My entire team accesses a single AWS account through federated login. Apart from my team, only admin (root user) has access to this account. But the root user is only for administration purpose.
We all login to the AWS console through a SAML-based SSO. The navbar of the AWS console shows the user info as:
Federated Login:
TEAM-NAME/email.of.logged.in.user#organization.com
Account:
1234-5678-1234
Since it is a single account, the account id is common for all federated users. But the emails are their own. Also, on clicking "My Account" link in navbar, the account name is shown as
assumed-role/TEAM-NAME/email.of.logged.in.user#organization.com
A part of my project is to identify the creator of some AWS resources. Now, suppose a bucket was created by some federated user. Can I, another federated user, track who (email) created this bucket? What about other kind of resources (not just s3 buckets)?
You can track that using the Amazon cloud trail. But as a federated user, you will have to make sure that you have Amazon Cloud Trail access. Once you've Cloud Trail access you can filter the bucket name using Resource Name filter.
Related
I have AWS account A which has some users and roles I created manually. Now I created AWS Organizations and created account B. I wanted to connect azure id as External Identity Provider(Idp) to AWS SSO.
would it delete/disable users and roles I created manually in account A when I enable Idp?
I found some information on this page https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-considerations.html but all it says it will disable users created using AWS SSO but doesn't say anything for users and roles created manually.
I have a Google cloud project created.
I created a service account with project editor role.
Now, if I give a user, serviceAccountUser role to the service account, it doesn't automatically gives the user permission on the project.
If I login using that user to Google cloud console, I'm unable to see the project itself.
It says in the documentation - "Users granted the Service Account User role on a service account can use it to indirectly access all the resources to which the service account has access." So, I thought I would be able to access all the projects as well. Does the above statement mean something else?
On GCP you have user accounts and service accounts. The main purpose of the service accounts is to consume GCP services via API calls, the documentation says: "A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.". For login and interact with the GUI and resources you need a user account, if you want to see the resources the account need the viewer role, if you need perform operations on the resources you need admin role, review the documentation for more information (How IAM works).
I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin, then an Administrator could give more roles as needed to each user. I am open to suggestions, perhaps lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using this AWS Management Console Federation Proxy Sample found in Amazon's code reference, using with Microsoft Exchange hosted email.
If your existing identity provider supports SAML2 Federation, you can set it up to login to the AWS Management Console.
For more details refer Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Else you can implement a custom Federation Broker to return an URL to the user, after they authenticate with their corporate credentials.
For more details refer Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
I login to AWS with my Active Directory account in my company. We are using federated login, as described here:
Federated Users and Roles
Federated users don't have permanent identities in your AWS account the way that IAM users do. To assign permissions to federated users, you can create an entity referred to as a role and define permissions for the role. When a federated user signs in to AWS, the user is associated with the role and is granted the permissions that are defined in the role. For more information, see Creating a Role for a Third-Party Identity Provider (Federation).
My company has a Security Token Service (STS) which is a SAML provider.
I can use that to login to AWS management console, but can I login to AWS CLI as well with my federated login?
saml2aws can be used for AWS CLI for the federated user.
Refer https://github.com/Versent/saml2aws this is based on python code from https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
You can use the below command to login to default IDP AWS account, your organization will provide you the IDP account name.
saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD
For using the federated user for automation, you need to use exec
saml2aws --idp-account="default" --username=USERNAME --password=PASSWORD exec command
Yes, it is possible, however it's not straight forward. There is a rather long blog post in the AWS Security Blog explaining how to be able to use the CLI as SAML-federated user: https://aws.amazon.com/de/blogs/security/how-to-implement-federated-api-and-cli-access-using-saml-2-0-and-ad-fs/
I would like to write a policy for a new IAM user so that he can have a full access to AWS Services such as EC2, RDS, Cloud Front, S3, etc. However he should be only able to view (describe) and manage the instances/services that he launches. He can't see other existing/future instances/services created by other users.
This case happens in a company that wants to outsource some projects to an outsourced company. So the new IAM user is for giving access to the outsourced company to setup the staging & production environments in AWS that belongs to the company. How can I achieve this?
Thanks.
Best Regards,
Mark
AFAICT there are no conditions on creator.
One obvious alternative is having a separated dependent and linked account with consolidated billing. You can find some detail in the third scenario of this paper
https://media.amazonwebservices.com/AWS_Setting_Up_Multiuser_Environments_Education.pdf
[...] an administrator creates separate AWS accounts for each user who
needs a new AWS account. These accounts can optionally be linked
together and a single AWS account can be designated as the paying
account using consolidated billing, which provides a single bill for
multiple AWS accounts. The administrator then creates an IAM user in
each AWS account and applies an access control policy to each user.
Users are given access to the IAM user within their AWS account, but
do not have access to the root credentials of the AWS account.
Users can log into the AWS Management Console with their IAM
credentials and then they can launch and access different AWS
services, subject to the access control policies applied to their
account. Users have direct control over the access credentials for
their resources and they can also share these resources with other
users as necessary.