Just-in-Time Least Privileged Access to AWS Administrative Roles with Okta and AWS Identity Center  

By Walter Goulet, Sr. Product Manager – Okta
By Grey Thrasher, Sr. Technical Marketing Manager – Okta
By Nitin Kulkarni, Sr. Identity Solutions Architect – AWS
By Laura Reith, Identity Solutions Architect – AWS

Okta

Limiting human access to cloud resources is a key element of an effective security strategy. Although modern cloud architectures strive to eliminate the necessity for human access, there are still some scenarios where it is essential.

For example, developers may need to troubleshoot application latency within a production environment. Amazon Web Services (AWS) provides a rich set of tools and capabilities for managing access, including AWS Identity and Access Management (IAM), which provides fine-grained access control, and AWS IAM Identity Center, which makes it easy to manage access across your entire organization.

However, in some sensitive environments organizations may want to reduce persistent human access and instead use just-in-time (JIT) access, where users are granted temporary access to resources to perform a specific task, after which access is revoked.

In this post, we will show how AWS customers can leverage Okta Access Requests and AWS IAM Identity Center to provide just-in-time access to cloud resources.

Okta is an AWS Partner and leading independent provider of identity for the enterprise. Okta hold AWS Competencies in Security, Digital Workplace, and Government, and is an AWS Marketplace Seller.

Just-in-Time Model as a Layer of Defense

Granting just-in-time access to developers for a limited time based on approval is an effective way to limit the active time frame for assignments to your AWS resources. This access pattern acts as an additional layer of defense for sensitive production environments.

Okta’s integration with IAM Identity Center enables customers to use their Okta identities to access AWS by provisioning Okta users and groups which are assigned to AWS accounts via permission sets. Okta Access Requests are used to assign membership to these groups for a limited time only after an approval.

Figure 1 – Just-in-time solution powered by Okta Access Requests.

Prerequisites

• Okta account with Okta’s IAM Identity Center application.
• AWS IAM Identity Center-enabled account. For more information, see how to enable IAM Identity Center.
• Okta as an identity provider (IdP) for IAM Identity Center as described in How to Configure SAML 2.0 for IAM Identity Center.
• Test person (user) in Okta as described in Add Users Manually.

Step-by-Step Configuration

In the steps below, you will create configurations to enable Okta Access Requests for automatic assignment of users to groups based on approval.

In the example scenario, the roles could correspond to different job functions within your organization. For example, the “AWS EC2 Admin” role could correspond to a DevOps on-call site reliability engineer (SRE) lead, whereas the “AWS EC2 Read Only” role may apply to members of your development team.

Step 1: Set Up Groups Representing Different Privilege Levels

Create four groups in Okta which represent privilege levels your employees can request for access to AWS console.

1. Sign in to the Okta Administration console.
2. Click on Directory > Groups.
3. Select Add group:
   • In the Name field, enter AWS Users.
   • In the Description field, enter Users assigned to AWS.

Note that using the same Okta group for both assignments and group push is not supported currently. This is done to maintain consistent group memberships between Okta and AWS IAM Identity Center.

4. Repeat Steps 1-3 to create three more groups, replacing the Name and Description field with the following:
   • Group 1:
     • Name: AWS Admin All
     • Description: AWS administrators
   • Group 2:
     • Name: AWS EC2 Admin
     • Description: AWS EC2 administrator permissions
   • Group 3:
     • Name: AWS EC2 Read Only
     • Description: AWS EC2 read-only permissions

Step 2: Enable Automatic Provisioning of Groups Using SCIM Protocol

To enable automatic provisioning of the groups you created from Okta to IAM Identity Center, follow Steps 1-2 described in this documentation.

Step 3: Assign Access for Groups in Okta

1. Configure the assignments of groups you created:
   • Select the Assignments tab.
   • Click the Assign button and select Assign to Groups.
   • Click Assign next to the AWS Users group you created previously.
   • Select Save and Go Back, and then choose Done. This starts the process of provisioning the users in the group into IAM Identity Center.
   • Choose the Push Groups tab and select Find groups by name.
   • Enter AWS in the text field, and select AWS EC2 Admin.
   • Choose Save & Add Another.
   • Repeat the process to add the AWS EC2 Read Only, AWS Admin All, and AWS EC2 Admin groups. Choose Save when adding the last group.

At this point, the Okta Push Groups (AWS Admin All, AWS EC2 Admin and AWS EC2 Read Only) will exist in IAM Identity Center.

Step 4: Create Permission Sets in IAM Identity Center

1. Open the IAM Identity Center console.
2. Under Multi-account permissions, choose Permission sets.
3. Choose Create permission set.
4. On the Select permission set type page, under Permission set type, select Custom permission set, and then click Next.
5. On the Specify policies page, expand AWS managed policies.
6. Search for and choose AmazonEC2FullAccess policy, and then click Next.
7. On the Specify permission set details page, do the following:
   • Under Permission set name, type EC2AdminAccess.
8. Click Next.
9. On the Review and create page, review the selections, and choose Create.

Step 5: Assign Group Access in Your AWS Organization

1. In the navigation pane, under Multi-account permissions, choose AWS accounts.
2. On the AWS accounts page, select the check box next to one or more AWS accounts to which you want to assign access.
3. Choose Assign users or groups.
4. On the Groups tab, select AWS EC2 Admin and click Next
5. On the Assign permission sets to “AWS-account-name” page, select the EC2AdminAccess permission set.
6. Check that the correct permission set was selected, and choose Next.
7. On the Review and submit assignments to “AWS-account-name” page, check that the correct group and permission set are selected, and choose Submit.

