Data
Reader small image

You're reading from  Implementing Identity Management on AWS

Product typeBook
Published inOct 2021
PublisherPackt
ISBN-139781800562288
Edition1st Edition
Tools
AWS
Concepts
Identity Management
Right arrow
Author (1)
Jon Lehtinen
Jon Lehtinen
author image
Jon Lehtinen

Jon Lehtinen has 16 years of enterprise identity and access management experience and specializes in both the strategy and execution of IAM transformation in global-scale organizations such as Thomson Reuters, General Electric, and Apollo Education Group. In addition to his work in the enterprise space, he has held positions on Ping Identity's Customer Advisory Board and as an advisor to identity verification start-up EvidentID. He currently owns the workforce and customer identity implementations at Okta. Jon is dedicated to the growth and maturity of IAM as a profession and serves on the Board of Directors for IDPro org. He is also a member of the Kantara Initiative, ISC2, OpenID Foundation, and Women in Identity. Jon has presented his work at several conferences, including RSA, Identiverse, and KuppingerCole's European Identity and Cloud Conference. Currently, he owns Okta's workforce and customer IAM implementations as their Director of Okta on Okta.
Read more about Jon Lehtinen

Right arrow

Chapter 10: Administrative Single Sign-On to the AWS Backplane

In the previous chapter, we built out the provisioning and account synchronization processes between our Amazon Web Services (AWS) environment and the Redbeard Identity organization's existing identity provider (IDP). Our administrative users are now synchronized to the AWS single sign-on (SSO) user directory from our external IDP using the System for Cross-domain Identity Management (SCIM). Of course, populating the AWS SSO user store is only half of the administrative access equation. Next, we will address administrative user authentication and authorization to ensure that each administrator can only access the environment that is appropriate for them.

The following topics will be covered in this chapter:

  • Why use federation for AWS administrators?—Learn why identity federation is a good pattern for managing administrator access into the AWS control plane
  • Assigning access to AWS accounts—...

Technical requirements

To get the most out of this chapter, you will need the following:

  • An AWS account
  • A Security Assertion Markup Language 2 (SAML2) and an SCIM-compliant IDP such as Okta Identity Cloud, PingOne, or Azure Active Directory (Azure AD)
  • A populated user directory to act as the user store for that IDP
  • A workstation running the AWS CLI
  • A text editor or integrated development environment (IDE) to edit JavaScript Object Notation (JSON)/YAML Ain't Markup Language (YAML) files, such as Microsoft Visual Studio Code (VS Code)

The code samples used in the chapter can be found at the following links:

Why use federation for AWS administrators?

Before we dive into the mechanics of connecting our AWS environment with our external IDP, let's take a moment to revisit our assumptions around why we would choose to use an external IDP for AWS access in the first place. As we have seen throughout this book, AWS has multiple services capable of addressing user authentication and authorization. It could be argued that given the AWS Identity and Access Management (IAM) service itself already evaluates every transaction and has the capability to handle user management, authentication, and authorization, daisy-chaining additional components to that service unnecessarily complicates matters.

The argument for using identity federation with administrative accounts echoes the same arguments for identity federation with most other third-party applications. Identity federation, especially automated provisioning and deprovisioning, helps control the proliferation of user and company data on...

Assigning access to AWS accounts

Now that we can sign in to AWS SSO with our external IDP, we need to assign accounts to users within AWS SSO in order to close the loop between the authorization controlled by the IDP and the authorization controlled by AWS. If we considered the IDP's authorization control coarse-grained, AWS SSO provides options for fine-grained control through a variety of mechanisms. Let's start with some basic authorization controls and refine the permissions further as we go.

We can see all of our AWS accounts listed in the AWS accounts menu inside AWS SSO, as illustrated in the following screenshot:

Figure 10.6 – Our AWS accounts

Presently, we have no users assigned to any of them. We also do not have any permission sets assigned to any of the accounts. A permission set defines what an AWS user can do within an AWS account when signing in through AWS SSO. A permission set is stored as an AWS IAM role that is assumed...

