
Permissions Management, AWS and Federated Access

July 7, 2022

In the last post I talked about my first impressions of Permissions Management with an AWS account. Since then I have had a chance to play a bit more with this configuration. Specifically, I configured federated access from my Azure AD tenant to the AWS account. One of the reasons I wanted to test this is to see whether a privileged access workstation (PAW) for cloud services management, one that is joined to the Azure AD tenant, managed through Azure-based controls and signed in with an Azure AD account, can be used to manage the AWS account. The configuration is shown in the following diagram.

Federated access to AWS does not require a user in AWS IAM: if we look in the AWS account's IAM console, we will not see an AWSAdmin user. Instead, as part of this configuration we create a role in the AWS account and attach the necessary policy to it; in the diagram below I attached the highest permission, the AWS managed AdministratorAccess policy. The role's trust policy allows only sts:AssumeRoleWithSAML from the IAM SAML identity provider created from the Azure AD federation metadata, so nothing but a valid assertion from the tenant can assume it. The role is then synchronized to the Azure AD enterprise application used for AWS federated access, and Azure AD can assign an Azure AD user account to that role.

At a high level the authentication flow works in the following order:

  • The user logs on to their PAW with an Azure AD account, in this example the AWSAdmin account
  • The user starts IdP-initiated SSO to the AWS account; Azure AD issues a SAML assertion whose Role attribute lists the AWS role(s) assigned to the user, and the browser posts it to the AWS sign-in endpoint
  • AWS authenticates the user as the AWSAdmin federated identity and grants the permissions of the assumed role, in this example the AdministratorAccess policy
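The AWS side of the configuration described above, as an added example that is not code from the original post: the role trust policy that makes a role assumable only through the Azure AD SAML provider, a small review function that flags any other trust, and a parser for the SAML Role attribute that carries the role assignment at sign-in. The account ID, provider name and role names are assumed values used for illustration.

```python
"""Added example (not from the original post): the AWS side of an
Azure AD -> AWS SAML federation. Account ID, provider and role names
are made-up values used for illustration only."""
import json

ACCOUNT_ID = "123456789012"                  # assumed account ID
PROVIDER_NAME = "AzureAD"                    # assumed name of the IAM SAML provider
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{PROVIDER_NAME}"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy for a role that can only be assumed through the given
    IAM SAML provider, i.e. only with an assertion issued by Azure AD.
    No IAM user or other account is trusted, which is why no AWSAdmin
    user needs to exist in IAM."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                # Pin the assertion audience to the AWS sign-in endpoint.
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def trust_policy_findings(policy: dict, expected_provider: str) -> list:
    """Review a role trust policy and return a list of problems. An empty
    list means every Allow statement is a SAML trust for expected_provider
    with the audience pinned; anything else (another provider, a missing
    audience condition, a plain sts:AssumeRole trust) is reported."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        if "sts:AssumeRoleWithSAML" in actions:
            if principal.get("Federated") != expected_provider:
                findings.append(f"SAML trust granted to {principal.get('Federated')!r}")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != AWS_SAML_AUDIENCE:
                findings.append("SAML:aud condition missing or not the AWS sign-in endpoint")
        else:
            findings.append(f"non-SAML trust: {actions} from {principal}")
    return findings


def parse_role_attribute(values: list) -> list:
    """Parse the values of the SAML attribute
    https://aws.amazon.com/SAML/Attributes/Role. Each value is 'arn,arn'
    where one ARN is the role and the other the SAML provider (AWS accepts
    either order). Returns (role_arn, provider_arn) tuples; every role
    listed is one the federated user may pick at sign-in."""
    pairs = []
    for value in values:
        parts = [p.strip() for p in value.split(",", 1)]
        if len(parts) != 2:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        a, b = parts
        role, provider = (a, b) if ":role/" in a else (b, a)
        if ":role/" not in role or ":saml-provider/" not in provider:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        pairs.append((role, provider))
    return pairs


if __name__ == "__main__":
    policy = saml_trust_policy(PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, PROVIDER_ARN))
    # Constructed Role attribute value, as Azure AD would emit for a user
    # assigned the AdministratorAccess role in the AWS enterprise application.
    attr = [f"arn:aws:iam::{ACCOUNT_ID}:role/AzureAD-AdministratorAccess,{PROVIDER_ARN}"]
    print(parse_role_attribute(attr))
```

The review function is the check worth keeping: a role that is meant to be reachable only through Azure AD but whose trust policy also allows sts:AssumeRole from an IAM user or another account has a second door that the Azure-side controls (PAW, Conditional Access) never see.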

So what does it have to do with Entra Permissions Management?

I was pleasantly surprised to find that Permissions Management reports the federated accounts used to access the AWS account as privileged accounts and shows them as SAML user accounts. This is very valuable information, because we need to perform account disposition (deciding which accounts to keep, reduce or remove) on the AWS account, and those accounts do not appear in the IAM user list.

To be fair, there should be a way to identify these accounts by looking at AWS logging or through another native method (CloudTrail records every federated sign-in as an AssumeRoleWithSAML event, which names both the federated user and the role assumed), but as mentioned before I'm not an expert in AWS, and having a tool like Entra Permissions Management show the accounts that require attention in a single user interface is very helpful.
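The native check mentioned above, as an added example that is not part of the original post: walk CloudTrail records, keep only AssumeRoleWithSAML events, and flag every federated subject whose assumed role carries AdministratorAccess or is missing from the role inventory. The records, account ID, user names and the role-to-policy mapping are constructed for the example; field names follow the shape of the CloudTrail AssumeRoleWithSAML event, and the mapping stands in for the output of iam list-attached-role-policies.

```python
"""Added example (not from the original post): finding federated sign-ins
to an AWS account, and the permissions they arrive with, from CloudTrail.
All records and the role/policy inventory below are constructed."""
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail records. A real trail file is gzipped JSON with a
# top-level "Records" list of objects like these (fields trimmed).
SAMPLE_RECORDS = [
    {   # Azure AD user assigned the admin role signs in via SAML
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "AWSAdmin@contoso.example"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::123456789012:role/AzureAD-AdministratorAccess",
            "principalArn": "arn:aws:iam::123456789012:saml-provider/AzureAD",
            "roleSessionName": "AWSAdmin@contoso.example",
        },
    },
    {   # Azure AD user assigned a read-only role
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "reader@contoso.example"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::123456789012:role/AzureAD-ReadOnly",
            "principalArn": "arn:aws:iam::123456789012:saml-provider/AzureAD",
            "roleSessionName": "reader@contoso.example",
        },
    },
    {   # federated sign-in to a role nobody has inventoried
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "userIdentity": {"type": "SAMLUser", "userName": "svc-test@contoso.example"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::123456789012:role/AzureAD-Unknown",
            "principalArn": "arn:aws:iam::123456789012:saml-provider/AzureAD",
            "roleSessionName": "svc-test@contoso.example",
        },
    },
    {   # plain IAM user console login: not federated, must be ignored here
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "console-user"},
        "requestParameters": None,
    },
]

# Constructed stand-in for `aws iam list-attached-role-policies` per role.
ROLE_POLICIES = {
    "arn:aws:iam::123456789012:role/AzureAD-AdministratorAccess": [ADMIN_POLICY],
    "arn:aws:iam::123456789012:role/AzureAD-ReadOnly": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
}


def federated_sessions(records):
    """Map each federated subject (the SAML user name, falling back to the
    role session name) to the set of role ARNs it assumed. Only
    AssumeRoleWithSAML events count; IAM users and other STS calls are
    not federated access and are skipped."""
    sessions = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com":
            continue
        if rec.get("eventName") != "AssumeRoleWithSAML":
            continue
        params = rec.get("requestParameters") or {}
        subject = rec.get("userIdentity", {}).get("userName") or params.get("roleSessionName")
        sessions[subject].add(params["roleArn"])
    return dict(sessions)


def privileged_federated_identities(records, role_policies, privileged=(ADMIN_POLICY,)):
    """Return {subject: [role ARNs]} for federated subjects that assumed a
    role carrying a privileged managed policy. A role absent from the
    inventory is also reported, so an uninventoried role is never silently
    treated as harmless."""
    flagged = {}
    for subject, roles in federated_sessions(records).items():
        hits = []
        for role in sorted(roles):
            attached = role_policies.get(role)
            if attached is None or any(p in privileged for p in attached):
                hits.append(role)
        if hits:
            flagged[subject] = hits
    return flagged


if __name__ == "__main__":
    for subject, roles in privileged_federated_identities(SAMPLE_RECORDS, ROLE_POLICIES).items():
        print(f"{subject}: {', '.join(roles)}")
```

Inline policies and permission boundaries are not covered by the attached-policy inventory used here; a full disposition pass would add iam list-role-policies output to the mapping before trusting a role as non-privileged.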

The following diagram shows a couple of accounts from my Azure AD tenant that have Super Identity access to the AWS account.

Till next time my friends!