Repeat these steps for the other groups: AWS Admin All and AWS EC2 Read Only.

Note that for AWS Admin All, you can use a Predefined permission set and select AdministratorAccess. For AWS EC2 Read Only, use a Custom permission set and select AmazonEC2ReadOnlyAccess.

Step 6: Configure Okta Identity Governance Access Requests

Now, let’s configure Okta Identity Governance Access Requests to allow users to request access to these groups and permission sets.

1. Sign in to the Okta Admin console.
2. Navigate to Applications > Applications and choose Okta Access Requests.
3. In the Push Groups tab, click the Push Groups button and select Find groups by name.
4. Enter AWS and select AWS Users, and then click Save.

In the following steps, you’ll configure the Access Request workflow for your AWS application in Okta.

Before creating this workflow in Okta Access Requests, you need to first configure an Okta resource list. This allows your team to control the specific options available to users as a request gets processed. After that, you can configure the Access Request, including the resource list as an option.

1. Navigate to Identity Governance > Access Requests, and select Settings.
2. In the Configuration lists tab, select the Create a new list button, and enter the following:
   • List Name: AWS Accesses
   • Teams: Select Access Request Team for your User (example: select the default IT Team, or create a new Team)
   • List Type: Resource list
   • Resource type: Okta Groups
3. Click Add item.
4. Type AWS in the search field, and select AWS Admins, AWS EC2 Admin, and AWS EC2 Read Only.
5. Click Create list.

Figure 2 – Create new list window.

In the following steps, you’ll create the Access Request type/flow and specify which users are allowed to request access, what input they will need to provide, and the logic to route the Request.

In this specific Access Request, users in the AWS Users Group will be able to submit their requests, which will ask the user to select the AWS permission set they need. Access will be granted for a limited timeslot.

1. On the left hand-side navigation panel, select Access Requests.
2. Click Create request type.
3. Enter the following on the Request Type Details form:
   • Name: AWS Access
   • Description: Request privileged access to AWS
   • Team: Select the Access Request Team you’d like to have administered these requests. For this example, you can use the default team: IT.
   • Audience: Select an Okta group > AWS Users
4. Click Continue.

Figure 3 – Request Type Details form.

5. In the Question step, click the Add to request type button:
   • In the Text field, type Which Access do you need?
   • In the Type drop-down, select Dropdown.
   • Select Configuration items > AWS Accesses.
   • Ensure Assigned to is set to Requester.

Figure 4 – Question window.

6. Select Task in the toolbar at the bottom of the request designer:
   • In the Text field, enter Assign AWS Permission.
   • In the Type drop-down, select Add user to a group.
   • Enable Run automatically.
   • In the Email address field, select Requester email.
   • In the Select the group field, select Which Access do you need? This will use the group selected from the first field.
7. Click Add a time limit:
   • Leave the Timer type set to End after duration.
   • Select minutes from the How long drop-down and enter 30. Note that you can reduce the duration here for faster testing scenarios.
8. Click Continue, and then select Edit logic. This brings you to the Logic tab. Logic is used to determine when/where to route the request in the flow.

Figure 5 – Request designer window toolbar.

9. In the drop-down, select Only show this task if.
10. SelectWhich Access do you need, and in the next drop-down select is not empty.

Figure 6 – Logic tab.

11. On the upper right menu, click Publish. Note that this may say Update if a copy has already been published.

Figure 7 – Request designer window.

Test the Configuration

Now, assign the user to a group:

1. Sign into the Okta Admin console.
2. Navigate to Directory > Groups, and select AWS Users.
3. Click on Assign people, and then click the plus (+) sign next to your test user.

To test with the assigned user, use either a different browser or a private window:

1. Use the user from Step 3 to sign into the Okta dashboard.
2. Select the Okta Access Requests app.
3. Choose Request access for AWS Access.
4. On the Which Access do you need? drop-down, select AWS EC2 Read Only.
5. Click Submit new request.

Once the Assign AWS Permission step completes, you’ll see the status changed to Completed: Assign AWS Permission.

In this walkthrough, the approval is set to be automatic. However, you can configure it so specific members of your company need to first approve the request before the access takes effect. To learn more about this configuration, check the Okta help site.

Now, you can go back to the Okta dashboard:

1. Select the AWS IAM Identity Center app.
2. Click the AWS Account tile in the IAM Identity Center page.
3. Expand the associated AWS Account and confirm the EC2ReadOnly permission set has been granted.

Figure 8 – AWS IAM Identity Center dashboard.

4. Close the AWS tab. Wait for the access to be revoked which we’ve set to 30 minutes in this example. Note that as a member of the Access Request Team, the time out can be forced to end.
5. Click on the AWS IAM Identity Center app in the Okta dashboard and notice the EC2ReadOnly permission set has been revoked.

Conclusion

Leveraging Okta’s integration with AWS reduces the need for persistent access assignments and ensures access is granted just in time to perform specific operational function and is then automatically revoked.

With this solution, you can have empty user groups assigned to highly-privileged AWS permissions, so there are no standing permissions associated with the users that belong to these groups.

Okta Access Requests, using an approval workflow, controls when users are added to these privileged user groups and how long they are members of the group, once added.

To learn more, visit AWS IAM Identity Center or Okta’s documentation. You can also learn more about Okta on AWS Marketplace. If you have any questions, contact AWS Support or start a new thread on the IAM forum.

.

.

Okta – AWS Partner Spotlight

Okta is an AWS Partner and leading independent provider of identity for the enterprise. Okta hold AWS Competencies in Security, Digital Workplace, and Government, and is an AWS Marketplace Seller.

Contact Okta | Partner Overview | AWS Marketplace | Case Studies