Access Server
Access Server is the component of FMAC responsible for giving users temporary credentials to cloud accounts by assuming an IAM role after a user's access request has been approved. Access Server can be deployed in a customer environment or hosted by FireMon. It includes an API Gateway which optionally provides authentication.
Access Server API
The Access Server exposes one HTTP endpoint that expects a single query parameter named request
(e.g. https://accessserver.com/?request=abc123). The value of the request parameter must be a JWT signed by FMAC with a key known only to FMAC and the customer. The JWT payload is an access request JSON object:
TypeScript Interface
export interface AccessRequest {
requestId: string;
userId: string;
username: string;
roleArn: string;
policy?: string;
policyArns?: string[];
exp: number;
nbf: number;
iat?: number;
sessionId?: string;
comment?: string;
}
Example JSON
{
"comment": "yep",
"exp": 1627931141,
"nbf": 1627931041,
"sessionId": "am-jbrazil-265dca29-8965-4572-b9e2-ac9f0b7465c6",
"requestId": "265dca29-8965-4572-b9e2-ac9f0b7465c6",
"policyArns": ["arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess"],
"roleArn": "arn:aws:iam::057637124865:role/dops_accessserver",
"username": "jody.brazil",
"userId": "U017T1N7ZQB"
}
Verification
The JWT is verified for a valid signing key and for its exp and nbf claims. The token is then de-serialized into a request object. No additional verification is performed.
The Access Server self-registers the signing key with Cloud Defense as part of the deployment process, so no one ever needs to see the signing key used to secure the requests.
User verification
The current implementation does NOT verify that the user who performed the GET request to the Access Server is the same user who made the initial access request. If you are self-hosting the Access Server, however, you can add an extra layer of authentication using an OAuth2-compatible identity provider.