Squareup

AWSMulti-AccountConfigurationGuide

AWSMulti-AccountConfigurationGuide

2

Table of Contents Overview ............................................................................................................................................................ 3

How it Works ................................................................................................................................................................................... 3User Access to AWS Accounts and Roles .......................................................................................................................... 3Managing User & Group Access to Accounts and Roles ................................................................................................ 5

High-Level Design ........................................................................................................................................................................... 7Set Up AWS for SAML ............................................................................................................................................................... 7Create a Management Layer of Groups in AD / LDAP ..................................................................................................... 7Configure the AWS App in Okta for Group-Based Role Assignment ........................................................................... 7

Set Up Instructions ........................................................................................................................................... 8Prerequisites .................................................................................................................................................................................... 8Step 1: Setting Up Your AWS Accounts & Roles for SAML SSO ....................................................................................... 8Step 2: Creating AWS Role Groups in AD / LDAP ................................................................................................................. 8Step 3: Configuring AD / LDAP Management Groups to Map Users to AWS Accounts & Roles ............................. 9Step 4: Importing AWS Role Groups and Management Groups into Okta ..................................................................... 11Step 5: Enabling Group Based Role Mapping in Okta ........................................................................................................ 12Step 6: Assign All AWS Management Groups to the AWS App in Okta ......................................................................... 13

AWSMulti-AccountConfigurationGuide

3

OverviewIthasbecomeincreasinglycommonforAWScustomershavealargesetofAWSaccounts–somefordevelopment,somefortesting,othersforproduction,etc.Infact,itisnotuncommontohaveover100AWSaccountstomanagealloftheseusecases.Inresponse,itisnowpossibleinOktatoprovideasecureandscalablewayofgrantingsinglesign-onaccessacrossanunlimitednumberofAWSaccountsandroles.Additionally,thismodelensuresthateachgroupofusersareonlygrantedaccesstotheappropriateAWSrolestheyneed,offeringfine-grainedentitlementmanagement.ThisisanEarlyAccessfeature.ContactOktaSupporttoenableit.ThisguidewillexplainhowtheOkta’sAWSMulti-Accountsolutionworksandwalksthroughset-upinstructionstogetstartedwiththenewfeature.HowitWorks

UserAccesstoAWSAccountsandRolesOnceyouhavegrantedAWSaccesstocertainindividualsorgroups,eachuserwillbeginbysimplyloggingintotheOktaEnd-UserDashboard.FromheretheycanthenselectanAWSchickletthatappearsoncetheyhavebeenassignedtheapp.

AWSMulti-AccountConfigurationGuide

4

OncetheAWSappisselected,anAWSaccount&rolepickerpagewillappear.Thispagewilldisplayalloftherolesacrossalloftheaccountsthatthespecificuserisgrantedaccessto.Thiswilldifferdependingontheentitlementsthatusersaregranted–forinstance,yourDevOpsadministratormayseerolesandaccountsrequiringmoreelevatedpermissionsascomparedtoyourTier1Supportagent.

Behindthescenes,OktaisabletopassalistofrolesandaccountstheuserisauthorizedfortoAWSinrealtimebasedoffthespecificgroupsthattheuserbelongsto.Thismakesadministrationextremelysimple,byallowingadminstosimplyassignuserstospecificADorLDAPgroupsthatareauthorizedforacertainlistofAWSaccounts&roles.Moredetailsareexplainedbelowabouttheadminexperience.

AWSMulti-AccountConfigurationGuide

5

ManagingUser&GroupAccesstoAccountsandRolesIntheinitialreleaseofthissolution,administrationofthisfeatureisprimarilysupportedinAD&LDAP.Fromhere,administratorsworkwithtwodifferentlogicalsetsofAD/LDAPgroups:

1 AWSRoleSpecificGroupsAgroupmustexistinADorLDAPforeachspecificaccountandrolecombinationthatyouwanttoprovideaccessto.YoucanthinkofthesegroupsasAWSRoleSpecificGroups.Thegroupnameshouldfollowaparticularsyntaxaswell(moredetailsinsetupinstructionsonthistopic).

Anyuserwhoisamemberoftheserolespecificgroupsisessentiallygrantedasingleentitlement-accesstoonespecificroleinonespecificAWSaccount.Thesegroupscanbecreatedbyascript,exportedasalistfromAWS,orcreatedmanually.

