
AWS IAM

Learn how to configure AWS Management Console access through KMS PAM for secure, audited, and just-in-time access to AWS.

KMS PAM supports secure, just-in-time access to the AWS Management Console through federated sign-in. This allows your team to access AWS without sharing long-lived credentials, while maintaining a complete audit trail of who accessed what and when.

How It Works

Database and SSH resources need a Gateway for network connectivity; AWS Console access does not. Hanzo KMS uses AWS STS (Security Token Service) to assume roles on your behalf and generates temporary federated sign-in URLs.

sequenceDiagram
    participant User
    participant KMS as Hanzo KMS
    participant ResourceRole as Resource Role<br/>(Your AWS Account)
    participant TargetRole as Target Role<br/>(Your AWS Account)
    participant Console as AWS Console

    User->>KMS: Request AWS Console access
    KMS->>ResourceRole: AssumeRole (with ExternalId)
    ResourceRole-->>KMS: Temporary credentials
    KMS->>TargetRole: AssumeRole (role chaining)
    TargetRole-->>KMS: Session credentials
    KMS->>Console: Generate federation URL
    Console-->>KMS: Signed console URL
    KMS-->>User: Return console URL
    User->>Console: Open AWS Console (federated)

Key Concepts

  1. Resource Role: An IAM role in your AWS account that trusts Hanzo KMS. This is the "bridge" role that Hanzo KMS assumes first.
  2. Target Role: The IAM role that end users will actually use in the AWS Console. The Resource Role assumes this role on behalf of the user.
  3. Role Chaining: Hanzo KMS uses AWS role chaining - it first assumes the Resource Role, then uses those credentials to assume the Target Role. This provides an additional layer of security and audit capability.
  4. External ID: A unique identifier (your Hanzo KMS Project ID) used in the trust policy to prevent confused deputy attacks.

Session Behavior

Session Duration

The session duration is set when creating the account and applies to all access requests. You can specify the duration using human-readable formats like 15m, 30m, or 1h. Due to AWS role chaining limitations:

  • Minimum: 15 minutes (15m)
  • Maximum: 1 hour (1h)
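As an added example (not Hanzo KMS's own code), the credential-independent pieces of the flow above in Python: duration parsing with the 15m to 1h role-chaining limits, a CloudTrail-friendly RoleSessionName built from the user's email, and the two URLs against AWS's documented federation endpoint (getSigninToken, then login). The STS AssumeRole calls and the HTTP fetch of the signin token are assumed to happen around these functions and are left out; the issuer name is an assumption.

```python
import json
import re
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
MIN_SECONDS, MAX_SECONDS = 900, 3600  # role chaining allows 15m .. 1h


def parse_duration(text: str) -> int:
    """Convert '15m', '30m' or '1h' to seconds and enforce the chaining limits."""
    m = re.fullmatch(r"(\d+)([mh])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    seconds = int(m.group(1)) * (60 if m.group(2) == "m" else 3600)
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"{text} is outside the 15m..1h range allowed by role chaining")
    return seconds


def role_session_name(email: str) -> str:
    """RoleSessionName is limited to [A-Za-z0-9_+=,.@-] and 64 chars; emails fit, so
    the user stays readable in CloudTrail (assumed-role/<role>/<email>)."""
    return re.sub(r"[^A-Za-z0-9_+=,.@-]", "_", email)[:64]


def signin_token_request_url(creds: dict) -> str:
    """GET this URL (with the Target Role's chained credentials) to receive
    {"SigninToken": "..."}; for AssumeRole credentials the console session
    lasts as long as the credentials themselves."""
    session = json.dumps({"sessionId": creds["AccessKeyId"],
                          "sessionKey": creds["SecretAccessKey"],
                          "sessionToken": creds["SessionToken"]})
    return f"{FEDERATION_ENDPOINT}?{urlencode({'Action': 'getSigninToken', 'Session': session})}"


def console_login_url(signin_token: str, issuer: str = "hanzo-kms-pam",
                      destination: str = "https://console.aws.amazon.com/") -> str:
    """Final URL handed to the user; it stays valid until the chained session expires."""
    params = {"Action": "login", "Issuer": issuer,  # issuer label is an assumption
              "Destination": destination, "SigninToken": signin_token}
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"
```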

Session Tracking

Hanzo KMS tracks:

  • When the session was created
  • Who accessed which role
  • When the session expires

Important: AWS Console sessions cannot be terminated early. Once a federated URL is generated, the session remains valid until the configured duration expires. However, you can revoke active sessions by modifying the role's trust policy.

CloudTrail Integration

All actions performed in the AWS Console are logged in AWS CloudTrail. The session is identified by the RoleSessionName, which includes the user's email address for attribution:

arn:aws:sts::123456789012:assumed-role/pam-readonly/user@example.com

This allows you to correlate KMS PAM sessions with CloudTrail logs for complete audit visibility.
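As an added example (not Hanzo KMS code), the attribution described above run over a few constructed CloudTrail records: each AssumedRole event is mapped to its account, role and RoleSessionName, and events on PAM-managed roles whose session name is not a user email are surfaced, since those sessions did not come through KMS PAM. The `pam-` role prefix and the sample events are assumptions.

```python
import re
from typing import List, Optional

ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample records: the shape follows CloudTrail's record format, the values are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/pam-readonly/user@example.com"}},
    {"eventTime": "2024-05-01T10:05:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/pam-admin/i-0abc123"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def attribute(event: dict) -> Optional[dict]:
    """Split the assumed-role ARN into account, role and session name; None for other identity types."""
    m = ASSUMED_ROLE_ARN.match(event.get("userIdentity", {}).get("arn", ""))
    if not m:
        return None
    account, role, session = m.groups()
    return {"time": event["eventTime"], "account": account, "role": role, "session": session,
            "action": f"{event['eventSource']}:{event['eventName']}",
            # KMS PAM puts the requesting user's email in RoleSessionName
            "pam_attributed": bool(EMAIL_LIKE.match(session))}


def unattributed_pam_sessions(events: List[dict], role_prefix: str = "pam-") -> List[dict]:
    """Events on PAM-managed roles (assumed prefix) whose session name is not a user email."""
    found = []
    for ev in events:
        a = attribute(ev)
        if a and a["role"].startswith(role_prefix) and not a["pam_attributed"]:
            found.append(a)
    return found
```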

Prerequisites

Before configuring AWS Console access in KMS PAM, you need to set up two IAM roles in your AWS account:

  1. Resource Role - Trusted by Hanzo KMS, can assume target roles
  2. Target Role(s) - The actual roles users will use in the console

No Gateway Required: Unlike database or SSH resources, AWS Console access does not require a KMS Gateway. Hanzo KMS communicates directly with AWS APIs.

Create the PAM Resource

The PAM Resource represents the connection between Hanzo KMS and your AWS account. It contains the Resource Role that Hanzo KMS will assume.

First, create an IAM policy that allows the Resource Role to assume your target roles. For simplicity, you can use a wildcard to allow assuming any role in your account:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/*"
  }]
}


For more granular control: If you want to restrict which roles the Resource Role can assume, replace the wildcard (/*) with a more specific pattern. For example:

  • arn:aws:iam::<YOUR_ACCOUNT_ID>:role/pam-* to only allow roles with the pam- prefix
  • arn:aws:iam::<YOUR_ACCOUNT_ID>:role/kms-* to only allow roles with the kms- prefix

This allows you to limit the blast radius of the Resource Role's permissions.

Create an IAM role (e.g., HanzoKMSResourceRole; IAM role names cannot contain spaces) with:

  • The permissions policy from the previous step attached
  • The following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<INFISICAL_AWS_ACCOUNT_ID>:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "<YOUR_INFISICAL_PROJECT_ID>"
      }
    }
  }]
}


Security Best Practice: Always use the External ID condition. This prevents confused deputy attacks where another Hanzo KMS customer could potentially trick Hanzo KMS into assuming your role.

Hanzo KMS AWS Account IDs:

Region   Account ID
US       381492033652
EU       345594589636

For Dedicated Instances: Your AWS account ID differs from the ones listed above. Please contact Hanzo KMS support to obtain your dedicated AWS account ID.

For Self-Hosted Instances: Use the AWS account ID where your Hanzo KMS instance is deployed. This is the account that hosts your Hanzo KMS infrastructure and will be assuming the Resource Role.

  1. Navigate to your PAM project and go to the Resources tab
  2. Click Add Resource and select AWS IAM
  3. Enter a name for the resource (e.g., production-aws)
  4. Enter the Resource Role ARN - the ARN of the role you created in the previous step


Clicking Create Resource will validate that Hanzo KMS can assume the Resource Role. If the connection fails, verify:

  • The trust policy has the correct Hanzo KMS AWS account ID
  • The External ID matches your project ID
  • The role ARN is correct

Create PAM Accounts

A PAM Account represents a specific Target Role that users can request access to. You can create multiple accounts per resource, each pointing to a different target role with different permission levels.

Each target role needs a trust policy that allows your Resource Role to assume it:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/HanzoKMSResourceRole"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "<YOUR_INFISICAL_PROJECT_ID>"
      }
    }
  }]
}
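As an added example (not Hanzo KMS code) serving both trust policies on this page, a small checker that lints an IAM trust policy against the documented shape: every Allow statement for sts:AssumeRole must name a principal in an expected account and carry a StringEquals sts:ExternalId condition equal to your project ID. For the Resource Role the expected accounts default to the Hanzo KMS US/EU account IDs listed above; for a Target Role you pass your own account ID instead. The sample policies and their account and project IDs are constructed.

```python
import json
from typing import Iterable, List

HANZO_KMS_ACCOUNT_IDS = {"381492033652", "345594589636"}  # US and EU, from this page


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def check_assume_role_trust(policy_json: str, project_id: str,
                            allowed_accounts: Iterable[str] = HANZO_KMS_ACCOUNT_IDS) -> List[str]:
    """Return one finding per problem in the Allow sts:AssumeRole statements; [] means it matches."""
    allowed = set(allowed_accounts)
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*", "*"} & actions):
            continue
        principal = stmt.get("Principal", {})
        for p in _as_list(principal if isinstance(principal, str) else principal.get("AWS")):
            account = p.split(":")[4] if p.count(":") >= 5 else ""  # arn:aws:iam::<acct>:...
            if p == "*" or account not in allowed:
                findings.append(f"statement {i}: principal {p} is not an expected account")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif external_id != project_id:
            findings.append(f"statement {i}: sts:ExternalId {external_id!r} != project id")
    return findings


# Constructed sample policies; the project id and the 1111.../1234... account ids are made up.
GOOD_RESOURCE_ROLE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::381492033652:root"},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "proj-123"}}}]})

WEAK_RESOURCE_ROLE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole"}]})  # wrong account and no ExternalId

GOOD_TARGET_ROLE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/HanzoKMSResourceRole"},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "proj-123"}}}]})
```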


  1. Navigate to the Resources tab in your PAM project and open the AWS IAM resource you created
  2. Click Add Account
  3. Fill in the account details:

     • Name: A friendly name for this account (e.g., readonly, admin, developer)
     • Description: Optional description of what this account is used for
     • Role ARN: The ARN of the IAM role users will assume (e.g., arn:aws:iam::123456789012:role/pam-readonly)
     • Session Duration: Session duration using human-readable format (e.g., 15m, 30m, 1h). Minimum 15 minutes, maximum 1 hour.

Due to AWS role chaining limitations, the maximum session duration is 1 hour, regardless of the target role's configured maximum session duration.

Access the AWS Console

Once your resource and accounts are configured, users can request access through Hanzo KMS:


  1. Go to the Resources tab in your PAM project and open the AWS IAM resource.
  2. In the resource's accounts section, find the AWS Console account you want to access.
  3. Click the Access button for that account.

Hanzo KMS will:

  1. Assume the Resource Role using your project's External ID
  2. Assume the Target Role using role chaining
  3. Generate a federated sign-in URL
  4. Open the AWS Console in a new browser tab

The user will be signed into the AWS Console with the permissions of the Target Role.
