Connecting AWS

Create the Trustle service account that automates JIT for entitlements through the AWS APIs

Overview

AWS suggests using a dedicated service account for Trustle to securely access your AWS environment. The service account operates entirely within your AWS infrastructure and provides Trustle with the permissions needed to analyze entitlements, identify over-privileged users, and streamline access management across your organization.

What you'll need:
  • Administrative access to your AWS account (IAM permissions to create and modify users and policies)
  • A Trustle service account (created in Step 2 below) and its Service Account Access Key ID and Secret Access Key
  • Your account's primary AWS region

Step 1: Gather Your AWS Organization Information

Trustle needs to understand your AWS account structure to properly provide comprehensive analysis.

Instructions:

  1. Sign in to AWS Management Console
  2. Check for AWS Organizations (Multi-Account Setup)
    • Navigate to the AWS Organizations service in the console
    • If you see "This account is not currently a member of an organization":
      • You have a single-account setup
    • If you see organizational structure:
      • Note your Organization ID (starts with "o-", e.g., o-abc1234567)
  3. Identify Your Identity Center Configuration (if applicable)
    • Navigate to AWS IAM Identity Center (formerly AWS SSO)
    • If enabled, note:
      • Your Identity Center instance ARN in the upper left corner (it looks like “ssoins-1234…”)
      • Whether you're using an external identity provider (Active Directory, etc.)

Why Trustle needs this: This information helps Trustle understand your AWS environment structure and ensures Trustle covers all accounts and access methods in your organization.

Step 2: Create the Dedicated Service Account

You'll create a service account specifically for Trustle that operates with the minimum necessary permissions.

Instructions:

  1. Navigate to IAM in AWS Console
    • Go to the IAM service in your AWS Management Console
    • Click on "Users" in the left sidebar
  2. Create New User
    • Click "Create user"
    • User name: [YourCompany]-Trustle-Service (or similar descriptive name)
    • Select "Programmatic access" (Trustle needs API credentials, not console access); in the current console this option may only appear after the user has been created
    • Do NOT select "AWS Management Console access"
  3. Skip Group Assignment
    • Click "Next" without adding the user to any existing groups
    • You'll attach a custom policy in the next step
  4. Create and Download Access Keys
    • After user creation, go to the user's "Security credentials" tab
    • Click "Create access key"
    • Select "Application running outside AWS"
    • Add description tag: "Trustle Integration"
    • Important: Download the CSV file containing the Access Key ID and Secret Access Key
    • Store these credentials securely - you'll enter them into the Trustle UI

Security Note: These credentials provide access to your AWS environment. Never share them through unsecured channels.

Step 3: Create and Attach the Required IAM Policy

This step creates the specific permissions Trustle needs to analyze your AWS environment and automate IAM.

Instructions:

  1. Navigate to IAM Policies
    • In the IAM console, click "Policies" in the left sidebar
    • Click "Create policy"
  2. Use JSON Policy Editor
    • Click the "JSON" tab
    • Replace the default policy with the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustleAWSIntegrationAccess",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:LookupEvents",
        "iam:AddUserToGroup",
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:GetAccessKeyLastUsed",
        "iam:GetLoginProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:GetGroup",
        "iam:GetGroupPolicy",
        "iam:ListAccessKeys",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListGroupPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:ListUserPolicies",
        "iam:ListUsers",
        "iam:RemoveUserFromGroup",
        "identitystore:CreateGroupMembership",
        "identitystore:CreateUser",
        "identitystore:DeleteGroupMembership",
        "identitystore:DeleteUser",
        "identitystore:GetGroupMembershipId",
        "identitystore:IsMemberInGroups",
        "identitystore:ListGroupMemberships",
        "identitystore:ListGroupMembershipsForMember",
        "identitystore:ListGroups",
        "identitystore:ListUsers",
        "organizations:ListAccounts",
        "sso:DescribePermissionSet",
        "sso:ListAccountAssignments",
        "sso:ListAccountAssignmentsForPrincipal",
        "sso:ListInstances",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:ListPermissionSets",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

  3. Name and Create the Policy
    • Click "Next"
    • Policy name: Trustle-IAM
    • Description: IAM permissions for Trustle integration
    • Add tags if required by your organization
    • Click "Create policy"
  4. Attach Policy to Service Account
    • Return to IAM > Users
    • Click on your service account user
    • Go to the "Permissions" tab
    • Click "Add permissions" > "Attach policies directly"
    • Search for Trustle-IAM
    • Select the policy and click "Add permissions"
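Before attaching the policy it is worth knowing exactly which of its actions can change state in your account. The script below is an added example, not Trustle's or AWS's own code: it parses the Step 3 policy document (embedded verbatim so it runs offline), splits the granted actions into read-only and state-changing ones, and flags action or resource wildcards. The read-only classification by action-name prefix (Get, List, Describe, Lookup, IsMember) is an assumption based on AWS naming conventions, not an AWS API.

```python
"""Review the Trustle-IAM policy from Step 3 before attaching it.

Added example, not Trustle's or AWS's own code. It reports which granted
actions can modify IAM or Identity Center state and whether any wildcards
are present, so the reviewer sees exactly what the service account receives.
The read-only prefix list is an assumption based on AWS naming conventions.
"""
import json
import sys

# The Step 3 policy, embedded here so the script runs offline; pass a file
# path on the command line to audit a different policy document instead.
TRUSTLE_IAM_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TrustleAWSIntegrationAccess",
    "Effect": "Allow",
    "Action": [
      "cloudtrail:LookupEvents",
      "iam:AddUserToGroup", "iam:CreateUser", "iam:DeleteUser",
      "iam:GetAccessKeyLastUsed", "iam:GetLoginProfile", "iam:GetPolicy",
      "iam:GetPolicyVersion", "iam:GetUser", "iam:GetUserPolicy",
      "iam:GetGroup", "iam:GetGroupPolicy", "iam:ListAccessKeys",
      "iam:ListAttachedGroupPolicies", "iam:ListAttachedUserPolicies",
      "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
      "iam:ListPolicies", "iam:ListRoles", "iam:ListUserPolicies",
      "iam:ListUsers", "iam:RemoveUserFromGroup",
      "identitystore:CreateGroupMembership", "identitystore:CreateUser",
      "identitystore:DeleteGroupMembership", "identitystore:DeleteUser",
      "identitystore:GetGroupMembershipId", "identitystore:IsMemberInGroups",
      "identitystore:ListGroupMemberships",
      "identitystore:ListGroupMembershipsForMember",
      "identitystore:ListGroups", "identitystore:ListUsers",
      "organizations:ListAccounts",
      "sso:DescribePermissionSet", "sso:ListAccountAssignments",
      "sso:ListAccountAssignmentsForPrincipal", "sso:ListInstances",
      "sso:ListManagedPoliciesInPermissionSet", "sso:ListPermissionSets",
      "sts:GetCallerIdentity"
    ],
    "Resource": "*"
  }]
}"""

# Assumption: operations with these name prefixes only read state.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup", "IsMember")


def load_actions(policy_json: str) -> list[str]:
    """Collect every action named in an Allow statement (string or list form)."""
    actions = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt["Action"]
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def is_read_only(action: str) -> bool:
    """True when the operation name starts with a read-only prefix."""
    _service, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def audit(policy_json: str) -> dict:
    """Summarise the grant: per-service counts, mutating actions, wildcards."""
    actions = load_actions(policy_json)
    by_service: dict[str, list[str]] = {}
    for action in actions:
        by_service.setdefault(action.split(":")[0], []).append(action)
    statements = json.loads(policy_json)["Statement"]
    return {
        "total": len(actions),
        "by_service": {svc: len(acts) for svc, acts in sorted(by_service.items())},
        "mutating": sorted(a for a in actions if not is_read_only(a)),
        "wildcard_actions": [a for a in actions if "*" in a],
        # Resource "*" is what the page's policy uses; flag it so the reviewer
        # knows the mutating actions apply to every user and group in the account.
        "resource_wildcard": any(s.get("Resource") == "*" for s in statements),
    }


if __name__ == "__main__":
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else TRUSTLE_IAM_POLICY
    print(json.dumps(audit(doc), indent=2))
```

For the policy as written, the report lists eight mutating actions (user create/delete and group membership changes in IAM and Identity Center) against 33 read-only ones, no action wildcards, and a resource wildcard; those eight are the ones to weigh when deciding whether to attach it.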

Step 4: Configure Cross-Account Access (Multi-Account Organizations Only)

If you have multiple AWS accounts in your organization, Trustle needs access to analyze permissions across all accounts. This step creates roles that allow the Trustle service account to securely access member accounts.

Part A: Create Cross-Account Role in Management Account
  1. Navigate to IAM Roles
    • In your AWS Console, go to the IAM service
    • Click "Roles" in the left sidebar
    • Click "Create role"
  2. Configure Trust Relationship
    • Under "Select trusted entity," choose "AWS account"
    • Select "Another AWS account"
    • In the "Account ID" field, enter your own management account ID (your 12-digit AWS account number)
    • Leave "Require external ID" unchecked
    • Leave "Require MFA" unchecked
    • Click "Next"
  3. Attach Permissions Policy
    • In the search box, type Trustle-IAM
    • Check the box next to the Trustle-IAM policy you created in Step 3
    • Click "Next"
  4. Name and Create the Role
    • Role name: Trustle-CrossAccount
    • Description: Cross-account access role for Trustle
    • Review the configuration and click "Create role"
  5. Record the Role ARN
    • After creation, click on the role name to view details
    • Copy the Role ARN (looks like: arn:aws:iam::123456789012:role/Trustle-CrossAccount)
    • Save this ARN - you'll need it in the next step

Part B: Update Service Account Permissions
  1. Return to Your Service Account
    • Navigate to IAM > Users
    • Click on the service account user you created in Step 2
  2. Add Inline Policy for Role Assumption
    • Go to the "Permissions" tab
    • Click "Add permissions" dropdown
    • Select "Create inline policy"
  3. Create the AssumeRole Policy
    • Click the "JSON" tab
    • Replace the default policy with:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/Trustle-CrossAccount"
    }
  ]
}

  4. Name and Create the Policy
    • Click "Next"
    • Policy name: AllowAssumeRole-CrossAccount
    • Click "Create policy"

Part C: Deploy Role to Member Accounts

For EACH member account in your organization, repeat these steps:

  1. Switch to Member Account
    • Use AWS Organizations to switch to each member account, or
    • Log in directly to each member account with administrative credentials
  2. Create the same IAM Policy
    • Go to IAM > Policies > Create policy in the member account
    • Use the same JSON from Step 3.2 above
    • Name it Trustle-IAM
  3. Create the Same Cross-Account Role
    • Navigate to IAM > Roles in the member account
    • Click "Create role"
    • Select "AWS account" as trusted entity
    • Choose "Another AWS account"
    • Enter your management account ID (not the member account ID)
    • Click "Next"
  4. Attach the IAM Policy
    • In the "Add permissions" step, search for Trustle-IAM
    • Select Trustle-IAM and click "Next"
  5. Name the Role Consistently
    • In the ‘Name, review, and create’ step:
    • Role name: Trustle-CrossAccount (same name in every account)
    • Description: Cross-account access role for Trustle
    • Create the role

Verification:

  • Ensure each member account has the Trustle-CrossAccount role
  • Verify each role trusts your management account ID
  • Confirm your service account in the management account can assume these roles
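The three verification points above come down to one question per member account: does the Trustle-CrossAccount role trust exactly the management account? The script below is an added example, not Trustle's or AWS's own code. build_trust_policy() writes the trust document the console generates when you choose "Another AWS account" and enter the management account ID, build_assume_role_policy() is the Part B inline policy, and check_trust_policy() takes a role's trust document (the AssumeRolePolicyDocument that `aws iam get-role --role-name Trustle-CrossAccount` prints in each member account) and reports whether it trusts only that management account. The account IDs and the two sample role documents are constructed.

```python
"""Build and check the Trustle-CrossAccount trust relationship from Step 4.

Added example, not Trustle's or AWS's own code. The constructed samples at
the bottom stand in for what `aws iam get-role` would return in two member
accounts: one configured as Part C describes, one where the member account's
own ID was entered instead of the management account's.
"""
import json
import re

ROLE_NAME = "Trustle-CrossAccount"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Matches a bare account ID or the account segment of an IAM ARN principal.
PRINCIPAL_ACCOUNT_RE = re.compile(r"^(\d{12})$|^arn:aws:iam::(\d{12}):")


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy for the role: only the management account may assume it."""
    if not ACCOUNT_ID_RE.match(management_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def build_assume_role_policy(role_name: str = ROLE_NAME) -> dict:
    """Part B inline policy: the service account may assume the role in any account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::*:role/{role_name}",
        }],
    }


def trusted_accounts(trust_policy: dict) -> set[str]:
    """Account IDs (or "*") that an Allow sts:AssumeRole statement lets in."""
    accounts: set[str] = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                accounts.add("*")
            elif (m := PRINCIPAL_ACCOUNT_RE.match(p)):
                accounts.add(m.group(1) or m.group(2))
    return accounts


def check_trust_policy(trust_policy: dict, management_account_id: str) -> list[str]:
    """Findings for one member-account role; empty means it matches Step 4."""
    trusted = trusted_accounts(trust_policy)
    findings = []
    if "*" in trusted:
        findings.append("role can be assumed by any AWS principal")
    if management_account_id not in trusted:
        findings.append("management account is not trusted")
    extra = sorted(trusted - {management_account_id, "*"})
    if extra:
        findings.append(f"unexpected trusted accounts: {extra}")
    return findings


# Constructed samples (not real accounts).
MANAGEMENT_ACCOUNT = "111111111111"
MEMBER_ROLE_OK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                   "Action": "sts:AssumeRole"}],
}
# The mistake Part C step 3 warns about: the member account entered its own ID.
MEMBER_ROLE_WRONG = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "222222222222"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(MANAGEMENT_ACCOUNT), indent=2))
    print(json.dumps(build_assume_role_policy(), indent=2))
    for name, doc in (("ok", MEMBER_ROLE_OK), ("wrong", MEMBER_ROLE_WRONG)):
        print(name, check_trust_policy(doc, MANAGEMENT_ACCOUNT) or "OK")
```

The check deliberately treats a wildcard principal as a finding even when the management account is also listed, since a role that any AWS principal can assume defeats the point of the trust relationship; if you have many member accounts, loop over the get-role output of each and fail on any non-empty findings list.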

Step 5: Test and Verify Configuration

Let's ensure everything is configured correctly before entering credentials into Trustle.

Instructions:

  1. Verify Service Account
    • In IAM > Users, confirm your service account exists
    • Verify access keys are created and downloaded
  2. Check Organizations Access (if applicable)
    • Verify: aws organizations describe-organization
    • Should return your organization details
    • Note that this call needs organizations:DescribeOrganization, which the Trustle-IAM policy above does not grant (it grants organizations:ListAccounts); when testing with the service account's own keys, use aws organizations list-accounts instead
  3. Verify Identity Center Access (if applicable)
    • Verify: aws sso-admin list-instances
    • Should return your Identity Center instances
    • Remember Identity Center is region specific. You may need to pass --region

What these permissions allow Trustle to do:

  • User Analysis: Read information about IAM users, groups, and their relationships
  • Policy Analysis: Examine all policies and their permissions to identify over-privileged access
  • Organizational Mapping: Understand your account structure across the entire organization
  • Identity Center Integration: Analyze modern SSO-based access patterns
  • Cross-Account Visibility: Comprehensive analysis across all accounts in your organization
  • Access Pattern Detection: Identify unused permissions, dormant accounts, and security risks

Security Assurances:

  • The service account can only modify AWS IAM and Identity Center resources
  • All API calls are logged in your CloudTrail for complete audit visibility
  • Credentials are encrypted and stored using industry-standard security practices

Step 6: Enter Information Into Trustle

Once setup is complete, copy the following to enter into Trustle’s AWS setup:

Required Information:

  • Service Account Access Key ID
  • Secret Access Key

What Happens Next:

  1. Initial Discovery: Trustle performs a comprehensive scan of your AWS environment
  2. Usage Analysis: Trustle analyzes access patterns to identify unused accounts and permissions
  3. Dashboard Population: Your management dashboard populates with these findings
  4. Ongoing Monitoring: Continuous analysis ensures your access governance stays current

Support and Troubleshooting

If you encounter any issues during setup or have questions about the configuration:

Common Issues:

  • Permission Denied Errors: Verify your administrative account has sufficient IAM permissions
  • Organizations Access Issues: Ensure you're configuring from the management account
  • Identity Center Problems: Confirm Identity Center is enabled and properly configured

Getting Help:

  • Contact the Trustle technical support team with specific error messages
  • Provide your AWS Account ID for faster troubleshooting
  • Include relevant CloudTrail logs if experiencing access issues

Matthew Hathaway