Project 1: Manage Users and Access Through AWS IAM Identity Center
The IT manager of your new organization wants you to make it easy for the organization's workforce to access resources in multiple AWS accounts. The organization has five AWS accounts: a master account (called MasterAcct), two developer accounts (DevAccount1 and DevAccount2), and two production accounts (ProdAccount1 and ProdAccount2).
The organization has been using IAM (AWS Identity and Access Management) to federate its workforce into accounts and business applications. Now, management has decided to define federated access permissions for their users based on their group memberships in a single centralized directory.
As the new admin, you are asked to implement this in your environment, making sure that everything is in line with security best practice. Example: Asya and Rayan, who are developers, have just joined the organization and are expected to have full access to Amazon EC2 and Amazon S3 in the developer accounts (DevAccount1 and DevAccount2) and read-only access to EC2 and S3 resources in the production accounts (ProdAccount1 and ProdAccount2). How do you handle this?
Project Introduction
Note: Human users, also known as human identities, are the people, administrators, developers, operators, and consumers of your applications. They must have an identity to access your AWS environments and applications. Human users that are members of your organization are also known as workforce identities. Human users can also be external users with whom you collaborate, and who interact with your AWS resources. They can do this via a web browser, client application, mobile app, or interactive command-line tools.
AWS Terminology
Let's first define a few key AWS terms that are vital to the subject matter. These definitions are taken directly from AWS.
Account
An AWS account is a container of AWS resources. Using multiple AWS accounts is a best practice for scaling environments, as it provides a natural billing boundary for costs, isolates resources for security, gives flexibility for individuals and teams, in addition to being adaptable for new business processes.
Organization
An AWS Organization is a collection of AWS accounts that can be organized into a hierarchy and managed centrally. Organizations help to programmatically create new accounts and allocate resources, and simplify billing by setting up a single payment method for all accounts. In addition, AWS Organizations is integrated with other AWS services so admins can define central configurations, security mechanisms, and resource sharing across accounts.
User
An AWS user is an AWS identity created directly in the AWS IAM or AWS IAM Identity Center admin console that consists of a name and credentials.
Federated User
A federated user is a user identity that is created in and centrally managed and authenticated by an external identity provider. Federated users assume a role when accessing AWS accounts.
Group
A group is a collection of users. Groups let admins specify permissions for multiple users, which can make it easier to manage the permissions. Any user in that group automatically has the permissions that are assigned to the group. Any user removed from the group will lose those permissions. For instance, if Bob places a new employee into the Engineering group, which has access to the Lambda and DynamoDB production account, then the new employee will also be granted access to the resources in that account.
Role
A role is similar to a user in that it is an AWS identity with permissions and policies that determine what the identity can and cannot do in an AWS account. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when a user assumes a role, it provides them with a set of temporary security credentials for that session. Admins can use roles to delegate access to users, applications, or services that don't normally have access to those AWS resources.
AWS IAM Identity Center Permission Set
A permission set defines the level of access a user has to AWS resources within an AWS account. For Bob, once he provides access to the necessary accounts in AWS IAM Identity Center, he can use predefined or custom permission sets to control the level of access.
What Is AWS IAM?
AWS Identity and Access Management enables admins to securely manage access to AWS services and resources within an AWS account for what it calls "entities": IAM users created from the AWS IAM admin console, federated users, application code, or another AWS service. Admins can create and manage AWS users and groups directly, and use permissions to allow and deny their access to AWS resources. Admins create roles to manage access for all other entities.
What Is AWS IAM Identity Center?
AWS IAM Identity Center also manages access to AWS services and resources. The difference between AWS IAM and AWS IAM Identity Center is that the latter manages access for all AWS accounts within an AWS Organization, as well as access to other cloud applications, e.g., Salesforce. AWS IAM Identity Center includes a user portal where end users can find and access their assigned AWS accounts, cloud applications, and custom applications in one place.
AWS IAM Identity Center is a cloud service that allows you to grant your users access to AWS resources, such as Amazon EC2 instances, across multiple AWS accounts. By default, AWS IAM Identity Center now provides a directory that you can use to create users, organize them in groups, and set permissions across those groups. You can also grant the users that you create in AWS IAM Identity Center permissions to applications such as Salesforce, Box, and Office 365. AWS IAM Identity Center and its directory are available at no additional cost to you.
If you follow best practices, you are not managing IAM users and groups. Instead, your users and groups are managed outside of AWS and are able to access AWS resources as a federated identity. A federated identity is a user from your enterprise user directory, a web identity provider, the AWS Directory Service, the Identity Center directory, or any user that accesses AWS services by using credentials provided through an identity source. Federated identities use the groups defined by their identity provider, and to access an account, they have to assume a role by
A directory is a key building block that allows you to manage the users to whom you want to grant access to AWS resources and applications. AWS Identity and Access Management (IAM) provides a way to create users that can be used to access AWS resources within one AWS account. However, many businesses prefer an approach that enables users to sign in once with a single credential and access multiple AWS accounts and applications. You can now create your users centrally in AWS IAM Identity Center and manage user access to all your AWS accounts and applications. Your users sign in to a user portal with a single set of credentials configured in AWS IAM Identity Center, allowing them to access all of their assigned accounts and applications in a single place.
Walk-through prerequisites
To follow along with the walk-through, make sure the following are in place:
IAM Identity Center is set up differently in different environments, e.g. with Active Directory or an external IdP, AWS Organizations, IAM roles, next-generation firewalls and secure web gateways, etc. Based on our case, we will set up IAM Identity Center for AWS Organizations.
Note: Your AWS account must be managed by AWS Organizations. If you haven't set up an organization, you don't have to. When you enable IAM Identity Center, you will choose whether to have AWS create an organization for you. If you've already set up AWS Organizations, make sure that all features are enabled.
Sign in to the AWS Management Console with your AWS Organizations master account credentials. To learn more about AWS Organizations and master accounts, see the AWS Organizations FAQs.
To make it easy for the organization's workforce to access resources in multiple AWS accounts, or in other words, to define federated access permissions for their users based on their group memberships in a single centralized directory, we will use AWS IAM Identity Center (successor to AWS Single Sign-On), which is one of the AWS tools to manage access to the accounts and permissions within Organizations.
To illustrate how to handle this, we are going to do the following:
Add users and groups in AWS IAM Identity Center by configuring their email address and name. When you create a user, AWS IAM Identity Center sends an email to the user by default so that they can set their own password. Your users will use their email address and the password they configure in AWS IAM Identity Center to sign in to the user portal and access all of their assigned accounts and applications in a single place. Based on our example, we will add users Asya and Rayan in AWS IAM Identity Center by configuring their names and email addresses, add a group called Developers in AWS IAM Identity Center, and add Asya and Rayan to the Developers group.
Create permission sets: Create two permission sets. In the first permission set, include policies that give full access to Amazon EC2 and Amazon S3. In the second permission set, include policies that give read-only access to Amazon EC2 and Amazon S3.
Assign groups to accounts and permission sets: Assign the Developers group to the developer accounts and assign the permission set that gives full access to Amazon EC2 and Amazon S3. Assign the Developers group to the production accounts, too, and assign the permission set that gives read-only access to Amazon EC2 and Amazon S3. Asya and Rayan now have full access to Amazon EC2 and Amazon S3 in the developer accounts and read-only access in the production accounts.
Users sign in to the User Portal to access accounts: Martha and Richard receive email from AWS to set their passwords with AWS IAM Identity Center. Martha and Richard can now sign in to the AWS IAM Identity Center User Portal using their email addresses and the passwords they set with AWS IAM Identity Center, allowing them to access their assigned AWS accounts.
Step 1: Add users and groups in AWS IAM Identity Center
To add users in AWS IAM Identity Center, navigate to the AWS IAM Identity Center console. Then, follow the steps below to choose an identity source, add Asya as a user, create a group called Developers, and add Asya to the Developers group in AWS IAM Identity Center.
In the AWS IAM Identity Center Dashboard, click on Choose your identity source (Step 1).
Figure 1: choose your identity
On the console that opens, click on Actions, then on Change identity source.
Figure 2: change identity source
Finally, check Identity Center directory if it is not checked yet. If you want to use Active Directory as your source, check that box instead.
Figure 3: select identity source
By default, AWS IAM Identity Center provides you a directory that you can use to manage users and groups in AWS IAM Identity Center. To add a user in AWS IAM Identity Center, go back to the IAM Identity Center console and click on Users, found directly under Dashboard at the upper far left; then go to the far right-hand side and click on Add user.
On the Add User page, enter an email address, first name, and last name for the user, then create a display name. In this example, you're adding "Asya Alexa" as a user. For the password, choose Send an email to the user with password instructions. This allows users to set their own passwords. Optionally, you can also set a mobile phone number and add additional user attributes.
Figure 4: Add user
Next, you're ready to add the user to groups. First, you need to create a group. Later, in Step 3, you can grant your group permissions to an AWS account so that any users added to the group will inherit the group's permissions automatically.
In this example, you will create a group called Developers and add Asya to the group. To do so, from the Add user to groups page, choose Create group.
In the Create group window, title your group by filling out the Group name field. For this example, enter Developers. Optionally, you can also enter a description of the group in the Description field. Choose Create to create the group.
On the Add users to group page, check the box next to the group you just created, and then choose Add user. Following this process will allow you to add Martha to the Developers group.
Figure 4: Add user
Note: When you add a user, they receive an email with a link to set up a password and instructions to connect to the AWS access portal. The link will be valid for up to 7 days. You can grant this user permissions to accounts or applications so that they can access their assigned AWS accounts and cloud applications when they sign in to the AWS access portal.
You've successfully created the user Martha and added her to the Developers group. You can repeat sub-steps 2, 3, and 6 above to create more users and add them to the group. This is the process you should follow to create the user Rayan and add him to the Developers group.
Next, you'll grant the Developers group permissions to AWS resources within multiple AWS accounts. To follow along, you'll first need to create permission sets.
Step 2: Create permission sets
To grant user permissions to AWS resources, you must create permission sets. A permission set is a collection of administrator-defined policies that AWS IAM Identity Center uses to determine a user's permissions for any given AWS account. Permission sets can contain either AWS managed policies or custom policies that are stored in AWS IAM Identity Center. Policies contain statements that represent individual access controls (allow or deny) for various tasks. This determines what tasks users can or cannot perform within the AWS account. To learn more about permission sets, see Permission Sets.
For this use case, you'll create two permission sets: EC2AndS3FullAccess, which has the AmazonEC2FullAccess and AmazonS3FullAccess managed policies attached, and EC2AndS3ReadAccess, which has the AmazonEC2ReadOnlyAccess and AmazonS3ReadOnlyAccess managed policies attached. Later, in Step 3, you can assign groups to these permission sets and AWS accounts, so that your users have access to these resources. To learn more about creating permission sets with different levels of access, see Create Permission Sets.
Follow the steps below to create permission sets:
Navigate to the AWS IAM Identity Center console and, under Multi-account permissions on the left-hand navigation menu, click on Permission sets.
On the new tab that opens, click on Create permission set. See the picture below.
Creating a permission set
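The two permission sets from Step 2 together with the group-to-account assignments planned for Step 3, as an added example that is not part of the original walk-through or of AWS's own documentation: a Python script that emits the equivalent CloudFormation template (the AWS::SSO::PermissionSet and AWS::SSO::Assignment resource types) and then resolves which managed policies the Developers group ends up with in each account, so the read-only-in-production intent can be checked before deployment. The instance ARN, group ID and account IDs are constructed placeholders.

```python
# Constructed placeholders: substitute your Identity Center instance ARN, the
# Developers group ID from the Identity Center directory, and real account IDs.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"
DEVELOPERS_GROUP_ID = "PLACEHOLDER-GROUP-ID"
ACCOUNTS = {  # account name -> (account ID, permission set to assign)
    "DevAccount1": ("111111111111", "EC2AndS3FullAccess"),
    "DevAccount2": ("222222222222", "EC2AndS3FullAccess"),
    "ProdAccount1": ("333333333333", "EC2AndS3ReadAccess"),
    "ProdAccount2": ("444444444444", "EC2AndS3ReadAccess"),
}
# The two permission sets from Step 2, built only from AWS managed policies.
PERMISSION_SETS = {
    "EC2AndS3FullAccess": ["AmazonEC2FullAccess", "AmazonS3FullAccess"],
    "EC2AndS3ReadAccess": ["AmazonEC2ReadOnlyAccess", "AmazonS3ReadOnlyAccess"],
}


def build_template(accounts=ACCOUNTS, group_id=DEVELOPERS_GROUP_ID):
    """Return a CloudFormation template (as a dict) covering Step 2 and Step 3."""
    resources = {}
    for ps_name, policies in PERMISSION_SETS.items():
        resources[ps_name] = {"Type": "AWS::SSO::PermissionSet", "Properties": {
            "InstanceArn": INSTANCE_ARN, "Name": ps_name,
            "SessionDuration": "PT1H",  # short sessions bound the life of leaked temporary credentials
            "ManagedPolicies": [f"arn:aws:iam::aws:policy/{p}" for p in policies],
        }}
    for acct_name, (acct_id, ps_name) in accounts.items():
        # One assignment per account: the Developers group gets exactly one permission set there.
        resources[f"Developers{acct_name}"] = {"Type": "AWS::SSO::Assignment", "Properties": {
            "InstanceArn": INSTANCE_ARN,
            "PermissionSetArn": {"Fn::GetAtt": [ps_name, "PermissionSetArn"]},
            "PrincipalType": "GROUP", "PrincipalId": group_id,
            "TargetType": "AWS_ACCOUNT", "TargetId": acct_id,
        }}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def effective_policies(template, account_id):
    """Managed policy names the group receives in one account, resolved from the template."""
    res = template["Resources"]
    names = []
    for r in res.values():
        p = r["Properties"]
        if r["Type"] == "AWS::SSO::Assignment" and p["TargetId"] == account_id:
            ps = res[p["PermissionSetArn"]["Fn::GetAtt"][0]]
            names += [arn.rsplit("/", 1)[1] for arn in ps["Properties"]["ManagedPolicies"]]
    return names
```

Run effective_policies for each production account ID before deploying the template; any FullAccess policy name in that list means an assignment points at the wrong permission set.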
Mitigating Common Web Application Attack Vectors Using AWS WAF
Welcome to Home Depot! You have just joined the team and your first task is to enhance security for the company website. The site runs on Linux, PHP and Apache and uses an EC2 Auto Scaling group behind an Application Load Balancer (ALB). After an initial architecture assessment you have found multiple vulnerabilities and configuration issues. The dev team is swamped and will not be able to remediate code-level issues for several weeks. Your mission in this workshop round is to build an effective set of controls that mitigate common attack vectors against web applications, and provide you with the monitoring capabilities needed to react to emerging threats when they occur.
Project Introduction
Scaling your encryption at rest capabilities with AWS KMS
Problem statement
As a new security architect for the Amazon Web Services environment within your firm, you receive a request from your governance and compliance department asking you to review and demonstrate privacy controls for data stored in AWS.
Reviewing the results of your Well-Architected review to protect data at rest, you discover that while your company enabled encryption in some areas, the configuration parameters are inconsistent. Additionally, your governance, compliance, and audit team asked you to provide a report on data consumers.
Working with your Amazon Web Services architects, you identify several focus areas:
Logging and archival. Some CloudTrail logs can contain production data. You need to ensure the controls applied to CloudTrail logs can meet the privacy controls.
Privacy and security of data at rest for EC2 instances and data backups of those instances.
Privacy and security of data for higher-level services like RDS.
The recommendation
AWS Security specialists recommended using encryption as a secondary access control to your data to enhance your data privacy and security posture.