AWS Multi-Account Configuration Guide
Table of Contents

Overview
How it Works
  User Access to AWS Accounts and Roles
  Managing User & Group Access to Accounts and Roles
High-Level Design
  Set Up AWS for SAML
  Create a Management Layer of Groups in AD / LDAP
  Configure the AWS App in Okta for Group-Based Role Assignment
Set Up Instructions
  Prerequisites
  Step 1: Setting Up Your AWS Accounts & Roles for SAML SSO
  Step 2: Creating AWS Role Groups in AD / LDAP
  Step 3: Configuring AD / LDAP Management Groups to Map Users to AWS Accounts & Roles
  Step 4: Importing AWS Role Groups and Management Groups into Okta
  Step 5: Enabling Group Based Role Mapping in Okta
  Step 6: Assign All AWS Management Groups to the AWS App in Okta
Overview

It has become increasingly common for AWS customers to have a large set of AWS accounts – some for development, some for testing, others for production, etc. In fact, it is not uncommon to have over 100 AWS accounts to manage all of these use cases. In response, it is now possible in Okta to provide a secure and scalable way of granting single sign-on access across an unlimited number of AWS accounts and roles. Additionally, this model ensures that each group of users is only granted access to the appropriate AWS roles they need, offering fine-grained entitlement management. This is an Early Access feature. Contact Okta Support to enable it. This guide will explain how Okta's AWS Multi-Account solution works and walks through set-up instructions to get started with the new feature.

How it Works
User Access to AWS Accounts and Roles

Once you have granted AWS access to certain individuals or groups, each user will begin by simply logging into the Okta End-User Dashboard. From here they can then select an AWS chiclet that appears once they have been assigned the app.
Once the AWS app is selected, an AWS account & role picker page will appear. This page will display all of the roles across all of the accounts that the specific user is granted access to. This will differ depending on the entitlements that users are granted – for instance, your DevOps administrator may see roles and accounts requiring more elevated permissions as compared to your Tier 1 Support agent.
Behind the scenes, Okta is able to pass a list of roles and accounts the user is authorized for to AWS in real time, based off the specific groups that the user belongs to. This makes administration extremely simple, by allowing admins to simply assign users to specific AD or LDAP groups that are authorized for a certain list of AWS accounts & roles. More details are explained below about the admin experience.
Managing User & Group Access to Accounts and Roles

In the initial release of this solution, administration of this feature is primarily supported in AD & LDAP. From here, administrators work with two different logical sets of AD/LDAP groups:
1. AWS Role Specific Groups
A group must exist in AD or LDAP for each specific account and role combination that you want to provide access to. You can think of these groups as AWS Role Specific Groups. The group name should follow a particular syntax as well (more details in the setup instructions on this topic).
Any user who is a member of these role specific groups is essentially granted a single entitlement - access to one specific role in one specific AWS account. These groups can be created by a script, exported as a list from AWS, or created manually.
2. Management Groups
As you might imagine, it does not scale to manage user access by assigning each user to specific AWS Role Groups. To simplify administration, we recommend you also create a number of groups for all of the distinct user-sets in your organization that require different sets of AWS entitlements. These groups may already exist in your AD/LDAP hierarchy in the form of different department specific groups, but can also be created solely for AWS if preferred.
These management groups become the administration layer where you assign users (as group Members) and map these users to specific entitlements through AWS Role Groups (as MembersOf).
Once these groups have been created in Active Directory or LDAP, all administration should take place with the Management Groups. Add/remove users to these groups to grant access to your listed AWS accounts & roles, and update the specific entitlements by adding or removing AWS Role Groups in the MemberOf group property.
High-Level Design
Set Up AWS for SAML

To begin, each of your AWS accounts must be configured for SAML access. This entails adding Okta as a trusted IDP to your AWS account and then creating a trust relationship for each of your roles that permits access via the new IDP. These are the same steps that one would follow to provide SAML SSO into any single AWS account, but they must be performed across all of your accounts. For advanced organizations, this can be automated with CloudFormation or AWS API scripts for simple SAML setup in each account.
Create a Management Layer of Groups in AD / LDAP

Once SAML has been configured, you must now create AWS Role Groups in AD/LDAP for each role & account you want users to be able to access through Okta. This can be completed via a script between AWS and AD/LDAP, by exporting a CSV to AD and scripting against the CSV on the AD side, or by manual effort. Next, you can create a link between these AWS Role specific Groups and other AD/LDAP groups by assigning Management Groups as MembersOf the AWS Role Groups you want to grant them access to. Once complete, assign users to these Management groups to allow access to all of the AWS roles and accounts that the Management Group is a member of.
Configure the AWS App in Okta for Group-Based Role Assignment

Finally, in Okta, import both the AD/LDAP Management Groups & Role Groups via Okta's AD or LDAP Agent. Next, assign your management groups to the AWS application you set up in Step 1 – this assigns the proper users to the AWS app. Lastly, set up Group Based Role Assignment to translate the names of each of your AWS Role Groups into a format that AWS can consume to list the proper roles on the Role Picker Page for your users.
Set Up Instructions

These steps assume you understand the intended experience and high-level design of this feature. If unsure, please review the sections above.

Prerequisites

This feature requires the Early Access feature flag, PROV_AMAZON_AWS_USE_DYNAMIC_ROLE_MAPPING, to be enabled in your org. Contact Okta Support. Please note that this takes effect in all AWS apps in your org and therefore should only be enabled in Okta Orgs where you do not currently have an active AWS app setup that users are actively using. Otherwise, the configuration for your previously set up AWS apps would temporarily break, as it expects to utilize this new method of access. As such, this feature is currently designed in Early Access for use in non-production orgs only. Please plan accordingly.

Step 1: Setting Up Your AWS Accounts & Roles for SAML SSO

First we will set up all of your AWS accounts for SAML access with Okta.
1. Begin by creating a new AWS app in Okta and select SAML from the Single Sign-On tab.
2. Open the in-product guide, and perform steps 1 and 2 under the "Connect Okta to a Single AWS Instance" portion of the guide:
   a. (Single Instance) Step 1: Configure Okta as your Identity Provider in your AWS account
   b. (Single Instance) Step 2: Add Okta Identity Provider as a Trusted Source in your AWS Roles
3. Do this for all of your AWS accounts and roles that you want to grant users access to – and ensure that all of your accounts have been set up with the same exact SAML metadata and have been named the same exact name. Any account with a different SAML provider name or metadata document will not be accessible.
Step 2: Creating AWS Role Groups in AD / LDAP

Once all AWS accounts have been configured for SAML, groups must be created in AD for each AWS role in each account that you want users to have access to. This can be accomplished in a few different ways:
• Option 1: Script between AWS and AD/LDAP that creates AD groups for each role in each account
This offers the greatest possibility of automation, but requires coordination between your AWS management teams and AD/LDAP management teams for the script to be configured. In the future, Okta hopes to provide sample scripts to help simplify the setup, but no such scripts will be provided in the initial release of this solution.
• Option 2: CSV Export from AWS
If a scripting approach between AWS and AD/LDAP is not a possibility, a lighter weight approach may be to simply export a list of role names for each of your AWS accounts in a CSV that you provide to your AD/LDAP administration teams. From there, they can manage the creation of AWS Role groups however they see fit, without any sort of dependencies or direct integration with your AWS accounts themselves.
• Option 3: Manual Creation
Lastly, it is always possible to create AWS Role Groups in AD/LDAP manually. This model is the simplest; however, it will require upkeep as well as ample setup time to create groups in AD/LDAP for each of the roles in each of your accounts.
Regardless of how you choose to create these AWS Role Specific Groups in your directory, we recommend the following procedure:
1. Create a new OU somewhere in your directory so that you can isolate all of your AWS Role Specific groups. This is not required, but recommended in order to make group management simple for your administrators. Potential OU names could be "AWS Role Groups", "AWS Entitlements", etc.
2. Create AD security groups for each role following a standard syntax. For simplicity, Okta recommends the following syntax:

    aws#<account alias>#<role name>#<account #>
    example: aws#northamerica-production#Tier1_Support#828416469395

If you prefer to use your own group syntax, then please make sure to include the account alias, role name, and account # with recognizable delimiters in between each. This will also require you to be able to create a custom regex expression in later steps and therefore should only be done if you are comfortable with these advanced topics.
Step 3: Configuring AD / LDAP Management Groups to Map Users to AWS Accounts & Roles

Next, another set of AD/LDAP groups will be created or used to establish a link between sets of users and the specific AWS accounts and roles they should have access to.
1. If you do not already have groups in AD that you want to use to manage the AWS entitlements that different users should have access to, then:
   a. Create another OU in your directory for "AWS Management Groups". Alternatively, you can place these groups wherever you prefer in your directory – a different OU is recommended simply to aid in ease of administration.
   b. Create groups for each different user population that requires a different set of AWS roles and accounts. Name these however you see fit – for instance, "Tier 1 AWS Support", "Database Admins", "AWS Super Admins", etc.
2. Once you have management groups you would like to use, make each of these groups a member of all of the AWS Role Groups that this group should have access to. This establishes a link between the management groups and the entitlements in all of your AWS accounts that group users should have access to. You can add, remove, modify, and audit AWS entitlements from this page for each of your management groups.
3. Next, you can begin assigning users directly to the group by making users members of these groups. Similarly, you can add, remove, modify, and audit user membership of each group from this page as well.
These management groups become the central control point for you to manage & audit user access to different sets of AWS entitlements.
Step 4: Importing AWS Role Groups and Management Groups into Okta

Next, both AWS role groups and management groups need to be imported into Okta and configured for use in the AWS app you configured in Step 1. Importing these groups is typically done via the Okta AD or LDAP Agent. Instructions on installing the Okta AD/LDAP Agent can be found in product by navigating to Directory > Directory Integrations. Upon completion, you should be able to see both your AWS Role groups and Management groups from the Groups page in the Okta Admin Console.
Step 5: Enabling Group Based Role Mapping in Okta

Once the groups have been imported into Okta, the AWS application you set up in Step 1 must be configured to translate AWS Role group membership into entitlements that AWS can understand syntactically.
1. Navigate to the AWS application you previously set up in Step 1.
2. Go to the Single Sign On tab and choose Edit in the top right hand corner of the page.
3. Locate the App Filter, Group Filter, and Role Value Pattern fields – these fields control how Okta maps your AWS role groups into entitlements for this feature. Configure these fields as follows:
• App Filter – the app filter narrows the list of groups that Okta can use for AWS entitlement mapping to a specific app or directory. This exists for security purposes, to avoid possible situations where rogue admins create groups following a certain syntax in order to intentionally gain unauthorized access to a specific AWS account/role. If you created your groups in Active Directory, you can input active_directory.
• Group Filter – the group filter field uses a Regex expression to only inspect groups from your chosen app filter that follow a specific syntax. If you did choose to use the Okta recommended default AWS role group syntax listed above, then you can simply use the following regex string:

    ^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$

This regex expression logically equates to: "find groups that start with aws, then #, then a string of text, then #, then the AWS role, then #, then the AWS account ID".
If you didn't use the default recommended AWS role group syntax, then you must create a regex expression that properly filters your AWS role groups, and captures the AWS role name and AWS Account ID within two distinct Regex groups named {{role}} and {{accountid}} respectively.
• Role Value Pattern – this field takes the AWS role and account ID captured within the syntax of your AWS role groups, and translates it into the proper syntax AWS requires in Okta's SAML assertion to allow users to view their accounts and roles when they sign in.
This field should always follow this specific syntax:

    arn:aws:iam::${accountid}:saml-provider/<<SAMLProviderName>>,arn:aws:iam::${accountid}:role/${role}

Replace <<SAMLProviderName>> with the name of the SAML provider that you set up in all of your AWS accounts in Step 1. The rest of the string should not be altered – just copy & paste.
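As an added worked example (not part of Okta's guide), the following Python models the chain that Step 3 and Step 5 describe end to end: users sit in management groups, management groups are members of AWS Role Groups named with the recommended syntax, the Group Filter is applied to a user's effective groups, and the Role Value Pattern is rendered into the SAML Role values AWS expects. The directory snapshot, user names, account IDs and the provider name OKTA are constructed; Okta's `(?{{role}}...)` named captures are written in Python's `(?P<role>...)` form, which is assumed to capture the same text.

```python
import re

# Python spelling of the Step 5 Group Filter. Okta writes a named capture as
# (?{{role}}...) ; Python writes the same capture as (?P<role>...).
GROUP_FILTER = re.compile(r"^aws\#\S+\#(?P<role>[\w\-]+)\#(?P<accountid>\d+)$")

# Step 5 Role Value Pattern with ${accountid}/${role} as str.format fields.
# "OKTA" stands in for <<SAMLProviderName>> and is a constructed name.
SAML_PROVIDER = "OKTA"
ROLE_VALUE = ("arn:aws:iam::{accountid}:saml-provider/" + SAML_PROVIDER
              + ",arn:aws:iam::{accountid}:role/{role}")

# Constructed directory snapshot: group -> its direct members (users or groups).
# As in Step 3, management groups are members of AWS Role Groups and users are
# members of management groups. All groups are assumed to come from the single
# directory selected by the App Filter.
MEMBERS = {
    "aws#northamerica-production#Tier1_Support#111111111111": {"Tier1 AWS Support"},
    "aws#northamerica-production#DBA#111111111111": {"Database Admins"},
    "aws#europe-staging#DBA#222222222222": {"Database Admins"},
    "aws#europe-staging#Admin#222222222222": {"AWS Super Admins"},
    "aws_billing_readers": {"Database Admins"},      # off-syntax: never mapped
    "Tier1 AWS Support": {"alice"},
    "Database Admins": {"bob", "AWS Super Admins"},  # management groups may nest
    "AWS Super Admins": {"carol"},
}


def effective_groups(user):
    """Every group the user belongs to, directly or through nested membership."""
    found, frontier = set(), {user}
    while frontier:
        parents = {g for g, m in MEMBERS.items() if m & frontier and g not in found}
        found |= parents
        frontier = parents
    return found


def aws_role_values(user):
    """SAML Role attribute values Okta would emit for the user: each effective
    group that passes the Group Filter yields one 'provider ARN,role ARN' pair;
    groups that do not match the filter contribute nothing."""
    values = []
    for group in sorted(effective_groups(user)):
        match = GROUP_FILTER.match(group)
        if match:
            values.append(ROLE_VALUE.format(**match.groupdict()))
    return values
```

Running `aws_role_values("carol")` shows the effect of nesting: carol inherits the DBA roles through "Database Admins" as well as the Admin role of her own group, while "aws_billing_readers" is silently dropped because it fails the Group Filter.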
Step 6: Assign All AWS Management Groups to the AWS App in Okta

Lastly, now that the AWS app has been properly configured to map AWS role groups to entitlements, simply assign all of your AWS Management Groups to the application in Okta. This will automatically assign all of the appropriate users to the AWS app, and the instructions you completed in Step 5 will ensure that they only see the appropriate entitlements they should have access to.
Setup is now complete! Verify that users can access the AWS app from their Okta end-user dashboard and that sign-on is seamless.