
Use new account assignment APIs for AWS SSO to automate multi-account access

In this blog post, we'll show you how to programmatically assign and audit access to multiple AWS accounts for your AWS Single Sign-On (SSO) users and groups, using the AWS Command Line Interface (AWS CLI) and AWS CloudFormation.

With AWS SSO, you can centrally manage access and user permissions to all of your accounts in AWS Organizations. You can assign user permissions based on common job functions, customize them to meet your specific security requirements, and assign the permissions to users or groups in the specific accounts where they need access. You can create, read, update, and delete permission sets in one place to have consistent role policies across your entire organization. You can then provide access by assigning permission sets to multiple users and groups in multiple accounts, all in a single operation.

AWS SSO recently added new account assignment APIs and AWS CloudFormation support to automate access assignment across AWS Organizations accounts. This release addressed feedback from customers with multi-account environments who wanted to adopt AWS SSO but faced challenges managing permissions across many AWS accounts. To automate the previously manual process and save administration time, you can now use the new AWS SSO account assignment APIs, or AWS CloudFormation templates, to programmatically manage AWS account permission sets in multi-account environments.

With the AWS SSO account assignment APIs, you can now build your own automation that assigns access for your users and groups to AWS accounts. You can also get insight into who has access to which permission sets in which accounts across your entire AWS Organizations structure. With the account assignment APIs, your automation can programmatically retrieve permission sets for audit and governance purposes, as shown in Figure 1.

Figure 1: Automating multi-account access with the AWS SSO API and AWS CloudFormation

Overview

In this walkthrough, we'll illustrate how to create permission sets, assign permission sets to users and groups in AWS SSO, and grant access for users and groups to multiple AWS accounts by using the AWS Command Line Interface (AWS CLI) and AWS CloudFormation.

To grant user permissions to AWS resources with AWS SSO, you use permission sets. A permission set is a collection of AWS Identity and Access Management (IAM) policies. Permission sets can contain up to 10 AWS managed policies and a single custom policy stored within AWS SSO.

A policy is an object that defines a user's permissions. Policies contain statements that represent individual access controls (allow or deny) for various tasks. This determines what tasks users can or cannot perform within the AWS account. AWS evaluates these policies when an IAM principal (a user or role) makes a request.

When you provision a permission set in an AWS account, AWS SSO creates a corresponding IAM role in that account, with a trust policy that allows users to assume the role through AWS SSO. With AWS SSO, you can assign more than one permission set to a user in a given AWS account. Users who have multiple permission sets must choose one when they sign in through the user portal or the AWS CLI. Users will see these as IAM roles.

To learn more about IAM policies, see Policies and permissions in IAM. To learn more about permission sets, see Permission Sets.

Assume you have a company, Example.com, which has three AWS accounts: an organization management account (ExampleOrgMaster), a development account (ExampleOrgDev), and a test account (ExampleOrgTest). Example.com uses AWS Organizations to manage these accounts and has already enabled AWS SSO.

Example.com has an IT security lead, Frank Infosec, who needs PowerUserAccess to the test account (ExampleOrgTest) and SecurityAudit access to the development account (ExampleOrgDev). Alice Developer, the developer, needs full access to Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3) in the development account (ExampleOrgDev). We'll show you how to assign and audit the access for Frank and Alice centrally with AWS SSO, using the AWS CLI.

The flow includes the following steps:

  1. Create three permission sets:
    • PowerUserAccess, with the PowerUserAccess policy attached.
    • AuditAccess, with the SecurityAudit policy attached.
    • EC2-S3-FullAccess, with the AmazonEC2FullAccess and AmazonS3FullAccess policies attached.
  2. Assign permission sets to the AWS accounts and AWS SSO users:
    • Assign the AuditAccess and PowerUserAccess permission sets to Frank Infosec, to provide the required access to the ExampleOrgDev and ExampleOrgTest accounts respectively.
    • Assign the EC2-S3-FullAccess permission set to Alice Developer, to provide the required permissions in the ExampleOrgDev account.
  3. Retrieve the assigned permissions by using the account assignment APIs for governance and audit purposes.

    Note: AWS SSO permission sets can contain either AWS managed policies or custom policies that are stored within AWS SSO. In this blog we attach AWS managed policies to the AWS SSO permission sets for simplicity. To help secure your AWS resources, follow the standard security advice of granting least-privilege access by using an AWS SSO custom policy when you create a permission set; the AWS managed policies used here (PowerUserAccess in particular) are far broader than most job functions require.

Figure 2: AWS Organizations account access for Alice and Frank

To help simplify administration of access permissions, we recommend that you assign access to groups rather than to individual users directly. With groups, you can grant or deny permissions to sets of users, rather than having to apply those permissions to each individual. For simplicity, in this blog you'll assign permissions to the users directly.

Prerequisites

Before you begin this walkthrough, complete these steps:

Use the AWS SSO API from the AWS CLI

To call the AWS SSO account assignment API from the AWS CLI, you need to install and configure AWS CLI v2. For more information about AWS CLI installation and configuration, see Installing the AWS CLI and Configuring the AWS CLI.

Step 1: Create permission sets

In this step, you learn how to create the EC2-S3-FullAccess, AuditAccess, and PowerUserAccess permission sets in AWS SSO from the AWS CLI.

Before you create the permission sets, run the following command to get the Amazon Resource Name (ARN) of the AWS SSO instance and the Identity Store ID, which you will need later in the process when you create and assign permission sets to AWS accounts and users or groups.

aws sso-admin list-instances

Figure 3 shows the results of running the command.

Figure 3: AWS SSO list instances

Next, create the permission sets for the security team (Frank) and the dev team (Alice), as follows.

Permission set for Alice Developer (EC2-S3-FullAccess)

Run the following command to create the EC2-S3-FullAccess permission set for Alice, as shown in Figure 4.

aws sso-admin create-permission-set --instance-arn '<instance ARN>' --name 'EC2-S3-FullAccess' --description 'EC2 and S3 access for developers'

Figure 4: Creating the permission set EC2-S3-FullAccess

Permission set for Frank Infosec (AuditAccess)

Run the following command to create the AuditAccess permission set for Frank, as shown in Figure 5.

aws sso-admin create-permission-set --instance-arn '<instance ARN>' --name 'AuditAccess' --description 'Audit Access for security team on ExampleOrgDev account'

Figure 5: Creating the permission set AuditAccess

Permission set for Frank Infosec (PowerUserAccess)

Run the following command to create the PowerUserAccess permission set for Frank, as shown in Figure 6.

aws sso-admin create-permission-set --instance-arn '<instance ARN>' --name 'PowerUserAccess' --description 'Power User Access for security team on ExampleOrgTest account'

Figure 6: Creating the permission set PowerUserAccess

Copy the permission set ARNs from these responses; you will need them when you attach the managed policies.

Step 2: Attach policies to permission sets

In this step, you learn how to attach managed policies to the permission sets that you created in step 1.

Attach policies to the EC2-S3-FullAccess permission set

Run the following command to attach the AmazonEC2FullAccess AWS managed policy to the EC2-S3-FullAccess permission set, as shown in Figure 7. Managed policy ARNs are case-sensitive, so use the exact policy name.

aws sso-admin attach-managed-policy-to-permission-set --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>' --managed-policy-arn 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'

Figure 7: Attaching the AWS managed policy AmazonEC2FullAccess to the EC2-S3-FullAccess permission set

Run the following command to attach the AmazonS3FullAccess AWS managed policy to the EC2-S3-FullAccess permission set, as shown in Figure 8.

aws sso-admin attach-managed-policy-to-permission-set --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>' --managed-policy-arn 'arn:aws:iam::aws:policy/AmazonS3FullAccess'

Figure 8: Attaching the AWS managed policy AmazonS3FullAccess to the EC2-S3-FullAccess permission set

Attach a policy to the AuditAccess permission set

Run the following command to attach the SecurityAudit managed policy to the AuditAccess permission set that you created earlier, as shown in Figure 9.

aws sso-admin attach-managed-policy-to-permission-set --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>' --managed-policy-arn 'arn:aws:iam::aws:policy/SecurityAudit'

Figure 9: Attaching the AWS managed policy SecurityAudit to the AuditAccess permission set

Attach a policy to the PowerUserAccess permission set

The following command is similar to the previous one; it attaches the PowerUserAccess managed policy to the PowerUserAccess permission set, as shown in Figure 10.

aws sso-admin attach-managed-policy-to-permission-set --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>' --managed-policy-arn 'arn:aws:iam::aws:policy/PowerUserAccess'

Figure 10: Attaching the AWS managed policy PowerUserAccess to the PowerUserAccess permission set

In the next step, you assign the users (Frank Infosec and Alice Developer) to their respective permission sets and assign the permission sets to accounts.

Step 3: Assign permission sets to users and groups and grant access to AWS accounts

In this step, you assign the AWS SSO permission sets you created to users and groups and to AWS accounts, to grant the required access for these users and groups in the respective AWS accounts.

To assign access to an AWS account for a user or group, using a permission set you created, you need the following:

  • The principal ID (the ID of the user or group)
  • The AWS account ID to which you want to assign this permission set

To obtain a user's or group's principal ID (UserId or GroupId), you use the AWS SSO Identity Store API. The AWS SSO Identity Store service enables you to retrieve all of your identities (users and groups) from AWS SSO. See the AWS SSO Identity Store API for more information.

Use the first two commands shown here to get the principal IDs of the two users, Alice (Alice's user name is alice@example.com) and Frank (Frank's user name is frank@example.com).

Alice's user ID

Run the following command to get Alice's user ID, as shown in Figure 11.

aws identitystore list-users --identity-store-id '<identity store ID>' --filters AttributePath='UserName',AttributeValue='alice@example.com'

Figure 11: Retrieving Alice's user ID

Frank's user ID

Run the following command to get Frank's user ID, as shown in Figure 12.

aws identitystore list-users --identity-store-id '<identity store ID>' --filters AttributePath='UserName',AttributeValue='frank@example.com'

Figure 12: Retrieving Frank's user ID

Note: To get the principal ID of a group, use the following command.

aws identitystore list-groups --identity-store-id '<identity store ID>' --filters AttributePath='DisplayName',AttributeValue='<group display name>'

Assign the EC2-S3-FullAccess permission set to Alice in the ExampleOrgDev account

Run the following command to assign Alice access to the ExampleOrgDev account by using the EC2-S3-FullAccess permission set. This will give Alice full access to the Amazon EC2 and Amazon S3 services in the ExampleOrgDev account.

Note: When you call the CreateAccountAssignment API, AWS SSO automatically provisions the specified permission set in the account, in the form of IAM policies attached to an IAM role that AWS SSO creates. This role is immutable: it is fully managed by AWS SSO, and it can't be deleted or changed by a user, even one with full administrative rights in the account. If the permission set is subsequently updated, the corresponding IAM policies attached to the roles in your accounts are not updated automatically. In this case, you need to call ProvisionPermissionSet to propagate the updates.

aws sso-admin create-account-assignment --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>' --principal-id '<user/group ID>' --principal-type '<USER/GROUP>' --target-id '<AWS account ID>' --target-type AWS_ACCOUNT

Figure 13: Assigning the EC2-S3-FullAccess permission set to Alice in the ExampleOrgDev account

Assign the AuditAccess permission set to Frank Infosec in the ExampleOrgDev account

Run the following command to assign Frank access to the ExampleOrgDev account by using the AuditAccess permission set.

aws sso-admin create-account-assignment --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>' --principal-id '<user/group ID>' --principal-type '<USER/GROUP>' --target-id '<AWS account ID>' --target-type AWS_ACCOUNT

Figure 14: Assigning the AuditAccess permission set to Frank in the ExampleOrgDev account

Assign the PowerUserAccess permission set to Frank Infosec in the ExampleOrgTest account

Run the following command to assign Frank access to the ExampleOrgTest account by using the PowerUserAccess permission set.

aws sso-admin create-account-assignment --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>' --principal-id '<user/group ID>' --principal-type '<USER/GROUP>' --target-id '<AWS account ID>' --target-type AWS_ACCOUNT

Figure 15: Assigning the PowerUserAccess permission set to Frank in the ExampleOrgTest account

To view the permission sets provisioned in an AWS account, run the following command, as shown in Figure 16.

aws sso-admin list-permission-sets-provisioned-to-account --instance-arn '<instance ARN>' --account-id '<AWS account ID>'

Figure 16: View the permission sets (AuditAccess and EC2-S3-FullAccess) assigned to the ExampleOrgDev account

To review the created resources in the AWS Management Console, go to the AWS SSO console. In the list of permission sets on the AWS accounts tab, choose the EC2-S3-FullAccess permission set. Under AWS managed policies, the policies attached to the permission set are listed, as shown in Figure 17.

Figure 17: Review the permission set in the AWS SSO console

To see the AWS accounts in which the EC2-S3-FullAccess permission set is currently provisioned, go to the AWS accounts tab, as shown in Figure 18.

Figure 18: Review permission set account assignment in the AWS SSO console

Step 4: Audit access

In this step, you learn how to audit the access assigned to your users and groups by using the AWS SSO account assignment API. In this example, you'll start from a permission set, review the permissions (AWS managed policies or a custom policy) attached to the permission set, get the users and groups associated with the permission set, and see which AWS accounts the permission set is provisioned to.

List the IAM managed policies for the permission set

Run the following command to list the IAM managed policies that are attached to a specified permission set, as shown in Figure 19.

aws sso-admin list-managed-policies-in-permission-set --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>'

Figure 19: View the managed policies attached to the permission set

List the assignees of the AWS account with the permission set

Run the following command to list the assignees (the users or groups, with their respective principal IDs) of the specified AWS account with the specified permission set, as shown in Figure 20.

aws sso-admin list-account-assignments --instance-arn '<instance ARN>' --account-id '<AWS account ID>' --permission-set-arn '<permission set ARN>'

Figure 20: View the permission set and the user or group assigned to the AWS account

List the accounts to which the permission set is provisioned

Run the following command to list the accounts that are associated with a specific permission set, as shown in Figure 21.

aws sso-admin list-accounts-for-provisioned-permission-set --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>'

Figure 21: View the AWS accounts to which the permission set is provisioned
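The assignment procedure in Step 3 and the audit commands in Step 4 are the kind of thing you would normally wrap in a script rather than type by hand. The following Python example is added here and is not part of the original post or AWS sample code. It is written against the method names and response shapes of the boto3 sso-admin and identitystore clients (list_users, list_account_assignments, create_account_assignment, list_permission_sets_provisioned_to_account, list_managed_policies_in_permission_set), but the FakeIdentityStore and FakeSsoAdmin classes, and every ARN, account ID and user ID in it, are constructed placeholders so that it runs offline; substitute boto3.client('sso-admin') and boto3.client('identitystore') to run it against a real instance. It shows two things the one-off CLI commands do not: the assignment is idempotent (an existing assignment is found through ListAccountAssignments instead of being recreated on every run), and every list call follows NextToken to the end, which the AWS CLI does for you but your own code must do itself. The BROAD_POLICIES list is an assumption of this example, not an AWS classification.

```python
# Added example (not AWS code): idempotent account assignment plus an access audit over the AWS SSO
# account assignment APIs. FakeIdentityStore and FakeSsoAdmin are constructed stand-ins that mimic
# boto3's 'identitystore' and 'sso-admin' method names and response shapes so this runs offline.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0000000000000000"  # placeholder
IDENTITY_STORE_ID = "d-0000000000"                                # placeholder
DEV_ACCOUNT, TEST_ACCOUNT = "111111111111", "222222222222"        # ExampleOrgDev, ExampleOrgTest (placeholders)
PS_PREFIX = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/"
PS = {"EC2-S3-FullAccess": PS_PREFIX + "ps-aaaaaaaaaaaaaaaa", "AuditAccess": PS_PREFIX + "ps-bbbbbbbbbbbbbbbb",
      "PowerUserAccess": PS_PREFIX + "ps-cccccccccccccccc"}  # placeholder permission set ARNs
# Managed policies whose presence in an assignment the audit flags for review (an assumption of this example).
BROAD_POLICIES = {"arn:aws:iam::aws:policy/PowerUserAccess", "arn:aws:iam::aws:policy/AdministratorAccess"}

def _page(items, key, token):  # one item per page plus NextToken, the way the real list APIs paginate
    i = int(token or 0)
    return {key: items[i:i + 1], **({"NextToken": str(i + 1)} if i + 1 < len(items) else {})}

class FakeIdentityStore:
    def __init__(self, users):
        self.users = users  # {UserName: UserId}
    def list_users(self, IdentityStoreId, Filters):
        name = Filters[0]["AttributeValue"]
        return {"Users": [{"UserName": name, "UserId": self.users[name]}] if name in self.users else []}

class FakeSsoAdmin:
    def __init__(self, policies):
        self.policies = policies  # {permission set ARN: [managed policy ARN, ...]}
        self.assignments = []     # dicts in the AccountAssignments response shape
        self.provisioned = set()  # (account ID, permission set ARN)
    def create_account_assignment(self, InstanceArn, TargetId, TargetType, PermissionSetArn,
                                  PrincipalType, PrincipalId):
        self.assignments.append({"AccountId": TargetId, "PermissionSetArn": PermissionSetArn,
                                 "PrincipalType": PrincipalType, "PrincipalId": PrincipalId})
        self.provisioned.add((TargetId, PermissionSetArn))  # the real API provisions on first assignment
        return {"AccountAssignmentCreationStatus": {"Status": "IN_PROGRESS"}}
    def list_permission_sets_provisioned_to_account(self, InstanceArn, AccountId, NextToken=None):
        arns = sorted(ps for acct, ps in self.provisioned if acct == AccountId)
        return _page(arns, "PermissionSets", NextToken)
    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        rows = [a for a in self.assignments if (a["AccountId"], a["PermissionSetArn"]) == (AccountId, PermissionSetArn)]
        return _page(rows, "AccountAssignments", NextToken)
    def list_managed_policies_in_permission_set(self, InstanceArn, PermissionSetArn, NextToken=None):
        rows = [{"Name": p.rsplit("/", 1)[1], "Arn": p} for p in self.policies[PermissionSetArn]]
        return _page(rows, "AttachedManagedPolicies", NextToken)

def paginate(method, key, **kwargs):  # yield every item of a list call, following NextToken to the end
    token = None
    while True:
        resp = method(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def user_id(ids, username):  # resolve a user name to its Identity Store UserId; exactly one match or fail
    users = ids.list_users(IdentityStoreId=IDENTITY_STORE_ID,
                           Filters=[{"AttributePath": "UserName", "AttributeValue": username}])["Users"]
    if len(users) != 1:
        raise LookupError(f"expected exactly one user named {username}, found {len(users)}")
    return users[0]["UserId"]

def ensure_assignment(sso, account, ps_arn, principal_type, principal_id):
    """Create the assignment only if it is not already present; returns True when it was created."""
    for a in paginate(sso.list_account_assignments, "AccountAssignments",
                      InstanceArn=INSTANCE_ARN, AccountId=account, PermissionSetArn=ps_arn):
        if (a["PrincipalType"], a["PrincipalId"]) == (principal_type, principal_id):
            return False
    sso.create_account_assignment(InstanceArn=INSTANCE_ARN, TargetId=account, TargetType="AWS_ACCOUNT",
                                  PermissionSetArn=ps_arn, PrincipalType=principal_type, PrincipalId=principal_id)
    return True

def audit_account(sso, account):
    """One row per (principal, permission set) in the account, flagged when a BROAD_POLICIES entry is attached."""
    rows = []
    for ps_arn in paginate(sso.list_permission_sets_provisioned_to_account, "PermissionSets",
                           InstanceArn=INSTANCE_ARN, AccountId=account):
        policies = [p["Arn"] for p in paginate(sso.list_managed_policies_in_permission_set, "AttachedManagedPolicies",
                                               InstanceArn=INSTANCE_ARN, PermissionSetArn=ps_arn)]
        for a in paginate(sso.list_account_assignments, "AccountAssignments",
                          InstanceArn=INSTANCE_ARN, AccountId=account, PermissionSetArn=ps_arn):
            rows.append({"account": account, "principal": a["PrincipalType"] + ":" + a["PrincipalId"],
                         "permission_set": ps_arn, "policies": policies, "broad": bool(BROAD_POLICIES & set(policies))})
    return rows

def demo():  # replay the post's scenario for Alice and Frank against the constructed clients
    ids = FakeIdentityStore({"alice@example.com": "user-alice", "frank@example.com": "user-frank"})
    sso = FakeSsoAdmin({PS["EC2-S3-FullAccess"]: ["arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                                                  "arn:aws:iam::aws:policy/AmazonS3FullAccess"],
                        PS["AuditAccess"]: ["arn:aws:iam::aws:policy/SecurityAudit"],
                        PS["PowerUserAccess"]: ["arn:aws:iam::aws:policy/PowerUserAccess"]})
    alice, frank = user_id(ids, "alice@example.com"), user_id(ids, "frank@example.com")
    wanted = [(DEV_ACCOUNT, PS["EC2-S3-FullAccess"], alice), (DEV_ACCOUNT, PS["AuditAccess"], frank),
              (TEST_ACCOUNT, PS["PowerUserAccess"], frank)]
    created = [ensure_assignment(sso, acct, ps, "USER", uid) for acct, ps, uid in wanted]
    rerun = [ensure_assignment(sso, acct, ps, "USER", uid) for acct, ps, uid in wanted]  # all False: no duplicates
    report = audit_account(sso, DEV_ACCOUNT) + audit_account(sso, TEST_ACCOUNT)
    return created, rerun, report
```

Calling demo() returns three values: the first pass creates all three assignments, the second pass creates none, and the audit yields three rows, of which only Frank's PowerUserAccess assignment in ExampleOrgTest is flagged. Two caveats carry over from the CLI walkthrough: CreateAccountAssignment is asynchronous (the response reports IN_PROGRESS, and a real script should poll DescribeAccountAssignmentCreationStatus before relying on the role), and the audit reports the policies a permission set carries now, which, as the note in Step 3 explains, only matches the role provisioned in each account if you called ProvisionPermissionSet after the last change to the permission set.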

In this section of the post, we've shown how to create a permission set, attach a managed policy to the permission set, and grant access for AWS SSO users or groups to AWS accounts by using this permission set. In the next section, we'll show you how to do the same by using AWS CloudFormation.

Use the AWS SSO API through AWS CloudFormation

In this section, you learn how to use CloudFormation templates to automate the creation of permission sets, attach managed policies, and use permission sets to assign access for a specific user or group to AWS accounts.

Sign in to the AWS Management Console and create a CloudFormation stack by using the following CloudFormation template. For more information on how to create a CloudFormation stack, see Creating a stack on the AWS CloudFormation console.

//start of Template//

{
    "AWSTemplateFormatVersion": "2010-09-09",

    "Description": "AWS CloudFormation template to automate multi-account access with AWS Single Sign-On (Entitlement APIs): create permission sets and assign access for AWS SSO groups and users to AWS accounts using permission sets. Before you use this template, we assume you have enabled AWS SSO for your AWS Organization, added the AWS accounts to which you want to grant AWS SSO access to your organization, signed in to the AWS Management Console with your AWS Organizations management account credentials, and have the required permissions to use the AWS SSO console.",

    "Parameters": {
        "InstanceARN": {
            "Type": "String",
            "AllowedPattern": "arn:aws:sso:::instance/(sso)?ins-[a-zA-Z0-9-.]{16}",
            "Description": "Enter AWS SSO InstanceARN. Ex: arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxx",
            "ConstraintDescription": "must be the ARN of an existing AWS SSO instance in the management account."
        },
        "ExampleOrgDevAccountId": {
            "Type": "String",
            "AllowedPattern": "\\d{12}",
            "Description": "Enter 12-digit Developer AWS Account ID. Ex: 123456789012"
        },
        "ExampleOrgTestAccountId": {
            "Type": "String",
            "AllowedPattern": "\\d{12}",
            "Description": "Enter 12-digit Test AWS Account ID. Ex: 123456789012"
        },
        "AliceDeveloperUserId": {
            "Type": "String",
            "AllowedPattern": "^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$",
            "Description": "Enter the AWS SSO Identity Store user ID for Alice Developer"
        },
        "FrankInfosecUserId": {
            "Type": "String",
            "AllowedPattern": "^([0-9a-f]{10}-|)[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$",
            "Description": "Enter the AWS SSO Identity Store user ID for Frank Infosec"
        }
    },

    "Resources": {
        "EC2S3Access": {
            "Type": "AWS::SSO::PermissionSet",
            "Properties": {
                "Description": "EC2 and S3 access for developers",
                "InstanceArn": { "Ref": "InstanceARN" },
                "ManagedPolicies": [
                    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                    "arn:aws:iam::aws:policy/AmazonS3FullAccess"
                ],
                "Name": "EC2-S3-FullAccess",
                "Tags": [ { "Key": "Name", "Value": "EC2S3Access" } ]
            }
        },
        "SecurityAuditAccess": {
            "Type": "AWS::SSO::PermissionSet",
            "Properties": {
                "Description": "Audit Access for Infosec team",
                "InstanceArn": { "Ref": "InstanceARN" },
                "ManagedPolicies": [ "arn:aws:iam::aws:policy/SecurityAudit" ],
                "Name": "AuditAccess",
                "Tags": [ { "Key": "Name", "Value": "SecurityAuditAccess" } ]
            }
        },
        "PowerUserAccess": {
            "Type": "AWS::SSO::PermissionSet",
            "Properties": {
                "Description": "Power User Access for Infosec team",
                "InstanceArn": { "Ref": "InstanceARN" },
                "ManagedPolicies": [ "arn:aws:iam::aws:policy/PowerUserAccess" ],
                "Name": "PowerUserAccess",
                "Tags": [ { "Key": "Name", "Value": "PowerUserAccess" } ]
            }
        },
        "EC2S3userAssignment": {
            "Type": "AWS::SSO::Assignment",
            "Properties": {
                "InstanceArn": { "Ref": "InstanceARN" },
                "PermissionSetArn": { "Fn::GetAtt": [ "EC2S3Access", "PermissionSetArn" ] },
                "PrincipalId": { "Ref": "AliceDeveloperUserId" },
                "PrincipalType": "USER",
                "TargetId": { "Ref": "ExampleOrgDevAccountId" },
                "TargetType": "AWS_ACCOUNT"
            }
        },
        "SecurityAudituserAssignment": {
            "Type": "AWS::SSO::Assignment",
            "Properties": {
                "InstanceArn": { "Ref": "InstanceARN" },
                "PermissionSetArn": { "Fn::GetAtt": [ "SecurityAuditAccess", "PermissionSetArn" ] },
                "PrincipalId": { "Ref": "FrankInfosecUserId" },
                "PrincipalType": "USER",
                "TargetId": { "Ref": "ExampleOrgDevAccountId" },
                "TargetType": "AWS_ACCOUNT"
            }
        },
        "PowerUserAssignment": {
            "Type": "AWS::SSO::Assignment",
            "Properties": {
                "InstanceArn": { "Ref": "InstanceARN" },
                "PermissionSetArn": { "Fn::GetAtt": [ "PowerUserAccess", "PermissionSetArn" ] },
                "PrincipalId": { "Ref": "FrankInfosecUserId" },
                "PrincipalType": "USER",
                "TargetId": { "Ref": "ExampleOrgTestAccountId" },
                "TargetType": "AWS_ACCOUNT"
            }
        }
    }
}

//End of Template//

When you create the stack, provide the following information to set up the example permission sets for Frank Infosec and Alice Developer, as shown in Figure 22:

  • The Alice Developer and Frank Infosec user IDs
  • The ExampleOrgDev and ExampleOrgTest account IDs
  • The AWS SSO instance ARN

Then launch the CloudFormation stack.

Figure 22: User inputs to launch the CloudFormation template

AWS CloudFormation creates the resources that are shown in Figure 23.

Figure 23: Resources created by the CloudFormation stack

Cleanup

To delete the resources that you created by using the AWS CLI, use the following commands.

Run the following command to delete an account assignment.

aws sso-admin delete-account-assignment --instance-arn '<instance ARN>' --target-id '<AWS account ID>' --target-type 'AWS_ACCOUNT' --permission-set-arn '<permission set ARN>' --principal-type '<USER/GROUP>' --principal-id '<user/group ID>'

After the account assignments are deleted, run the following command to delete the permission set.

aws sso-admin delete-permission-set --instance-arn '<instance ARN>' --permission-set-arn '<permission set ARN>'

To delete the resources that you created by using the CloudFormation template, go to the AWS CloudFormation console. Choose the stack you created, and then choose Delete. Deleting the CloudFormation stack cleans up the resources that were created.

Summary

In this blog post, we showed how to use the AWS SSO account assignment API to automate the deployment of permission sets, how to add managed policies to permission sets, and how to assign access for AWS SSO users and groups to AWS accounts by using specified permission sets.

To learn more about the AWS SSO APIs available to you, see the AWS Single Sign-On API Reference Guide.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS SSO forum or contact AWS Support.

