AWS IAM

Introduction

This plugin works together with the storage technology plugins connected to AWS IAM. It provisions the IAM groups that represent DSAs and manages the group memberships that represent users' acceptance of those DSAs.

Services available in the plugin

  • Create and associate permissions to groups: Create groups with users, associate access permissions to the bucket and parts of it.

  • Add user to groups: Add users to existing groups.

  • Remove users from groups: Remove users from groups.

  • Remove access: Modify group policies to remove access to a particular resource.

  • Delete groups: Delete previously created groups and delete the policy created for them.

Integration Model

Active governance of access permissions

In general terms, the DSAs (Data Sharing Agreements) managed in Anjana Data are represented as groups in AWS IAM, and the users signing each agreement are managed as members of those groups. In this way, membership in a group materializes effective access to the data resources governed by the DSA.

Anjana Data Platform creates, updates and deletes these groups automatically, including or excluding users based on the adherence and de-adherence processes defined in the platform. This ensures that the permissions assigned in AWS always remain aligned with the governance and validation state of the agreements.

The groups created by Anjana Data Platform follow this naming convention:

<configurable prefix>_<DSA logical name>_v<DSA version number>

Where:

  • <configurable prefix>: prefix defined by the organization to identify the groups managed by Anjana Data Platform. Configured in the plugin's YAML.

  • <DSA logical name>: functional name of the agreement as it appears in Anjana.

  • v<DSA version number>: DSA version number, which allows distinguishing active and historical versions.

The provisioning of these groups and the management of their members is carried out through the AWS SDK interface, which Anjana Data Platform uses to automate the lifecycle of the groups and ensure their consistency with the governance model.

Required Credentials

Active governance of access permissions

For active governance, a service credential with the following IAM permissions is required:

  • AddUserToGroup: Add users to groups.

  • AttachGroupPolicy: Associate access policies with groups.

  • CreateGroup: Create groups.

  • CreatePolicy: Create access policies.

  • CreatePolicyVersion: Create a new version of a policy.

  • DeleteGroup: Delete groups.

  • DeletePolicy: Delete a policy.

  • DeletePolicyVersion: Delete a version of a policy.

  • DeleteGroupPolicy: Delete the inline policies of a group.

  • DetachGroupPolicy: Detach the managed policies of a group.

  • GetGroup: Retrieve groups.

  • GetPolicy: Retrieve policies.

  • GetPolicyVersion: Retrieve a version of a policy.

  • GetUser: List and retrieve users.

  • ListAttachedGroupPolicies: List and retrieve the managed policies of a group.

  • ListGroupPolicies: List and retrieve the policies of a group.

  • ListPolicyVersions: List the versions of a policy.

  • RemoveUserFromGroup: Remove users from groups.

Additionally, the following S3 permissions will be required:

  • ListBucket: Retrieve the list of available buckets.

  • ListAllMyBuckets: Retrieve the list of buckets belonging to the configured credentials.

  • GetObject: Retrieve file information (must be assigned to specific buckets).

  • ListBucket: List objects within a bucket (must be assigned to specific buckets).

  • GetBucketLocation: Retrieve the region of a bucket (must be assigned to specific buckets).

The available services use the following permissions:

  • Create and associate permissions to groups: AddUserToGroup, AttachGroupPolicy, CreateGroup, CreatePolicy, GetGroup and GetUser.

  • Add user to groups: AddUserToGroup, GetGroup and GetUser.

  • Remove users from groups: GetGroup, GetUser and RemoveUserFromGroup.

  • Remove access: CreatePolicyVersion, DeletePolicyVersion, GetGroup, GetPolicyVersion and ListPolicyVersions.

  • Delete groups: DeleteGroup, DeleteGroupPolicy, DeletePolicy, DetachGroupPolicy, GetGroup, ListAttachedGroupPolicies, ListGroupPolicies and RemoveUserFromGroup.
Restrictions

The group prefix (and the DSA name itself) cannot contain spaces; the only permitted characters are alphanumeric characters and _=,.@-. If a prefix is configured and is not valid, the plugin will not start and will log the error.

Given the maximum length of policies, it is not recommended to govern more than 100 datasets in the same DSA.

Due to AWS limitations, a user cannot be adhered to, or be an owner of, more than X DSAs in total (both roles count towards the same limit). The specific number of DSAs depends on the AWS quota: IAM Quotas
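As an added example (not the plugin's own code), the following Python builds the group name from the naming convention described in the Integration Model, validates the prefix and DSA name against the character set permitted in the Restrictions, and generates a read-only S3 policy for a DSA's datasets so its size can be checked against the managed-policy quota that motivates the 100-dataset recommendation. The policy shape, the 6,144-character limit and the sample bucket names are assumptions, not values taken from this page.

```python
import json
import re

# Character set the page allows for the group prefix and DSA logical name (no spaces).
NAME_RE = re.compile(r"^[A-Za-z0-9_=,.@-]+$")
# AWS quota for one managed policy document, whitespace excluded (AWS IAM quota, not from this page).
MANAGED_POLICY_MAX_CHARS = 6144

def is_valid_name(part):
    """True if a prefix or DSA name only uses the characters the plugin accepts."""
    return bool(NAME_RE.match(part))

def group_name(prefix, dsa_name, version):
    """Build <prefix>_<DSA logical name>_v<version>, rejecting invalid components."""
    for part in (prefix, dsa_name):
        if not is_valid_name(part):
            raise ValueError(f"invalid IAM group name component: {part!r}")
    return f"{prefix}_{dsa_name}_v{version}"

def dsa_group_policy(datasets):
    """Read-only policy for a DSA group over (bucket, key prefix) datasets. Uses the S3
    actions named on the page; the exact document the plugin attaches is an assumption."""
    buckets = sorted({bucket for bucket, _ in datasets})
    statements = [{
        "Effect": "Allow",
        "Action": "s3:GetBucketLocation",
        "Resource": [f"arn:aws:s3:::{b}" for b in buckets],
    }]
    for bucket, key_prefix in datasets:
        statements.append({  # listing is limited to the dataset's key prefix
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": f"{key_prefix}/*"}},
        })
        statements.append({  # object reads are limited to the same prefix
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}/*",
        })
    return {"Version": "2012-10-17", "Statement": statements}

def policy_size(policy):
    """Characters AWS counts toward the managed policy quota (whitespace excluded)."""
    return len(re.sub(r"\s", "", json.dumps(policy)))

def fits_quota(policy):
    return policy_size(policy) <= MANAGED_POLICY_MAX_CHARS
```

Running `fits_quota` over a policy built for a growing list of datasets shows why the page caps a single DSA at roughly 100 datasets: each dataset adds two statements, so the document crosses the quota well before IAM would reject the group itself.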