2 ManagementGroupsAsyoumightimagine,itdoesnotscaletomanageuseraccessbyassigningeachusertospecificAWSRoleGroups.Tosimplifyadministration,werecommendyoualsocreateanumberofgroupsforallofthedistinctuser-setsinyourorganizationthatrequiredifferentsetsofAWSentitlements.ThesegroupsmayalreadyexistinyourAD/LDAPhierarchyintheformofdifferentdepartmentspecificgroups,butcanalsobecreatedsolelyforAWSifpreferred.

AWSMulti-AccountConfigurationGuide

6

Thesemanagementgroupsbecometheadministrationlayerwhereyouassignusers(asgroupMembers)andmaptheseuserstospecificentitlementsthroughAWSRoleGroups(asMembersOf)

OncethesegroupshavebeencreatedinActiveDirectoryorLDAP,alladministrationshouldtakeplacewiththeManagementGroups.Add/RemoveuserstothesegroupstograntaccesstoyourlistedAWSaccounts&roles,andupdatethespecificentitlementsbyaddingorremovingAWSRoleGroupsintheMemberOfgrouppropery.

AWSMulti-AccountConfigurationGuide

7

High-LevelDesign

SetUpAWSforSAMLTobegin,eachofyourAWSaccountsmustbeconfiguredforSAMLaccess.ThisentailsaddingOktaasatrustedIDPtoyourAWSaccountandthencreatingatrustrelationshipforeachofyourrolesthatpermitsaccessviathenewIDP.ThesearethesamestepsthatonewouldfollowtoprovideSAMLSSOintoanysingleAWSaccount,butmustbeperformedacrossallofyouraccounts.Foradvancedorganizations,thiscanbeautomatedwithCloudFormationorAWSAPIscriptsforsimpleSAMLsetupineachAccount.

CreateaManagementLayerofGroupsinAD/LDAPOnceSAMLhasbeenconfigured,youmustnowcreateAWSRoleGroupsinAD/LDAPforeachrole&accountyouwantuserstobeabletoaccesthroughOkta.ThiscanbecompletedviaascriptbetweenAWSandAD/LDAP,byexportingaCSVtoADandscriptingagainsttheCSVontheADside,orbymanualeffort.Next,youcancreatealinkbetweentheseAWSRolespecificGroupsandotherAD/LDAPgroupsbyassigningManagementGroupsasMembersOftheAWSRoleGroupsyouwanttograntthemaccessto.Oncecomplete,assignuserstotheseManagementgroupstoallowaccesstoalloftheAWSrolesandaccountsthattheManagementGroupisamemberof.

ConfiguretheAWSAppinOktaforGroup-BasedRoleAssignmentFinally,inOkta,importboththeAD/LDAPManagementGroups&RoleGroupsviaOkta’sADorLDAPAgent.Next,assignyourmanagementgroupstotheAWSapplicationyousetupinStep1–thisassignstheproperuserstotheAWSapp.Lastly,setupGroupBasedRoleAssignmenttotranslatethenamesofeachofyourAWSRoleGroupsintoaformatthatAWScanconsumetolisttheproperrolesontheRolePickerPageforyourusers.

AWSMulti-AccountConfigurationGuide

8

SetUpInstructionsThesestepsassumeyouunderstandtheintendedexperienceandhigh-leveldesignofthisfeature.Ifunsure,pleasereviewthesectionsabove.PrerequisitesThisfeaturerequirestheEarlyAccessfeatureflag,PROV_AMAZON_AWS_USE_DYNAMIC_ROLE_MAPPING,tobeenabledinyourorg.ContactOktaSupport.PleasenotethatthistakeseffectinallAWSappsinyourorgandthereforeshouldonlybeenabledinOktaOrgswhereyoudonotcurrentlyhaveanactiveAWSappsetupthatusersareactivelyusing.Otherwise,theconfigurationforyourpreviouslysetupAWSappswouldtemporarilybreakasitexpectstoutilizethisnewmethodofaccess.Assuch,thisfeatureiscurrentlydesignedinEarlyAccessforuseinnon-productionorgsonly.Pleaseplanaccordingly.Step1:SettingUpYourAWSAccounts&RolesforSAMLSSOFirstwewillsetupallofyourAWSaccountsforSAMLaccesswithOkta.

