AWS to FNMS connector

Hi All,

We are in the process of implementing the AWS connector for one of our customers, and we have suggested the use of the Roles and Policies provided by Flexera. Now we are facing some questions that suggest there are opportunities to enhance the connector so that clients don't have to put a lot of effort into its implementation. Here are some of the questions raised by their AWS team:

• Collecting information using AWS policies which need to be hardcoded and updated each time a new account gets created.
• There's a hard character limit per policy (6,144 characters), and each role has a limit on the number of policies you can attach to it (10 policies per role).
• It will eventually hit a maximum limit as there will be more accounts in AWS. Therefore it's not scalable and/or sustainable.

Have you experienced similar questions?
How did you go through them?
Is there any kind of config example you can share?

Thanks in advance.

C

(1) Solution
mag00_75
Level 8 Champion
Hi

It is possible to have multiple policies to get around the limit, verified in our environment. The connector will read all attached policies.

I discussed an additional potential limit in another thread with the developer. Upon execution it assumes all roles, and if you have a lot of accounts these assumed tokens can expire. An enhancement would be to report a request that the connector should only assume roles from one policy at a time.

We have taken another path: we built our own interface that gets updates based on events, and when we call that API we get all 500+ accounts in a minute instead of 30+ minutes.


(2) Replies
jasonlu
Level 7 Champion
It's my experience that an additional policy can be added that contains the additional child ARN lines.
I too would be interested in hearing other stories, and also in knowing if anyone has updated the addition of child AWS accounts to the policies.

j
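Both replies above describe the same workaround: spread the child-account role ARNs over several policies attached to the connector's role. As an added example (not from this thread, and not Flexera's own code or policy), the script below packs account IDs into `sts:AssumeRole` policy documents that each stay under the 6,144-character managed-policy size the question quotes, and flags when the resulting count would exceed the 10 policies per role. The child role name `FlexeraConnectorRole` is a placeholder and the account IDs are constructed.

```python
import json

# Limits quoted in the thread: managed policy size (AWS counts it excluding
# whitespace) and managed policies attachable to one role.
MAX_POLICY_CHARS = 6144
MAX_POLICIES_PER_ROLE = 10
# Placeholder: the role name the connector assumes inside each child account.
CHILD_ROLE_NAME = "FlexeraConnectorRole"

def child_role_arn(account_id: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{CHILD_ROLE_NAME}"

def policy_document(arns: list) -> dict:
    """IAM document letting the connector's role assume the listed child roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arns}],
    }

def policy_size(doc: dict) -> int:
    # Compact serialisation has no whitespace, so len() matches what AWS counts.
    return len(json.dumps(doc, separators=(",", ":")))

def split_into_policies(account_ids: list, max_chars: int = MAX_POLICY_CHARS) -> list:
    """Pack child-role ARNs into as few documents as fit under max_chars each.
    Order is preserved, so a newly onboarded account lands in the last document."""
    policies, current = [], []
    for acct in account_ids:
        candidate = current + [child_role_arn(acct)]
        if policy_size(policy_document(candidate)) > max_chars:
            if not current:
                raise ValueError(f"ARN for account {acct} alone exceeds the limit")
            policies.append(policy_document(current))
            current = [child_role_arn(acct)]
        else:
            current = candidate
    if current:
        policies.append(policy_document(current))
    return policies

def fits_one_role(policies: list, max_policies: int = MAX_POLICIES_PER_ROLE) -> bool:
    """False once the account list needs more attached policies than one role allows."""
    return len(policies) <= max_policies

if __name__ == "__main__":
    # Constructed sample: 500 synthetic account IDs, the scale mentioned in the thread.
    accounts = [f"{100000000000 + i:012d}" for i in range(500)]
    docs = split_into_policies(accounts)
    print(len(docs), "policies, largest", max(map(policy_size, docs)), "chars,",
          "fits one role:", fits_one_role(docs))
```

Re-running the split whenever an account is onboarded and diffing the output against the attached policies is one way to take the manual editing out of the process the question complains about.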