Comment: Added vendor context to titles in prep for adding other vendors

...


Recommendations

The following are suggested best practices for account strategy and should be adapted to the organization's needs:

  1. Develop and enforce common tagging practices that meet the minimum requirements for billing and chargeback
  2. Implement a single consolidated master account (now called the management account) that provides billing consolidation and reporting across all institutional units (sub-accounts)
  3. Define a sub-account creation policy based on specific isolation or delegation requirements set by governance and security; initially it is recommended to segregate by operating environment (i.e., production vs. non-production)
  4. Consider additional VPCs as boundaries for workloads that require specialized controls
  5. Use a common services model, shared across accounts via VPC peering, to minimize duplication of resources

 


AWS Provisioning and IAM Roles at Penn State

In AWS the account owner provisions the users who will have access to the AWS console. With AWS Identity and Access Management (IAM), the account owner can define roles carrying specific levels of permission and assign them to users.

...

Example attribute resolver stanzas for a group naming convention of the form "aws.123456789012.read-only" (the AWS account ID, then the IAM role name):


 

<!-- Map each "aws.<account-id>.<role-name>" group DN to the AWS SAML Role attribute.
     $1 = account ID and $2 = role name, captured from the group's cn. -->
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped" sourceAttributeID="MemberOf">
    <resolver:Dependency ref="ldap"/>
    <resolver:AttributeEncoder
        xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::$1:saml-provider/Shibboleth,arn:aws:iam::$1:role/$2</ad:ReturnValue>
        <!-- An unescaped "." matches any character; group DNs that do not match produce no value. -->
        <ad:SourceValue>cn=aws.([^.]*).([^,]*),.*</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- RoleSessionName identifies the person in CloudTrail; here it is the user's mail attribute. -->
<resolver:AttributeDefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="ldap"/>
    <resolver:AttributeEncoder
        xsi:type="enc:SAML2String"
        name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
        friendlyName="RoleSessionName" />
</resolver:AttributeDefinition>

 


A caveat with federated roles is that AWS-side MFA devices do not apply to them: a SAML-federated session is granted on the strength of the IdP's authentication, so the institution must enforce MFA at the IdP or SSO layer. One clear advantage of IAM roles over IAM users is that there are no long-lived credentials on the AWS side to manage. When a user is removed from the group or leaves the institution, the IdP stops releasing the Role attribute and the user can no longer obtain access. Note that temporary credentials already issued remain valid until they expire (the role's maximum session duration, one hour by default), so deprovisioning is not instantaneous.
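To make the stanzas above checkable offline, the following is an added Python re-implementation of the ad:Mapped logic (example code, not from the original page or the Shibboleth project). It runs the page's own SourceValue regex and a stricter alternative over constructed memberOf values, builds the same "provider ARN,role ARN" strings as the ReturnValue template, and shows that a user in no aws.* group gets no Role attribute. The provider name "Shibboleth" is taken from the page; the account IDs, DNs, mail address and the STRICT_PATTERN are assumptions for the example.

```python
import re

# Constructed example, not part of the original page. It re-implements the
# ad:Mapped resolver logic in Python so the mapping can be checked offline.
# "Shibboleth" is the SAML provider name from the page's ReturnValue; the
# account IDs, DNs and mail address below are made-up sample data.
SAML_PROVIDER = "Shibboleth"

# Exactly the page's ad:SourceValue. In a regex an unescaped "." matches any
# character, and the account capture accepts anything that has no dot in it.
PAGE_PATTERN = re.compile(r"cn=aws.([^.]*).([^,]*),.*")

# Stricter variant (an assumption, not from the page): literal dots, a
# 12-digit account ID, and IAM role-name characters without commas, so a
# malformed group name yields no Role value instead of an unusable ARN.
STRICT_PATTERN = re.compile(r"^cn=aws\.(\d{12})\.([\w+=.@-]+),", re.IGNORECASE)

# Constructed memberOf values for one user: two well-formed AWS groups, one
# unrelated group, and one with a 5-digit (invalid) account ID.
SAMPLE_MEMBER_OF = [
    "cn=aws.123456789012.read-only,ou=groups,dc=example,dc=edu",
    "cn=aws.123456789012.admin,ou=groups,dc=example,dc=edu",
    "cn=staff,ou=groups,dc=example,dc=edu",
    "cn=aws.12345.read-only,ou=groups,dc=example,dc=edu",
]


def role_values(member_of, pattern=STRICT_PATTERN, provider=SAML_PROVIDER):
    """Map group DNs to AWS SAML Role attribute values.

    Each value is "<provider ARN>,<role ARN>", as in the page's ad:ReturnValue
    template. Groups that do not match contribute nothing, which is how a
    Mapped definition behaves when passThru is not enabled.
    """
    values = []
    for dn in member_of:
        match = pattern.match(dn)
        if not match:
            continue
        account, role = match.group(1), match.group(2)
        values.append(
            f"arn:aws:iam::{account}:saml-provider/{provider},"
            f"arn:aws:iam::{account}:role/{role}"
        )
    return values


def saml_attributes(member_of, mail, pattern=STRICT_PATTERN):
    """Build the two AWS attributes the resolver stanzas release.

    Returns None when the user is in no aws.* group: no Role attribute is
    released, so AWS rejects the assertion and the user has no access.
    """
    roles = role_values(member_of, pattern)
    if not roles:
        return None
    return {
        "https://aws.amazon.com/SAML/Attributes/Role": roles,
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": [mail],
    }


if __name__ == "__main__":
    print("page pattern:  ", role_values(SAMPLE_MEMBER_OF, PAGE_PATTERN))
    print("strict pattern:", role_values(SAMPLE_MEMBER_OF))
    removed = saml_attributes(["cn=staff,ou=groups,dc=example,dc=edu"], "jdoe@example.edu")
    print("removed user:  ", removed)
```

With the page's pattern the malformed "aws.12345.read-only" group still produces a value with a 5-digit account ID; AWS will reject that ARN, so it is a confusing failure rather than a grant, but the stricter pattern drops it at the IdP where the error is easier to spot. Either way, a user with no matching group receives no Role attribute, which is the deprovisioning behavior described above.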

...

(a) denotes a process intended to be automated

 


Securing Workloads of Differing Sensitivities in AWS at UNC Chapel Hill


We are just getting started but we are looking at Landing Zone and Control Tower (https://aws.amazon.com/controltower/) as one way to implement auditing and compliance for workloads in AWS for our institution. Specifically, we are looking for a way to manage accounts, monitor the accounts, and set baseline policies for the accounts that are created for researchers or departments. We are also looking into Transit Gateway (https://aws.amazon.com/transit-gateway/) to manage network connections within AWS and back to campus. I expect many of you are already using Organizations (https://docs.aws.amazon.com/organizations/index.html) along with service control and/or AWS Config.

...