Improve your AWS user management and security with AWS IAM Identity Center (SSO)
I have seen a lot AWS environments and noticed that it is very common that companies use AWS IAM users to log in and access the API. This can cause security issues and is time-consuming to manage but is very easy to improve by setting up AWS IAM Identity Center (Successor to AWS Single Sign-On).
Why should you use AWS IAM Identity Center?
AWS IAM users are directly tied to a specific account this means that if you have multiple accounts you have to set up IAM users for all these accounts separately. With multiple accounts this becomes time-consuming very quickly and even poses a security risk. For example, if an employee leaves the company and the admin has to remove the IAM users for each and every account he/she could very easily forget to remove one of them leaving the left employee with access to the account.
Also with the use of IAM users your console session will be active for 12 hours, which in my opinion way too long. In those 12 hours a malicious actor can get hold of the sessions tokens and access the account.
Another huge downside of using IAM users is when you generate AWS credentials (access key and secret) for programmatic access the credentials are long-lived until you manually revoke them. This can cause huge security issues if these credentials get leaked. Here you can read more about what happens if you leak AWS credentials What happens when you leak AWS credentials and how AWS minimizes the damage
All these risks can be mitigated by using AWS IAM Identity Center (Successor to AWS Single Sign-On).
AWS IAM Identity Center
By using AWS IAM Identity Center you mitigate all the above-mentioned risks. User management becomes centralized removing the need to manage IAM users for every account. Users using the AWS IAM Identity Center can both access the console and get an AWS access key and secret for programmatic access through the AWS access portal. To increase security you can set up the session duration between 15 minutes and 7 days and even revoke sessions that are no longer needed or look suspicious.
External identity providers
AWS IAM Identity Center supports external identity providers like Azure AD and Okta to log in to the AWS access portal. By using an external identity provider you improve user management, because if a user is removed from the external identity provider it is automatically removed from AWS. This makes management easier and more secure.
Read more about External Identity Provider integration here: Connect to an external identity provider
How to set up IAM Identity Center
Setting up IAM Identity Center is easy to do, and it can be enabled without interrupting the existing IAM users. AWS created well written documentation about the set-up process, so I won’t explain that here. See AWS IAM Identity Center (successor to AWS Single Sign-On): Getting started
Important to remember that after switching to AWS IAM Identity Center (SSO) you disable and remove the IAM users.
By using IAM Identity Center you increase security with the use of short-lived sessions and centralized user management. By connecting an External identity provider like Azure AD you can even automate this process.