Amazon Onboarding with Learning Manager Chanci Turner

Some organizations running AWS Control Tower use Azure Active Directory (Azure AD) as their primary Identity Provider (IdP) for authentication and authorization. When configuring federation with Azure AD, many follow the tutorial that explains the integration of Azure AD single sign-on with AWS. That tutorial relies on an IAM user with programmatic access in each account so that Azure AD can enumerate the account's IAM roles and map them to Azure AD user groups. This method effectively centralizes both authentication and authorization within the IdP.

This article outlines how to optimize the SAML 2.0 federation setup using AWS Control Tower in conjunction with Azure Active Directory Customizations for AWS Control Tower. With this approach, you can achieve a more streamlined process for establishing federation across your AWS accounts.

Solution Overview

This solution is built upon AWS’s prescriptive guidance designed to automate SAML 2.0 federation in AWS multi-account setups utilizing Azure Active Directory. It is particularly suited for AWS Control Tower customers leveraging the Customizations for AWS Control Tower solution.

Let’s walk through a typical workflow for enabling Azure AD federation in a newly created member account. This process involves two key roles: 1) an Azure AD administrator, who is tasked with federation configuration, and 2) a CloudOps administrator, who is responsible for account creation. The workflow proceeds as follows:

  1. An Azure AD admin establishes a new Enterprise Application (EA) for AWS Single-Account Access and shares the SAML metadata with the CloudOps admin.
  2. The CloudOps admin creates a new member account within AWS and sets up the IdP in that account.
  3. The CloudOps admin then logs into the new account to:
    • Create the IAM user for Azure AD user provisioning
    • Generate programmatic access keys for the IAM user
    • Share the access keys with the Azure AD admin

Following this, the Azure AD admin activates provisioning within the Enterprise Application using the access keys and maps the roles accordingly.

To enhance this process, it’s advisable to implement a regular access key rotation cycle. Each time the keys are rotated, the Azure AD admin must request new keys from the CloudOps admin. However, we can simplify this workflow through automation, minimizing manual tasks and allowing the Azure AD admin to securely retrieve programmatic access keys directly. The refined workflow now appears as follows:

  1. An Azure AD admin creates a new Enterprise Application for AWS Single-Account Access and provides the SAML metadata to the CloudOps admin.
  2. The CloudOps admin establishes a new member account within AWS and sets up the IdP.
  3. The Azure AD admin logs into the new account, securely obtains the IAM user programmatic access keys, and activates provisioning within the Enterprise Application.

The next diagram illustrates the solution architecture and the workflow for enabling federation in a new account.

Implementation Steps

To implement this solution, follow these steps:

  1. Create a StackSet using the Customizations for AWS Control Tower solution.
  2. Enable federation to the management account using the AzureAdFederationAdminRole.

Upon setup completion, you can proceed to configure provisioning within the Azure Active Directory Enterprise Application for AWS Single-Account Access for each account. The CloudFormation templates for automating SAML 2.0 Federation with Azure Active Directory can be accessed on GitHub.

Prerequisites

To successfully implement this solution, ensure you meet the following prerequisites:

  • AWS Control Tower with the Customizations for AWS Control Tower solution deployed.
  • An Azure AD Enterprise Application for AWS Single-Account Access has been created for the AWS management account and configured with the IAM identity provider.
  • An Azure AD Enterprise Application for AWS Single-Account Access has been set up for each AWS member account and configured similarly.

Configuring the Control Tower Customization Solution

The initial step is to adjust the Customizations for AWS Control Tower solution with a new template to accommodate the Azure AD required resources.

  1. Download the YAML template files from GitHub into the templates folder of your Customizations for AWS Control Tower repository.
  2. Modify your manifest.yaml file to deploy the azuread-fed-management-account.yaml as a StackSet to your management account.
  3. Update your manifest.yaml file to deploy the azuread-fed-member-account.yaml as a StackSet to all other accounts by specifying the relevant top-level Organizational Units. Your manifest.yaml file should resemble the following sample (the second entry needs its own unique name and the member-account template):

```yaml
#=============================================================
# Azure AD Federation - Management Account
#=============================================================
- name: azure-ad-federation-automation-management
  resource_file: templates/azuread-fed-management-account.yaml
  parameters:
    - parameter_key: OrganizationId
      parameter_value: "o-aaa111bbb2222"
    - parameter_key: SAMLProviderName
      parameter_value: "aad"
    - parameter_key: IAMUserName
      parameter_value: "AzureADAutomationUser"
    - parameter_key: IAMUserGroupName
      parameter_value: "AzureADAutomationGroup"
    - parameter_key: AzureAdFederationAdminRoleName
      parameter_value: "AzureAdFederationAdminRole"
    - parameter_key: AzureAdFederationAssumeRoleName
      parameter_value: "AzureAdFederationAssumeRole"
  deploy_method: stack_set
  deployment_targets:
    accounts:
      - 111122223333
  regions:
    - us-east-1

#=============================================================
# Azure AD Federation - All Member Accounts
#=============================================================
# StackSet names must be unique; this entry deploys the member-account template.
- name: azure-ad-federation-automation-member
  resource_file: templates/azuread-fed-member-account.yaml
  parameters:
    - parameter_key: ManagementAccountId
      parameter_value: "111122223333"
    - parameter_key: IAMUserName
      parameter_value: "AzureADAutomationUser"
    - parameter_key: IAMUserGroupName
      parameter_value: "AzureADAutomationGroup"
    - parameter_key: AzureAdFederationAdminRoleName
      parameter_value: "AzureAdFederationAdminRole"
    - parameter_key: AzureAdFederationAssumeRoleName
      parameter_value: "AzureAdFederationAssumeRole"
  deploy_method: stack_set
  deployment_targets:
    organizational_units:
      - Core
      - infrastructure
      - workloads
  regions:
    - us-east-1
```

  4. Commit and push the changes, then monitor the stacks until deployment is complete.
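A manifest slip like the one above (a duplicated StackSet name, or the management-account template pointed at Organizational Units) is easy to miss in review and only surfaces once the pipeline runs. The following lint script is an added example, not code from the original post or from the Customizations for AWS Control Tower project; its rule set (account-targeted entries use the management template and need OrganizationId and SAMLProviderName, OU-targeted entries use the member template and need a ManagementAccountId that matches a management-account target) is an assumption drawn from the sample manifest. It works on the list of resources that yaml.safe_load would produce from manifest.yaml, here constructed inline.

```python
"""Lint the Azure AD federation StackSet entries of a Customizations for AWS Control Tower
manifest. Added example; the rule set is an assumption, not the project's own validation."""
MGMT_TEMPLATE = "templates/azuread-fed-management-account.yaml"
MEMBER_TEMPLATE = "templates/azuread-fed-member-account.yaml"
COMMON = {"IAMUserName", "IAMUserGroupName",
          "AzureAdFederationAdminRoleName", "AzureAdFederationAssumeRoleName"}

def lint(resources: list[dict]) -> list[str]:
    """Return findings; an empty list means the Azure AD entries are consistent."""
    findings, seen, mgmt_ids, member_refs = [], set(), set(), {}
    for r in resources:
        name, targets = r.get("name", "<unnamed>"), r.get("deployment_targets", {})
        params = {p["parameter_key"]: str(p["parameter_value"]) for p in r.get("parameters", [])}
        if name in seen:
            findings.append(f"{name}: duplicate StackSet name")
        seen.add(name)
        if "accounts" in targets:  # account-targeted entry: the management account
            mgmt_ids.update(str(a) for a in targets["accounts"])
            required, template = COMMON | {"OrganizationId", "SAMLProviderName"}, MGMT_TEMPLATE
        else:  # OU-targeted entry: member accounts
            member_refs[name] = params.get("ManagementAccountId")
            required, template = COMMON | {"ManagementAccountId"}, MEMBER_TEMPLATE
        if r.get("resource_file") != template:
            findings.append(f"{name}: expected resource_file {template}")
        findings += [f"{name}: missing parameter {k}" for k in sorted(required - params.keys())]
    for name, ref in member_refs.items():  # member entries must point at a real management account
        if ref and ref not in mgmt_ids:
            findings.append(f"{name}: ManagementAccountId {ref} is not a management-account target")
    return findings

def entry(name, template, params, targets):
    """Build one manifest entry in the parsed (dict) form yaml.safe_load would produce."""
    return {"name": name, "resource_file": template, "deploy_method": "stack_set",
            "parameters": [{"parameter_key": k, "parameter_value": v} for k, v in params.items()],
            "deployment_targets": targets, "regions": ["us-east-1"]}

# Constructed sample mirroring the article's manifest, with the slip in its second entry
# (name duplicated and the management-account template reused for member accounts).
BASE = {"IAMUserName": "AzureADAutomationUser", "IAMUserGroupName": "AzureADAutomationGroup",
        "AzureAdFederationAdminRoleName": "AzureAdFederationAdminRole",
        "AzureAdFederationAssumeRoleName": "AzureAdFederationAssumeRole"}
SAMPLE = [
    entry("azure-ad-federation-automation-management", MGMT_TEMPLATE,
          {**BASE, "OrganizationId": "o-aaa111bbb2222", "SAMLProviderName": "aad"},
          {"accounts": [111122223333]}),
    entry("azure-ad-federation-automation-management", MGMT_TEMPLATE,
          {**BASE, "ManagementAccountId": "111122223333"}, {"organizational_units": ["Core"]}),
]
```

Run `lint(SAMPLE)` to see the two findings for the flawed entry; running it as a pre-commit step on the real manifest (`lint(yaml.safe_load(open("manifest.yaml"))["resources"])`, or the bare list if your manifest version has no `resources` key) catches the problem before the pipeline deploys it.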

Configuring the Management Account

The management account is now equipped with the IAM user secrets required for Azure Active Directory provisioning. To configure Azure Active Directory provisioning for the management account, follow these steps:

  1. From the management account, log into the AWS Secrets Manager console.
  2. Navigate to the AzureADFederation/CFNUserSecretAccessKey secret and retrieve the stored secrets.
  3. In the Azure AD EA for the management account, ensure you follow the necessary steps to enable provisioning.
