https://www.youtube.com/watch?v=-XARG9W2bGc
- SAML federation at scale
  - Automate onboarding
    - Allow a cross-account trust to create SAML providers w/ MFA from master/payer acct (15:47)
      - This allows bootstrapping new accounts by a small group of admins w/ real IAM accts or root acct
    - automate integrating each subaccount's SAML ID provider
    - automate deployment of subaccount IAM role & policies
    - automate deployment of central directory groups/structure
    - keep role definitions consistent across subaccounts
  - Recommendation is to name central directory groups AWS-aws-account-num-aws-iam-role in central directory
    - this allows smooth integration from SAML <-> IAM Roles across many accounts (explanation @ 26:00)
    - you can auto-generate a post-login page & embed URLs for assume role using this (23:51)
  - Use sts:assumeRole(+MFA) for CLI/API access (24:30)
  - Auditing federated accounts in CloudTrail for compliance (27:11)
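As an added illustration of the group naming convention above (example code, not from the talk or from Dow Jones): parse constructed directory group names of the form AWS-<account-num>-<iam-role>, emit the role ARN / provider ARN pair AWS expects in the SAML Role attribute, and build the console switch-role links for a post-login page, rejecting names that don't follow the pattern. The SAML provider name CorpIdP and the account numbers are assumed sample values.

```python
import re
from urllib.parse import urlencode

# Central-directory naming convention from the talk: AWS-<aws-account-num>-<aws-iam-role>.
# AWS account IDs are 12 digits; IAM role names allow [\w+=,.@-] and up to 64 chars.
GROUP_RE = re.compile(r"^AWS-(?P<account>\d{12})-(?P<role>[\w+=,.@-]{1,64})$")


def parse_group(name):
    """Return (account_id, role_name) for a conforming group name, else None."""
    m = GROUP_RE.match(name)
    if not m:
        return None
    return m.group("account"), m.group("role")


def saml_role_attribute(account_id, role_name, provider_name):
    """Value the IdP puts in the https://aws.amazon.com/SAML/Attributes/Role attribute."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def switch_role_url(account_id, role_name):
    """Console switch-role link, usable on an auto-generated post-login page."""
    q = urlencode({"account": account_id, "roleName": role_name,
                   "displayName": f"{account_id}/{role_name}"})
    return "https://signin.aws.amazon.com/switchrole?" + q


def build_role_map(group_names, provider_name):
    """Map each conforming group to its SAML attribute value and console URL; list rejects."""
    mapping, rejected = {}, []
    for g in group_names:
        parsed = parse_group(g)
        if parsed is None:
            rejected.append(g)  # non-conforming name: surface it instead of guessing
            continue
        acct, role = parsed
        mapping[g] = {"attribute": saml_role_attribute(acct, role, provider_name),
                      "url": switch_role_url(acct, role)}
    return mapping, rejected


# Constructed sample: two conforming groups, one non-numeric account, one missing a role.
SAMPLE_GROUPS = ["AWS-111111111111-ReadOnly", "AWS-222222222222-Developer",
                 "AWS-prod-Admin", "AWS-333333333333-"]

if __name__ == "__main__":
    ok, bad = build_role_map(SAMPLE_GROUPS, "CorpIdP")  # CorpIdP is an assumed provider name
    for g, v in ok.items():
        print(g, "->", v["attribute"])
    print("rejected:", bad)
```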
- Key Takeaways
  - Naming conventions are critical
  - Configuration should rely on patterns, not values
  - Think about traceability now
  - Tighter policies help reduce AWS account sprawl
  - Focus on workflow
  - Automate onboarding
- For more advanced integrations, use a custom identity broker (30:00)
  - Keep in mind Dow Jones' Nova service was created pre-SAML
    - Probably not necessary today
  - Possibilities for dynamic policy generation per project/env (44:00)
- Rationalizing SAML v. custom ID broker (46:00)
  - Existing federation investments?
  - What exists outside AWS?
  - Desired level of control v. involvement?
  - Competency & bandwidth for custom ops development?
  - SAML
    - Pro
      - Low barrier to entry
      - Federation beyond AWS
    - Con
      - Number of roles, groups
      - Additional automation to scale
    - Best for a balanced federation approach
  - Custom ID broker
    - Pro
      - Granular & contextual policies
      - Complete control
    - Con
      - Dev effort
      - Complex evaluations
    - Best for increased involvement, ultimate control, least privilege
  - Don't overanalyze; experiment & iterate.
  - Federation options aren't mutually exclusive
  - Evolve as needs evolve; use the simplest approach that fits your needs
- Resources, tools, code, slide deck (51:30)