Intro
Corporate cloud environments usually consist of multiple AWS accounts. Managing the different users, groups, and access policies separately in every account is a complex and error-prone process, and it multiplies the number of long-lived IAM credentials in circulation. IAM Identity Center to the rescue! With IAM Identity Center we can use SSO to sign in once and switch quickly between the AWS accounts to which we have been given access, with short-lived credentials instead of per-account IAM users.
Managing users and groups
Although we can create users and groups directly in IAM Identity Center and manage them using IaC, it is more efficient to use an enterprise identity provider (IdP), such as Entra ID, Okta, etc. Using an IdP offers the SSO advantage: there is no need to generate new credentials, because the existing credentials used to log in to the corporate account are sufficient. It also means the IdP's MFA and conditional access policies apply to AWS sign-in, and offboarding a user in the IdP revokes their AWS access in one place.
At Mentech we are using Entra ID, which supports federating sign-in to IAM Identity Center over SAML 2.0 and automatically provisioning users and groups to it via SCIM. So, the first step is to define those groups and users in Entra ID and provision them.
Managing account access and permissions
Now that the groups and users are there, it's time to give them the required access to the relevant AWS accounts. That is optimally done with IaC, and at Mentech we use Terraform. The Terraform registry has an IAM Identity Center module, but I prefer using the official AWS module, currently hosted only on GitHub. The repo contains nice examples of giving access to accounts and defining permission sets, thus I won't repeat them here to keep it short. Leave a comment below if you need help.
Caveats
When defining fine-grained permission sets, it is advised to make maximum use of AWS managed policies. Unfortunately, there is a hard quota of 20 managed policies (AWS managed plus customer managed, combined) per permission set, and therefore per role that the permission set provisions into each account. For lengthy permission sets that reach this quota, or when no suitable managed policy exists (yes, it can happen), the referenced module supports defining an inline policy, as shown below. Keep in mind that AWS managed policies such as the read-only ones below are broad by design; the inline policy is the place to scope the set down to the actions and resources the group actually needs, and a permissions_boundary can additionally cap what the set can ever grant.
SampleGroupPermissionSet:
  description: "Permission set of a sample group"
  tags: null
  session_duration: "PT4H"               # ISO 8601 duration; Identity Center allows 1 to 12 hours
  inline_policy: "sample-group-perms"    # the inline policy is in the file sample-group-perms.json
  aws_managed_policies:
    - "AmazonEC2ReadOnlyAccess"
    - "AmazonS3ReadOnlyAccess"
  customer_managed_policies: null
  permissions_boundary: null
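Before running terraform apply, it is worth checking permission-set definitions like the one above against the managed-policy quota and against the inline policy file they point to. The following validator is an added example, not code from the original post or from the AWS module; it assumes the permission sets have been read into a dict with the same keys as the YAML above and that each inline_policy key names a <key>.json file, both of which are constructed inline here so it runs offline. The policy names under TooManyPoliciesPermissionSet and BreakGlassPermissionSet are hypothetical.

```python
"""Sanity-check IAM Identity Center permission-set definitions (added example).

Assumptions (not from the post): permission sets arrive as a dict shaped like
the YAML snippet, inline policies are JSON documents named <inline_policy>.json,
and session_duration is expressed in whole hours (PT1H .. PT12H).
"""
import json
import re

# Hard quota: AWS managed + customer managed policies, combined, per permission set.
MANAGED_POLICY_QUOTA = 20
# IAM Identity Center accepts ISO 8601 durations between 1 and 12 hours.
SESSION_DURATION_RE = re.compile(r"^PT(\d+)H$")

# Constructed sample input: the permission set from the post plus two hypothetical
# ones, one that breaks the quota and one whose inline policy is over-broad.
PERMISSION_SETS = {
    "SampleGroupPermissionSet": {
        "description": "Permission set of a sample group",
        "tags": None,
        "session_duration": "PT4H",
        "inline_policy": "sample-group-perms",
        "aws_managed_policies": ["AmazonEC2ReadOnlyAccess", "AmazonS3ReadOnlyAccess"],
        "customer_managed_policies": None,
        "permissions_boundary": None,
    },
    "TooManyPoliciesPermissionSet": {  # hypothetical
        "description": "Exceeds the managed-policy quota",
        "session_duration": "PT1H",
        "inline_policy": None,
        "aws_managed_policies": [f"HypotheticalAwsPolicy{i}" for i in range(15)],
        "customer_managed_policies": [f"hypothetical-team-policy-{i}" for i in range(6)],
    },
    "BreakGlassPermissionSet": {  # hypothetical
        "description": "Inline policy grants a whole service",
        "session_duration": "PT1H",
        "inline_policy": "breakglass-perms",
    },
}

# Constructed stand-ins for the <inline_policy>.json files on disk.
INLINE_POLICY_FILES = {
    "sample-group-perms": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["cloudwatch:GetMetricData", "logs:FilterLogEvents"],
                       "Resource": "*"}],
    }),
    "breakglass-perms": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }),
}


def wildcard_actions(policy):
    """Return Allow actions that grant everything ('*') or a whole service ('svc:*')."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if a == "*" or a.endswith(":*"))
    return found


def check_permission_set(spec, policy_files):
    """Return a list of findings for one permission set (empty list means clean)."""
    findings = []
    managed = list(spec.get("aws_managed_policies") or []) + \
        list(spec.get("customer_managed_policies") or [])
    if len(managed) > MANAGED_POLICY_QUOTA:
        findings.append(f"{len(managed)} managed policies exceed the quota of {MANAGED_POLICY_QUOTA}")
    duration = spec.get("session_duration") or ""
    match = SESSION_DURATION_RE.match(duration)
    if not match or not 1 <= int(match.group(1)) <= 12:
        findings.append(f"session_duration {duration!r} is not between PT1H and PT12H")
    key = spec.get("inline_policy")
    if key:
        raw = policy_files.get(key)
        if raw is None:
            findings.append(f"inline policy file {key}.json not found")
        else:
            try:
                policy = json.loads(raw)
            except json.JSONDecodeError as exc:
                findings.append(f"inline policy {key}.json is not valid JSON: {exc}")
            else:
                if "Version" not in policy or not policy.get("Statement"):
                    findings.append(f"inline policy {key}.json lacks Version or Statement")
                for action in wildcard_actions(policy):
                    findings.append(f"inline policy {key}.json allows wildcard action {action}")
    return findings


def check_all(permission_sets, policy_files):
    """Map each permission-set name to its findings."""
    return {name: check_permission_set(spec, policy_files)
            for name, spec in permission_sets.items()}


if __name__ == "__main__":
    for name, findings in check_all(PERMISSION_SETS, INLINE_POLICY_FILES).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running it flags the 21 managed policies and the s3:* grant while leaving the post's sample set clean; wiring it into CI before terraform plan catches these problems before they surface as an apply error or, worse, as an over-privileged role in every assigned account.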