SEC02-BP04 Rely on a centralized identity provider
For workforce identities (employees and contractors), rely on an identity provider that allows you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and systems, because you are creating, assigning, managing, revoking, and auditing access from a single location.
Desired outcome: You have a centralized identity provider where you centrally manage workforce users, authentication policies (such as requiring multi-factor authentication (MFA)), and authorization to systems and applications (such as assigning access based on a user's group membership or attributes). Your workforce users sign in to the central identity provider and federate (single sign-on) to internal and external applications, removing the need for users to remember multiple credentials. Your identity provider is integrated with your human resources (HR) systems so that personnel changes are automatically synchronized to your identity provider. For example, if someone leaves your organization, you can automatically revoke access to federated applications and systems (including AWS). You have enabled detailed audit logging in your identity provider and are monitoring these logs for unusual user behavior.
Common anti-patterns:
- You do not use federation and single sign-on. Your workforce users create separate user accounts and credentials in multiple applications and systems.
- You have not automated the lifecycle of identities for workforce users, such as by integrating your identity provider with your HR systems. When a user leaves your organization or changes roles, you follow a manual process to delete or update their records in multiple applications and systems.
Benefits of establishing this best practice: By using a centralized identity provider, you have a single place to manage workforce user identities and policies, the ability to assign application access to users and groups, and the ability to monitor user sign-in activity. By integrating with your human resources (HR) systems, when a user changes roles, these changes are synchronized to the identity provider and automatically update the user's assigned applications and permissions. When a user leaves your organization, their identity is automatically disabled in the identity provider, revoking their access to federated applications and systems.
Level of risk exposed if this best practice is not established: High
Implementation guidance
Guidance for workforce users accessing AWS
Workforce users like employees and contractors in your organization may require access to AWS using the AWS Management Console or AWS Command Line Interface (AWS CLI) to perform their job functions. You can grant AWS access to your workforce users by federating from your centralized identity provider to AWS at two levels: direct federation to each AWS account, or federation to multiple accounts in your AWS organization.
To federate your workforce users directly with each AWS account, you can use a centralized identity provider to federate to AWS Identity and Access Management (IAM). To federate your workforce users with multiple accounts in your AWS organization, you can use AWS IAM Identity Center.
After you follow the preceding guidance, your workforce users will no longer need IAM users and groups for normal operations when managing workloads on AWS. Instead, your users and groups are managed outside of AWS, and users access AWS resources as federated identities. Federated identities use the groups defined by your centralized identity provider. You should identify and remove IAM groups, IAM users, and long-lived user credentials (passwords and access keys) that are no longer needed in your AWS accounts. You can find unused credentials using IAM credential reports, delete the corresponding IAM users, and then delete the IAM groups. You can apply a Service Control Policy (SCP) to your organization that helps prevent the creation of new IAM users and groups, enforcing that access to AWS is through federated identities.
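The SCP mentioned above is easy to get subtly wrong (a typo in an action name, or a condition that accidentally exempts everyone), so it helps to check what a candidate policy actually blocks before attaching it. The following is an added example, not code or policy text from the AWS Well-Architected page or from AWS documentation. The SCP document is constructed: it denies creating IAM users, groups, console passwords and access keys, and exempts a placeholder break-glass role (`EXAMPLE-BreakGlassRole`) so that an emergency path remains. The evaluator is deliberately a small subset of IAM policy evaluation (Deny statements, Action wildcards, and ArnLike/ArnNotLike on `aws:PrincipalARN`), which is all this policy uses; it is not a general policy engine. One caveat a practitioner should keep in mind: SCPs never restrict the organization's management account, so IAM users created there are not blocked by this policy.

```python
import fnmatch
import json

# Constructed example SCP, not taken from the page or from AWS documentation.
# It denies creating IAM users, groups, console passwords and access keys in
# every member account it is attached to, except for a placeholder break-glass
# role. (SCPs never restrict the organization's management account.)
SCP_DENY_IAM_USERS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyNewIamUsersGroupsAndLongLivedCredentials",
    "Effect": "Deny",
    "Action": [
      "iam:CreateUser",
      "iam:CreateGroup",
      "iam:CreateLoginProfile",
      "iam:CreateAccessKey"
    ],
    "Resource": "*",
    "Condition": {
      "ArnNotLike": {
        "aws:PrincipalARN": "arn:aws:iam::*:role/EXAMPLE-BreakGlassRole"
      }
    }
  }]
}
""")


def _match_any(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?'). Action names are compared
    case-insensitively, ARNs in ArnLike/ArnNotLike case-sensitively."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(policy, action, principal_arn):
    """Return True when a Deny statement in `policy` matches `action` for the
    caller identified by `principal_arn` (for an assumed role this is the
    role ARN, not the session ARN). Supports only the subset of policy
    evaluation this SCP needs: Deny statements with Action lists and
    ArnLike/ArnNotLike conditions on aws:PrincipalARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _match_any(stmt.get("Action", []), action, fold_case=True):
            continue
        cond = stmt.get("Condition", {})
        exempt = cond.get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt is not None and _match_any(exempt, principal_arn, fold_case=False):
            continue  # the condition exempts this principal from the Deny
        scoped = cond.get("ArnLike", {}).get("aws:PrincipalARN")
        if scoped is not None and not _match_any(scoped, principal_arn, fold_case=False):
            continue  # the Deny applies only to the listed principals
        return True
    return False


def blocked_actions(policy, actions, principal_arn):
    """List which of `actions` the SCP blocks for `principal_arn`."""
    return sorted(a for a in actions if scp_denies(policy, a, principal_arn))


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"  # constructed ARN
    candidates = ["iam:CreateUser", "iam:CreateGroup", "iam:CreateAccessKey",
                  "iam:GetUser", "sts:AssumeRole"]
    print(blocked_actions(SCP_DENY_IAM_USERS, candidates, dev))
```

Running the module shows the three `iam:Create*` actions blocked for the developer role while read-only and STS calls are untouched; the same call with the break-glass role ARN returns an empty list, which is the behaviour the `ArnNotLike` condition is meant to produce.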
Note
You are responsible for handling the rotation of SCIM access tokens as described in the Automatic provisioning documentation. Additionally, you are responsible for rotating the certificates supporting your identity federation.
Guidance for users of your applications
You can manage the identities of users of your applications, such as a mobile app, using Amazon Cognito.
Implementation steps
Steps for workforce users accessing AWS
- Federate your workforce users to AWS using a centralized identity provider, using one of the following approaches:
  - Use IAM Identity Center to enable single sign-on to multiple AWS accounts in your AWS organization by federating with your identity provider.
  - Use IAM to connect your identity provider directly to each AWS account, enabling federated fine-grained access.
- Identify and remove IAM users and groups that are replaced by federated identities.
Steps for users of your applications
- Use Amazon Cognito as a centralized identity provider for your applications.
- Integrate your custom applications with Amazon Cognito using OpenID Connect and OAuth. You can develop your custom applications using the Amplify libraries, which provide simple interfaces to integrate with a variety of AWS services, such as Amazon Cognito for authentication.
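When an application integrates with Cognito over OpenID Connect, the security-relevant work on the application side is what it checks in the tokens it receives. The following is an added example, not code from the AWS Well-Architected page, Amplify, or Cognito. It assumes the token's RS256 signature has already been verified against the user pool's JWKS (published at `https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json`, typically through a library such as PyJWT), and then applies the claim checks Cognito documents: the issuer is this user pool, the token is not expired, `token_use` is known, and the token is addressed to this app client, which ID tokens carry in `aud` and access tokens in `client_id`. The region, user pool ID, client ID and sample tokens are constructed placeholders; the sample tokens carry a dummy signature segment purely so the claim logic can be exercised offline.

```python
import base64
import json
import time

# Constructed placeholder values (not a real user pool or app client).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
CLIENT_ID = "example1234567890abcdefghijkl"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token):
    """Return the claims dict of a compact JWT. Does NOT check the signature;
    call this only on a token whose RS256 signature was already verified
    against the user pool's JWKS."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_cognito_claims(claims, now=None):
    """Claim checks for a signature-verified Cognito token: issued by our
    user pool, not expired, a known token_use, and addressed to our app
    client (ID tokens carry it in `aud`, access tokens in `client_id`).
    Returns the token_use, or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token is expired or has no exp claim")
    token_use = claims.get("token_use")
    if token_use == "id":
        if claims.get("aud") != CLIENT_ID:
            raise ValueError("ID token aud is not our app client")
    elif token_use == "access":
        if claims.get("client_id") != CLIENT_ID:
            raise ValueError("access token client_id is not our app client")
    else:
        raise ValueError(f"unexpected token_use {token_use!r}")
    return token_use


def accept_token(token, now):
    """Convenience wrapper: the token_use string if the claims pass, else None."""
    try:
        return validate_cognito_claims(decode_jwt_claims(token), now)
    except ValueError:
        return None


def make_sample_token(claims):
    """Assemble a JWT from constructed claims with a dummy signature segment,
    so the claim checks can be exercised offline."""
    header = {"alg": "RS256", "kid": "example-kid"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig"])


NOW = 1_700_000_000  # fixed clock for reproducible checks
GOOD_ID_TOKEN = make_sample_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID,
                                   "token_use": "id", "exp": NOW + 3600, "sub": "user-1"})
GOOD_ACCESS_TOKEN = make_sample_token({"iss": EXPECTED_ISSUER, "client_id": CLIENT_ID,
                                       "token_use": "access", "exp": NOW + 3600})
WRONG_CLIENT_TOKEN = make_sample_token({"iss": EXPECTED_ISSUER, "aud": "other-client",
                                        "token_use": "id", "exp": NOW + 3600})
EXPIRED_TOKEN = make_sample_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID,
                                   "token_use": "id", "exp": NOW - 1})

if __name__ == "__main__":
    for name, tok in [("id", GOOD_ID_TOKEN), ("access", GOOD_ACCESS_TOKEN),
                      ("wrong client", WRONG_CLIENT_TOKEN), ("expired", EXPIRED_TOKEN)]:
        print(f"{name}: {accept_token(tok, NOW)}")
```

The `token_use` branch matters in practice: an access token has no `aud` claim, so a check that only looks at `aud` would either reject every access token or, if written leniently, accept tokens minted for a different app client in the same user pool.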