Learn About Amazon VGT2 Learning Manager Chanci Turner
A common way to manage federated access to AWS resources is to map Microsoft Active Directory (AD) groups to IAM roles. The drawback is that this needs one AD group per account-and-role pair, so the number of groups grows as the product of your AWS accounts and the roles in each account, which quickly becomes an administrative burden.
Some organizations also have policies or tooling limits that cap the number of AD groups they can maintain, so they need a way to control access and automate user provisioning without creating a group for every role. This post walks through integrating AWS Identity and Access Management (IAM) with Microsoft Active Directory Federation Services (AD FS) using AD user attributes instead of groups, so federated access can be granted without adding to the total number of AD groups.
Prerequisites
Before you begin, ensure you have the following prerequisites in place:
- A working AD domain and an AD FS server.
- A SAML identity provider (IdP) created in IAM in each AWS account, using the federation metadata XML file from your AD FS server.
- The IAM roles that federated users will assume, each with a trust policy that allows sts:AssumeRoleWithSAML from that identity provider.
Once these prerequisites are met, you can move on to configuring your AD users and the AD FS server.
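As an added example (not part of the original post), the following AWS Tools for PowerShell script creates the IAM side of the prerequisites in one account: the SAML identity provider built from the AD FS federation metadata, and the two roles used later in this post with a trust policy restricted to that provider and to the AWS sign-in audience. The account number, the provider name ADFS, the metadata file path and the managed policies attached to each role are assumptions for illustration.

```powershell
# Added example, not the post's own code. Assumes the AWS.Tools.IdentityManagement
# module is installed, the caller has IAM permissions, and FederationMetadata.xml was
# downloaded from https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml.
Import-Module AWS.Tools.IdentityManagement

$AccountId    = "111122223333"   # assumed account
$ProviderName = "ADFS"           # must match the saml-provider name the AD FS claim rule emits

# 1. Register AD FS as a SAML identity provider in IAM.
$metadata    = Get-Content -Path ".\FederationMetadata.xml" -Raw
$providerArn = New-IAMSAMLProvider -Name $ProviderName -SAMLMetadataDocument $metadata
"Created provider $providerArn"   # arn:aws:iam::111122223333:saml-provider/ADFS

# 2. Trust policy: only assertions issued by this provider, and only assertions whose
#    audience is the AWS sign-in endpoint (SAML:aud), may assume the role. Without the
#    audience condition an assertion minted for a different relying party could be replayed.
$trustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::$AccountId:saml-provider/$ProviderName" },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": { "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" } }
    }
  ]
}
"@

# 3. Create the two roles the post uses and attach a permissions policy to each
#    (the managed policies chosen here are illustrative).
$roles = @{
  "AWS-Dev"      = "arn:aws:iam::aws:policy/PowerUserAccess"
  "AWS-ReadOnly" = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
foreach ($roleName in $roles.Keys) {
  New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $trustPolicy -MaxSessionDuration 3600 | Out-Null
  Register-IAMRolePolicy -RoleName $roleName -PolicyArn $roles[$roleName]
}

# 4. Check: IAM stores the trust policy URL-encoded; decode it and confirm that the
#    audience condition survived.
$stored = (Get-IAMRole -RoleName "AWS-ReadOnly").AssumeRolePolicyDocument
$aud = ([System.Uri]::UnescapeDataString($stored) | ConvertFrom-Json).Statement |
  ForEach-Object { $_.Condition.StringEquals.'SAML:aud' }
if ($aud -ne "https://signin.aws.amazon.com/saml") { throw "Trust policy is missing the SAML:aud condition" }
"Trust policy audience: $aud"
```

Repeat the script in each account that federated users should reach (444455556666 in this post), keeping the provider name identical everywhere, because the AD FS claim rule builds the provider ARN from a single fixed name.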
Solution Overview
Your AD and AD FS setup should match the architecture in the diagram. This guide concentrates on the AD user objects and on the claim rules in the AD FS server, which determine which users can sign in to the AWS Management Console through AD FS and which roles they are offered.
Consider an AD user named Alex. Alex browses to the AD FS sign-in page and is authenticated against AD; on a domain-joined workstation integrated Windows authentication may sign him in silently, otherwise he is prompted for his AD credentials. After authentication, AD FS returns a SAML assertion to Alex's browser. The claim rules populate that assertion with the AWS Role and RoleSessionName attributes, derived either from his AD group memberships or, in this solution, from his user attributes.
Alex's browser posts the SAML assertion to the AWS sign-in endpoint. AWS validates the assertion against the IAM identity provider, calls the AssumeRoleWithSAML API to obtain temporary security credentials for the selected role, builds a sign-in URL for the AWS Management Console, and redirects Alex to it.
Deploying the Solution
A. Configuring AD User Accounts
The first step is to set up the AD user accounts since the AD user attributes contain all the relevant AWS account and role data for this solution.
To modify user attributes in an AD user account:
- Open the Active Directory Users and Computers console and enable Advanced Features from the View menu so that the Attribute Editor tab is visible.
- Open Alex's account and edit an attribute on the Attribute Editor tab. I recommend the 'url' attribute because it is a multi-valued string, so one value per account-and-role pair fits naturally. If you pick a different attribute, adjust the AD FS claim rules to match. Bear in mind that whoever can write this attribute can grant AWS access, so restrict write permission on it as carefully as you would group membership.
- Alex has access to two AWS accounts: 111122223333 and 444455556666, each with two roles: AWS-Dev and AWS-ReadOnly. I configured Alex’s ‘url’ attribute with the corresponding values:
- AWS-111122223333-Dev
- AWS-111122223333-ReadOnly
- AWS-444455556666-Dev
- AWS-444455556666-ReadOnly
Alex also needs an email address in the 'mail' attribute; the claim rules use it as the role session name when he signs in to the AWS Management Console. The session name is recorded in AWS CloudTrail as part of the assumed-role session ARN in each event's userIdentity, so a unique value such as an email address makes each federated user's actions easy to trace. Role session names must be 2 to 64 characters drawn from [\w+=,.@-], which a typical email address satisfies.
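The same configuration can be scripted instead of typed into the Attribute Editor. This added example (not from the original post) uses the ActiveDirectory module to validate the values against the shape the claim rules expect, write Alex's 'url' and 'mail' attributes, and read them back as AD FS will see them; the sAMAccountName alex and the address alex@example.com are assumed.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory (RSAT) module is
# installed and the caller may write user attributes. 'alex' and the mail address are assumed.
Import-Module ActiveDirectory

$User  = "alex"
$Roles = @(
  "AWS-111122223333-Dev",
  "AWS-111122223333-ReadOnly",
  "AWS-444455556666-Dev",
  "AWS-444455556666-ReadOnly"
)

# Refuse values the claim rule will not match: the AWS- prefix, exactly 12 digits of
# account number, then a role name made only of characters IAM accepts. A typo here would
# otherwise either grant nothing silently or name a different role than intended.
$Pattern = '^AWS-\d{12}-[\w+=,.@-]+$'
$bad = $Roles | Where-Object { $_ -notmatch $Pattern }
if ($bad) { throw "Rejected url values: $($bad -join ', ')" }

# -Replace sets the multi-valued attribute to exactly this list. Use -Add / -Remove for
# incremental changes on an account that already has values.
Set-ADUser -Identity $User -Replace @{ url = $Roles; mail = "alex@example.com" }

# Read back what AD FS will obtain from its ';url;{0}' and ';mail;{0}' attribute-store queries.
$u = Get-ADUser -Identity $User -Properties url, mail
"mail : $($u.mail)"
$u.url | ForEach-Object { "url  : $_" }
```

Removing a role from Alex is then a matter of removing one value (`Set-ADUser alex -Remove @{ url = "AWS-444455556666-Dev" }`) rather than deleting him from a group, and a periodic `Get-ADUser -Filter { url -like "AWS-*" } -Properties url` gives an inventory of who holds AWS access.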
Now that Alex’s account is configured, the next step is to set up the AD FS server claim rules.
B. Configuring AD FS Claim Rules
Below I describe the Windows PowerShell approach for your AD FS server. The same script can handle both the conventional method based on AD groups and the attribute-based claim rules described here. If you use the AD group method, the groups must follow the naming convention AWS-YourAccountNumber-YourRoleName so that the claim rules can parse the account number and role name out of the group name.
To configure the AD FS claim rules:
- Open the AD FS Management console.
- Expand Trust Relationships and select Relying Party Trusts so you can watch the new trust appear.
- Run the Windows PowerShell script from an elevated session on the AD FS server, because the AD FS cmdlets require administrator rights. The script also writes a log file you can consult afterwards.
When the script finishes, confirm that a new relying party trust for Amazon Web Services exists in your AD FS configuration.