Access reviews in AWS IAM Identity Center


Hi, we just moved our AWS accounts into AWS Organizations and are starting to enroll user accounts in AWS IAM Identity Center and close down the old local user accounts in AWS IAM.

Problem: With the new Identity Center I can't find a good consolidated view of an individual user's actual access. Things get really muddy with how access and authorisation are provisioned to an individual user and a group. I understand the process and have individual Users that are attached to Groups, but then comes the step of adding a Group to one or more Permission Sets (with underlying IAM policies) in one or more AWS Accounts.

ISO 27001 and other standards require Access Reviews on a regular basis (for example quarterly). That was pretty easy to do in AWS IAM by reviewing AWS account by AWS account per user/group. But in Identity Center I can't seem to find a way to start at an individual user and get a consolidated view of either a single user/group or of a single AWS account, to review who has access and what that user is authorised to do.

Am I missing something or how is this supposed to be done in AWS Identity Center?

Magnus
asked a year ago
1 Answer

To confirm: you were using the IAM Management console, under Users, the "Last activity" column for manual compliance reviews, and this column is not available in the IAM Identity Center user console. Per https://aws.amazon.com/iam/identity-center/features/: "Audit access events across applications and AWS accounts. All administrative and multi-account access activity is recorded in AWS CloudTrail, giving you the visibility to audit IAM Identity Center activity centrally. Through CloudTrail, you can view activity such as sign-in attempts, application assignments, and directory integration changes. For instance, you can see the applications that a user accessed over a given period or when a user was given access to a specific application." Are you using CloudTrail?

answered a year ago
  • Yes, among other things the "Last activity" column was used, but the key thing that is reviewed is who has access to what: reviewing things such as permission creep etc. and segregation of duties. It is more of a governance review, where the account owner was forced to make decisions about whether the right users/individuals had access to their account with the right policies in place (some of them may never have been used, as they are there for incident management). So in this case I'm not really interested (although of course we are interested in that too) in what activity has happened, but rather in the governance and decisions about what access rights are present for a user and within the accounts.

    And yes, we have an AWS Organizations-wide CloudTrail in place in line with AWS Well-Architected, and a delegated account for Identity Center in place where daily identity and access management takes place. Are there some good blueprints in place to get started on what happens from an IAM perspective?
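The consolidated view the question asks for (start at a user, or start at an account, and see which permission sets apply and through which group) can be built from the Identity Center assignment data itself. The following is an added example, not code from the original post and not an AWS-provided tool. It models the chain user -> group -> permission set -> AWS account, and everything in the SAMPLE snapshot (user and group IDs, names, permission set ARNs, account numbers) is constructed. The fetch_snapshot function shows how to fill the same structure from the sso-admin and identitystore APIs using their documented list/describe calls; it is not exercised by the sample run.

```python
# Added example (not from the original post or from AWS): build the
# consolidated access view the question asks for from IAM Identity Center
# data.  The model is user -> group -> permission set -> AWS account.
# SAMPLE below is constructed data; fetch_snapshot() shows how to fill the
# same structure from the real sso-admin and identitystore clients.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Snapshot:
    users: dict            # user_id -> user name
    groups: dict           # group_id -> group display name
    memberships: dict      # user_id -> set of group_id
    permission_sets: dict  # permission set ARN -> permission set name
    assignments: list      # (account_id, permission_set_arn, principal_type, principal_id)


def effective_access(snap, user_id):
    """{account_id: [(permission_set_name, via)]} for one user; 'via' is 'direct'
    for a user-level assignment, otherwise the name of the group that grants it."""
    groups = snap.memberships.get(user_id, set())
    view = defaultdict(list)
    for account, ps_arn, ptype, pid in snap.assignments:
        if ptype == "USER" and pid == user_id:
            via = "direct"
        elif ptype == "GROUP" and pid in groups:
            via = snap.groups.get(pid, pid)
        else:
            continue
        view[account].append((snap.permission_sets.get(ps_arn, ps_arn), via))
    return {acct: sorted(rows) for acct, rows in view.items()}


def account_view(snap, account_id):
    """{user_name: [(permission_set_name, via)]} for one account, with every
    group assignment expanded to the group's members."""
    view = defaultdict(list)
    for account, ps_arn, ptype, pid in snap.assignments:
        if account != account_id:
            continue
        ps_name = snap.permission_sets.get(ps_arn, ps_arn)
        if ptype == "USER":
            view[snap.users.get(pid, pid)].append((ps_name, "direct"))
        else:
            for uid, gids in snap.memberships.items():
                if pid in gids:
                    view[snap.users.get(uid, uid)].append((ps_name, snap.groups.get(pid, pid)))
    return {user: sorted(rows) for user, rows in view.items()}


def direct_user_assignments(snap):
    """Assignments made to a user rather than a group: the usual place where
    permission creep hides, so worth listing separately in a review."""
    return sorted((snap.users.get(pid, pid), account, snap.permission_sets.get(ps_arn, ps_arn))
                  for account, ps_arn, ptype, pid in snap.assignments if ptype == "USER")


def fetch_snapshot(sso_admin, identitystore, instance_arn, identity_store_id):
    """Fill a Snapshot from boto3 'sso-admin' and 'identitystore' clients
    (documented list/describe calls; the caller needs permission to run them)."""
    def pages(client, op, key, **kw):
        for page in client.get_paginator(op).paginate(**kw):
            yield from page[key]

    ids = {"IdentityStoreId": identity_store_id}
    users = {u["UserId"]: u["UserName"] for u in pages(identitystore, "list_users", "Users", **ids)}
    groups = {g["GroupId"]: g.get("DisplayName", g["GroupId"])
              for g in pages(identitystore, "list_groups", "Groups", **ids)}
    memberships = defaultdict(set)
    for gid in groups:
        for m in pages(identitystore, "list_group_memberships", "GroupMemberships", GroupId=gid, **ids):
            memberships[m["MemberId"]["UserId"]].add(gid)
    permission_sets, assignments = {}, []
    for ps_arn in pages(sso_admin, "list_permission_sets", "PermissionSets", InstanceArn=instance_arn):
        desc = sso_admin.describe_permission_set(InstanceArn=instance_arn, PermissionSetArn=ps_arn)
        permission_sets[ps_arn] = desc["PermissionSet"]["Name"]
        for acct in pages(sso_admin, "list_accounts_for_provisioned_permission_set", "AccountIds",
                          InstanceArn=instance_arn, PermissionSetArn=ps_arn):
            for a in pages(sso_admin, "list_account_assignments", "AccountAssignments",
                           InstanceArn=instance_arn, AccountId=acct, PermissionSetArn=ps_arn):
                assignments.append((a["AccountId"], a["PermissionSetArn"], a["PrincipalType"], a["PrincipalId"]))
    return Snapshot(users, groups, dict(memberships), permission_sets, assignments)


# Constructed sample data (IDs, names and account numbers are made up).
SAMPLE = Snapshot(
    users={"u-magnus": "magnus", "u-anna": "anna"},
    groups={"g-admins": "cloud-admins", "g-auditors": "auditors"},
    memberships={"u-magnus": {"g-admins", "g-auditors"}, "u-anna": {"g-auditors"}},
    permission_sets={"arn:ps/admin": "AdministratorAccess", "arn:ps/ro": "ReadOnlyAccess",
                     "arn:ps/ir": "IncidentResponse"},
    assignments=[
        ("111111111111", "arn:ps/admin", "GROUP", "g-admins"),
        ("111111111111", "arn:ps/ro", "GROUP", "g-auditors"),
        ("222222222222", "arn:ps/ro", "GROUP", "g-auditors"),
        ("222222222222", "arn:ps/ir", "USER", "u-magnus"),  # direct grant kept for incident handling
    ],
)

if __name__ == "__main__":
    import json
    print(json.dumps({"magnus": effective_access(SAMPLE, "u-magnus"),
                      "account 222222222222": account_view(SAMPLE, "222222222222"),
                      "direct": direct_user_assignments(SAMPLE)}, indent=2))
```

Against live data you would call fetch_snapshot with boto3.client("sso-admin") and boto3.client("identitystore"), taking InstanceArn and IdentityStoreId from the sso-admin list_instances call, and run it from the delegated administrator account. The output answers "who has which permission set in which account, and why"; it does not tell you what a permission set actually allows, so a full review still needs the managed and inline policies attached to each permission set (the sso-admin list_managed_policies_in_permission_set and get_inline_policy_for_permission_set calls), and whether a grant has ever been used comes from CloudTrail, not from the assignment data.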
