Several Organisations with a centralised Identity Center connected with Active Directory

0

Currently there are several Organisations A, B and C. The IAM users are created by a member account (hosting the git repositories also) in Organisation A. The IAM users are currently accessing the other AWS resources hosted in other organisations' member accounts with a cross-account assume role. I know I will get the question why not put all organisations under the same umbrella, because the organisations need to keep their billing separate as they operate in different branches of the company.

Now, there will be an integration of the AWS IAM Identity Center [formerly known as SSO] connected to an Active Directory for the Organisation A. The questions are as follows:

  • Does Organisation A with the IAM users integration with active directory affect their assume cross-account role towards other Organisations' member accounts? [According to the documentation, there will be a mapping of the AD users/groups to IAM users/groups]
  • Do organisations B and C need their respective Identity Center connected to the same Active Directory, as right now the IAM users are working perfectly fine with the assume cross-account role without AD?
  • Do organisations B and C need to replicate the IAM users created in organisation A upon integration with Active Directory?
1 Answer
1
Accepted Answer

When using AWS Identity Center (IC), IAM users are no longer even involved. IAM users are completely separate from IC users. If you want to only have IC configured one time in OrgA, you can have new assumable roles in every account across OrgB and OrgC. However, if you have configured IC for each org, I would do that. Then the users are managed via your external Identity Provider and you can more easily manage granular permissions across accounts in each org instead of deploying unique assumable roles across your other accounts. You can deploy IC in parallel to your IAM user configuration and have no impact, use both solutions together until you have configured IC how you need, and then I recommend terminating IAM users for Console Access and only using them when absolutely necessary for programmatic access.

answered a year ago
  • I'm looking for something like a single IC to manage all the users from a single Org instead of having to manage the users in nth Orgs, which will be difficult to keep track of.
    Right now, Identity Center has not been configured for any organisations; the IAM users are using assume roles. AD users have the same username as IAM users.

    Is it possible to do the management of users from within a single Identity Center while integrated with the AD, without having to replicate the IAM users across organisations?

  • As I stated, you could create a single IC configuration in OrgA. Then using permission sets in an account and role trust policies, you could, in fact, manage access to other accounts from a single IC, but it will not give you the direct result you are looking for. There is no other way to use IC to access multiple Orgs. Again, IAM users are not in the equation when using IC.

    When using AD and IC, your IdP and SCIM configuration will replicate the same users to all orgs. It just boils down to the proper configuration. This setup would be significantly more scalable, secure, and simplified than using individual IAM users in each org and account(s). N number of IC configurations is way better than N x Accounts x Users.

  • I have another question: what about the IAM users' security credentials - will the IC users be able to use them (after being mapped to their respective IAM users): access keys, MFA, SSH public keys for AWS CodeCommit, HTTPS Git credentials for AWS CodeCommit, etc.?

  • No, there are no IAM credentials or access keys for IC users. They will not be able to be used by IC users. Access keys would be the remaining use case for IAM users. Temporary session credentials are provided to IC users to allow CLI access. IC users can assume roles in the account but not IAM users. CodeCommit and everything else listed will still be used and is the use case for IAM users. While using IC greatly reduces the need for IAM users and helps with centralized management, IC is used for Console Access primarily, with the ability to have temp creds for CLI. The IAM use case is for these other requirements, but with IC, you should be able to completely remove console access for IAM users.
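The accepted answer's comments describe two mechanisms without showing them: a single Identity Center instance in OrgA reaching OrgB/OrgC accounts through permission sets plus role trust policies, and IC users getting temporary CLI credentials instead of IAM access keys. The following is an added example, not code from the thread or from AWS. It builds the trust policy a target-account role would carry so that only the IAM role Identity Center provisions for one permission set in the OrgA account can assume it, runs the review checks a defender would apply to such a trust policy, and renders the `~/.aws/config` profile chain that turns an IC login into a cross-account session. Every account ID, permission-set name, role name, region and start URL is a constructed placeholder; the `AWSReservedSSO_<PermissionSet>_<suffix>` role naming and the `aws-reserved/sso.amazonaws.com/` path are AWS conventions, and `arn_matches` is a local approximation of the `ArnLike` condition operator used only to test the patterns offline.

```python
import json
import re

# Constructed placeholder identifiers (not values from the thread).
ORG_A_ACCOUNT = "111111111111"        # OrgA member account where Identity Center is enabled
ORG_B_ACCOUNT = "222222222222"        # OrgB member account hosting the target resources
PERMISSION_SET = "DevOpsAccess"       # permission set assigned to AD-synced IC users in OrgA
TARGET_ROLE = "OrgBCrossAccountDev"   # role created in the OrgB account for cross-org access


def permission_set_role_patterns(account_id, permission_set):
    """ARN patterns for the IAM role Identity Center provisions from a permission set.

    IC creates roles named AWSReservedSSO_<PermissionSet>_<random suffix> under the
    path aws-reserved/sso.amazonaws.com/ (with an extra <region>/ segment outside
    us-east-1). Two patterns cover both layouts; the trailing * covers the suffix.
    """
    base = f"arn:aws:iam::{account_id}:role/aws-reserved/sso.amazonaws.com/"
    return [
        f"{base}AWSReservedSSO_{permission_set}_*",
        f"{base}*/AWSReservedSSO_{permission_set}_*",
    ]


def build_trust_policy(source_account, permission_set):
    """Trust policy for the target-account role.

    The principal is the OrgA account (so the trust survives IC re-provisioning
    the permission-set role with a new suffix), and aws:PrincipalArn narrows it
    to that one permission set's role instead of every identity in OrgA.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"ArnLike": {
                "aws:PrincipalArn": permission_set_role_patterns(source_account, permission_set)
            }},
        }],
    }


def arn_matches(arn, patterns):
    """Local approximation of IAM ArnLike: '*' is any run of characters, '?' one."""
    for pattern in patterns:
        regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, arn):
            return True
    return False


def trust_policy_findings(policy):
    """Review checks for a cross-account trust policy; returns a list of findings."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        if "*" in principals:
            findings.append("statement trusts every AWS principal ('*')")
        condition = stmt.get("Condition", {})
        narrowed = any("aws:PrincipalArn" in v for v in condition.values())
        if any(str(p).endswith(":root") for p in principals) and not narrowed:
            findings.append("account-root principal without an aws:PrincipalArn condition")
    return findings


def cli_profile_config(start_url, region, ic_account, permission_set, target_account, role):
    """~/.aws/config profiles: `aws sso login --profile orga-ic` yields temporary
    credentials in the OrgA account; the second profile chains an AssumeRole into
    the OrgB account, so the IC user reaches OrgB resources with no IAM user or key."""
    return (
        "[profile orga-ic]\n"
        f"sso_start_url = {start_url}\n"
        f"sso_region = {region}\n"
        f"sso_account_id = {ic_account}\n"
        f"sso_role_name = {permission_set}\n"
        f"region = {region}\n"
        "\n"
        "[profile orgb-dev]\n"
        f"role_arn = arn:aws:iam::{target_account}:role/{role}\n"
        "source_profile = orga-ic\n"
    )


if __name__ == "__main__":
    policy = build_trust_policy(ORG_A_ACCOUNT, PERMISSION_SET)
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy) or "trust policy: no findings")
    print(cli_profile_config("https://example.awsapps.com/start", "eu-west-1",
                             ORG_A_ACCOUNT, PERMISSION_SET, ORG_B_ACCOUNT, TARGET_ROLE))
```

The trust policy is the piece that makes a single OrgA Identity Center scale to OrgB and OrgC without replicating users: each target account gets one role per permission set it wants to honour, and the `aws:PrincipalArn` condition keeps an OrgA IAM user or any other OrgA role from assuming it. The `role_arn` / `source_profile` chain is what the comment means by temporary CLI credentials for IC users; the first profile never stores a long-lived key, and rotating or deleting the OrgA access keys does not affect it.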
