cancel
Showing results for 
Search instead for 
Did you mean: 

Setting up SSO for AWS IAM or AWS Identity Center

shawnsong
Rising Star III
Rising Star III

I know the subject of this post may seem confusing at first, but rest assured, you will leave with a clear understanding of these concepts (hopefully).

Keep calm and read on 😉

What are these terms?

First thing first - let's clarify AWS IAM and AWS Identity Center:

  • AWS IAM - manage the permission and access for user / groups to AWS resources.
  • AWS Identity Center - manage resources in a similar way as above; AND it can be your IdP to setup SSO(SAML, OIDC, API, & SCIM) for accessing other applications.

But wait, there's more:

  • Both services supports login from external identity sources via SSO.
  • Additionally, AWS Identity Center supports SCIM to sync identities from external identity sources. 

Ok, let's dive into each one before things get messier, shall we?

 

Setup SSO for AWS IAM

Good for:

  • You have more than 1 AWS accounts.
  • Multiple teams require various different accesses to different AWS accounts and resources.
  • A relatively small engineering team with not-too-crazy people movements - less than 100 ideally. 

It looks like this conceptually:

shawnsong_1-1681454375146.png

Setting it up:

  • Follow this KB to setup SSO connector.
  • Now, we design and create the roles in AWS for reflecting the permissions you wanted to control:
    • i.e. I wanted to have an Admin role which has full access to all my AWS services and resources:shawnsong_2-1681455561539.png

       

    • And a role has access to EC2 only:shawnsong_3-1681455634063.png

       

    • Take note on the account name and ARN.
    • Do the same with a different account name for the other AWS accounts. 
  • Next, we "map" these roles in JC, as user groups, and bind the SSO connector to the groups too:shawnsong_4-1681455771379.png

     

  • Link the groups with the roles we created in AWS - i.e. for the admins on different accounts:shawnsong_5-1681455958075.png

    the attribute value looks like this: 

    arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:role/ROLE_NAME,arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:saml-provider/JumpCloud. 

     

Then, update the SSO connector you created initially, with these role names:shawnsong_6-1681456165301.png

  • Lastly, add the users to the groups you created respectively, it looks like this when users login:shawnsong_7-1681456542162.pngshawnsong_8-1681456591769.png

    The downside:

  • You will have to create new roles in AWS and map it with new user groups in JC every time there are additional new permissions to handle.
  • Delicate design and clear documentation are required - for maintaining and day-to-day operations.

How to address these ^ on a scale? Read on please. 

Setup SSO for AWS Identity Center

Good for:

  • You have more a ton of AWS accounts. 
  • Scattered and distributed engineering team across different geo locations and timezones, require various different accesses to different AWS accounts and resources.
  • Large engineering team in general - typically more than 100 people. 

 

It looks like this conceptually:

shawnsong_9-1681457734717.png

Setting it up:

  • Follow the KB here. 
  • Once the SCIM is up, similarly design the groups with different permission projections in JC, and bind the SSO connector  to these groups:shawnsong_10-1681457919449.png

     

  • Bind the users respectively to these groups.
  • Now go to AWS Identity center, these groups and users will be created accordingly via SCIM:shawnsong_11-1681458187677.png

     

  • Then, create the permission sets to define the boundaries of the permissions to your AWS resources:shawnsong_12-1681458281783.png

     

  • Assign the groups to respective AWS accounts - with the desired permission sets:shawnsong_13-1681458363800.png
  • Lastly, user from the JC groups login looks like this:shawnsong_14-1681458645103.png

    The downside:

  • You will need to get familiar with how AWS identity center works.
  • Keep monitoring the SCIM provisioning status between JC and AWS - if the account is not provisioned in Identity Center, user wont be able to login. 
  • Permission sets need deep understanding and delicate designs to avoid potential conflicts, or permission loopholes. 
  • Still have to assign the groups with permission sets for each account you have. 

Alright, that's it! I hope you have gained a clear understanding by reading this far. That's right; these are not black & white options to choose from. Both carry pros & cons and are suitable for different environments.

Happy designing, folks!

0 REPLIES 0