Organizations must comply with various industry regulations and certification programs, and a crucial aspect of this compliance involves generating a detailed report on user privileges and access for cloud infrastructure. Auditors depend on these reports to ensure that permissions are managed meticulously at a granular level. However, the intricacies of access control mechanisms—which can include service control policies, resource-based policies, user/group/role policies, permission boundaries, and external identity providers—complicate the creation of a unified access report.
The popularity of external identity providers (IdPs) for managing user identities and access across cloud environments has grown significantly. However, this trend can make it more challenging to produce comprehensive user privilege reports. This article aims to streamline this process by offering a step-by-step guide on how to generate detailed access reports when using external identity management solutions.
This post focuses on how organizations that utilize external IdPs through AWS IAM Identity Center can generate user access reports. While previous articles have discussed reporting for identities stored in AWS IAM, this one specifically addresses the issues faced by customers who utilize third-party IdPs like Okta, GSuite, Active Directory, and others.
Solution Overview
In this article, we will illustrate how to create a custom AWS Config rule that automatically collects configuration evidence, which is then stored in Amazon S3 and linked to the AWS Audit Manager assessment report. This solution enables customers to automate the report generation process, significantly reducing the manual effort involved in importing evidence into their AWS Audit Manager assessments.
AWS Audit Manager is a fully managed service that provides frameworks for various industry standards and regulations, facilitating the continuous collection of evidence to prepare for audits. The automated and ongoing gathering of evidence related to AWS resource usage simplifies risk assessments and ensures compliance with regulations and industry standards.
AWS Config allows customers to evaluate the configuration settings of AWS resources through rules that compare the current state to the desired state. Customers can utilize AWS-managed rules or create custom rules. Audit Manager can capture AWS Config evaluations as evidence for audits. When creating or editing a custom control, you can specify one or more AWS Config rules as evidence collection data sources.
AWS IAM Identity Center serves as a centralized service for managing user access across multiple AWS accounts and applications. It offers single sign-on capabilities, supports various identity sources, streamlines multi-account permissions, and provides access to AWS and cloud applications. This recommended solution for human user management in AWS enhances traditional IAM with improved scalability and centralized control.
In this article, we will utilize AWS Lambda-backed AWS Config custom rules to extend AWS Config and gather configuration evidence for AWS Identity Center. This evidence will be stored in Amazon S3 and referenced in your AWS Audit Manager custom assessment report.
We will cover the following:
- Setting up the Audit Manager assessment.
- Configuring the AWS Config custom rule to trigger a Lambda function that generates a new AWS IAM Identity Center access report.
Figure 1: Architecture of the solution
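As an added example (not code from the original post or from the CloudFormation template it deploys), this sketches the core of what the Lambda behind the custom rule has to do: join Identity Center account assignments with permission-set and principal names, render the report body, and build the evaluations handed back to AWS Config. The sample records are constructed and shaped like the sso-admin ListAccountAssignments / DescribePermissionSet and identitystore DescribeUser / DescribeGroup responses; the report is written as CSV with the standard library rather than openpyxl, and the rule semantics (an account is NON_COMPLIANT when an assignment points at a principal that no longer resolves in the identity store) are an assumption of this example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample data, shaped like the API responses named in the lead-in.
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-0000/ps-admin",
     "PrincipalType": "USER", "PrincipalId": "u-1"},
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-0000/ps-ro",
     "PrincipalType": "GROUP", "PrincipalId": "g-1"},
    {"AccountId": "222222222222", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-0000/ps-admin",
     "PrincipalType": "USER", "PrincipalId": "u-gone"},  # principal deleted from the identity store
]
PERMISSION_SETS = {"arn:aws:sso:::permissionSet/ssoins-0000/ps-admin": "AdministratorAccess",
                   "arn:aws:sso:::permissionSet/ssoins-0000/ps-ro": "ReadOnlyAccess"}
USERS = {"u-1": "alice@example.com"}   # UserId -> UserName
GROUPS = {"g-1": "cloud-auditors"}     # GroupId -> DisplayName

def build_access_rows(assignments, permission_sets, users, groups):
    """One row per assignment, with ARNs and ids resolved to auditor-readable names."""
    rows = []
    for a in assignments:
        lookup = users if a["PrincipalType"] == "USER" else groups
        name = lookup.get(a["PrincipalId"])
        rows.append({
            "AccountId": a["AccountId"],
            "PermissionSet": permission_sets.get(a["PermissionSetArn"], a["PermissionSetArn"]),
            "PrincipalType": a["PrincipalType"],
            "Principal": name if name else f"UNRESOLVED:{a['PrincipalId']}",
            "Resolved": name is not None,   # stale assignments are what an auditor wants flagged
        })
    return rows

def report_csv(rows):
    """Render the rows as the report body to upload to the evidence bucket."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["AccountId", "PermissionSet", "PrincipalType", "Principal"],
                            extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def config_evaluations(rows, now=None):
    """One evaluation per account in the shape PutEvaluations expects (assumed rule semantics:
    NON_COMPLIANT if any assignment in the account points at an unresolvable principal)."""
    now = now or datetime.now(timezone.utc)
    ok_by_account = {}
    for r in rows:
        ok_by_account[r["AccountId"]] = ok_by_account.get(r["AccountId"], True) and r["Resolved"]
    return [{"ComplianceResourceType": "AWS::::Account", "ComplianceResourceId": acct,
             "ComplianceType": "COMPLIANT" if ok else "NON_COMPLIANT", "OrderingTimestamp": now}
            for acct, ok in sorted(ok_by_account.items())]
```

In the real Lambda the evaluations list is passed to `put_evaluations` together with the `resultToken` from the invoking event, and the CSV body goes to the versioned S3 bucket the stack parameter names.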
Prerequisites
Before proceeding, ensure you have the following prerequisites in place:
- An S3 bucket for the AWS Config custom rule to write evidence to.
- AWS Config must be enabled, along with an AWS Config Recorder (refer to Set up AWS Config).
- Permissions to deploy the provided AWS CloudFormation template. Sample permissions can be reviewed here.
- AWS Audit Manager must be enabled (Set up AWS Audit Manager).
- Permissions to access AWS Config, AWS Audit Manager, AWS Identity Center, and AWS Organizations.
- An AWS Cloud9 instance.
Deployment Steps
- Log in to the AWS Console and go to the AWS Cloud9 IDE.
- Follow the instructions to set up the AWS Cloud9 Environment on EC2. (Ensure you select the Amazon Linux 2 AMI for the platform.)
- Create an openpyxl Lambda Layer.
- In the Cloud9 terminal, create a new directory for your layer:
mkdir openpyxl-layer && cd openpyxl-layer
- Create a Python 3.9 virtual environment, activate it, and install openpyxl into it:
python3.9 -m venv venv
source venv/bin/activate
pip install openpyxl
- Create a python directory and copy the installed packages into it:
mkdir -p python/lib/python3.9/site-packages
cp -r venv/lib/python3.9/site-packages/* python/lib/python3.9/site-packages/
- Create a ZIP file of the layer contents:
zip -r openpyxl-layer.zip python
- Publish the Lambda Layer:
aws lambda publish-layer-version --layer-name openpyxl-layer --zip-file fileb://openpyxl-layer.zip --compatible-runtimes python3.9
- Copy the LayerVersionArn.
- Create an S3 Bucket using the steps outlined here. (Note: Enable versioning on the S3 bucket.)
- Navigate to CloudFormation, choose ‘Create stack’, then ‘With new resources (standard)’. In the ‘Specify template’ section, paste the Amazon S3 URL below and hit ‘Next.’
- Enter the requested information:
- ConfigRuleName – specify a unique name for the AWS Config rule that will run periodically to invoke the custom Lambda function, which generates the user privilege report and saves it to the specified S3 bucket.
- Under LambdaLayerVersionARN – enter the ARN copied in Step 3.
- For the S3BucketName – input the bucket name created in Step 4.
- Choose ‘Next.’
- Continue through the prompts, check the Capabilities checkbox, and select ‘Create stack.’ Wait until the stack is in the ‘CREATE_COMPLETE’ state.
- Create a custom control in Audit Manager that will utilize your new AWS Config custom rule as a data source by following these instructions. Attach your custom AWS Config rule:
- In the ‘Control Library’ section, click on ‘Create Custom Control’, enter Control Name, and click ‘Next.’
- Uncheck entries under the ‘AWS managed sources – new’ section. Under Customer managed sources, select ‘Use a data source to collect manual or automated evidence’ and select ‘AWS Config custom rule.’
- Choose the ‘Custom Rule’ created when launching the AWS CloudFormation template. The default is ‘AuditManagerUserAccessEvidenceRule.’ Choose this option unless you have made modifications.
- Follow through the wizard, review, and save your changes.
- With the custom control defined leveraging the AWS Config custom rule, it’s time to create a framework that will use the custom control. Note that you could modify any existing framework to include the custom control, but for this article, we’ll create a new custom framework and add the control you previously created.
- Select ‘Framework Library’ from the left pane.
- Choose ‘Custom frameworks,’ then ‘Create custom framework.’