Essential Guide to AWS Governance – Part 2: Enable Single Sign-On for AWS using ADFS 3.0 and configure Cross Account Access

In the previous post (Essential Guide to AWS Governance – Part 1) I wrote about the essential AWS Accounts you’d need to have solid governance on AWS. Now in this post I will write about the following topics in this order, and I will try to add as many details as I can:

  1. Introduction to Single Sign-On (SSO) and Cross Account Access on AWS and how it works in practice
  2. Configure SSO for AWS using Active Directory Federation Service (ADFS) 3.0
  3. Configure the needed Roles and Policies on AWS
  4. Log in to AWS Management Console via SSO and Switch Roles

Introduction to Single Sign-On (SSO) and Cross Account Access on AWS

Implementing SSO for multiple accounts under one Organization is a bit tricky. You need to enable SSO for one Account (in our case the Security and Auditing Account), then you log into that Account and switch to other Accounts. In other words, the Security and Auditing Account is your landing spot. So here is the big picture:

  1. The user tries to log into AWS.
  2. His request goes through ADFS.
  3. ADFS checks the user’s username, password, and authorization (AD Group membership) with Active Directory.
  4. Active Directory approves the user’s membership and issues a ticket.
  5. ADFS informs AWS that the user is permitted to log in.
  6. The user logs in to AWS Security and Auditing Account.
  7. The user now tries to switch to a different Account (Project2 Account).
  8. The user’s request is approved and he/she switches to the Project2 Account.

Simple…. Right??? Wrong… Nothing is that simple 🙂 Like I said, that was the big picture. To implement this you need to configure your ADFS, and then you need to make sure your AWS Accounts are configured properly. Here are all the roles and policies you need to create:

Configure SSO for AWS using Active Directory Federation Service (ADFS) 3.0

Here I assume you have a working ADFS 3.0 (or 2.0) environment. If this is not the case, please refer to this page to learn how to set up ADFS. Now take the steps below:

1- Open the AD FS management console -> Trust Relationships and then right click Relying Party Trusts and then click Add Relying Party Trust.

2- Click Start

3- Select the first option and paste the following address into the textbox and click Next:

https://signin.aws.amazon.com/static/saml-metadata.xml

4- Type in any name and click Next:

5- Select the first option and click Next:

6- Select “Permit all users to access all this relying party” and click Next:

7- Click Next:

8- Click Close:

9- Now we need to create Claim Rules. Right click on Amazon Web Services Relying Party Trust and select Edit Claim Rules:

10- Click Add Rule:

11- Select Transform an Incoming Claim and click Next:

12- Configure it like the following picture and click Finish:

13- Click Add Rule again and select Send LDAP Attributes as Claims and click Next:

14- Configure it like the picture below. Make sure the LDAP Attribute E-Mail-Addresses is selected and the value is:

https://aws.amazon.com/SAML/Attributes/RoleSessionName

and then click Finish.

15- Add a new Rule and select Send Claims Using a Custom Rule and click Next:

16- Configure it like below with the following Custom Rule and then click Finish:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

17- Add one more new Rule and select Send Claims Using a Custom Rule and click Next:

18- Configure it like below with the following Custom Rule and then click Finish:

c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::111111111111:saml-provider/ADFS,arn:aws:iam::111111111111:role/ExampleCo-"));

Make sure in the code above you change the 111111111111 to your Security and Auditing Account ID and you change the ExampleCo to your company name or any other name.

19- Click Ok to close the Edit Claim Rules window.

20- Now you are done with the ADFS configuration and you need to create a Security Group in Active Directory for each AWS Project Account. Only the members of each group are able to access the corresponding AWS Account. So I think this part should be pretty straightforward. But there are two things which you should pay very close attention to:

  • Your AD Group names must begin with AWS- (i.e. AWS-Project1, AWS-Project2)
  • The name which comes after “AWS-” must be exactly the same as the Role name you will create on the AWS portal – Step 8 in the next section.

Configure the needed Roles and Policies on AWS

Now we assume you have created the Security and Auditing AWS Account as well as the two Project1 and Project2 AWS Accounts and we are ready to begin the next steps:

1- Log into the Security and Auditing AWS Account with the root email (i.e. security-prod@example.com) and password and go to IAM.

2- Click Identity Providers and then click Create Provider:

3- Choose SAML as the Provider Type and then give it any name (i.e. Example) and then click Choose File to select and upload your Metadata Document. You can access your ADFS Metadata Document usually under this URL: https://<yourservername>/FederationMetadata/2007-06/FederationMetadata.xml

4- Click Next Step and then click Create.

5- Go back to IAM and then click Roles and then click Create role:

6- Select SAML 2.0 federation, then select the SAML Provider you created in the previous step and then select “Allow programmatic and AWS Management Console access” and click Next: Permissions:


7- Click Create policy:

8- Select the JSON tab and then paste the following JSON policy document there and click Review Policy:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/ExampleCo-Project1"
    }
}

  • Important: Remember ExampleCo- is the name you gave in step 18 in the previous section. Project1 is the same name you gave to your AD Group (after AWS-).
  • 222222222222 is the Account ID of Project1.

9- Give it a name (i.e. ExampleCo-Project1) and click Create Policy.

10- Now go back to the Role creation wizard and select the Policy you just created and click Next-Review.

11- I normally give it the same name as the policy (i.e. ExampleCo-Project1) and click Create Role.

12- Now log out of your Security and Auditing AWS Account and log in to your Project1 AWS Account as root (i.e. project1-prod@example.com) and then go to IAM.

13- Go to Roles and then Create role and then select Another AWS account and then type in the Account ID of the Security and Auditing Account (for our example it is 111111111111) and then click Next:Permissions


14- Select AdministratorAccess policy and click Next:Review

15- Give it a role name exactly as the role name you created in the Security and Auditing Account – ExampleCo-Project1 and click Create Role:


***Important: Please take note you need to take the same steps above in this section for Project2 as well. Of course I trust you can make those small changes (i.e. Account ID) all by yourself.
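The chain the two sections above describe (AD group name, then the Role claim built by the custom rules in steps 16 to 18, then the sts:AssumeRole policy from step 8 and the trust policy from step 13), as an added Python example that is not part of the original post. The account IDs, the ADFS provider name and the ExampleCo- prefix are the page’s example values; the trust policy is the equivalent of what the “Another AWS account” option produces in step 13.

```python
import json
import re

# Values from the page's example; replace with your own account IDs and names.
SECURITY_ACCOUNT = "111111111111"   # Security and Auditing Account (the SSO landing account)
PROVIDER_NAME = "ADFS"              # name of the SAML provider created in IAM (step 3)
ROLE_PREFIX = "ExampleCo-"          # company prefix used in the step-18 claim rule


def groups_to_role_claims(token_groups):
    """Mirror of the step-18 custom rule: each AD group whose name starts with
    'AWS-' (matched case-insensitively, like the rule's (?i)^AWS-) becomes one
    https://aws.amazon.com/SAML/Attributes/Role value '<provider ARN>,<role ARN>';
    every other group (e.g. 'Domain Users') is dropped, so it never reaches AWS."""
    prefix = (f"arn:aws:iam::{SECURITY_ACCOUNT}:saml-provider/{PROVIDER_NAME},"
              f"arn:aws:iam::{SECURITY_ACCOUNT}:role/{ROLE_PREFIX}")
    return [re.sub(r"^AWS-", prefix, g, flags=re.IGNORECASE)
            for g in token_groups if re.match(r"(?i)^AWS-", g)]


def parse_role_claim(claim):
    """Split a Role claim value the way AWS reads it: (provider ARN, role ARN, role name)."""
    provider_arn, role_arn = claim.split(",", 1)
    return provider_arn, role_arn, role_arn.rsplit("/", 1)[1]


def cross_account_documents(group_name, project_account):
    """Derive the two policy documents for one project account. The role name is the
    AD group name minus 'AWS-' plus the prefix, which is why the SAML role in the
    Security account and the role in the project account must carry the same name."""
    role_name = ROLE_PREFIX + group_name[len("AWS-"):]
    assume_role_policy = {   # permission policy on the Security-account SAML role (step 8)
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                      "Resource": f"arn:aws:iam::{project_account}:role/{role_name}"}}
    trust_policy = {         # trust policy of the project-account role (step 13)
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                      "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"}}}
    return role_name, assume_role_policy, trust_policy


if __name__ == "__main__":
    # Constructed tokenGroups result for a user in two AWS groups and one unrelated group.
    for claim in groups_to_role_claims(["Domain Users", "AWS-Project1", "AWS-Project2"]):
        print(parse_role_claim(claim))
    name, perm, trust = cross_account_documents("AWS-Project1", "222222222222")
    print(name, json.dumps(perm, indent=2), json.dumps(trust, indent=2), sep="\n")
```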

Log in to AWS Management Console via SSO and Switch Roles

Now that we are done with almost everything, we get to the sweet part. Make sure your username is a member of the Project1 AD group (in our case AWS-Project1) and take the steps below:

1- Open your ADFS login page: https://<ADFS_Server-Name>/adfs/ls/idpinitiatedsignon.aspx

2- Select Amazon Web Services (or any name which you typed in when you created the Relying Party Trust in the first section)

3- If you are a member of more than one AD Group/AWS Account you need to select which one you want to log in with and then you are in.

4- Now you have landed on the Security and Auditing AWS Account and you need to switch to the Project1 AWS Account. In order to do this, click on your name on the top right of the Console and then click Switch Role:

5- Click Switch Role again in the next window and then type in the Project1 Account ID (222222222222) and Role name (ExampleCo-Project1) and click Switch Role:

6- You will be redirected to the Management Console again but this time you are logged into the Project1 AWS Account as an Administrator:


I hope this article was helpful and if you are interested, you can read on to the next posts in the same series:
