We are using Federation & Role-switching and have no current need to use the SSO admin users which are necessarily created via Account Factory. Ideally, we'd like to delete them, but I worry about Control Tower drift. I would also consider disabling them and/or putting a highly restrictive SCP on them (which I'm thinking is our most likely scenario).
We'd like an option wherein we do not need to have the same kind of routines that we use for admin users which are actually used or have the potential to have a valid use case.
Related
I need a best practice how to automate listing of all users at once under AWS organization multi accounts using AWS-CLI with any script?
I have tried all possible AWS CLI commands but they are all for manual steps and for individually listing users. Also, I tried to get credentilas report for all accounts, it didnt work for all, I again had to go with manually for individual account to get credential report. We have more then 300 accnts under AWS-organization so I want to automate this task, not manually
I’m not aware of a tool that can accomplish this (but that doesn’t mean that it doesn’t exist).
That being said, I would recommend a different approach to user management across a multi-account organisation:
Create exactly one account where all user accounts are managed and into which users log in.
Allow usage of other accounts only through assuming roles.
Disallow creating users in other accounts via SCP.
I understand that you already have an existing organisation with lots of accounts and probably even more users. Setting this up would probably be a very painful activity; especially if users are used for technical purposes (e.g. deployments) as well. But it might be worth the effort as you will have a much easier user management in the future.
I am new to the AWS ecosystem, coming over from Firebase. I needed a step up in configuration, and especially permissions. This might be an obvious question, but I'm not sure how to reason about it...
My Problem
I am trying to build an app that will have dozens, perhaps around 100 different permissions to perform different actions. I plan on implementing these with IAM policies on AWS Cognito Identity pools, since a maximum of 25 attributes and 25 groups won't be enough for the number of distinct permissions that I will be dealing with. How could I go about letting the front-end UI know what permissions any given user has?
If, for example, I had all of the permissions listed in the attributes, then that would be easy; I would just check the user's JWT and read out the attributes and update the UI to hide the actions user's don't have access to. Same thing goes for groups. But I am not sure on how this could be done for IAM policies?
I am aware that an option would be to just query a backend endpoint when the user tries to perform an action, and if permission is denied, then warn the user...but that is, in my opinion, a terrible UX.
I can also imagine that you could have some kind of endpoint, let's call it getUserPermissions, where when you call, a lambda function retrieves the IAM policies, parses them, and returns some permissions' describing object back to the front end. But doing this feels awkward, and might lead to outdated permissions if one forgets to query the endpoint. Is this the best/only option?
Any tips would be much appreciated.
Please note I also purposefully didn't mention what front-end (web, native, etc.) or backend I am using, because I would like to know in the general case how this works
I basically want them to have access to create/modify anything that they create, but not really able to modify/delete existing resources.
Or in some other way put them in their own bubble.
I actually got AWS certified associate in architecture, so should have some idea of whatever you say. I forgot most of what I learned for the test.
For now I made them a PowerUser.
Thanks!
Currently, there is no elegant solution for this in a shared AWS account. If you need this level of separation, creating a sub-account is the way to achieve this.
but not really able to modify/delete existing resources.
You can use resource and/or identity tags and then allow or deny actions based on tags. E. g. you can deny any action for tags env=production. See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
You can create simple or more complex Tag Policies to enforce consistent resource tagging.
And there is a way to enforce the owner identity in a tag, so you can allocate costs. (just search the inet for it if you want)
Or in some other way put them in their own bubble.
To keep it simple the development is usually done on a separate (organizational) account and the developers shoup deliver a deployment script/procedure to deploy the resources to other stages (cloudformation, terraform,..) .
. i started by granting PowerUser. then SystemAdministrator
This is something... the developers should not need. If so, you could implement an SCP (Service control policies) to limit even the admin users (deny disabling the cloudtrail, access to sensitive kms, modify roles with certain tags,.. .)
We are attempting to use AzureAD as a IDP for Amazon Web Services and provide the ability for our users to role switch into other accounts / levels of access based on their AD Group memberships.
The following is a link which gives us exactly what we are after using ADFS. Cleverly named AD Groups are transformed into AWS Roles that are passed on as claims.
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
Specifically, the part that achieves this with ADFS is the Custom Claim Transformations you can do when adding a Role to a Relying Party Trust.
Unfortunately, we have to use AzureAD and cannot use ADFS, at the moment we cannot find a way to use RegEx transformations to get the outcomes we can with ADFS.
Can anyone advise us of an approach or if this is even possible?
Thanks!
I don't think this is possible.
What you can do however, is assign the groups into roles that you define in the apps' manifests.
That way you aren't dependent on magic strings in group names as well.
Note this does require paid licenses as group-based access management isn't available in Free AAD.
On Free, you have to assign user roles to each user individually and a user can only have one role.
With group-based you can assign multiple roles to a user.
More info: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Can AWS IAM be used to control access for custom applications? I heavily rely on IAM for controlling access to AWS resources. I have a custom Python app that I would like to extend to work with IAM, but I can't find any references to this being done by anyone.
I've considered the same thing, and I think it's theoretically possible. The main issue is that there's no call available in IAM that determines if a particular call is allowed (SimulateCustomPolicy may work, but that doesn't seem to be its purpose so I'm not sure it would have the throughput to handle high volumes).
As a result, you'd have to write your own IAM policy evaluator for those custom calls. I don't think that's inherently a bad thing, since it's also something you'd have to build for any other policy-based system. And the IAM policy format seems reasonable enough to be used.
I guess the short answer is, yes, it's possible, with some work. And if you do it, please open source the code so the rest of us can use it.
The only way you can manage users, create roles and groups is if you have admin access. Power users can do everything but that.
You can create a group with all the privileges you want to grant and create a user with policies attached from the group created. Create a user strictly with only programmatic access, so the app can connect with access key ID and secure key from AWS CLI.
Normally, IAM can be used to create and manage AWS users and groups, and permissions to allow and deny their access to AWS resources.
If your Python app is somehow consuming or interfacing to any AWS resource as S3, then probably you might want to look into this.
connect-on-premise-python-application-with-aws
The Python application can be upload to an S3 bucket. The application is running on a server inside the on-premise data center of a company. The focus of this tutorial is on the connection made to AWS.
Consider placing API Gateway in front of your Python app's routes.
Then you could control access using IAM.