AWS Multi-Account Management

Introduction to AWS Multi-Account Management

When working with AWS at scale, it's common to have multiple accounts to separate environments (such as development, testing/QA, and production) for better resource management, security, and billing clarity. Managing access to these accounts efficiently and securely is a challenge that AWS IAM Identity Center helps address.

What is AWS IAM Identity Center?

AWS IAM Identity Center allows you to centrally manage access to multiple AWS accounts and applications using a single user identity. This means that you can have users log in to a central portal and access the AWS accounts and resources they are authorized to use, without needing separate IAM users in each account.

The Role of SAML in AWS IAM Identity Center

Security Assertion Markup Language (SAML) is an open standard that lets an identity provider (IdP) pass signed authentication assertions, including the attributes a service provider (SP) uses for authorization, to that service provider. In the context of AWS, SAML enables IAM Identity Center to authenticate users and let them assume roles in other AWS accounts via federation, without the users needing IAM user credentials in those accounts.

Setting Up the Environment

Central Account Configuration

  1. Enable IAM Identity Center: This is where you manage your users and their group memberships. Think of it as the central hub for your organization's access management.

  2. Create Applications: In IAM Identity Center, an application typically represents access to a resource, such as an AWS account. You'll define applications for each AWS account your users need access to (e.g., Dev, QA, Prod).

Account Setup for Dev, QA, Prod

  1. Create SAML Providers: In each AWS account (Dev, QA, Prod), you create a SAML provider in IAM. This involves uploading metadata from IAM Identity Center that describes how authentication assertions should be handled. The SAML provider is what enables the trust relationship between this AWS account and IAM Identity Center.

  2. Create IAM Roles: In each account, you also create IAM roles that external identities (from IAM Identity Center) can assume. These roles define what actions the user can perform in the account. The trust policy of these roles references the SAML provider you created, establishing a link that says, "I trust users authenticated by this SAML provider to assume me."

How It Works: A User's Journey

  1. User Authentication: A user logs into the IAM Identity Center user portal using their central account credentials.

  2. Account Selection: Once authenticated, the user sees a list of applications (which, in this case, represent the Dev, QA, and Prod AWS accounts they have access to).

  3. Role Assumption: When the user selects an application, IAM Identity Center uses SAML assertions to request that the AWS account (Dev, QA, Prod) allow the user to assume a pre-configured IAM role.

  4. Access Granted: If the role's trust policy accepts the SAML assertion (which it does, because the SAML provider in the account trusts IAM Identity Center), the user is granted the permissions associated with that role in the AWS account.

Detailed Steps

Creating a SAML Provider

  1. Extract Metadata from IAM Identity Center: In the IAM Identity Center setup, you'll find an option to download metadata XML. This file contains information that other AWS accounts will use to recognize authentication assertions from IAM Identity Center.

  2. Create SAML Provider in Each AWS Account: Go to the IAM dashboard, navigate to "Identity Providers," and create a new SAML provider. Upload the metadata XML from IAM Identity Center. This step establishes the trust relationship on the AWS account side.

Configuring IAM Roles

  1. Define Role Trust Policy: The trust policy of an IAM role specifies who can assume the role. In this case, you'll edit the trust policy to include the SAML provider you just created. This links the role to the SAML provider, allowing users authenticated by IAM Identity Center to assume the role.

    Example trust policy snippet:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "arn:aws:iam::<account-id>:saml-provider/<SAML-Provider-Name>"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
              "StringEquals": {
                "SAML:aud": "https://signin.aws.amazon.com/saml"
              }
            }
          }
        ]
      }

  2. Attach Permissions: Define what resources and actions the user can access while assuming this role. This could range from read-only access to specific S3 buckets to full administrative privileges, depending on the role's intended use.
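Because the trust policy is the only thing standing between "authenticated somewhere" and "allowed into this account", it is worth checking it mechanically across accounts. The Python below is an added example (not part of this page and not AWS tooling) that builds the trust policy shown above from a provider ARN and audits any trust policy for three properties: only the expected SAML provider may call sts:AssumeRoleWithSAML, every such statement pins SAML:aud to the AWS sign-in audience, and no wildcard principal or wildcard action is present. The account id, provider name and role name are constructed placeholders.

```python
# Added example: a small audit of an IAM role trust policy for SAML federation.
# Not AWS tooling; the account id and provider name below are constructed.
import json

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn: str, audience=SAML_AUDIENCE) -> dict:
    """Build the trust policy from the article, parameterised on the provider ARN.
    audience=None deliberately omits the SAML:aud condition so the weaker
    variant can be fed to the checker as well."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
    }
    if audience is not None:
        stmt["Condition"] = {"StringEquals": {"SAML:aud": audience}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _as_list(value):
    """IAM policy fields may be a scalar, a list, or (for Statement) a dict."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def check_saml_trust_policy(policy: dict, expected_account: str, expected_provider: str) -> list:
    """Return a list of findings; an empty list means the policy is as expected."""
    expected_arn = f"arn:aws:iam::{expected_account}:saml-provider/{expected_provider}"
    findings = []
    saml_statements = 0
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: wildcard principal")
        if any(a in ("*", "sts:*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "sts:AssumeRoleWithSAML" not in actions:
            continue  # not a federation statement; nothing SAML-specific to check
        saml_statements += 1
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated:
            findings.append(f"statement {i}: AssumeRoleWithSAML without a Federated principal")
        for arn in federated:
            if arn != expected_arn:
                findings.append(f"statement {i}: unexpected federated principal {arn}")
        # Without SAML:aud pinned, an assertion minted for another audience could be replayed here.
        aud = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud"))
        if aud != [SAML_AUDIENCE]:
            findings.append(f"statement {i}: SAML:aud not pinned to {SAML_AUDIENCE} (got {aud})")
    if saml_statements == 0:
        findings.append("no statement allows sts:AssumeRoleWithSAML")
    return findings


if __name__ == "__main__":
    account, provider = "123456789012", "IdentityCenter"  # constructed placeholders
    good = saml_trust_policy(f"arn:aws:iam::{account}:saml-provider/{provider}")
    weak = saml_trust_policy(f"arn:aws:iam::{account}:saml-provider/{provider}", audience=None)
    for name, policy in (("good", good), ("weak", weak)):
        print(name, json.dumps(check_saml_trust_policy(policy, account, provider), indent=2))
```

In practice you would feed this the output of `aws iam get-role` for each federated role in each account (the trust policy is the AssumeRolePolicyDocument field) and treat any non-empty findings list as a ticket; the audience condition is the part most often dropped when a policy is hand-edited.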

Assigning Access in IAM Identity Center

  1. Link Applications to Roles: Back in IAM Identity Center, when you configure applications (representing the AWS accounts), you specify which roles in those accounts can be assumed through this application. This ties the application to specific IAM roles in the target accounts.

  2. Assign Users/Groups to Applications: Determine which users or groups should have access to each application. Assigning a user or group to an application effectively grants them the ability to assume the linked IAM roles in the target AWS accounts.

Conclusion

This setup leverages the power of AWS IAM Identity Center and SAML to create a secure, scalable, and manageable way to handle cross-account access. Users enjoy the simplicity of single sign-on (SSO) to access multiple AWS accounts and resources, while administrators benefit from centralized user management and granular control over permissions.