I'm currently using AWS IAM to provision access to the AWS resources for the users. Recently I created an AWS Organization to separate the Dev & Prod environments. While doing this I supposed to create another IAM user for all users for the Dev AWS Organization Account. so there is 2 IAM user for every user so that all users can access the resources in both Dev & Prod environments. (Yes, its conditional access, not all AWS resources is provisioned).
We started to implement AWS SSO using SAML & came to know about the IAM Identity Center, using which a single user can access resources in both the AWS accounts (Organizations) with a single username itself which is good.
I've some queries regarding the AWS SSO,
Question 1
AWS SSO requires AWS Organization to be enabled by default with an message. What does this means? Once AWS SSO is enabled I can't create new additional/sub organizations?
After you create an organization, you cannot join this account to
another organization until you delete its current organization
Question 2
Once I setup AWS Organization & AWS SSO and changed the identity source it syncs the groups & users to the AWS root account using which we can provision the resources. Will it remove/delete the existing IAM user & role?
If NO, can I still be able to login with the IAM username & password other than this AWS SSO?
Question 3
While I change the identity source using the AWS SSO it warns that the MFA configurations will be deleted. Will it delete the MFA for the root account and the IAM users? or Just the users inside the AWS SSO?
IAM Identity Center will delete your current multi-factor authentication (MFA) configuration.
Question 4
Why I can't setup the AWS SSO from an organization account? Is there any specific reason?
Final Question
Did I understood the AWS SSO (IAM Identity Center) Properly?
Related
We would like to move a bitnami vm to the Elastic cloud offering on Azure.
We've created an instance in a resource group - And as the owner I can login and start managing this cluster.
Now I would like to invite other people to this cluster. We don't have the organization option in the Settings (elastic docs: Organizations are currently not supported for Azure Marketplace accounts.).
Therefore I added a user in "Stack Management > Security > Users", but that user can't login, can't reset a password, ...
Am I wrong by adding Users in the Stack Management, can we manage this in Azure AD?
Thanks!
There are 2 commands I am confused for some time:
gcloud iam service-accounts get-iam-policy
gcloud iam service-accounts set-iam-policy
from the --help command, these 2 commands treat service account as a resource, most often I use service account as an identity, for example, in a project, set policy by binding role with service account so this service account can operate on something in that project.
Can someone please point out what is the usage to attach the policy to service account? how does service account act as a resource rather than an identity?
As explained in this below part of the official documentation Managing service accounts
:
When thinking of a service account as a resource, you can grant roles to other users to access or manage that service account.
So, use it as a resource has to goal for you to manage who can use and control the service account. To provide some additional details, as in this example here, with the policies attached to them, you can configure the level of access that different users can have within service accounts - as mentioned there, you can configure that some users have viewer access, while others have editor level.
To summarize, the functinality of attaching policies to a service account is for you to set different levels of access and permissions to users who can access the service account.
I want to give access to my developer to my MongoDB which is hosted by an EC2 Instance on AWS.
He should be able to make mongodump, upload the new backend and do some changes on our control Panel.
I created an IAM User with EC2FullAccess Permissions - I have seen that he was able to add his own IP to the Security Group so he could connect.
I don't feel so comfortable with that - what should I do, to secure myself that he has just enough access to do the necessary work:
Upload new code to server
Do MongoDB dump
I don't want him to be able to switch off/delete my instance or be able to delete my database at all.
Looking at your use case, you do not need to give any EC2 permissions, your developer does not even need IAM user, he can simply have the IP of the instance and the login credentials to the EC2 Instance, that should be suffice to log in to the instance and make the required changes. No need for an IAM user or AWS Console access.
IAM roles are for the purpose of accessing a service on behalf of another. Say, you want to access AWS DynamoDB or S3 from EC2 instance. In this case, an IAM role with required permissions attached to EC2 will server the purpose.
IAM User is for users who need access to AWS services either through Console or through API (programmatic). AWS credentials are required to access the service.
In your case, MongoDB is installed on EC2 and your developer needs access to "the server on which MongoDB is installed" and is not required any access of "AWS EC2 Service".
As correctly pointed out in answer by #X-Men, IAM role or IAM user is not at all required. What required is, your developer to have the IP of server and credentials to login to that server. Username-password or username-key.
Restriction which you need on developer related to MongoDB are to be configured on MongoDB itself and not on EC2 level.
Assuming I have an instance of Jira (or any other non-aws app that supports SAML), and it is running in my VPC, what steps do I need to take enable single-sign on using AWS Directory Service MicrosoftAD? (Ideally, when people try to access the app, they should be authenticated first, and the app should be able to access their user attributes.)
AWS Directory Service says in its documentation that it has disabled powershell access in AWS Directory Service. Does that mean that it is impossible to enable single sign on programmatically?
You can use AWS Cognito User Pools and Connect Active Directory as a Federated Identity Provider to the User Pool. After the integration you can use Cognito User Pools and SDKs to integrate with any web applications for authentication.
Check the AWS documentation of Using Federation for Amazon Cognito User Pools for more details.
After implementing the integration of Azure Active Directory and some other could applications like Salesforce, and syncing On-Premise Active Directory data by using Azure AD Connect, now I could auto login Salesforce and other cloud apps with Single Sign-On by using the credentials I used for desktop logon, but I still need to key in the credentials once when accessing Azure Applications page (Azure Portal).
Is there any configuration in Azure I can change to support auto-login by using the Windows credentials, so that once I log into my encrypted machine, I could auto login the Azure Applications page (the Azure portal) without key in password again? If Azure does not support no sign-on, what's the best way to do some development to support no sign-on?
Any post or suggestion will be appreciated!
You can always try to authorize users using Graph API. Maybe this will be helpfully: https://github.com/devkimchi/Graph-API-App-Only-Web-API-Sample
I had a similar issue when using ADFS for federated identity and the following article helped, not sure if it applies to Azure AD Connect but it might give you some useful info.
https://support.microsoft.com/en-us/kb/2535227
Thanks thedev and dawidr for your reply.
Finally I found a solution which might achieve the No Sign-On. AAD supports federation authentication, so just try to integrate the ADFS and AAD by using Azure AD Connect to implement the federation identify with On-Premise AD, then no more password key-in when accessing the Azure Applications. I don't have a proxy server with public IP so it's just a solution in my mind without verification.