Implementing fine-grained access management for administrators

So far, we only have two levels of access for our administrators inside our AWS accounts once those administrators are placed inside a group that allows them to sign in to AWS SSO: AdministratorAccess and ReadOnly. If we defined group-based access that determines if a user is permitted to even access AWS SSO as coarse-grained access management, then the access granted by these two permission sets represents a very rudimentary example of role-based access control (RBAC). By layering on additional concepts, we can further refine our authorization model into something that is only allowed access to specific resources based upon the assumed role and the user's attributes, to achieve fine-grained access management through attribute-based access control (ABAC).

Permission sets and managed authorization policies

To achieve fine-grained access management through ABAC, we will need to marry an improved set of permission...

Administrative SSO using the AWS CLI

One of the primary benefits of using AWS SSO for administrative access is the issuance of temporary credentials. Whereas we have used durable programmatic credentials for AWS CLI access in the past, we can now use a browser for SSO and instantiate a temporary session without needing to issue or store those credentials on our workstation. We do this by selecting the command-line or programmatic access link after signing in to AWS SSO from our external IDP, as illustrated in the following screenshot:

Figure 10.40 – Our temporary AWS CLI credentials through AWS SSO

We will sign in as the Iam Dev user once again and copy the commands to export the variables we need to use the AWS CLI with our temporary credentials. These credentials are valid for the duration of the session we defined within the permission set for this assumed role. For this particular role, these credentials are good for 9 hours. Once we enter the values...

Summary

In this chapter, we put into practice what we have learned across several AWS services to design and apply an administrative account authentication and authorization model. By using an external IDP, we were able to quickly deprovision access for administrators. Synchronizing our external IDP's users and groups into AWS SSO via SCIM laid the foundation for us to pair coarse-grained authorization control managed at the IDP with a fine-grained authorization policy controlled by AWS to fulfill our administrative authorization business objectives. We wrote a custom authorization policy for our permission sets using conditional operators. Finally, we saw how that model extends into the AWS CLI as well and improves security by eliminating long-lived programmatic credentials.

In the next chapter, we will switch our focus to application-centric identity using Amazon Cognito. We will address making our enterprise user accounts available for our applications hosted in AWS.

...

Questions

  1. What is coarse-grained authorization?
  2. What is fine-grained authorization?
  3. What is a permission set?
  4. How does a permission set grant access to the AWS accounts to which it is attached?

    a. It provisions users into that account.

    b. It automatically creates an assumable AWS IAM role for the federated user to assume in the managed AWS account.

    c. It doesn't.

  5. AWS CLI access through AWS SSO removes the need to use long-lived programmatic credentials managed through AWS IAM.

    a. True

    b. False

lock icon
The rest of the chapter is locked
Previous Chapter
Chapter 13 of 17
Next Chapter
You have been reading a chapter from
Implementing Identity Management on AWS
Published in: Oct 2021Publisher: PacktISBN-13: 9781800562288
© 2021 Packt Publishing Limited All Rights Reserved
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Sign up now
undefined
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Start free trial
Renews at $15.99/month. Cancel anytime

Author (1)

author image
Jon Lehtinen

Jon Lehtinen has 16 years of enterprise identity and access management experience and specializes in both the strategy and execution of IAM transformation in global-scale organizations such as Thomson Reuters, General Electric, and Apollo Education Group. In addition to his work in the enterprise space, he has held positions on Ping Identity's Customer Advisory Board and as an advisor to identity verification start-up EvidentID. He currently owns the workforce and customer identity implementations at Okta. Jon is dedicated to the growth and maturity of IAM as a profession and serves on the Board of Directors for IDPro org. He is also a member of the Kantara Initiative, ISC2, OpenID Foundation, and Women in Identity. Jon has presented his work at several conferences, including RSA, Identiverse, and KuppingerCole's European Identity and Cloud Conference. Currently, he owns Okta's workforce and customer IAM implementations as their Director of Okta on Okta.
Read more about Jon Lehtinen

Other recommended products

Related to this chapter

AWS Security Cookbook

AWS Security Cookbook

AWS Security Cookbook lists all the practical solutions to the common problems faced by individuals or organizations in securing their instances. Here readers will learn to troubleshoot security concerns and understand additional patterns and services for securing AWS infrastructure.

