
AWS Multi-Account Strategy for Access Management


Case Study Overview


Stratus10's client, a leader in the AppSec industry, experienced rapid growth in recent years with 13% YoY revenue growth and an expanding global workforce. With multiple AWS Organizations utilizing separate AWS SSO instances and traditional IAM Users, the company faced growth-related frustrations during onboarding and access provisioning due to complexity and varied credential sets. They needed a scalable and efficient way to manage their multiple AWS Accounts and user base.

Stratus10 delivered a centralized and automated solution that provides a single source of truth for user credentials, groups, and memberships. With user access consolidated under one system, the company gained better control, visibility, and efficiency in managing user identities and permissions. Stratus10 also improved the end-user experience by simplifying authentication, which in turn raised productivity. By using Terraform to automate permission sets and AWS Account assignments, Stratus10 ensured consistent and scalable access management.

Overall Stratus10's solution was instrumental in addressing the client's complex access management challenges, empowering them to effectively manage their AWS environment while reducing administrative overhead.
 

Highlights
 

  • Reduced administration complexity and improved user lifecycle management
  • Unified and streamlined user management, authentication, and authorization across AWS environments
  • Enhanced user experience by leveraging Okta to provide flexibility and reduce frustration
  • Automated processes and AWS SSO management for greater control and consistent access across AWS accounts

Challenges


Managing multiple AWS SSO Instances
Managing multiple AWS SSO instances is a headache for any administrator, and every additional instance is one more place where users, passwords, and MFA enrollments must be configured and audited. Limited user account management added risk around user autonomy and password security: users could not manage their own passwords and depended on an administrator for every change. Enabling the "user must change password on login" option would only have shifted more work onto administrators, hindering self-service and potentially creating further security gaps.

Limited MFA options
Offering only one multi-factor authentication (MFA) method was itself a security risk. With a single factor type there is no fallback if that factor is lost or compromised, and no flexibility for different user preferences or compliance requirements. This limited choice weakens the overall security posture, whereas a range of MFA options, including stronger factors for the users who need them, gives a better defense against unauthorized access and account takeover.

Separate credentials for different AWS SSO instances
Separate credentials for different AWS SSO instances presented a significant challenge for users, leading to frustration and decreased productivity. Remembering and maintaining multiple sets of credentials across different environments can be cumbersome and prone to error. 

Manual and complex processes for user administration
The complexity associated with user management, such as disabling access for departing employees or onboarding new employees, introduced administrative burdens and risks. Without a centralized solution, these tasks would have become more time-consuming and error-prone. Manual processes for user administration can lead to delays in access provisioning or revocation, potentially resulting in security gaps or unauthorized access. 

No automation in user administration 
The absence of automation created numerous challenges: manual processes are inherently time-consuming and prone to human error. Without automation, the company's scalability and agility would have been significantly hindered.

 

Why AWS, Okta and Terraform


AWS
The decision to use AWS, Okta and Terraform was driven by the unique strengths and capabilities offered by each platform. AWS provided a robust foundation for the client's cloud infrastructure needs. With AWS Organizations, they gained centralized management and governance of multiple AWS accounts. AWS SSO further enhanced the access management process by providing a unified single sign-on experience for users across AWS accounts within the AWS Organization. This integration allowed for consistent user authentication and authorization, simplifying access management and reducing administrative overhead.

Okta
In conjunction with AWS, Okta provides advanced identity and access management capabilities. Okta is a leading identity provider, delivering secure and seamless authentication and authorization services. By configuring SAML integration between AWS SSO and Okta, the client benefited from Okta's authentication features, including support for multi-factor authentication (MFA) and adaptive access policies. Additionally, user provisioning over the SCIM protocol allowed for automated and synchronized user lifecycle management between Okta and AWS SSO. The combination of AWS and Okta covered both the infrastructure and the identity management side, providing a robust, scalable, and user-friendly environment for the entire workforce.

Terraform
Terraform, an infrastructure as code tool, automates the configuration of permission sets and AWS Account assignments within AWS SSO. Terraform enabled the client to define the desired state of permissions and account assignments in a declarative manner. With Terraform, the process of provisioning and managing permissions becomes streamlined and repeatable. Changes to permission sets or account assignments could be made through code, ensuring consistency and eliminating the need for manual configuration. With task automation from Terraform, they achieved greater agility and control over their access management processes, reducing the risk of misconfigurations and enabling efficient updates as their requirements evolved.


Why Stratus10


Stratus10’s experience delivering complex solutions across the AWS ecosystem gave the client confidence that their challenges would be resolved. Stratus10 was the ideal partner to address their challenges, simplify access management, improve user experience, and establish a scalable framework for ongoing user lifecycle management. Stratus10’s experience with Terraform and Okta ensured a streamlined, automated, secure, and efficient approach to access management across their AWS environment.
 

Solution Delivered


Stratus10's solution to the client's complex access management challenges combined AWS services, Okta's identity and access management capabilities, and Terraform's infrastructure as code (IaC) for automation.

AWS Organizations
To streamline and unify access management, AWS Organizations was used to centralize management and governance of AWS accounts. This allowed for easier administration and enhanced security controls. Within AWS Organizations, AWS SSO was utilized as the centralized identity provider, creating a unified single sign-on experience for users across all AWS accounts within the AWS Organization. AWS SSO simplified user authentication and authorization, enabling users to securely access the resources they needed without having to remember multiple sets of credentials.

Okta Integration Using SAML and SCIM
Integration between AWS SSO and Okta was established using the Security Assertion Markup Language (SAML) protocol. This integration allowed for seamless and secure authentication and authorization between the two platforms. Okta, a leading identity provider, brought robust features such as multi-factor authentication (MFA) and adaptive access policies, providing enhanced security controls to protect user accounts and sensitive data.
 

Okta AWS diagram


To automate user lifecycle management, Stratus10 leveraged the System for Cross-domain Identity Management (SCIM) protocol. SCIM enabled automated provisioning and synchronization of user accounts and attributes between Okta and AWS SSO. This streamlined user onboarding and offboarding processes, ensuring that access was granted or revoked in a timely and accurate manner. Additionally, AWS Identity and Access Management (IAM) policies and roles were used to define granular permissions and access controls for different user groups, ensuring that users had the appropriate level of access to AWS resources.

Workforce lifecycle management diagram


Terraform IaC for Automation
Stratus10 incorporated Terraform to automate the configuration of permission sets and AWS account assignments within AWS SSO. Terraform provided a declarative approach to defining the desired state of permissions and assignments in code, allowing for streamlined provisioning and management, and ensuring consistency and repeatability across their AWS environment.

Terraform brought several benefits. Firstly, it eliminated the need for manual configuration of permissions and account assignments. Any changes or updates to permission sets or account assignments could be made through code, enabling efficient updates and eliminating the need for manual intervention. Furthermore, Terraform facilitated scalability and adaptability. As the client's access management requirements evolved, Terraform made it easier to scale the solution and make changes to permissions and account assignments as needed. The infrastructure-as-code approach provided agility and control, enabling teams to efficiently manage their access management processes while reducing the risk of misconfigurations.
 

Implementation


Assess existing access management setup
The implementation of Stratus10's solution began with a comprehensive assessment of the client's existing access management setup. This involved auditing the AWS Organizations that each ran their own AWS SSO instance, as well as evaluating the IAM Users in the third AWS Organization, which had no AWS SSO at all.

Integrate AWS SSO for each AWS Organization with Okta
To establish the integration between AWS SSO and Okta, the team configured the SAML integration, which required configuring the necessary trust relationships and exchanging metadata between AWS SSO and Okta. This enabled seamless authentication and authorization between the two platforms. The integration allowed users to authenticate using their Okta credentials and provided a consistent user experience across all AWS SSO instances and AWS accounts.

Automate user and group provisioning using SCIM
The next step was to automate user and group provisioning and synchronization using the SCIM protocol. Stratus10 used Okta's SCIM capabilities to automatically provision user accounts, groups, and group memberships and keep them synchronized with AWS SSO. This eliminated the manual effort required for user onboarding and offboarding, so that deactivating a user in Okta also removes their AWS access.

Define granular permissions and access controls
To define granular permissions and access controls, the team leveraged AWS IAM Policies and Permission Sets in AWS SSO. The IAM policies were aligned with company security requirements and configured according to user roles. These Permission Sets were then assigned to specific user groups and AWS accounts, ensuring that users had the appropriate level of access to AWS resources.

Incorporate Terraform to automate the configuration of permission sets and AWS account assignments
Throughout the implementation process, Terraform was utilized to automate the configuration of permission sets and AWS account assignments within AWS SSO. The team defined the desired state of permissions and account assignments in Terraform code, enabling automated provisioning and management. Terraform ensured consistency, repeatability, and scalability, allowing the company to easily make changes and updates to their access management configuration.
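As an added example (not Stratus10's or the client's code), the following Terraform illustrates the pattern described in the Solution Delivered and Implementation sections: permission sets, their policies, and group-to-account assignments declared as one desired state. The region, account IDs, and Okta group display names are assumptions, and the Okta groups are expected to already exist in the identity store because SCIM pushed them there; Terraform only looks them up. It targets the AWS provider 5.x, where AWS SSO is exposed under its current name, IAM Identity Center.

```hcl
# Added example, not code from the case study. Assumptions: one IAM Identity
# Center (formerly AWS SSO) instance in us-east-1, placeholder account IDs,
# and Okta groups already provisioned into the identity store via SCIM.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

data "aws_ssoadmin_instances" "main" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.main.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]

  # Placeholder account IDs (assumed); a real setup would read them from
  # data.aws_organizations_organization.
  accounts = {
    prod    = "111111111111"
    staging = "222222222222"
    sandbox = "333333333333"
  }

  # Desired state: which SCIM-provisioned Okta group gets which permission
  # set in which accounts. Group names are assumptions.
  assignments = {
    admins_all  = { group = "aws-platform-admins", permission_set = "AdministratorAccess", accounts = ["prod", "staging", "sandbox"] }
    dev_prod    = { group = "aws-developers", permission_set = "ReadOnlyAccess", accounts = ["prod"] }
    dev_nonprod = { group = "aws-developers", permission_set = "DeveloperAccess", accounts = ["staging", "sandbox"] }
  }

  # One row per (group, permission set, account) so each grant is its own
  # resource in the plan and can be added or revoked independently.
  assignment_rows = merge([
    for a in local.assignments : {
      for acct in a.accounts :
      "${a.group}/${a.permission_set}/${acct}" => { group = a.group, permission_set = a.permission_set, account_id = local.accounts[acct] }
    }
  ]...)
  group_names = toset([for a in local.assignments : a.group])

  # Least privilege: the powerful set gets a short session.
  permission_sets = {
    AdministratorAccess = { policy = "AdministratorAccess", session = "PT1H" }
    ReadOnlyAccess      = { policy = "ReadOnlyAccess", session = "PT8H" }
    DeveloperAccess     = { policy = "PowerUserAccess", session = "PT8H" }
  }
}

resource "aws_ssoadmin_permission_set" "ps" {
  for_each         = local.permission_sets
  name             = each.key
  instance_arn     = local.instance_arn
  session_duration = each.value.session
}

resource "aws_ssoadmin_managed_policy_attachment" "ps" {
  for_each           = local.permission_sets
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ps[each.key].arn
  managed_policy_arn = "arn:aws:iam::aws:policy/${each.value.policy}"
}

# Guardrail: developers keep PowerUser, but can never touch identity or audit config.
data "aws_iam_policy_document" "dev_guardrails" {
  statement {
    effect    = "Deny"
    actions   = ["sso:*", "identitystore:*", "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]
    resources = ["*"]
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "dev" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ps["DeveloperAccess"].arn
  inline_policy      = data.aws_iam_policy_document.dev_guardrails.json
}

# Okta groups arrive via SCIM; resolve their identity-store IDs by display name.
data "aws_identitystore_group" "okta" {
  for_each          = local.group_names
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }
}

resource "aws_ssoadmin_account_assignment" "grant" {
  for_each           = local.assignment_rows
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ps[each.value.permission_set].arn
  principal_type     = "GROUP"
  principal_id       = data.aws_identitystore_group.okta[each.value.group].group_id
  target_type        = "AWS_ACCOUNT"
  target_id          = each.value.account_id
}
```

With this layout, `terraform plan` lists every grant as a separate resource, so reviewing the plan is reviewing the access change. Removing a row from `assignments` revokes that grant on the next apply, assignments are made only to groups so membership stays governed by Okta and SCIM, and a group that SCIM has not yet created fails the lookup at plan time instead of silently producing an empty grant.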

Collaborate with the client's IT team
During the implementation, Stratus10 worked closely with the IT team to ensure a smooth transition and minimize any disruptions. Stratus10 provided comprehensive documentation and training to empower IT administrators and end users to effectively use the new access management solution. Regular communication and collaboration ensured that the implementation met the client's specific requirements and aligned with their overall IT strategy.

 

Results and Benefits


By centralizing and automating access management processes using AWS SSO, Okta and Terraform, the client achieved improved efficiency, enhanced security, and a streamlined user experience.

Time savings through automation

The client can now swiftly and accurately onboard new employees or revoke access for departing employees.

Single source of truth

Centralized access management eliminated the complex administration of user credentials, groups, and memberships. Users went from having 3-4 sets of credentials to just one.

Increased security with MFA options

Through the Okta integration, users can choose their MFA method from push notifications, SMS, email verification, or a combination of those. Okta also supports phishing-resistant factors such as FIDO2/WebAuthn security keys; SMS and email are the weakest of the listed options and are best treated as fallbacks rather than the primary factor for privileged users.

Robust access management framework

Leveraging multiple AWS services (Organizations, SSO, IAM policies, and Permission Sets), the client now has a unified and efficient access management solution.

Overall, the solution brought significant improvement in access management efficiency, user experience, and cost savings. By leveraging AWS services, third-party integrations, and automation through Terraform, the AppSec leader achieved their goals of streamlining operations and enhancing security.
 

About the Client


With a mission to ensure that software is secure from the start, the AppSec leader provides software security analysis on a single platform, delivering an automated, on-demand solution for accurate and cost-effective vulnerability scans. The platform finds flaws and vulnerabilities at every stage of the modern software development lifecycle, and the on-demand model keeps it cost-effective for their customers.

Trusted by security teams, developers, and business leaders from thousands of the world's leading organizations, the AppSec leader is a pioneer, redefining what intelligent software security means. The company has been consistently ranked a top place to work and named in the Gartner Magic Quadrant for Application Security Testing. They serve more than 3,500 customers worldwide and have assessed over 138 trillion lines of code.
 

About Stratus10


Stratus10 is an AWS Advanced Consulting Partner that helps companies migrate to the cloud and helps those already on AWS implement best practices. Specialty areas include application modernization, DevOps automation, migration, security, and cost optimization, helping clients take full advantage of the latest technologies AWS has to offer.
 

Use case: AWS SSO & Access Management
Client: AppSec Leader
Date: June 2023
Category: Security
