Configuring policy controls for AWS
Forcepoint ONE SSE provides contextual access controls similar to our other protected applications for AWS. You can control access by user/group, device type (managed vs unmanaged) as well as location.
Forcepoint ONE SSE also provides you a way to assign Role ARN's by policy under the Actions column. This will allow you to utilize Forcepoint ONE SSE contextual access control in conjunction with AWS's own role's. A Role ARN is a role created in AWS that can grant users temporary permissions based on the context of their login. For example you can grant Admin users on the corporate network an AWS admin Role ARN with full access, but other users logging in from outside the network get a read-only role. To learn more about Role ARNs in AWS, refer to their web page here.
Reminder that you are required to set the Provider ARN in step 2 above during the Forcepoint ONE SSE App SSO configuration portion before you are able to set Role ARNs as part of your contextual access control policies.
These Role ARN policies are also different from the attribute statements you can set in the App SSO settings. The attribute statements are used to send static information during all logins that may be required by AWS (a UPN or static SAML value). Role ARNs as part of the policy will apply specific AWS RBAC controls to the user once they authenticate into AWS.
- To setup a Role ARN, create a new policy line as you normally would and set the access criteria (User, Device, Location).
- Once set click into the Action column. Notice your only available options are Direct App Access and Deny.
- Select Direct App Access and click the Green Plus icon to add a new line for the Role ARN assignment.
- You can apply the Role ARN by separate App Instances.
- You can apply the Role ARN by separate App Instances.