Identity Federation - Centralized user repository

Centralized User Repository using your existing Directory as Identity Provider

It is recommended to use a centralized user repository such as AWS Directory Services (Active Directory/SimpleAD), Okta, Azure Active Directory, PingIdentity or OneLogin, to avoid durable credentials such as IAM Users / Access Keys and reduce the risk of compromised credentials and exposed access keys.

AWS IAM Identity Center

Integrating your repository using AWS IAM Identity Center (successor to AWS Single Sign-On) is simple, and provides temporary credentials to users accessing AWS.

If your organization is just starting and you don’t have a repository yet, you can use AWS IAM Identity Center’s internal directory. With this directory you still get the benefit of temporary credentials.

It is also important that the repository is integrated with the human resources management system so that employee terminations are propagated (either through an identity management system or directly into the centralized authentication repository).

AWS IAM Identity Center (successor to AWS Single Sign-On)

Well Architected Framework Recommendation Mapping

Risk Mitigation

  • [Credential Access] Unauthorized users such as ex-employees may retain their privileges after being fired if they hold durable credentials such as Access Keys, whereas with a centralized directory their access is removed as soon as the user’s accesses are deprovisioned.

Guidance for assessments

  • Where are you authenticating your employees?
  • Are you using AWS IAM Identity Center?
  • Are IAM users provisioned for human access? How often are their access keys rotated? Is the security team removing access keys from fired employees?
  • When someone gets fired, is the user repository updated automatically?
  • If not, how much time passes from HR processing the removal until their access is removed from the repository?
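One way to answer the access-key questions above with data, as an added example that is not part of the original page: parse the IAM credential report (produced with `aws iam generate-credential-report` and fetched with `aws iam get-credential-report`) and flag IAM users that still hold durable credentials. The report rows below are constructed sample data, and the 90-day rotation and idle thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Subset of the real IAM credential report columns (aws iam generate-credential-report,
# then aws iam get-credential-report). Rows are constructed sample data, not a real account.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2022-01-10T00:00:00+00:00,2024-05-02T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2024-04-20T00:00:00+00:00,2024-05-03T00:00:00+00:00,false,N/A,N/A
bob-leaver,arn:aws:iam::111122223333:user/bob-leaver,true,false,true,2021-02-01T00:00:00+00:00,2023-11-30T00:00:00+00:00,true,2021-02-01T00:00:00+00:00,N/A
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def _parse_ts(value):
    """Return a tz-aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_durable_credentials(report_csv, now, max_key_age_days=90, idle_days=90):
    """Flag IAM users holding durable credentials: console passwords (human access that
    should go through IAM Identity Center) and access keys that are stale or unused.
    Returns {user: [finding, ...]} for every user with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":  # root is a separate control; scope here is IAM users
            continue
        issues = []
        if row["password_enabled"] == "true":
            issues.append("console password enabled (human user outside Identity Center)")
            if row["mfa_active"] != "true":
                issues.append("console password without MFA")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                issues.append(f"access key {slot} not rotated for {(now - rotated).days} days")
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None or now - last_used > timedelta(days=idle_days):
                issues.append(f"access key {slot} active but unused for >{idle_days} days")
        if issues:
            findings[user] = issues
    return findings
```

In the sample, the recently rotated and actively used `ci-deploy` key is not flagged, while the leaver who still holds a console password and two old keys is.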

Pricing

AWS IAM Identity Center (successor to AWS Single Sign-On) is a free AWS service that makes it easy to manage identities across multiple accounts.