AWS SSO

There are several ways to enable a user to access resources across multiple accounts. One of them uses the AWS SSO service, covered at a high level in the course “Security Engineering on AWS”.

This service is integrated with AWS Organisations and allows a user to log on to a portal and choose the account they wish to access.

For a brief getting started, the following assumes you have set up at least 2 accounts as part of an AWS Organisation.

Go to AWS Organisations, Settings. Several services can be enabled there, including AWS SSO.

Go to AWS SSO to see the following options:

Choose “manage your directory”, and create an SSO user. You will need to supply a valid email address. The user will receive an invitation to accept.

Next create a permission set. There are a number of built-in job function policies. I chose “ViewOnlyAccess”.

AWS SSO creates an IAM role in each account the permission set is assigned to. The trust relationship policy on that role looks like this: the only principal is the account's AWS SSO SAML provider, the only action is sts:AssumeRoleWithSAML, and the SAML:aud condition pins the audience of the assertion.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxxxxx:saml-provider/AWSSSO_047700dc7e52a8bb_DO_NOT_DELETE"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}


Assign the permission set to the user. You are given a “user logon portal” which can be customised. I used https://thetrainit.awsapps.com/start

Log on as the user using the email address.

The user can then choose from a list of accounts and is directed to the management console for the chosen account.

You can also configure single sign-on (SSO) access to multiple cloud applications and any custom applications that support identity federation with SAML 2.0.
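Because AWS SSO manages these roles, any extra statement in their trust policy is worth noticing: a trust policy that also allows sts:AssumeRole from another account, or trusts a SAML provider that AWS SSO did not create, quietly gives someone else the permission set. The following is an added example written for this post (it is not AWS code and not the post's own code) that audits a trust policy document for the three properties the policy above relies on. The account id 123456789012, the tampered second statement and the hex suffix of the provider name are constructed placeholders.

```python
"""Audit an IAM role trust policy that is expected to trust only AWS SSO.

Added example for this post; it is not AWS code and not the post's own code.
It checks the three things the AWS SSO trust policy relies on: the principal
is the account's own AWS SSO SAML provider, the only action is
sts:AssumeRoleWithSAML, and the SAML:aud condition pins the audience.
The account id 123456789012 and both sample policies are constructed.
"""
import json
import re
from typing import Any, List

EXPECTED_ACTION = "sts:AssumeRoleWithSAML"
EXPECTED_AUD = "https://signin.aws.amazon.com/saml"
# AWS SSO creates a provider named AWSSSO_<hex>_DO_NOT_DELETE in each account.
SSO_PROVIDER_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):saml-provider/AWSSSO_[0-9a-f]+_DO_NOT_DELETE$"
)


def _as_list(value: Any) -> List[Any]:
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc: str, account_id: str) -> List[str]:
    """Return findings for every Allow statement; an empty list means as expected."""
    findings: List[str] = []
    policy = json.loads(doc)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        tag = f"statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot grant assume rights

        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            findings.append(f"{tag}: wildcard principal {principal!r}")
        else:
            for kind in principal:
                if kind != "Federated":
                    findings.append(f"{tag}: non-federated principal type {kind}")
            for arn in _as_list(principal.get("Federated", [])):
                match = SSO_PROVIDER_RE.match(arn)
                if not match:
                    findings.append(f"{tag}: principal {arn} is not an AWS SSO SAML provider")
                elif match.group(1) != account_id:
                    findings.append(
                        f"{tag}: SAML provider belongs to account {match.group(1)}, not {account_id}"
                    )

        for action in _as_list(stmt.get("Action", [])):
            if action != EXPECTED_ACTION:
                findings.append(f"{tag}: unexpected action {action}")

        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        aud = next((v for k, v in equals.items() if k.lower() == "saml:aud"), None)
        if aud != EXPECTED_AUD:
            findings.append(f"{tag}: SAML:aud condition missing or not {EXPECTED_AUD}")
    return findings


# Constructed sample in the shape AWS SSO generates (placeholder account id).
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AWSSSO_047700dc7e52a8bb_DO_NOT_DELETE"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

# Constructed sample: the same policy with a cross-account sts:AssumeRole
# statement appended, the classic way to keep access to an SSO-managed role.
TAMPERED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        json.loads(GOOD_TRUST_POLICY)["Statement"][0],
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole"},
    ],
})

if __name__ == "__main__":
    print("good:", audit_trust_policy(GOOD_TRUST_POLICY, "123456789012"))
    print("tampered:", audit_trust_policy(TAMPERED_TRUST_POLICY, "123456789012"))
```

To run it against a real account, feed it the output of `aws iam get-role` for each AWSReservedSSO_ role; the second argument is the account id the role lives in, so a provider ARN from any other account is reported.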


IAM Policies with MFA Conditions

For potentially destructive actions such as stopping or terminating an instance you might require MFA, while for read-only actions such as describe-instances you might not.

For a simple test of this, I used this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

I made 2 users, UserMFA and UserNoMFA, both with console access.

For UserMFA, I enabled MFA using Google Authenticator for iPhone. If you haven’t done this before, create a user, then go to the Security Credentials tab and you are guided through the process, which involves pointing the iPhone camera at a QR code and entering the two 6-digit codes which appear on the iPhone app.

Attach the policy to the two users.

Log in as UserMFA. The user can see the EC2 instances because they have describe-instance permission, and can stop an instance because they are logged in using MFA.

Log in as UserNoMFA. The user can see the EC2 instances because they have describe-instance permission, but cannot stop an instance because they are not logged in using MFA. They receive the following error:

The same concept can apply to use of CLI and APIs, rather than the console, but that’s another story. Note that long-term access keys carry no aws:MultiFactorAuthPresent key at all, so the conditional Allow above never applies to them; a CLI user has to obtain temporary credentials from sts get-session-token with --serial-number and --token-code first.
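The difference between a condition key being "false" and being absent is what trips people up when the same policy is used from the CLI, and it matters even more for the inverse pattern (a Deny unless MFA). The following is an added example written for this post, not AWS code and not the post's own, that simulates the relevant slice of IAM policy evaluation and runs the policy above plus a weak and a corrected "deny unless MFA" policy against three constructed request contexts: console with MFA, console without MFA, and long-term access keys, where the key is simply missing.

```python
"""Simulate how IAM evaluates the aws:MultiFactorAuthPresent condition.

Added example for this post; it is not AWS code and not the post's own code.
It models only what the MFA policies here need: Allow/Deny statements,
action matching with '*', and the Bool, BoolIfExists and Null condition
operators, with explicit deny beating allow and implicit deny otherwise.
Resources are ignored. All request contexts are constructed.
"""
import fnmatch
from typing import Any, Dict, List, Optional

# The policy from the post: stop/terminate need MFA, describe does not.
MFA_FOR_DESTRUCTIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
}

# A common "deny StopInstances unless MFA" pattern written two ways. The weak
# form uses Bool false, which does not match when the key is absent, and
# long-term access keys carry no aws:MultiFactorAuthPresent key at all, so
# plain CLI calls are never denied. BoolIfExists treats a missing key as a
# match and closes that hole.
DENY_WITHOUT_MFA_WEAK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:StopInstances", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
DENY_WITHOUT_MFA_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:StopInstances", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _condition_holds(cond: Optional[Dict[str, Dict[str, str]]], ctx: Dict[str, str]) -> bool:
    """Every operator/key pair must match; a missing key is the interesting case."""
    for operator, pairs in (cond or {}).items():
        for key, expected in pairs.items():
            present = key in ctx
            want = expected.lower()
            if operator == "Bool":
                if not present or ctx[key].lower() != want:
                    return False          # absent key: no match
            elif operator == "BoolIfExists":
                if present and ctx[key].lower() != want:
                    return False          # absent key: match
            elif operator == "Null":
                if (want == "true") != (not present):
                    return False          # "true" asserts the key is absent
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy: Dict[str, Any], action: str, ctx: Dict[str, str]) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _condition_holds(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                 # explicit deny always wins
        decision = "Allow"
    return decision


# Constructed request contexts. Console sign-in yields temporary credentials
# with the key set to "true" (MFA used) or "false"; long-term access keys
# omit the key unless the caller first ran sts:GetSessionToken with an MFA
# serial number and code.
CONSOLE_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEYS: Dict[str, str] = {}


def demo() -> Dict[str, str]:
    """Run the cases from the post plus the access-key edge case."""
    stop, describe = "ec2:StopInstances", "ec2:DescribeInstances"
    return {
        "post/stop/console_mfa": evaluate(MFA_FOR_DESTRUCTIVE, stop, CONSOLE_MFA),
        "post/stop/console_no_mfa": evaluate(MFA_FOR_DESTRUCTIVE, stop, CONSOLE_NO_MFA),
        "post/stop/access_keys": evaluate(MFA_FOR_DESTRUCTIVE, stop, ACCESS_KEYS),
        "post/describe/access_keys": evaluate(MFA_FOR_DESTRUCTIVE, describe, ACCESS_KEYS),
        "weak_deny/stop/access_keys": evaluate(DENY_WITHOUT_MFA_WEAK, stop, ACCESS_KEYS),
        "fixed_deny/stop/access_keys": evaluate(DENY_WITHOUT_MFA_FIXED, stop, ACCESS_KEYS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} {result}")
```

The post's policy behaves the same for UserNoMFA and for an access-key CLI call (both fall through to implicit deny), because a conditional Allow that does not match simply grants nothing. The weak Deny is the case to watch: against access keys it never fires, and the unconditional Allow wins.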