1 BeginbycreatinganewAWSappinOktaandselectSAMLfromtheSingleSign-Ontab.2 Openthein-productguide,andperformsteps1and2underthe“ConnectOktatoaSingleAWS

Instance”portionoftheguide:a. (SingleInstance)Step1:ConfigureOktaasyourIdentityProviderinyourAWSaccountb. (SingleInstance)Step2:AddOktaIdentityProviderasaTrustedSourceinyourAWSRoles

3 DothisforallofyourAWSaccountsandrolesthatyouwanttograntusersaccessto–andensurethatallofyouraccountshavebeensetupwiththesameexactSAMLmetadataandhavebeennamedthesameexactname.AnyaccountwithadifferentSAMLprovidernameormetadatadocumentwillnotbeaccessible.

Step2:CreatingAWSRoleGroupsinAD/LDAPOnceallAWSaccountshavebeenconfiguredforSAML,groupsmustbecreatedinADforeachAWSroleineachaccountthatyouwantuserstohaveaccessto.Thiscanbeaccomplishedinafewdifferentways:

• Option1:ScriptbetweenAWSandAD/LDAPthatcreatesADgroupsforeachroleineachaccountThisoffersthegreatestpossibilityofautomation,butrequirescoordinationbetweenyourAWSmanagementteamsandAD/LDAPmanagementteamsforthescripttobeconfigured.Inthefuture,Oktahopestoprovidesamplescriptstohelpsimplifythesetup,butnosuchscriptswillbeprovidedintheinitialreleaseofthissolution.

• Option2:CSVExportfromAWSIfascriptingapproachbetweenAWSandAD/LDAPisnotapossibility,alighterweightapproachmaybetosimplyexportalistofrolenamesforeachofyourAWSaccountsinaCSVthatyouprovidetoyouAD/LDAPadministrationteams.Fromthere,theycanmanagethecreationofAWSRolegroups

AWSMulti-AccountConfigurationGuide

9

howevertheyseefitwithoutanysortofdependenciesordirectintegrationwithyourAWSaccountsthemselves.

• Option3:ManualCreationLastly,itisalwayspossibletocreateAWSRoleGroupsinAD/LDAPmanually.Thismodelisthesimplest,however,itwillrequireupkeepaswellasamplesetuptimetocreategroupsinAD/LDAPforeachoftherolesineachofyouraccounts.

Regardless,ofhowyouchoosetocreatetheseAWSRoleSpecificGroupsinyourdirectory,werecommendthefollowingprocedure:

1 CreateanewOUsomewhereinyourdirectorysothatyoucanisolateallofyourAWSRoleSpecificgroups.Thisisnotrequired,butrecommendedinordertomakegroupmanagementsimpleforyouradministrators.PotentialOUnamescouldbe“AWSRoleGroups”,“AWSEntitlements”,etc.

2 CreateADsecuritygroupsforeachrolefollowingastandardsyntax.Forsimplicity,Oktarecommendsthefollowingsyntax.

aws#<accountalias>#<rolename>#<account#>

example: aws#northamerica-production#Tier1_Support#828416469395

ifyouprefertouseyourowngroupsyntax,thenpleasemakesuretoincludeaccountalias,rolename,andaccount#withrecognizabledelimitersinbetweeneach.Thiswillalsorequireyoutobeabletocreateacustomregexexpressioninlaterstepsandthereforeshouldonlybedoneifyouarecomfortablewiththeseadvancedtopics.

Step3:ConfiguringAD/LDAPManagementGroupstoMapUserstoAWSAccounts&RolesNext,anothersetofAD/LDAPgroupswillbecreatedorusedtoestablishalinkbetweensetsofusers,andthespecificAWSaccountsandrolestheyshouldhaveaccessto.

1 IfyoudonotalreadyhavegroupsinADthatyouwanttousetomanagetheAWSentitlementsthatdifferentusersshouldhaveaccessto,then

a. CreateanotherOUinyourdirectoryfor“AWSManagementGroups”.Alternatively,youcanplacethesegroupswhereveryoupreferinyourdirectory–adifferentOUisrecommendedtosimplyaidineaseofadministration.

b. CreategroupsforeachdifferentuserpopulationthatrequiresadifferentsetofAWSrolesandaccounts.Namethesehoweveryouseefit–forinstance,“Tier1AWSSupport”,“DatabaseAdmins”,“AWSSuperAdmins”,etc.

2 Onceyouhavemanagementgroupsyouwouldliketouse,makeeachofthesegroupsamemberofalloftheAWSRoleGroupsthatthisgroupshouldhaveaccessto.ThisestablishesalinkbetweenthemanagementgroupsandtheentitlementsinallofyourAWSaccountsthatgroupusersshouldhaveaccessto.Youcanadd,remove,modify,andauditAWSentitlementsfromthispageforeachofyourmanagementgroups.

