Creating AWS roles

You will need to create an AWS Role in order to provide access to the AWS Management Console when users go through Forcepoint ONE SSE.

Steps

  1. Log in to the AWS console.
  2. Navigate to Services > Security, Identity, & Compliance > IAM, then to Access management > Roles, and click Create role.
  3. Select SAML 2.0 federation as the trusted entity and then select the SAML provider that you created in the prior setup above.
  4. With the SAML provider selected, check the Allow programmatic and AWS Management Console access option; the Attribute and Value fields populate automatically. Leave Condition blank and click Next at the bottom.
  5. Grant whatever permissions you want for the role. This role will be used by admins accessing the AWS console via Forcepoint ONE SSE, so you can give it read-only access, full admin permissions, or anything in between. Once you have chosen your permissions, click Next; on the next page provide a name (and, optionally, a description) and then click Create role at the bottom.
  6. Once you are done with the setup, navigate back to Forcepoint ONE SSE, go to the Protect > Policies page, and scroll down to the AWS application. Before setting up a policy line that sends users through Secure App Access (reverse proxy), you will need to set up one policy line for Direct App Access and have an admin or a user log in directly once to validate the SAML SSO setup. Once that succeeds, you can adjust your policies to start sending people through the Forcepoint ONE SSE proxy.
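The role created in steps 3 and 4 gets a trust policy that lets the SAML provider call sts:AssumeRoleWithSAML, with the auto-populated Attribute/Value pair (SAML:aud = https://signin.aws.amazon.com/saml) as its condition. The added example below is not part of the Forcepoint or AWS documentation: it builds that trust policy for a provider ARN and reviews an existing policy for the weak spots a defender checks for (a missing audience condition, a wildcard principal, or a different provider than expected). The account id and provider name in the test are constructed placeholders.

```python
"""Build and review the trust policy of a SAML 2.0 federated IAM role."""
import json

# Audience AWS expects in the SAML assertion for console/programmatic access;
# this is the value the IAM console fills into the Attribute/Value fields.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn: str) -> dict:
    """Return the assume-role (trust) policy for a role federated to provider_arn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def trust_policy_findings(policy: dict, expected_provider_arn: str) -> list:
    """Review a trust policy; return a list of findings (empty means it looks right)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("statement trusts any principal ('*')")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated and federated != expected_provider_arn:
            findings.append(f"unexpected federated principal: {federated}")
        if "sts:AssumeRoleWithSAML" in actions:
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != AWS_SAML_AUDIENCE:
                findings.append("AssumeRoleWithSAML without SAML:aud condition")
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("statement allows wildcard STS actions")
    return findings


if __name__ == "__main__":
    # Constructed placeholder ARN; replace with your own SAML provider's ARN.
    arn = "arn:aws:iam::111122223333:saml-provider/ForcepointONE"
    print(json.dumps(saml_trust_policy(arn), indent=2))
```

The printed JSON is the document you would pass to the role's trust relationship (for example via `aws iam create-role --assume-role-policy-document file://trust.json`), and the review function can be run over roles exported from an account to confirm step 4's condition was not removed later.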