Vous avez un projet ?

SSO on AWS – 1/3 – Survey

Publié le 13 septembre 2023
scroll
N’oubliez pas
de partager
cet article

A brief context

  • This project concerns a large multi-cloud customer: more than 10,000 employees
  • Who has an AWS landing-zone automation: 30 -> 600 AWS accounts in 3 years
  • And several AWS Organizations

Customer AWS access, whether human or programmatic, relied on centralizing all connections through a single AWS account ‘Identity’.

The hard limit of ‘5000 roles/AWS account’ launched the SSO project (aka IAM Identity Center).

The SSO Project:

Target

  • Manage AWS console access for projects on their dedicated AWS accounts

Cross-functional access and IAC remain on the Identity model so as not to overload AWS IAM Identity Center, which has API limits to consider.

Constraints

  • Implement security: corporated MFA and source IP restriction
  • Be scalable: up to 10,000 users
  • Manage segmentation between multi AWS organizations

The question

  • What to populate the AWS SSO directory with ?

The answers

Several sources can be proposed because the customer has differents Active Directories, and the analysis of interest will be made according to the specificities of each.

  • AWS SSO and customer directory:

This solution does not change the customer referential and procedures, but requires development of functionalities, such as synchroni

  • AWS SSO and Azure AD :

This solution natively integrates the most features: MFA management and restriction of source IPs with Azure Conditionnal Access and SCIM synchronization with AWS SSO. Its main flaw is to create a dependency between AWS and Azure.

  • AWS SSO and AD Onprem :

This solution involves the use of the AWS Managed AD service. Its interest is to support by-design link failure. Its default is to impose the management of a new Tenant AD to the customer.

Review

The choice

The use of Azure AD was established after having been debated by various decision-making committees of the customer, helped by the SAAS culture of the company.


Next

After this survey, the architecture and automation of SSO accesses will be discussed in sections 2/3 and 3/3 of this story.

We will discuss logical roles management for such a quantity and various technical constraints such as synchronization between Azure and AWS as well as handling some limits of SSO API calls.

Paul Boucher, Team Leader AWS