BookFeb 2020440 pages
Amazon Web Services Bootcamp

Amazon Web Services Bootcamp

AWS Bootcamp is designed to teach you how to build and manage AWS resources using different ways. This highly practical guide leverages the reliability, versatility, and flexible design of the AWS Cloud. It enables you to perform tasks such as hosting multi-tier websites, running large-scale applications, data storage and archival, and a lot more with ease.

BookMar 2018338 pages
AWS for System Administrators

AWS for System Administrators

AWS for System Administrators covers a variety of tools, techniques, tips, and tricks for building highly available and fault-tolerant infrastructure. You’ll get to grips with AWS fundamentals and concepts with the help of step-by-step explanations and practical code examples.

BookFeb 2021388 pages
Serverless Programming Cookbook

Serverless Programming Cookbook

The serverless architecture allows you to build and run applications and services without having to manage the infrastructure which saves cost and improves scalability. In this book, you will learn to harness serverless technology to reduce production time, minimize cost and have the freedom to customize your code, without hindering functionality.

BookJan 2019490 pages
Mastering AWS Security

Mastering AWS Security

Security is a key ingredient when it comes to workloads deployed in cloud. Security is highest priority for any organization and it is considered job zero at AWS. Our book will dig deep into the achieving end to end automated security for all workloads deployed, running and stored in AWS cloud.

BookOct 2017252 pages
Hands-On AWS Penetration Testing with Kali Linux

Hands-On AWS Penetration Testing with Kali Linux

The cloud is gaining more popularity than ever, and every organization is looking to shift its infrastructure to it. AWS particularly rules the roost with its market share. This book gets pentesters and sysadmins hands-on with pentesting AWS services using Kali Linux, covering detailed screenshots and custom scripts for automating the process.

BookApr 2019508 pages
AWS Certified Security – Specialty Exam Guide

AWS Certified Security – Specialty Exam Guide

Amazon has come up with Specialty certifications which validates a particular user's expertise that he/she would want to build a career in. This Guide will be a companion to getting skilled with complex and creative security solutions.

BookSep 2020558 pages
AWS Administration Cookbook

AWS Administration Cookbook

Organisations today are harnessing the power of AWS cloud products and solutions to scale and grow. Amazon web services provide a cloud computing infrastructure with storage, bandwidth, security and more over the internet. This book will begin with AWS fundamentals and will go further to help you build and administer your own cloud environment.

BookApr 2017394 pages
AWS SysOps Cookbook

AWS SysOps Cookbook

The AWS cloud provides on-demand computing resources that organizations of all types and sizes harness to create products and business solutions. This book will take you from the fundamentals to advanced features and services to help you administer your own AWS cloud environment.

BookSep 2019490 pages
Okta Administration: Up and Running

Okta Administration: Up and Running

Okta is one of the leading IAM platforms that consolidate identities for company tools. Okta Administration: Up and Running is a comprehensive introduction for those who are new to Okta’s products and will help you to understand and implement Okta’s features for enhanced security in your applications.

BookDec 2020268 pages
AWS Certified Developer - Associate Guide

AWS Certified Developer - Associate Guide

With rapid adaptation of the cloud platform, the need for cloud certification has also increased. This is your one stop solution and will help you transform yourself from zero to certified. This guide will help you gain technical expertise in the AWS platform and help you start working with various AWS Services.

BookJun 2019812 pages5
Expert AWS Development

Expert AWS Development

Continuous deployment and Agile methodology have enabled huge advances in modern applications. This book will enable the reader to make use of this rapidly evolving technology to build highly scalable applications within AWS using different architectures.

BookMar 2018408 pages

Personalised recommendations for you

Based on your interests and search pattern

Et al.

Et al.

Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.

BookAug 2023230 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages4
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages1
Generative AI with LangChain

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5
Mastering Tableau 2023

Mastering Tableau 2023

This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.

BookAug 2023684 pages
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages5
Building AI Applications with ChatGPT APIs

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages2
Data Engineering with AWS

Data Engineering with AWS

Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.

BookOct 2023636 pages5
Modern Data Architecture on AWS

Modern Data Architecture on AWS

Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.

BookAug 2023420 pages5
Practical Guide to Applied Conformal Prediction in Python

Practical Guide to Applied Conformal Prediction in Python

Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.

BookDec 2023240 pages
TinyML Cookbook

TinyML Cookbook

With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.

BookNov 2023664 pages