To achieve least privilege in AWS, companies should first enable federated access through IAM Identity Center. Enabling it lets administrators control access to AWS resources for users who are already managed in the company's identity provider.
In this post, we discuss how federation in AWS creates permission and security challenges, in addition to the solutions needed to combat them.
What is AWS Federation?
The AWS IAM Identity Center helps companies define federated access permissions for users based on their group memberships in a single centralized directory. It’s a trust-based system between two parties with the purpose of verifying users’ identities and sharing necessary information to authorize their access to resources. Within this system, an identity provider (IdP) handles user authentication, while a service provider (SP), such as an application or service, controls resource access.
Through administrative agreement and configuration, the SP places trust in the IdP to authenticate users and relies on the provided information about them. Once a user is authenticated, the IdP sends the SP an assertion message, which includes the user’s sign-in name and other attributes required by the SP to establish a user session and determine the level of resource access to grant. Federation is a commonly used approach to construct access control systems that centralize user management within a central IdP and govern user access to multiple applications and services serving as SPs.
Why is AWS IAM Federation Important?
Federation is a best practice for many reasons. First, it makes it much easier for system admins to manage identities and entitlements: instead of managing additional entities (i.e. a new IAM user for each person) on top of the ones that already exist in the IdP, users are managed in a single location. Information about users held in the IdP (e.g. group or role assignments and other attributes) can also be used to build access policies. This not only saves time but also helps avoid configuration mistakes that could result in security vulnerabilities. Additionally, human users get a far better access experience with an SSO log-in mechanism, which removes the need for yet more passwords (also a security benefit).
What are Some Problems with the AWS IAM Federation?
In IAM federation, the roles used to allow federated users access to AWS resources are static, so excessive permissions assigned to a single Role would mean excessive permissions to ALL users who have assumed that role for access to your cloud resources.
Because entitlements in AWS are highly complicated to manage, and business operations usually trump security best practices (if those are considered at all), excessive and sometimes absolute permissions to resources are not uncommon in many AWS environments.
Permissions are usually granted quickly when needed, but are not taken away nearly as quickly once they are no longer necessary. This kind of privilege accumulation can cause a security audit failure or, worse yet, a security breach.
Example
Scenario: A user finds out she needs access to additional resources in the cloud environment in addition to needing the ability to perform additional actions on resources she already has access to. She contacts the administrator and that person decides the request is legitimate for her but not for anyone else who shares the same Role.
Outcome: Since federation is based on groups within the IdP, it is impossible to provision elevated permissions for just one user, so instead the permissions are granted to everyone who assumes the role, whether they need them or not.
Apono Outcome: When she contacts the administrator, he quickly provides her with the elevated access she needs without giving it to anyone else. To avoid any chance of standing permissions, he provisions an end date up front. When that period ends, she reverts to her normal permissions.
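To make the shared-role problem above concrete, here is an added audit script (not Apono's or AWS's code) that walks IAM roles, keeps only those whose trust policy names a Federated principal, and lists the wildcard Allow actions that every user mapped to the role inherits. The role documents, account ID and IdP ARN are constructed sample data; in a real account you would feed it the JSON returned by iam:GetRole and iam:GetRolePolicy.

```python
# Added example (not Apono's or AWS's code): find federated roles whose
# permission policies grant wildcard actions. Role data is constructed
# inline so the script runs offline.

# Constructed sample data: a SAML-federated role with an over-broad inline
# policy, and a non-federated EC2 service role that the audit ignores.
ROLES = {
    "DataTeamRole": {
        "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
                                 "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"}}]},
        "policies": [{"Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["rds:DescribeDBInstances"], "Resource": "*"},
            {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::finance-*"}]}],
    },
    "AppServerRole": {
        "trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"Service": "ec2.amazonaws.com"}}]},
        "policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    },
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_federated(trust_policy):
    """True if any Allow statement in the trust policy names a Federated principal (SAML/OIDC IdP)."""
    for st in _as_list(trust_policy["Statement"]):
        principal = st.get("Principal", {})
        if st.get("Effect") == "Allow" and isinstance(principal, dict) and "Federated" in principal:
            return True
    return False


def wildcard_actions(policy):
    """Allow actions written as '*' or 'service:*'. Deny statements never widen access, so they are skipped."""
    return [a for st in _as_list(policy["Statement"]) if st.get("Effect") == "Allow"
            for a in _as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]


def audit(roles):
    """Map each federated role name to its wildcard actions; roles without findings are omitted."""
    findings = {}
    for name, role in roles.items():
        if is_federated(role["trust"]):
            hits = [a for policy in role["policies"] for a in wildcard_actions(policy)]
            if hits:
                findings[name] = hits
    return findings
```

Every role reported here hands its wildcard actions to every IdP user mapped to it, which is exactly the situation in the scenario above.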
What Are the Available Solutions?
Apono integrates with AWS natively, which allows you to manage access to your S3 buckets, IAM roles and groups, EC2, EKS clusters, RDS instances and many more.