Chris Kuo/Dr. Dataman, Aug 19, 2021, 20 min read

Security: People may be concerned whether their data are safe in the cloud. AWS has designed multiple layers to secure data and services at the highest level. Security is achieved by controlling who can access (authorize) what services (authenticate). In this section you will learn how to use the Identity and Access Management (IAM) service to control who…
Azure Active Directory identity management and access management for AWS

This article provides AWS identity architects, administrators, and security analysts with immediate insights and detailed guidance for deploying Azure AD identity and access solutions for AWS. You can configure and test these Microsoft security solutions without affecting your existing identity providers and AWS account users until you're ready to switch over.

Architecture

AWS creates a separate Identity and Access Management (IAM) store for each account it creates. The following diagram shows the standard setup for an AWS environment with a single AWS account: The root user fully controls the AWS account and delegates access to other identities. The AWS IAM principal provides a unique identity for each role and user that needs to access the AWS account. AWS IAM can protect each root, principal, and user account with a complex password and basic MFA.

Many organizations need more than one AWS account, resulting in identity silos that are complex to manage. To allow centralized identity management and avoid having to manage multiple identities and passwords, most organizations want to use single sign-on for platform resources. Some AWS customers rely on server-based Microsoft Active Directory for SSO integration. Other customers invest in third-party solutions to synchronize or federate their identities and provide SSO.

Azure AD provides centralized identity management with strong SSO authentication. Almost any app or platform that follows common web authentication standards, including AWS, can use Azure AD for identity and access management. Many organizations already use Azure AD to assign and protect Microsoft 365 or hybrid cloud identities. Employees use their Azure AD identities to access email, files, instant messaging, cloud applications, and on-premises resources.
You can quickly and easily integrate Azure AD with your AWS accounts to let administrators and developers sign in to your AWS environments with their existing identities. The following diagram shows how Azure AD can integrate with multiple AWS accounts to provide centralized identity and access management: Azure AD offers several capabilities for direct integration with AWS:
Advanced Azure AD identity management with AWS accounts

Other advanced Azure AD features can provide extra layers of control for the most sensitive AWS accounts. Azure AD Premium P2 licenses include these advanced features:
Scenario details

Amazon Web Services (AWS) accounts that support critical workloads and highly sensitive information need strong identity protection and access control. AWS identity management is enhanced when combined with Azure Active Directory (Azure AD). Azure AD is a cloud-based, comprehensive, centralized identity and access management solution that can help secure and protect AWS accounts and environments. Azure AD provides centralized single sign-on (SSO) and strong authentication through multi-factor authentication (MFA) and Conditional Access policies. Azure AD supports AWS identity management, role-based identities, and access control.

Many organizations that use AWS already rely on Azure AD for Microsoft 365 or hybrid cloud identity management and access protection. These organizations can quickly and easily use Azure AD with their AWS accounts, often without extra cost. Other advanced Azure AD features like Privileged Identity Management (PIM) and Advanced Identity Protection can help protect the most sensitive AWS accounts.

Azure AD easily integrates with other Microsoft security solutions, like Microsoft Defender for Cloud Apps and Microsoft Sentinel. For more information, see Defender for Cloud Apps and Microsoft Sentinel for AWS. Microsoft security solutions are extensible and have multiple levels of protection. Organizations can implement one or more of these solutions along with other types of protection for a full security architecture that protects current and future AWS deployments.

Recommendations

Security

The following principles and guidelines are important for any cloud security solution:
Basic AWS account security

To ensure basic security hygiene for AWS accounts and resources:
AWS IAM security

A key aspect of securing the AWS Management Console is controlling who can make sensitive configuration changes. The AWS account root user has unrestricted access. The security team should fully control the root user account to prevent it from signing in to the AWS Management Console or working with AWS resources. To control the root user account:
Clearly understand and review other AWS IAM account components for appropriate mapping and assignments.
Some IAM service accounts must continue to run in AWS IAM to provide programmatic access. Be sure to review these accounts, securely store and restrict access to their security credentials, and rotate the credentials regularly.

Deploy this scenario

This next section shows you how to deploy Azure AD for single sign-on to an individual AWS account.

Plan and prepare

To prepare for deployment of Azure security solutions, review and record current AWS account and Azure AD information. If you have more than one AWS account deployed, repeat these steps for each account.
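The review of the root user and of the remaining IAM service accounts described above can be turned into a repeatable check. The script below is an added example, not code from the Microsoft article or from AWS: it reads the CSV layout that an IAM credential report uses (the output of `aws iam get-credential-report`, once base64-decoded) and flags a root user without MFA or with access keys, console users without MFA, and access keys older than an assumed 90-day rotation limit. The report rows, account id and the 90-day limit are constructed placeholders.

```python
"""Review an IAM credential report for the root-user and service-account
hygiene points above.

Added example, not the article's or AWS's code. The column names follow the
IAM credential report; the sample keeps only the columns the checks use and
contains constructed data, not a real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation standard; adjust to your policy

# Constructed sample in credential-report layout (not real account data).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2023-01-05T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false,true,2023-02-01T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2024-03-20T00:00:00+00:00,false,N/A
"""

# Fixed clock so the sample produces the same result on every run.
FIXED_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Aware datetime, or None for the report's N/A-style markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples, one per violated control."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_console_password = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"

        # Root user: MFA always, and never long-lived access keys.
        if is_root and not mfa:
            findings.append((user, "root user has no MFA device"))

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root user has active access key {slot}"))
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                age = (now - rotated).days
                findings.append(
                    (user, f"access key {slot} is {age} days old (limit {max_key_age_days})"))

        # Humans who can sign in to the console must have MFA; service accounts
        # without a console password are covered by the key-rotation check.
        if not is_root and has_console_password and not mfa:
            findings.append((user, "console user without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credential_report(SAMPLE_REPORT, FIXED_NOW):
        print(f"{user}: {finding}")
```

Run against a real report, the same function takes the decoded CSV text and the current time; the only judgement call is the rotation limit, which is set as a parameter rather than hard-coded so it can follow the organization's standard.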
Plan Azure AD deployment

The Azure AD deployment procedures assume that Azure AD is already configured for the organization, such as for a Microsoft 365 implementation. Accounts can be synchronized from an Active Directory domain, or can be cloud accounts created directly in Azure AD.

Plan RBAC

If the AWS installation uses IAM groups and roles for RBAC, you can map the existing RBAC structure to new Azure AD user accounts and security groups. If the AWS account doesn't have a strong RBAC implementation, start by working on the most sensitive access:
Plan migration

Azure AD centralizes all authentication and authorization. You can plan and configure user mapping and RBAC without affecting administrators and developers until you're ready to enforce the new methods. The high-level process for migrating from AWS IAM accounts to Azure AD is as follows. For detailed instructions, see Deployment.
For service accounts and programmatic access, use the same approach. Update each application that uses the account to use an equivalent Azure AD user account instead. Make sure any remaining AWS IAM users have complex passwords with MFA enabled, or an access key that's replaced regularly. The following diagram shows an example of the configuration steps and final policy and role mapping across Azure AD and AWS IAM:

Single sign-on integration

Azure AD supports single sign-on integration with AWS SSO. You can connect Azure AD to AWS in one place and centrally govern access across hundreds of accounts and AWS SSO integrated applications. This capability enables a seamless Azure AD sign-in experience for users of the AWS CLI. The following Microsoft security solution procedure implements SSO for the example roles AWS Administrators and AWS Developers. Repeat this process for any other roles you need. This procedure covers the following steps:
The following links provide full detailed implementation steps and troubleshooting:
Add an AWS app to your Azure AD enterprise applications

AWS administrators and developers use an enterprise application to sign in to Azure AD for authentication, then redirect to AWS for authorization and access to AWS resources. The simplest method to see the application is by signing in to

Follow the instructions in add Amazon Web Services (AWS) from the gallery to set up the enterprise application. These instructions will let you know what AWS app to add to your Azure AD enterprise applications. If there's more than one AWS account to administer, such as DevTest and Production, use a unique name for the enterprise application that includes an identifier for the company and specific AWS account.

Configure Azure AD SSO for AWS

Follow the steps below to configure Azure AD SSO for AWS:
Based on these configuration steps, you can diagram the interactions like this: On AWS Console, follow the steps below to create more roles.
How to update role mapping

Because you're using two roles, perform these extra steps:
If you can't see or select a role, go back to the Provisioning page to confirm successful provisioning in the Azure AD provisioning agent, and make sure the IAM User account has the correct permissions. You can also restart the provisioning engine to attempt the import again:
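The role mapping that the RBAC plan, the SSO procedure and the steps above build up can be checked before anything is clicked in either portal. The script below is an added example, not code from the Microsoft article or from AWS or Azure AD; it encodes what the AWS SAML integration expects: each role an Azure AD group is mapped to is expressed as the value "<role ARN>,<SAML provider ARN>", which the assertion carries in the https://aws.amazon.com/SAML/Attributes/Role attribute, and the IAM role's trust policy must let that SAML provider call sts:AssumeRoleWithSAML. The account ids, group names, role names and the provider name "AzureAD" are constructed placeholders.

```python
"""Build and validate the Azure AD group -> AWS IAM role mapping for SAML SSO.

Added example, not the article's or the vendors' code. The attribute names,
the "<role arn>,<provider arn>" value format and the trust-policy shape are
the ones the AWS SAML integration uses; all ids and names are constructed.
"""
import json
import re

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# IAM ARN for a role or a SAML provider: account id, resource type, name.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([\w+=.@-]+)$")

# Constructed planning table: Azure AD security group -> AWS role per account.
PLANNED_MAPPING = [
    {"aad_group": "AWS-Prod-Administrators", "account": "111122223333",
     "role": "AzureAD-Administrators", "provider": "AzureAD"},
    {"aad_group": "AWS-Prod-Developers", "account": "111122223333",
     "role": "AzureAD-Developers", "provider": "AzureAD"},
    {"aad_group": "AWS-DevTest-Developers", "account": "444455556666",
     "role": "AzureAD-Developers", "provider": "AzureAD"},
]


def role_value(account, role, provider):
    """The app-role value Azure AD must emit for one AWS role."""
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{provider}")


def validate_role_value(value):
    """Check one Role attribute value: role ARN, then provider ARN, same account."""
    parts = value.split(",")
    if len(parts) != 2:
        return False, "expected '<role arn>,<provider arn>'"
    m_role, m_prov = ARN_RE.match(parts[0]), ARN_RE.match(parts[1])
    if not m_role or m_role.group(2) != "role":
        return False, "first element is not an IAM role ARN"
    if not m_prov or m_prov.group(2) != "saml-provider":
        return False, "second element is not a SAML provider ARN"
    if m_role.group(1) != m_prov.group(1):
        return False, "role and provider belong to different accounts"
    return True, "ok"


def trust_policy(account, provider):
    """Trust policy a federated role needs so the SAML provider can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account}:saml-provider/{provider}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def build_app_roles(mapping):
    """Return {aad_group: role attribute value}, failing fast on a bad entry."""
    out = {}
    for row in mapping:
        value = role_value(row["account"], row["role"], row["provider"])
        ok, why = validate_role_value(value)
        if not ok:
            raise ValueError(f"{row['aad_group']}: {why}")
        out[row["aad_group"]] = value
    return out


def assertion_attributes(user_groups, app_roles, session_name):
    """Attributes the IdP would place in the assertion for one user.

    Only groups with a mapped AWS role are emitted; when more than one value
    is present AWS shows the user a role picker at sign-in.
    """
    roles = [app_roles[g] for g in user_groups if g in app_roles]
    return {ROLE_ATTR: roles, SESSION_NAME_ATTR: session_name}


if __name__ == "__main__":
    app_roles = build_app_roles(PLANNED_MAPPING)
    print(json.dumps(app_roles, indent=2))
    print(json.dumps(trust_policy("111122223333", "AzureAD"), indent=2))
    print(assertion_attributes(["AWS-Prod-Developers", "Finance"], app_roles, "alice@example.com"))
```

Keeping the planning table as data makes the "two roles" case in the steps above a two-row table rather than two hand-typed ARNs, and the validator catches the usual mistake of pairing a role with a provider from another account.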
Test Azure AD SSO into AWS Management Console

Test signing in as each of the test users to confirm that the SSO works.
Enable Conditional Access

To create a new Conditional Access policy that requires MFA:
You might need to create several Conditional Access policies to meet business needs for strong authentication. Consider the naming convention you use when creating the policies to ensure ease of identification and ongoing maintenance. Also, unless MFA is already widely deployed, make sure the policy is scoped to affect only the intended users; other policies should cover other user groups' needs. Once you enable Conditional Access, you can impose other controls such as PAM and just-in-time (JIT) provisioning. For more information, see What is automated SaaS app user provisioning in Azure AD. If you have Defender for Cloud Apps, you can use Conditional Access to configure Defender for Cloud Apps session policies. For more information, see Configure Azure AD session policies for AWS activities.
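The scoping caveat above (affect only the intended users, exclude break-glass accounts, keep other groups on their own policies) is easy to dry-run before a policy is switched on. The script below is an added example, not code from the Microsoft article and not the Graph API schema for Conditional Access; it models only the pieces that decide whether a sign-in is in scope (included groups, excluded groups, target app, policy state) and lists the users a policy would touch. The directory, group names, app name and policy are constructed.

```python
"""Dry-run the scope of a Conditional Access policy before enabling it.

Added example, not the article's code and not the real policy schema. It
models include/exclude targeting, the app assignment and the enabled /
report-only / disabled states so the blast radius can be checked against
a constructed user list.
"""

# Constructed directory: user -> groups the user belongs to.
DIRECTORY = {
    "alice@example.com": {"AWS-Prod-Administrators", "All-Staff"},
    "bob@example.com": {"AWS-Prod-Developers", "All-Staff"},
    "carol@example.com": {"Finance", "All-Staff"},
    "breakglass@example.com": {"Emergency-Access"},
}

# Constructed policy: scoped to the two AWS groups, with the emergency
# access group excluded so a mis-scoped MFA rule cannot lock out recovery.
POLICY_AWS_MFA = {
    "name": "CA-AWS-Prod-RequireMFA",
    "state": "enabled",            # "enabled", "reportOnly" or "disabled"
    "include_groups": {"AWS-Prod-Administrators", "AWS-Prod-Developers"},
    "exclude_groups": {"Emergency-Access"},
    "apps": {"AWS Production"},
    "grant": "mfa",
}


def in_scope(policy, user, app, directory=DIRECTORY):
    """True when the policy targets this user for this app.

    Exclusions win over inclusions, as in Conditional Access evaluation;
    the literal "All" in include_groups targets every user.
    """
    groups = directory.get(user, set())
    if app not in policy["apps"]:
        return False
    if groups & policy["exclude_groups"]:
        return False
    if "All" in policy["include_groups"]:
        return True
    return bool(groups & policy["include_groups"])


def evaluate(policies, user, app, directory=DIRECTORY):
    """Grant controls enforced for one sign-in, with report-only ones kept apart."""
    enforced, reported = set(), set()
    for p in policies:
        if p["state"] == "disabled" or not in_scope(p, user, app, directory):
            continue
        (enforced if p["state"] == "enabled" else reported).add(p["grant"])
    return {"enforced": enforced, "report_only": reported}


def blast_radius(policy, app, directory=DIRECTORY):
    """Sorted list of users the policy would affect for an app: review it before enabling."""
    return sorted(u for u in directory if in_scope(policy, u, app, directory))


if __name__ == "__main__":
    print(blast_radius(POLICY_AWS_MFA, "AWS Production"))
    for u in DIRECTORY:
        print(u, evaluate([POLICY_AWS_MFA], u, "AWS Production"))
```

Widening `include_groups` to "All" in the sample shows why the caveat matters: the affected-user list grows from the two AWS groups to every account except the excluded break-glass one, which is the situation the report-only state exists to reveal first.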
Which AWS service can be used for authentication and authorization of users?
You can use AWS Identity Services to manage identities, resources, and permissions securely and at scale.
What is authentication and authorization in AWS?
Authentication is how you sign in to AWS using your credentials. As a principal, you must be authenticated (signed in to AWS) using an entity (root user, IAM user, or IAM role) to send a request to AWS. An IAM user can have long-term credentials such as a user name and password or a set of access keys.
Which items can be used to authenticate to the AWS account?
These include users, groups, and roles. IAM identities are the IAM resource objects that AWS uses for authentication; these include IAM users and roles. A principal is a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
Which service enables AWS customers to manage users and permissions in AWS?
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use Account Management resources.