I'm looking forward to presenting "Centralizing identity across AWS, Azure and GCP" at fwd:cloudsec, a new, community organised, not-for-profit conference on cloud security. The event takes place on 29 June 2020 and is free to attend online.
We begin by looking at the approaches to Identity and Organizations adopted by AWS, Azure and GCP.
Azure and GCP both use an inherently centralized model for identity:
By default, AWS user identities are not centralized across multiple AWS accounts: IAM users are scoped to a single account, so it is possible (and common) to create separate IAM users in each account. This is definitely not recommended from a security perspective, as it is then all too easy for a leaver's credentials (a console password or long-lived access keys in some account nobody checked) to remain active after that person has left the organization.
There are two principal design patterns for centralizing identity across multiple AWS accounts:
Whichever cloud provider is used, it is important to federate identity back to a single source of truth, commonly on-premises Active Directory for larger enterprises, so that a leaver disabled there loses access everywhere.
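The leaver problem above is easy to check for once a source of truth exists: compare the IAM users that actually hold live credentials in each account against the current directory. The following is an added example, not code from the talk or its author. It reads the CSV that the IAM credential report produces (`aws iam get-credential-report`) and flags active passwords or access keys whose owner is no longer in the directory export, or which have gone unused for 90 days. The report rows, the directory set, the service-account allow-list and the reference date are all constructed for illustration; the column layout follows the real credential report, with the certificate columns omitted.

```python
"""Reconcile per-account IAM users against a central identity source.

Added example, not from the talk or the author. Given the CSV from the
IAM credential report of one account and the set of enabled users from
the identity source of truth (e.g. the AD export that feeds Azure AD),
report:
  * active credentials belonging to users absent from the directory
    (the leaver problem), and
  * active credentials unused for more than STALE_DAYS days
    (including keys that have never been used at all).
All data below is constructed; only the column names are real.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90
NOW = datetime(2020, 6, 29, tzinfo=timezone.utc)  # assumed reference date

# Constructed credential report (real column names, made-up rows).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_changed,password_last_used,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111111111111:root,2018-01-01T00:00:00+00:00,not_supported,2018-01-01T00:00:00+00:00,no_information,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2019-03-01T00:00:00+00:00,true,2020-05-01T00:00:00+00:00,2020-06-20T09:00:00+00:00,2020-08-01T00:00:00+00:00,true,true,2020-05-01T00:00:00+00:00,2020-06-21T09:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2019-03-01T00:00:00+00:00,true,2019-03-01T00:00:00+00:00,2019-11-02T09:00:00+00:00,2019-06-01T00:00:00+00:00,false,true,2019-03-01T00:00:00+00:00,2019-12-15T09:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,2019-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-04-01T00:00:00+00:00,2020-06-22T09:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A
dave,arn:aws:iam::111111111111:user/dave,2019-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2019-12-01T00:00:00+00:00,2020-01-10T09:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A
"""

# Constructed stand-ins for the directory export and the list of
# non-human IAM users that are owned and rotated separately.
DIRECTORY_USERS = {"alice", "carol", "dave"}   # bob has left
SERVICE_ACCOUNTS = {"deploy-bot"}


def _parse_ts(value):
    """Aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def active_credentials(row):
    """Yield (credential_name, last_used) for each enabled credential."""
    if row["password_enabled"] == "true":
        yield "password", _parse_ts(row["password_last_used"])
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            yield f"access_key_{n}", _parse_ts(row[f"access_key_{n}_last_used_date"])


def reconcile(report_csv, directory_users, service_accounts, now, stale_days=STALE_DAYS):
    """Return a list of (user, credential, reason) findings for one account."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            continue  # root is covered by separate controls (MFA, no keys)
        for cred, last_used in active_credentials(row):
            if user not in directory_users and user not in service_accounts:
                findings.append((user, cred, "leaver: not in identity source"))
            elif last_used is None or last_used < cutoff:
                # A never-used key is still a live credential, so it counts.
                findings.append((user, cred, f"unused for more than {stale_days} days"))
    return findings


def run_sample():
    """Run the check over the constructed data."""
    return reconcile(SAMPLE_REPORT, DIRECTORY_USERS, SERVICE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for user, cred, reason in run_sample():
        print(f"{user:<12} {cred:<14} {reason}")
```

In practice the report is pulled per account (from a central audit role across the AWS Organization) and the directory set comes from the same feed that drives the Azure AD sync; the findings are the accounts where a leaver's per-account IAM user was missed. Federating access through a single identity source removes the need for this reconciliation, which is the argument the talk makes.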
We’ll look at an organization which had IAM users created within several different AWS accounts, and no federation of identity.
As this organization was an Office 365 customer, Azure AD was already in place as the identity source for Office 365, synchronized with on-premises Active Directory.
I’ll talk about my experience leading the implementation of AWS Single Sign-On (SSO) across the AWS Organization, synchronized to Azure AD, using on-premises Active Directory identities.
You’ll see a live demonstration of user synchronization and single sign-on using AWS Organizations, AWS SSO, Azure AD and Active Directory, and hear about some of the practical issues encountered in adoption across multiple AWS accounts within the enterprise.
Paul Schwarzenberger is a Cloud Security Architect and DevSecOps specialist.