Create User Access Privilege Reports for External IdP Users Using AWS Audit Manager | AWS Cloud Operations Blog


Organizations must comply with various industry regulations and certification programs, with a critical aspect being the generation of detailed user privilege and access reports for their cloud infrastructure. Auditors rely heavily on these reports to ensure that permissions are managed effectively at a granular level. However, the intricate nature of access control mechanisms, which include service control policies, resource-based policies, user/group/role policies, permission boundaries, and external identity providers, complicates the task of compiling a unified access report.

External Identity Providers (IdPs) are increasingly favored for managing user identities and access across cloud environments. Unfortunately, this shift can complicate the compilation of user privilege reports. To assist with this challenge, we present a comprehensive guide on generating detailed access reports when using external identity management solutions.

This article focuses on generating user access reports for organizations that use external IdPs through AWS IAM Identity Center. While an earlier blog post addressed reporting for identities managed directly in AWS IAM, this article specifically tackles the challenges faced by users who depend on third-party IdPs such as Okta, GSuite, Active Directory, and others.

Solution Overview

This article will illustrate how to establish a custom AWS Config rule that automatically collects configuration evidence, stores it in Amazon S3, and links that evidence within the AWS Audit Manager assessment report. By implementing this solution, users can automate the reporting process and minimize the manual effort required to import evidence into their AWS Audit Manager assessments.

AWS Audit Manager is a fully managed service that offers prebuilt frameworks for standard industry regulations and continuously collects evidence to help you prepare for audits. This ongoing, automated evidence gathering simplifies compliance with regulations and industry standards.

AWS Config allows organizations to assess the configuration settings of their AWS resources. This is accomplished through AWS Config rules, which compare the current state against the desired state. Users can utilize either AWS-managed or custom rules. Moreover, Audit Manager can capture AWS Config evaluations as evidence for audits. When creating or modifying a custom control, users can designate one or more AWS Config rules as a data source for evidence collection.

AWS IAM Identity Center is a centralized service designed for managing user access across multiple AWS accounts and applications. It provides single sign-on capabilities, supports various identity sources, enhances multi-account permissions, and facilitates access to AWS and other cloud applications. This solution is ideal for human user management in AWS, as it offers improved scalability and centralized control compared to traditional IAM.

In this blog, we will use an AWS Lambda-backed AWS Config custom rule to extend AWS Config and collect configuration evidence for AWS IAM Identity Center. The Lambda function writes the evidence (a user access report) to Amazon S3, and the resulting evaluation is referenced from your AWS Audit Manager custom assessment report.
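To make the architecture concrete, here is an added example (written for this page, not the Lambda function shipped in the blog's CloudFormation template) of what such a periodic Config custom-rule handler looks like. It builds an Identity Center access report by joining account assignments to user names and permission-set managed policies, writes it to S3 as CSV, and reports the result back to AWS Config with put_evaluations. The report builder is pure Python and runs offline on constructed sample data; the boto3 calls are confined to fetch_identity_center_data() and lambda_handler(). The REPORT_BUCKET environment variable, the CSV layout and the sample ARNs are assumptions of this example.

```python
"""Added example: periodic AWS Config custom-rule handler that produces an
IAM Identity Center access report. Pure report logic runs offline; boto3
is only used inside fetch_identity_center_data() and lambda_handler()."""
import csv
import io
import json
import os
from datetime import datetime, timezone

# Constructed sample data shaped like the Identity Center API responses.
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEADMIN"
PS_RO = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLERO"
SAMPLE_USERS = [{"UserId": "u-0001", "UserName": "alice@example.com"},
                {"UserId": "u-0002", "UserName": "bob@example.com"}]
SAMPLE_PERMISSION_SETS = {
    PS_ADMIN: {"Name": "AdministratorAccess",
               "ManagedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"]},
    PS_RO: {"Name": "ReadOnlyAccess",
            "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
}
SAMPLE_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN, "PrincipalType": "USER", "PrincipalId": "u-0001"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_RO, "PrincipalType": "USER", "PrincipalId": "u-0002"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_RO, "PrincipalType": "GROUP", "PrincipalId": "g-0001"},
]
FIELDS = ["principal", "principal_type", "account_id", "permission_set", "managed_policies"]


def build_access_report(users, permission_sets, assignments):
    """Join account assignments to user names and permission-set policies.
    Group principals are kept (prefixed GROUP:) rather than dropped, so the
    auditor sees every path into an account even before group expansion."""
    names = {u["UserId"]: u["UserName"] for u in users}
    rows = []
    for a in assignments:
        ps = permission_sets.get(a["PermissionSetArn"], {})
        if a["PrincipalType"] == "USER":
            principal = names.get(a["PrincipalId"], a["PrincipalId"])  # fall back to raw id
        else:
            principal = "GROUP:" + a["PrincipalId"]
        rows.append({"principal": principal, "principal_type": a["PrincipalType"],
                     "account_id": a["AccountId"],
                     "permission_set": ps.get("Name", a["PermissionSetArn"]),
                     "managed_policies": ";".join(ps.get("ManagedPolicies", []))})
    rows.sort(key=lambda r: (r["principal"], r["account_id"], r["permission_set"]))
    return rows


def report_to_csv(rows):
    """Serialise the rows as CSV; this object is what Audit Manager links as evidence."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def fetch_identity_center_data(sso_admin, identitystore, organizations):
    """Collect live data through boto3 clients (only exercised inside Lambda)."""
    inst = sso_admin.list_instances()["Instances"][0]
    arn, store = inst["InstanceArn"], inst["IdentityStoreId"]
    users = [u for p in identitystore.get_paginator("list_users").paginate(IdentityStoreId=store)
             for u in p["Users"]]
    permission_sets = {}
    for page in sso_admin.get_paginator("list_permission_sets").paginate(InstanceArn=arn):
        for ps_arn in page["PermissionSets"]:
            desc = sso_admin.describe_permission_set(InstanceArn=arn, PermissionSetArn=ps_arn)
            pols = sso_admin.list_managed_policies_in_permission_set(
                InstanceArn=arn, PermissionSetArn=ps_arn)["AttachedManagedPolicies"]
            permission_sets[ps_arn] = {"Name": desc["PermissionSet"]["Name"],
                                       "ManagedPolicies": [p["Arn"] for p in pols]}
    assignments = []
    for page in organizations.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            for ps_arn in permission_sets:  # one call per account x permission set
                for ap in sso_admin.get_paginator("list_account_assignments").paginate(
                        InstanceArn=arn, AccountId=acct["Id"], PermissionSetArn=ps_arn):
                    assignments.extend(ap["AccountAssignments"])
    return users, permission_sets, assignments


def lambda_handler(event, context):
    """Entry point for a periodic Config custom rule; REPORT_BUCKET is an assumed env var."""
    import boto3  # imported here so the pure functions above run without boto3 installed
    users, psets, asg = fetch_identity_center_data(
        boto3.client("sso-admin"), boto3.client("identitystore"), boto3.client("organizations"))
    rows = build_access_report(users, psets, asg)
    bucket = os.environ["REPORT_BUCKET"]
    key = f"identity-center-access-report/{datetime.now(timezone.utc):%Y-%m-%dT%H%M%SZ}.csv"
    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=report_to_csv(rows).encode())
    invoking = json.loads(event["invokingEvent"])  # Config passes this as a JSON string
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": "AWS::::Account",
                      "ComplianceResourceId": event["accountId"],
                      "ComplianceType": "COMPLIANT",
                      "Annotation": f"Access report written to s3://{bucket}/{key}",
                      "OrderingTimestamp": invoking["notificationCreationTime"]}],
        ResultToken=event["resultToken"])
    return {"rows": len(rows), "key": key}
```

Two practical points when adapting this: the assignment listing is one API call per account per permission set, so in a large organization the Lambda timeout and the sso-admin API throttling limits need to be sized accordingly; and the function's execution role must be allowed to call the Identity Center, Organizations, S3 and config:PutEvaluations APIs it uses, while the S3 bucket that holds the evidence should be versioned (as the prerequisites note) so that earlier reports remain available to auditors.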

What We’ll Cover:

  • Setting up an Audit Manager assessment
  • Configuring an AWS Config custom rule to trigger a Lambda function that generates a new access report for AWS IAM Identity Center

Prerequisites

Before you proceed, ensure you have the following prerequisites in place:

  • An S3 bucket for the AWS Config custom rule to write evidence.
  • AWS Config must be enabled, complete with an AWS Config Recorder (Refer to AWS Config setup).
  • Necessary permissions to deploy the provided AWS CloudFormation template. Sample permissions can be reviewed here.
  • AWS Audit Manager must be enabled (Set up AWS Audit Manager).
  • Permissions to access AWS Config, AWS Audit Manager, AWS Identity Center, and AWS Organizations.
  • An AWS Cloud9 instance.

Deployment Steps

  1. Log into the AWS Console and navigate to AWS Cloud9 IDE.
  2. Follow the instructions to set up an AWS Cloud9 Environment on EC2. (Ensure you select the Amazon Linux 2 AMI for the platform.)
  3. Create an openpyxl Lambda Layer:
    • In the Cloud9 terminal, create a new directory for your layer:
      mkdir openpyxl-layer && cd openpyxl-layer
    • Create and activate a Python 3.9 virtual environment, then install openpyxl into it (the pip install is what populates the layer):
      python3.9 -m venv venv
      source venv/bin/activate
      pip install openpyxl
    • Create the python directory that Lambda layers expect and copy the installed packages into it:
      mkdir -p python/lib/python3.9/site-packages
      cp -r venv/lib/python3.9/site-packages/* python/lib/python3.9/site-packages/
    • Create a ZIP file of the layer contents:
      zip -r openpyxl-layer.zip python
    • Publish the Lambda Layer:
      aws lambda publish-layer-version --layer-name openpyxl-layer --zip-file fileb://openpyxl-layer.zip --compatible-runtimes python3.9
    • Copy the LayerVersionArn from the command output; you will need it in Step 6.
  4. Create an S3 Bucket by following the steps outlined here. (Note: Enable versioning on the S3 bucket.)
  5. Navigate to CloudFormation. Choose ‘Create stack’ followed by ‘With new resources (standard)’. In the ‘Specify template’ section, paste the Amazon S3 URL of the provided CloudFormation template and click ‘Next’.
  6. Enter the required information:
    • ConfigRuleName – specify a unique name for the AWS Config Rule that runs periodically to invoke a custom Lambda function for generating a user privileges report saved to the specified S3 bucket.
    • Under LambdaLayerVersionARN – enter the ARN copied in Step 3.
    • For the S3BucketName – provide the name of the bucket created in Step 4.
    • Click ‘Next’.
  7. Click ‘Next’, check the Capabilities checkbox, and select ‘Create stack’. Wait until the stack is in the ‘CREATE_COMPLETE’ state.
  8. Now, create a custom control in Audit Manager. To create a custom control that will utilize your new AWS Config custom rule as a data source, follow these instructions:
    • In the ‘Control Library’ section, click on ‘Create Custom Control’, enter the Control Name and click ‘Next’.
  9. Uncheck entries under the ‘AWS managed sources – new’ section. Under Customer managed sources, select ‘Use a data source to collect manual or automated evidence’ and choose ‘AWS Config custom rule’.
  10. Select the ‘Custom Rule’ created during the AWS CloudFormation template launch. The default value is ‘AuditManagerUserAccessEvidenceRule’. If you made modifications, select your customized version.
  11. Continue through the wizard, review the details, and save changes.
  12. With a custom control defined that leverages the AWS Config custom rule you created, it’s time to set up a framework to apply the custom control. You can modify any existing framework or create a new one, which we will do in this article.
  13. From the left pane, select ‘Framework Library’.
  14. Choose ‘Custom frameworks’, and then click ‘Create custom framework’.

By following these steps, you can effectively generate comprehensive access reports for users managed through external IdPs in your AWS environment.

