Enterprise companies that commit to a cloud infrastructure strategy find themselves with many teams running many workloads on AWS. The best practice for partitioning between environments and applications is to separate these into their own dedicated AWS accounts. This allows for maximum flexibility when assigning role-based permissions to various workloads, and also keeps the blast radius small in the event that credentials become compromised.
But along with the benefits of a multi-account strategy come some additional management complexities. One of the primary areas of concern is managing AWS IAM permissions.
By design, IAM users and groups are constrained to the account that they are created in. In a poorly managed environment, one may have an individual user for each of the dozens (or hundreds!) of accounts that they need to access. This creates a management nightmare, and may actually be less secure due to the challenges of onboarding and offboarding users.
Amazon solved this problem years ago with cross account role capabilities. Cross account roles allow permissions to be delegated to external accounts. This still requires administration in several accounts, and in addition, the user experience is not brain-dead simple. Users need to know the cross account role name, the account number, log in to their main account, and then enter this info into a cross account form. In addition, this only solves permissions management for AWS.
AWS has since released AWS SSO, a great SSO service that can be used both for simplifying AWS console access and for managing SSO for other third-party services. Alongside its own service, AWS also supports SSO integration via SAML.
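As an added illustration (not code from the post or from the client's environment), the following constructs the two kinds of role trust policy discussed above for a workload account, one trusting the main account for cross account role access and one trusting a SAML identity provider such as Okta, and checks each for the weaknesses that widen the blast radius; it also builds the console switch-role link that carries the account number and role name users would otherwise type into the cross account form. Account IDs, the provider name and the helper names are assumptions.

```python
from urllib.parse import urlencode
# Constructed sample trust policies with placeholder account IDs (not the client's).
# 111111111111 is the "main" account users log in to; 222222222222 is a workload account.
CROSS_ACCOUNT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
# Same workload account, but trusting the SAML identity provider (Okta here) instead.
SAML_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::222222222222:saml-provider/Okta"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_findings(policy):
    """Flag trust-policy weaknesses that widen the blast radius of a role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        actions, cond = _as_list(stmt.get("Action")), stmt.get("Condition", {})
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account may assume this role")
        if "sts:AssumeRole" in actions:
            mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
            if str(mfa).lower() != "true":
                findings.append("cross-account AssumeRole without an MFA condition")
        if "sts:AssumeRoleWithSAML" in actions:
            if cond.get("StringEquals", {}).get("SAML:aud") != "https://signin.aws.amazon.com/saml":
                findings.append("SAML trust without a SAML:aud audience restriction")
    return findings

def switch_role_url(account_id, role_name, display_name):
    """Console switch-role link carrying the account number and role name users otherwise type in."""
    query = urlencode({"account": account_id, "roleName": role_name, "displayName": display_name})
    return "https://signin.aws.amazon.com/switchrole?" + query
```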
Our client, a genetic testing company, required a highly partitioned environment to meet their security requirements, and quickly began to struggle with IAM permissions management. Our client chose Okta as their SSO tool. By integrating Okta with their existing Microsoft AD and with AWS, they quickly had the solution they had been looking for. After configuring their AWS accounts to fit the Okta integration model, employees who required console access to various AWS accounts had a one-click interface to reach any account they had access to. Administrators love the model, as they can easily onboard and offboard account permissions with minimal effort.
SSO has always been a good value-add service for enterprises, but with a multi-account AWS strategy it becomes a requirement.