Sym Security Overview

Terraform Connector modules provide tightly scoped access to your cloud environment.

Sym and Your AWS Environment

For Access Flows that manage access to AWS directly or rely on retrieving secrets from AWS Secrets Manager (for example, Okta or GitHub API keys), Sym assumes a limited-scope role in your AWS environment during execution.

Sym does this using Connector modules in Terraform.

Introducing Sym Connectors

Sym publishes Connector modules in the Terraform Registry. When writing Sym config in Terraform, you include the modules in your provisioning pipelines to ensure Sym has the access required to integrate with your systems.

Connectors are a simple tool for ensuring that the Sym Runtime has exactly the access it needs to operate in your environment, and no more.


What permissions does Sym need in my AWS account?

The minimum required permissions will depend on your use case. If you only need to use AWS to provide API keys (e.g. for our Okta Access Strategy), Sym will only need permissions to retrieve secrets specifically tagged for Sym. Check out our Managing Secrets docs to learn more.

If you want to use Sym to integrate with other AWS Services like IAM Identity Center (SSO), then you'll need to include additional connectors to grant these privileges (see below).

For example, here's a Runtime Connector declaration. This Connector will provision a single IAM role that the Sym Runtime can use at execution time that can assume roles that have a path beginning with /sym/, and access specific AWS Secrets via Sym's AWS Secrets Manager addon:

# Creates an AWS IAM Role that the Sym Runtime can use for execution
# Allow the runtime to assume roles in the /sym/ path in your AWS Account
module "runtime_connector" {
  source  = "symopsio/runtime-connector/aws"
  version = ">= 1.0.0"

  # The aws/secretsmgr addon is required to access secrets
  addons = ["aws/secretsmgr"]

  environment = "main"

Connector modules give you full control

You always have complete control over when, where, and how Connector modules are provisioned. You can review the source code as well as the Terraform plans these modules produce before applying them. As Sym updates and enhances our Connector modules, you can review and validate these updates before applying to your environment.


Sym's Terraform Provider provisions resources in the Sym Platform.
Connector modules provision resources in your environment.

Sym Runtime Connector

Every Sym Flow depends on a Sym Runtime environment. Sym Runtimes execute your flows using a Runtime Connector IAM Role. The Runtime Connector provides the baseline permissions your Flows need to run. You can enable specific capabilities depending on what your flows need:

  • Access secrets in AWS Secrets Manager that have a certain tag (SymEnv by default).
  • Assume other Connector Roles (such as the IAM connector) to support a Sym Strategy.
  • Ship data to a reporting destination if you enable one of Sym’s AWS Log Destinations.

The Runtime Connector IAM Role grants access to secrets required for other Sym Integrations.

Sym's Runtime Connector IAM Role has a trust relationship with Sym's production AWS account. This trust relationship allows the Sym platform to securely assume your Runtime Connector IAM role without a password. The Runtime Connector module ensures that we use an External ID when assuming your IAM Role per AWS best practices.

Sym Strategy Connectors

Each Sym Strategy uses a corresponding Sym Connector with least privilege access. Most Sym Connectors are focused on granting and removing entitlements from existing user accounts.


Sym Strategy Connectors define least privilege access to target services.

  • Sym’s AWS IAM Identity Center (SSO) Strategy can only assign and unassign users from existing AWS SSO Permission Sets. Sym cannot create new accounts or access the permissions that these AWS Permission Sets grant to end-users.
  • Sym’s AWS Lambda Strategy uses a Connector that can only invoke specific named AWS Lambda functions. You have complete control over what capabilities these AWS Lambda functions have, Sym does not have access or visibility to the internals of these Lambda functions.
  • Sym’s AWS IAM Strategy manages temporary AWS access by changing end-user group membership. The AWS IAM Strategy uses an AWS IAM Connector role that can only modify a specific subset of your AWS IAM Groups. The IAM Connector cannot access other parts of your infrastructure, or access the elevated permissions of the users that it moves in and out of IAM groups.

What’s Next