AWS Architecture Blog
Field Notes: Clear Unused AWS SSO Mappings Automatically During AWS Control Tower Upgrades
Increasingly, organizations use AWS Control Tower to manage their multiple accounts together with an external third-party identity source for federation. Cloud architects who use these external identity sources needed an automated way to clear the unused mappings that the AWS Control Tower landing zone creates at launch, or during update and repair operations. Although the AWS SSO mappings are inaccessible once the external identity source is configured, customers prefer to clear any unused mappings from the directory.
You can remove the permissions sets and mappings that AWS Control Tower deployment creates in AWS SSO. However, when the landing zone is updated or repaired, the default permission sets and mappings are recreated in AWS SSO. In this blog post, we show you how to use AWS Control Tower Lifecycle events to automatically remove these permission sets and mappings when AWS Control Tower is upgraded or repaired. An AWS Lambda function runs on every upgrade and automatically removes the permission sets and mappings.
Overview of solution
Using this CloudFormation template, you can deploy the solution that automatically removes the AWS SSO permission sets and mappings when you upgrade your AWS Control Tower environment. We use AWS CloudFormation, AWS Lambda, AWS SSO and Amazon CloudWatch services to implement this solution.
To clear the AWS SSO entities and leave the service enabled with no active mappings, we recommend the following steps. This is mainly for those who do not want to use the default AWS SSO deployed by AWS Control Tower.
- Log in to the AWS Control Tower Management Account and make sure you are in the AWS Control Tower Home Region.
- Launch an AWS CloudFormation stack, which creates:
  - An AWS Lambda function that:
    - Checks for and deletes the permission set mappings created by AWS Control Tower, and
    - Deletes the permission sets created by AWS Control Tower.
  - An AWS IAM role that is assigned to the preceding AWS Lambda function with the minimum required permissions.
  - An Amazon CloudWatch Event Rule that is invoked upon the UpdateLandingZone API call and triggers the ClearMappingsLambda Lambda function.
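The core of such a Lambda function, written here as an added example rather than the post's own template code. Two things are assumptions not taken from the post: the Control Tower-provisioned permission sets are recognised by the names in CONTROL_TOWER_SETS, and the live path uses boto3's sso-admin client; the planner and event guard run offline.

```python
# Constructed list of the permission sets Control Tower provisions by default;
# sets with any other name (for example, your own) are deliberately left alone.
CONTROL_TOWER_SETS = frozenset({
    "AWSAdministratorAccess", "AWSPowerUserAccess", "AWSReadOnlyAccess",
    "AWSOrganizationsFullAccess", "AWSServiceCatalogAdminFullAccess",
    "AWSServiceCatalogEndUserAccess"})

def is_update_landing_zone_event(event: dict) -> bool:
    """Guard: act only on the Control Tower lifecycle event the rule targets."""
    detail = event.get("detail") or {}
    return (event.get("source") == "aws.controltower"
            and detail.get("eventName") == "UpdateLandingZone")

def plan_cleanup(permission_sets: dict, assignments: list) -> tuple:
    """Pure planner: permission_sets maps ARN -> Name; assignments are ListAccountAssignments
    records. Returns (assignments to remove, set ARNs to remove), mappings first."""
    targets = {arn for arn, name in permission_sets.items() if name in CONTROL_TOWER_SETS}
    return [a for a in assignments if a["PermissionSetArn"] in targets], sorted(targets)

def clear_control_tower_sso(sso, instance_arn: str) -> tuple:
    """Live path: enumerate through the sso-admin API, then apply the plan."""
    sets, assignments = {}, []
    for page in sso.get_paginator("list_permission_sets").paginate(InstanceArn=instance_arn):
        for arn in page["PermissionSets"]:
            desc = sso.describe_permission_set(InstanceArn=instance_arn, PermissionSetArn=arn)
            sets[arn] = desc["PermissionSet"]["Name"]
    for arn in (a for a, n in sets.items() if n in CONTROL_TOWER_SETS):
        accounts = sso.get_paginator("list_accounts_for_provisioned_permission_set")
        for page in accounts.paginate(InstanceArn=instance_arn, PermissionSetArn=arn):
            for account in page["AccountIds"]:
                pager = sso.get_paginator("list_account_assignments")
                for ap in pager.paginate(InstanceArn=instance_arn, AccountId=account, PermissionSetArn=arn):
                    assignments.extend(ap["AccountAssignments"])
    doomed, targets = plan_cleanup(sets, assignments)
    # Assignment deletion is asynchronous; production code polls describe_account_assignment_deletion_status first.
    for a in doomed:
        sso.delete_account_assignment(
            InstanceArn=instance_arn, TargetId=a["AccountId"], TargetType="AWS_ACCOUNT",
            PermissionSetArn=a["PermissionSetArn"], PrincipalType=a["PrincipalType"],
            PrincipalId=a["PrincipalId"])
    for arn in targets:
        sso.delete_permission_set(InstanceArn=instance_arn, PermissionSetArn=arn)
    return len(doomed), len(targets)

def lambda_handler(event, context):
    if not is_update_landing_zone_event(event):
        return {"skipped": True}
    import boto3  # imported lazily so the pure functions above run without the SDK
    sso = boto3.client("sso-admin")
    return clear_control_tower_sso(sso, sso.list_instances()["Instances"][0]["InstanceArn"])
```

The IAM role attached to this function needs only the sso:List*, sso:Describe* and the two sso:Delete* actions used above; any permission set whose name is not in the list is left untouched, so custom sets survive an upgrade.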
Prerequisites
For this walkthrough, you should have the following prerequisites:
- Administrator access to AWS Control Tower management account
Walkthrough
- Log in to the AWS account where AWS Control Tower is deployed.
- Make sure you are in the home Region of AWS Control Tower.
- Deploy the provided CloudFormation template:
  - Download the CloudFormation template.
  - Select the AWS CloudFormation service in the AWS Console.
  - Select Create Stack and select With new resources (standard).
  - Upload the template file downloaded in Step 1.
  - Enter the stack name and choose Next.
  - Use the default values on the next page and choose Next.
  - Choose Create Stack.
By default, in your AWS Control Tower Landing Zone you will see the permission sets and mappings in your AWS SSO service page as shown in the following screenshots:
Figure 3 – Account to Permission set mapping created by AWS Control Tower
Now, you can update the AWS Control Tower Landing Zone which will invoke the Lambda function deployed using the CloudFormation template.
Steps to update/repair Control Tower:
- Log in to the AWS account where AWS Control Tower is deployed.
- Select Landing zone settings from the left-hand pane of the Control Tower dashboard
- Select the latest version as seen in the screenshot below.
- Select Repair or Update, whichever option is available.
- Select Update Landing Zone.
Once the update is complete, you can go to AWS SSO service page and check that the permission sets and the mappings have been removed as shown in the following screenshots:
Cleaning up
If you are only testing this solution, make sure to delete the CloudFormation stack, which will remove the relevant resources so you stop incurring charges.
Conclusion
In this post, we provided a solution to clear AWS SSO Permission Sets and Mappings when you upgrade your AWS Control Tower Landing Zone. Remember, AWS SSO permission sets are added every time you upgrade the AWS Control Tower Landing Zone. With this solution you don’t have to manage any settings, since the AWS Lambda function runs on every upgrade and removes the permission sets and mappings.
Give it a try and let us know your thoughts in the comments!