Once an account has been provisioned, there are a number of configuration items to set before providing the account to its eventual owner. Admin role creation, linking the account with a campus Identity Provider, and enabling logging are just a few of the items. Some of these can be completed programmatically, but others are a strictly manual process. Below are some examples of how the community is tackling this work.
http://blogs.cornell.edu/cloudification/2016/07/05/using-shibboleth-for-aws-api-and-cli-access/
A plugin for the AWS command line tool that allows a user to generate temporary credentials via Amazon's STS using SAML via ECP, with support for Duo for authentication. This has the obvious security advantage that a user no longer needs to store long-term credentials on disk.
Pypi: https://pypi.org/project/awscli-login/
GitHub: https://github.com/cites-illinois/awscli-login
In consultation with Cornell IT Security Office and Cornell financial administrators, two "standard" configurations of AWS accounts have been defined, one for general uses and one for research. Each configuration follows AWS, Cornell, and security best practices. Not all best practices can be implemented by policy and configuration. Individual AWS users also need to follow best practices; see the Cloudification Services Tech Blog and AWS IAM best practices documentation.
See: https://confluence.cornell.edu/display/CLOUD/Standard+AWS+Account+Configurations
AWS Account Setup Example GitHub Repo: https://github.com/CU-CommunityApps/aws-account-setup-example
The University of Arizona has a set of CloudFormation templates we use to set up new central IT accounts.
U of A CloudFormation Template Library: https://bitbucket.org/ua-ecs/service-catalog
Dave Miller presenting on May 22nd, 2017.
University of Illinois uses Active Directory and Shibboleth to grant access to an AWS account. AWS accounts configured under our campus contract use Shibboleth as the default login mechanism to the AWS Console. More information can be found here: https://answers.uillinois.edu/page.php?id=71883