key | User Input Prompt | Default Value | Description |
|---|---|---|---|
| assumeRoleFlag | y/N | N (false) | Assume Role cross-account access enable/disable flag. If the flag is enabled (y), the user must provide the ARN value. If the flag is disabled (N), nothing changes in the existing beat functionality. |
| | Provide the Assume Role ARN. This prompt only appears if the user has enabled assumeRoleFlag (y). | empty string array | The Assume Role ARN for cross-account access created during AWS Console configuration. |
| | | 1 hour | The maximum session duration for the Assume Role access. Range: 15 minutes to 12 hours. This setting should always be less than or equal to the maximum session duration set for the corresponding Assume Role on AWS. |
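The refresh behaviour described under the requirements above and the session-duration caveat in the table, as an added example that is not LogRhythm's s3beat code. The STS call is injected so the example runs offline; `fake_sts`, the placeholder ARN and the session name are constructed for the demo, and with boto3 you would pass `boto3.client("sts").assume_role`, which has the same call and return shape.

```python
"""Added example, not the beat's own code: cached STS AssumeRole credentials that are
re-requested before expiry, with the 15 min..12 h range check and the role-maximum caveat."""
from datetime import datetime, timedelta, timezone

MIN_SESSION, MAX_SESSION, DEFAULT_SESSION = 900, 43200, 3600  # STS limits; beat default 1 h

class AssumeRoleCredentials:
    """Holds temporary credentials and re-assumes the role shortly before they expire."""

    def __init__(self, assume_role, role_arn, session_name,
                 duration_seconds=DEFAULT_SESSION, refresh_margin=300):
        if not MIN_SESSION <= duration_seconds <= MAX_SESSION:
            raise ValueError("DurationSeconds must be between 900 and 43200 seconds")
        self._assume_role, self._role_arn = assume_role, role_arn
        self._session_name, self._duration = session_name, duration_seconds
        self._margin, self._creds, self.refresh_count = timedelta(seconds=refresh_margin), None, 0

    def get(self, now):
        """Return cached credentials, refreshing when within refresh_margin of expiry."""
        if self._creds is None or now >= self._creds["Expiration"] - self._margin:
            resp = self._assume_role(RoleArn=self._role_arn, RoleSessionName=self._session_name,
                                     DurationSeconds=self._duration)
            self._creds = resp["Credentials"]
            self.refresh_count += 1
        return self._creds

def fake_sts(role_max_seconds, clock):
    """Constructed stand-in for STS: like the real service, it rejects a DurationSeconds
    above the role's configured maximum session duration (the caveat in the table)."""
    def assume_role(RoleArn, RoleSessionName, DurationSeconds):
        if DurationSeconds > role_max_seconds:
            raise ValueError("ValidationError: DurationSeconds exceeds the role's maximum")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example",
                                "SessionToken": "example-token",
                                "Expiration": clock() + timedelta(seconds=DurationSeconds)}}
    return assume_role

def demo():
    """Drive the cache through reuse, refresh, and the over-long-session failure."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    arn = "arn:aws:iam::111111111111:role/example"          # placeholder, not a real role
    sts = fake_sts(role_max_seconds=3600, clock=lambda: t0)  # role allows at most 1 h
    creds = AssumeRoleCredentials(sts, arn, "s3beat")        # beat default: 1 h sessions
    creds.get(t0); creds.get(t0 + timedelta(minutes=30))     # still valid: reused
    reused = creds.refresh_count                             # 1
    creds.get(t0 + timedelta(minutes=56))                    # inside 5-minute margin: refreshed
    refreshed = creds.refresh_count                          # 2
    try:
        AssumeRoleCredentials(sts, arn, "s3beat", 7200).get(t0)
        rejected = False
    except ValueError:
        rejected = True                                      # 2 h exceeds the role's 1 h maximum
    return reused, refreshed, rejected
```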
Deploying the STS Assume Role on a running AWS S3 Beat requires a migration. During the migration, the parameters in the table above are added to s3beat.yml with their default values. After the migration, you must restart the AWS S3 Beat to enable the STS Assume Role feature.
If you deploy the STS Assume Role on a non-running AWS S3 Beat, you are prompted to enter the parameters in the table above.