What would be the best way to provide a user login based on their AD groups without offering multiple roles

0

Following scenario:

Our user and access management is handled in a Microsoft Active Directory. User Michael is in the AD group "developer". This AD group is linked via an Identity Provider to an IAM role in an account (e.g. via Permission Set and IAM Identity Center). So when Michael logs in he sees his role attached to the account and can log in.

Now Michael is additionally responsible for sensitive infrastructure, so he gets added to another AD group "ECR admin". If we applied the same process as before, Michael would now see two roles attached to the account (developer and ECR admin) and he would have to choose between them upon login.

In our case this is not a valid option because he would always need to decide about his roles and change them constantly. So we would need a solution where we could check the current AD groups of a user and provide him with a role with a suitable set of policies/rights.

Question:

How could an architecture of such a solution look? Which AWS services could be used? Which parts could be provided by 3rd party products or even written by ourselves?

2 Answers
1

I suppose attribute based access control (ABAC) could work if only ALL your resources are tagged accordingly. https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html

Otherwise I don't think there is any easy way to solve the problem, since with role based access control (RBAC) there isn't a way to dynamically deduce a role's access policy from multiple AD groups. You would probably need a 3rd party IAM solution in between AD and AWS to do the mapping, and they're typically not cheap. Maybe a new AD group "developer+ECR-admin" and an IAM Role for it is a satisfying solution?

Personally I think changing roles is pretty agile with AWS SSO/Identity Center. In general I prefer more permissive than restrictive roles to minimize role changes in the first place, but of course cloud access policy heavily depends on the individual company's requirements and possible industry regulation too.

Pekka K
answered a year ago
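To make the ABAC suggestion above concrete, here is an added example (not part of the answer above, and not an AWS-provided policy) of a single permission-set policy that gives every developer read access to ECR but unlocks ECR administration only for users whose session carries an `EcrAdmin=true` tag. It assumes that IAM Identity Center's "attributes for access control" is configured to map an AD user attribute to the `EcrAdmin` and `Team` session tags, and that ECR repositories are tagged with a `Team` key; AD group membership itself is not exposed as a tag, so the attribute has to be populated in AD (the attribute names here are assumptions, not names from the question). Everything outside the `EcrAdmin` statement applies to all users of the permission set, so Michael keeps one role and never has to switch.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllDevelopersCanPullImages",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EcrAdminOnlyWhenSessionTagSaysSo",
      "Effect": "Allow",
      "Action": [
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:BatchDeleteImage",
        "ecr:PutImageScanningConfiguration",
        "ecr:SetRepositoryPolicy",
        "ecr:DeleteRepository"
      ],
      "Resource": "arn:aws:ecr:*:*:repository/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/EcrAdmin": "true",
          "aws:ResourceTag/Team": "${aws:PrincipalTag/Team}"
        }
      }
    }
  ]
}
```

The second statement only matches when both tags line up, so a user with `EcrAdmin=true` still cannot administer repositories tagged for another team, and a repository that was never tagged is excluded from admin actions by default. The caveat from the answer stands: this only works if every repository is tagged consistently, so pair it with a tag policy or a check in the pipeline that creates repositories.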
0

Changing the Role/Permission Set in this case is the best way and is very agile. You want to make sure your permissions are least-priv. SSO/IC is specifically designed to allow this rapid switching of contexts if needed. You either give a role permission to switch to a different role, or you provide that as an option right away.

I suggest using tools to get around this. I use the free version of Ghost Browser to manage multiple sessions to the same AWS SSO/IC and be in different accounts with a different role at the same time. I also recommend https://Leapp.Cloud. Alternatively, if additional tools are not an option due to download restrictions and approved software lists, then I would use Incognito or other profiles in existing browsers such as Chrome.

answered a year ago
