Simplifying Fine-Grained Access to AWS Resources with Ping Identity
By Donna Shawhan, Technology Alliances Manager at Ping Identity
By Peter Holko, Technology Alliances Solution Architect at Ping Identity
In a world where data is king and cybersecurity attacks are on the rise, enterprises are increasingly looking to manage and control who has access to their data in the most secure, efficient way possible.
With the recent launch of AWS Identity and Access Management (IAM) session tags, customers can simplify fine-grained access to Amazon Web Services (AWS) resources by using attributes from their own corporate directories in permissions rules.
Enterprise customers frequently manage their workforce identities (the “who”) using an identity provider (IdP) such as PingFederate or PingOne for Enterprise by Ping Identity.
Enterprises can federate from Ping Identity’s single sign-on (SSO) solutions (i.e. PingFederate and PingOne for Enterprise) into AWS using industry standards such as SAML and OIDC.
Now, with AWS session tags, you can configure PingFederate or PingOne for Enterprise to send attributes in the AWS sessions when users federate into AWS and use these attributes in IAM policies for controlling access to AWS resources.
In this post, you will learn how to configure Ping Identity’s single sign-on solutions to use the AWS session tags feature, so that the attributes your IdP already holds become the inputs to your IAM policies.
Ping Identity is an AWS Partner Network (APN) Advanced Technology Partner with the AWS Security Competency. We provide customers, employees, and partners with secure access to cloud, mobile, software-as-a-service (SaaS), and on-premises applications and APIs, while also managing identity and profile data at scale.
Ping Identity supports AWS session tags, which simplify fine-grained access control for IAM administrators. Working with AWS, we make it possible to rely on attributes from your corporate directory so that each employee receives permissions derived from those attributes for the duration of an AWS session.
The use of session tags can reduce the number of AWS roles and permissions policies you have to manage. Plus, you can save time by automating updates when an employee’s responsibilities change.
Real World Use Case
When an employee federates into AWS from a standards-compliant IdP such as PingFederate or PingOne for Enterprise, the administrator can include attributes like cost center, job title, and email address in the AWS session.
These attributes become tags on the session (session tags) and can be matched against tags on AWS resources, so the employee only has access to the right resources for the duration of that session.
For example, an employee with job title “database administrator” and cost center “1234” may be granted write access to an Amazon Relational Database Service (Amazon RDS) database instance that is also tagged with cost center “1234.”
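The IAM side of that use case, as an added example in Python (not code from the original post or from Ping Identity): the role's trust policy has to grant sts:TagSession next to sts:AssumeRoleWithSAML, otherwise STS refuses an assertion that carries session tags, and the permissions policy compares the instance's costCenter tag with the session's costCenter tag through the ${aws:PrincipalTag/costCenter} policy variable, so one role covers every cost center. The account ID, provider and role names, RDS instance and tag values are placeholders, and is_allowed is a deliberately simplified model of the IAM matching rule (Allow statements and StringEquals conditions only), not the IAM evaluation engine:

```python
"""IAM side of the cost-center use case: a SAML role trust policy, a
permissions policy keyed on session tags, and a simplified check of the
matching rule. Added example, not code from the original post or from
Ping Identity; account ID, ARNs and tag values are placeholders."""
import fnmatch
import json
import re

ACCOUNT = "111122223333"                                              # placeholder
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:saml-provider/PingFederate"   # placeholder

# Trust policy: sts:TagSession must be allowed next to sts:AssumeRoleWithSAML,
# or STS refuses an assertion that carries PrincipalTag attributes.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
        "Condition": {
            "StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"},
            # Refuse sessions that arrive without a costCenter tag at all.
            "StringLike": {"sts:RequestTag/costCenter": "*"},
        },
    }],
}

# Permissions policy: the instance's costCenter tag must equal the session's
# costCenter tag. The policy variable is resolved per request, so one role
# serves every cost center instead of one role per cost center.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RdsWriteWithinOwnCostCenter",
        "Effect": "Allow",
        "Action": ["rds:ModifyDBInstance", "rds:RebootDBInstance",
                   "rds:StartDBInstance", "rds:StopDBInstance"],
        "Resource": f"arn:aws:rds:*:{ACCOUNT}:db:*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/costCenter": "${aws:PrincipalTag/costCenter}",
            "aws:PrincipalTag/jobTitle": "database administrator",
        }},
    }],
}

_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _resolve(value, ctx):
    """Expand ${aws:PrincipalTag/key}. A missing tag expands to a sentinel
    that can never equal a real tag value, so the comparison fails."""
    return _VAR.sub(lambda m: ctx.get("aws:PrincipalTag/" + m.group(1), "\0unset"), value)


def is_allowed(policy, action, resource_arn, principal_tags, resource_tags):
    """Simplified model of IAM matching: Allow statements, '*' wildcards in
    Action/Resource and StringEquals conditions only. As in IAM, a condition
    key absent from the request context evaluates to false. Not the IAM
    engine (no Deny, no other operators); enough to see the tag rule work."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {}).get("StringEquals", {})
        if all(k in ctx and ctx[k] == _resolve(v, ctx) for k, v in conds.items()):
            return True
    return False


# Constructed session tags (what the IdP sent) and a constructed RDS instance.
DBA_SESSION = {"costCenter": "1234", "jobTitle": "database administrator"}
DEV_SESSION = {"costCenter": "1234", "jobTitle": "developer"}
DB_ARN = f"arn:aws:rds:us-east-1:{ACCOUNT}:db:orders-prod"

if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(PERMISSIONS_POLICY, indent=2))
    for who, tags in (("DBA", DBA_SESSION), ("developer", DEV_SESSION)):
        for cc in ("1234", "5678"):
            ok = is_allowed(PERMISSIONS_POLICY, "rds:RebootDBInstance", DB_ARN, tags, {"costCenter": cc})
            print(f"{who} on instance tagged costCenter={cc}: {'allow' if ok else 'deny'}")
```

The model shows the behaviour the policy is meant to produce: the DBA session reaches the instance tagged 1234 and nothing tagged 5678, a session without a costCenter tag matches nothing, and a developer with the same cost center is refused by the jobTitle condition. Validate the real policies with the IAM policy simulator before relying on them, since this check ignores Deny statements and every operator other than StringEquals.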
As you prepare to set up your environment to support AWS session tags, here are a couple of items to keep in mind.
Ping supports multiple configuration options:
- PingFederate SAML
- PingFederate OIDC
- PingOne for Enterprise SAML
- PingOne for Enterprise OIDC
PingFederate and PingOne for Enterprise both support SAML and OIDC configurations. For brevity, this post only walks through PingFederate using SAML and PingOne for Enterprise using OIDC.
For more details and additional configuration options, see the documentation.
AWS session tag key definitions:
- PrincipalTag: Used in SAML configurations. Each session tag is sent as an assertion attribute whose Name is https://aws.amazon.com/SAML/Attributes/PrincipalTag:<TagKey> (for example PrincipalTag:team, PrincipalTag:project or PrincipalTag:costCenter), and the attribute value becomes the tag value.
- TransitiveTagKeys: An optional attribute (https://aws.amazon.com/SAML/Attributes/TransitiveTagKeys) that lists only the tags you want to persist from session to session, for example when role chaining across AWS accounts. Only tags that are also sent as PrincipalTag attributes in the assertion can be marked transitive.
Configuring PingFederate Using SAML
Configuring AWS session tag support in PingFederate is straightforward. For SAML connections, the AWS service provider (SP) connection only has to be extended to include the session tag attributes.
A configured PingFederate SP connection using the AWS Integration Kit.
Extend the Attribute Contract of the SP connection to include the required PrincipalTag attributes and, if needed, TransitiveTagKeys, as shown below.
Figure 1 – Assertion creation.
Note that the PrincipalTag attributes must be defined in the PrincipalTag:<tag key> format. The TransitiveTagKeys attribute lists PrincipalTag keys and tells AWS to keep those tags for the whole session, including any roles assumed from it. The trust policy of the target role must also allow the sts:TagSession action alongside sts:AssumeRoleWithSAML; otherwise AWS rejects an assertion that carries session tags.
Next, configure the Attribute Contract Fulfillment for the AWS attributes. Attribute values can be retrieved from a data source such as an LDAP directory and transformed with the OGNL expression language available in PingFederate, as illustrated in the use case below.
Figure 2 – Attribute sources and user lookup.
Once these steps are complete, the session tags are included in the SAML assertion that PingFederate issues.
Configuring PingOne for Enterprise Using OIDC
Supporting AWS session tags in a PingOne for Enterprise OIDC application requires a small change to the application. Before you start, make sure that:
- You have a PingOne for Enterprise account.
- Your external IdP provides a tags attribute in the JSON format AWS requires for session tags: a https://aws.amazon.com/tags object containing principal_tags (each value given as a one-element list) and, optionally, transitive_tag_keys.
Edit the OIDC application and add the https://aws.amazon.com/tags attribute to the Default User Profile Attribute Contract, as shown below.
Figure 3 – Default User Profile Attribute Contract.
Map the https://aws.amazon.com/tags attribute to the External Identity Provider attribute which contains the JSON formatted session tags data.
Figure 4 – Attribute mapping.
Once these steps are complete, PingOne for Enterprise includes the https://aws.amazon.com/tags claim in the OIDC ID token (a JWT), and AWS reads the session tags from that claim when the role is assumed.
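What the two configurations end up sending, as an added example in Python (not code from the original post or from Ping Identity) that covers both the SAML section above and this OIDC section: one validated set of directory-derived tags is rendered as the PrincipalTag:<key> and TransitiveTagKeys attributes PingFederate places in its assertion, and as the https://aws.amazon.com/tags claim PingOne for Enterprise maps into the ID token. The directory record, role and provider ARNs and tag keys are constructed placeholders; the validator enforces the limits AWS applies to session tags (50 tags, 128-character keys, 256-character values, no aws: prefix) and the rule that a transitive key must also be a principal tag.

```python
"""Session tags as PingFederate (SAML) and PingOne for Enterprise (OIDC)
would carry them. Added example, not code from the original post or from
Ping Identity; the directory record, ARNs and tag keys are placeholders."""
import json
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_BASE = "https://aws.amazon.com/SAML/Attributes/"
OIDC_TAGS_CLAIM = "https://aws.amazon.com/tags"
ET.register_namespace("saml", SAML_NS)

# Limits AWS applies to session tags, checked before any token is minted.
MAX_TAGS, MAX_KEY_LEN, MAX_VALUE_LEN = 50, 128, 256


def validate_session_tags(tags, transitive):
    """Reject tag sets STS would refuse, plus the mistake the post warns about:
    a TransitiveTagKeys entry that is not also sent as a PrincipalTag."""
    if len(tags) > MAX_TAGS:
        raise ValueError(f"at most {MAX_TAGS} session tags")
    for key, value in tags.items():
        if key.lower().startswith("aws:"):
            raise ValueError(f"reserved prefix in tag key {key!r}")
        if not 1 <= len(key) <= MAX_KEY_LEN or len(value) > MAX_VALUE_LEN:
            raise ValueError(f"tag {key!r} exceeds key/value length limits")
    missing = set(transitive) - set(tags)
    if missing:
        raise ValueError(f"transitive keys without a PrincipalTag: {sorted(missing)}")
    return True


def saml_attributes(role_arn, provider_arn, session_name, tags, transitive):
    """Attribute Name -> values, using the names AWS expects in the assertion."""
    validate_session_tags(tags, transitive)
    attrs = {
        ATTR_BASE + "Role": [f"{role_arn},{provider_arn}"],
        ATTR_BASE + "RoleSessionName": [session_name],
    }
    for key, value in tags.items():
        attrs[ATTR_BASE + f"PrincipalTag:{key}"] = [value]
    if transitive:
        attrs[ATTR_BASE + "TransitiveTagKeys"] = list(transitive)
    return attrs


def saml_attribute_statement(attrs):
    """Serialise the mapping as a SAML 2.0 AttributeStatement element."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for v in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")


def oidc_tags_claim(tags, transitive):
    """The https://aws.amazon.com/tags claim: every principal tag value is a
    one-element list, as AssumeRoleWithWebIdentity requires."""
    validate_session_tags(tags, transitive)
    claim = {"principal_tags": {k: [v] for k, v in tags.items()}}
    if transitive:
        claim["transitive_tag_keys"] = list(transitive)
    return {OIDC_TAGS_CLAIM: claim}


# Constructed LDAP-style record, as the Attribute Contract Fulfillment step
# would read it, and the tags derived from it (placeholders throughout).
USER = {"mail": "dba@example.com", "title": "database administrator", "costCenter": "1234"}
TAGS = {"costCenter": USER["costCenter"], "jobTitle": USER["title"], "email": USER["mail"]}
TRANSITIVE = ["costCenter"]                      # survives role chaining across accounts
ROLE_ARN = "arn:aws:iam::111122223333:role/DatabaseAdmin"               # placeholder
PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/PingFederate"   # placeholder

if __name__ == "__main__":
    attrs = saml_attributes(ROLE_ARN, PROVIDER_ARN, USER["mail"], TAGS, TRANSITIVE)
    print(saml_attribute_statement(attrs))
    print(json.dumps(oidc_tags_claim(TAGS, TRANSITIVE), indent=2))
```

Both outputs carry the same three tags and mark only costCenter as transitive; the validator raises before anything is emitted if a transitive key has no matching principal tag, which is the misconfiguration that otherwise only surfaces as a failed role assumption.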
Whether you are configuring PingFederate or PingOne for Enterprise for AWS session tags, you will be able to implement an IAM policy that evaluates the attributes from PingFederate or PingOne for Enterprise to control access to AWS resources.
AWS permissions management just got easier for your enterprise. You can now utilize PingFederate and PingOne for Enterprise to simplify fine-grained access to AWS resources.
With AWS session tags and Ping Identity, you can send attributes in the AWS sessions when your users federate into AWS and use these attributes in IAM policies for controlling access to AWS resources.
To recap, the benefits of AWS session tags include:
- Rely on attributes from your own corporate directory.
- Reduce the number of AWS roles and permissions policies you have to manage.
- Save time by automating updates when an employee’s responsibilities change.
- Administrators can rely on PingFederate and PingOne for Enterprise as the single source of truth. Whenever user attributes change in the corporate directory, the new values take effect on the AWS side the next time the user federates in, because session tags are set when the session is created.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
Ping Identity – APN Partner Spotlight
Ping Identity is an AWS Competency Partner. They provide customers, employees, and partners with access to cloud, mobile, SaaS, and on-premises applications and APIs, while also managing identity and profile data at scale.