AWSMulti-AccountConfigurationGuide

10

3 Next,youcanbeginassigningusersdirectlytothegroupbymakingusersmembersofthesegroups.Similarly,youcanadd,remove,modify,andauditusermembershipofeachgroupfromthispageaswell.

Thesemanagementgroupsbecomethecentralcontrolpointforyoutomanage&audituseraccesstodifferentsetsofAWSentitlements.

AWSMulti-AccountConfigurationGuide

11

Step4:ImportingAWSRoleGroupsandManagementGroupsintoOktaNext,bothAWSrolegroupsandmanagementgroupsneedtobeimportedintoOktaandconfiguredforuseintheAWSappyouconfiguredinStep1.ImportingthesegroupsistypicallydoneviatheOktaADorLDAPAgent.InstructionsoninstallingtheOktaAD/LDAPAgentcanbefoundinproductbynavigatingtoDirectory>DirectoryIntegrations.Uponcompletion,youshouldbeabletoseebothyourAWSRolegroupsandManagementgroupsfromtheGroupspageintheOktaAdminConsole

AWSMulti-AccountConfigurationGuide

12

Step5:EnablingGroupBasedRoleMappinginOktaOncethegroupshavebeenimportedintoOkta,theAWSapplicationyousetupinStep1mustbeconfiguredtotranslateAWSRolegroupmembershipintoentitlementsthatAWScanunderstandsyntactically.

1. NavigatetotheAWSapplicationyouprevioussetupinStep1.2. GototheSingleSignOntabandchooseEditinthetoprighthandcornerofthepage.3. LocatetheAppFilter,GroupFilter,andRoleValuePatternfields–thesefieldscontrolhowOktamaps

yourAWSrolegroupsintoentitlementsforthisfeature.Configurethesefieldsasfollows:

• AppFilter-theappfilternarrowsthelistofgroupsthatOktacanuseforAWSentitlementmappingtoaspecificappordirectory.Thisexistsforsecuritypurposes,toavoidpossiblesituationswhererogueadminscreategroupsfollowingacertainsyntaxinordertointentionallygainunauthorizedaccesstoaspecificAWSaccount/role.IfyoucreatedyourgroupsinActiveDirectory,youcaninputactive_directory

• GroupFilter–thegroupfilterfieldusesaRegexexpressiontoonlyinspectgroupsfromyourchosenappfilterthatfollowaspecificsyntax.IfyoudidchosetousetheOktarecommendeddefaultAWSrolegroupsyntaxlistedabove,thenyoucansimplyusethefollowingregexstring:

^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$-thisregexexpressionlogicallyequateto:“findgroupsthatstartwithAWS,then#,thenastringoftext,then#,thentheAWSrole,then#,thentheAWSaccountID”.

Ifyoudidn’tusethedefaultrecommendedAWSrolegroupsyntax,thenyoumustcreatearegexexpressionthatproperlyfiltersyourAWSrolegroups,andcapturestheAWSrolenameandAWSAccountIDwithintwodistinctRegexgroupsnamed{{role}}and{{accountid}}respectively.

AWSMulti-AccountConfigurationGuide

13

• RoleValuePattern–thisfieldtakestheAWSroleandaccountIDcapturedwithinthesyntaxofyourAWSrolegroups,andtranslatesitintothepropersyntaxAWSrequiresinOkta’sSAMLassertiontoallowuserstoviewtheiraccountsandroleswhentheysignin.

Thisfieldshouldalwaysfollowthisspecificsyntax:

arn:aws:iam::${accountid}:saml-provider/<<SAMLProviderName>>,arn:aws:iam::${accountid}:role/${role}

Replace<<SAMLProviderName>>withthenameoftheSAMLproviderthatyousetupinallofyourAWSaccountsinStep1.Therestofthestringshouldnotbealtered–justcopy&paste.

Step6:AssignAllAWSManagementGroupstotheAWSAppinOktaLastly,nowthattheAWSapphasbeenproperlyconfiguredtomapAWSrolegroupstoentitlements,simplyassignallofyourAWSManagementGroupstotheapplicationinOkta.ThiswillautomaticallyassignalloftheappropriateuserstotheAWSapp,andtheinstuctionsyoucompletedinStep5willensurethattheyonlyseetheappropriateentitlementstheyshouldhaveaccessto.

Setupisnowcomplete!VerifythatuserscanaccesstheAWSappfromtheirOktaend-userdashboardandsign-onisseamless