Automate multi account identity governance in AWS using Ermetic and AWS Control Tower
Having a multi-account strategy is a best practice for achieving higher isolation of resources in AWS. It helps you to meet regulatory and compliance needs, track operational costs, and add an extra layer of security. AWS Control Tower uses AWS best practices to establish a well-architected, multi-account baseline across your AWS accounts. For more information about managing multi-account AWS environments with AWS Control Tower, see Getting Started with AWS Control Tower.
Ermetic is a member of the AWS Partner Network (APN) and is available in AWS Marketplace. Managing access entitlements is a critical challenge that enterprises face as they work to protect applications and data in AWS. Ermetic helps you to govern entitlements and eliminate access risks in AWS by continuously analyzing permissions, configurations, and behavior. It does this across the full stack of identities (human and service), entitlements, data, network, and compute resources.
In this post, Or and I share a new solution that integrates Ermetic with AWS Control Tower. You can use this solution to automatically enroll newly added AWS accounts in an AWS Control Tower environment with Ermetic using Account Factory. The integration automates the ability of Ermetic to govern identities, manage their access entitlements, and enforce least privileges for all newly added accounts in your multi-account AWS environment.
The solution is deployed using AWS CloudFormation templates and integrates with AWS Control Tower lifecycle events. When a new account is created, or an existing one is enrolled using the AWS Control Tower Account Factory, the lifecycle event triggers an AWS Lambda function. The Lambda function creates a new CloudFormation stack instance in the vended account, creating the required AWS Identity and Access Management (IAM) role in the newly vended account.
The stack instance configures Ermetic with an IAM role (Ermetic IAM integration role). This role enables the Ermetic SaaS solution to collect account data from AWS CloudTrail logs from the new account.
The AWS CloudFormation template and a detailed README for this solution are available here. This template is deployed in the AWS Control Tower management account and creates the following components:
- An Ermetic AWS CloudFormation StackSet in the AWS Control Tower management account. This incorporates the following Ermetic components for setting up the Ermetic IAM integration role:
  - An Amazon CloudWatch Events rule that is triggered based on an AWS Control Tower lifecycle event
  - An AWS Lambda lifecycle function that is the target for the CloudWatch Events rule
- An Ermetic AWS CloudFormation stack instance in the AWS Control Tower managed account. When a new account is added from the AWS Control Tower management account, the Lambda function creates a stack instance in the managed account. The stack instance is based on the Ermetic StackSet deployed in the management account and provisions the new account with the Ermetic IAM integration role.
The following architecture diagram illustrates the components of AWS Control Tower and Ermetic integration.
The AWS Control Tower management account contains the following components:
- In the AWS Service Catalog via the Account Factory, an administrator provisions a new AWS Control Tower account.
- After the administrator successfully provisions a new account, an AWS Control Tower lifecycle event triggers a CloudWatch Events rule.
- The AWS CloudWatch Events rule triggers a Lambda function.
- An AWS CloudFormation StackSet launches the Ermetic stack instance in the AWS Control Tower managed account. Refer to the following diagram.
The AWS Control Tower managed account contains the following components:
- The Ermetic template that provisions the Ermetic IAM integration role in the managed account. Refer to the following architecture diagram.
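The flow above (lifecycle event, CloudWatch Events rule, Lambda function, stack instance in the vended account) is easiest to reason about as code. The following is an added example written for this post, not Ermetic's or AWS's published Lambda code: it filters the Control Tower lifecycle event so that only a successful CreateManagedAccount or UpdateManagedAccount triggers provisioning, then builds the create_stack_instances call for the new account. The StackSet name, the environment variable names and the sample event values are assumptions; the ErmeticExternalId parameter name comes from the post. The ErmeticApiKeyToken is read but not used here, because the Ermetic API it would be sent to is not documented in the post.

```python
"""Lambda handler for an AWS Control Tower lifecycle event (added example).

Only a lifecycle event whose state is SUCCEEDED means the vended account is ready,
so anything else is ignored rather than provisioned.
"""
import os

# Control Tower lifecycle event names that enroll an account, mapped to the
# key under detail.serviceEventDetails that carries the result.
ENROLL_EVENTS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}

# Constructed sample event, shaped like a Control Tower lifecycle event
# delivered via CloudTrail. Account and OU identifiers are placeholders.
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventName": "CreateManagedAccount",
        "awsRegion": "us-east-1",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountId": "111122223333", "accountName": "workload-dev"},
                "organizationalUnit": {
                    "organizationalUnitId": "ou-example-placeholder",
                    "organizationalUnitName": "Sandbox",
                },
            }
        },
    },
}


def extract_enrolled_account(event: dict):
    """Return (account_id, region) for a successful enrollment event, else None."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    status_key = ENROLL_EVENTS.get(detail.get("eventName"))
    if status_key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":
        return None
    account_id = status.get("account", {}).get("accountId")
    region = event.get("region") or detail.get("awsRegion")
    if not account_id or not region:
        return None
    return account_id, region


def build_stack_instance_request(account_id: str, region: str,
                                 external_id: str, stackset_name: str) -> dict:
    """Keyword arguments for cloudformation.create_stack_instances in the vended account.

    The External ID is passed through so the Ermetic IAM integration role's trust
    policy is created with the value Ermetic was onboarded with.
    """
    return {
        "StackSetName": stackset_name,
        "Accounts": [account_id],
        "Regions": [region],
        "ParameterOverrides": [
            {"ParameterKey": "ErmeticExternalId", "ParameterValue": external_id},
        ],
    }


def handler(event, context=None):
    """Lambda entry point: ignore unrelated events, otherwise provision the role."""
    target = extract_enrolled_account(event)
    if target is None:
        return {"status": "ignored"}
    account_id, region = target
    # Assumed environment variable names; the token is a secret and should be
    # sourced from Secrets Manager or an encrypted parameter rather than logged.
    external_id = os.environ["ERMETIC_EXTERNAL_ID"]
    _api_token = os.environ["ERMETIC_API_KEY_TOKEN"]  # for Ermetic's API, not shown here
    stackset_name = os.environ.get("ERMETIC_STACKSET_NAME", "Ermetic-IAM-Integration-Role")
    request = build_stack_instance_request(account_id, region, external_id, stackset_name)
    import boto3  # imported here so the parsing logic stays testable offline
    cfn = boto3.client("cloudformation")
    resp = cfn.create_stack_instances(**request)
    return {"status": "created", "operationId": resp["OperationId"], "accountId": account_id}
```

Because the rule matches every Control Tower service event, the handler's filtering is what keeps a failed enrollment (state FAILED) or an unrelated event from creating a stack instance in an account that is not ready.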
You must complete the following prerequisites before implementing the Ermetic and AWS Control Tower integration solution:
A. Subscribe to Ermetic via AWS Marketplace
Subscribe to Ermetic in AWS Marketplace. In the upper right, choose Continue to Subscribe.
B. Onboard the AWS management account
In order to onboard subsequent managed AWS accounts via AWS Control Tower, you must first onboard the Control Tower management account. To do so, follow these instructions:
- Sign in to your Ermetic account.
- From the left panel, select Accounts.
- Select Add a new AWS account.
- To provide Ermetic with access to your organizational trail, follow the onboarding wizard. Complete the onboarding process by providing details for your AWS Control Tower Log Archive account.
- Copy the value of the External ID. You will be required to use it as an input parameter for the Solution walkthrough.
C. Create an API key
To generate an API key, in your Ermetic console, follow these steps:
- From the left panel, navigate to Settings and choose API.
- Choose Create Token.
- Assign the token an appropriate name (for example, ControlTower) and select Administrator for a role.
- Copy the generated token. This is important, as it is not recoverable. You will need the token for the Solution walkthrough.
Solution walkthrough: Automate multi account identity governance in AWS using Ermetic and AWS Control Tower
The Ermetic integration with AWS Control Tower is set up in one step with single-click automation.
Deploy the aws-ermetic-controltower.yaml template in the AWS Control Tower management account. Provide the following parameters:
- ErmeticExternalId – This is the External ID from Prerequisites step B.5.
- ErmeticApiKeyToken – This is the API token from Prerequisites step C.4.
From the AWS Management Console in the management account, do the following:
- Ensure that an AWS CloudFormation StackSet is successfully created.
- Ensure that an Amazon CloudWatch Events rule is successfully created with an AWS Lambda target to handle AWS Control Tower lifecycle events.
Test and Validate
Test—Create a Lifecycle Event—Add a managed account
- Log in to the AWS Control Tower management account and navigate to the AWS Control Tower console. Then do the following:
  - To enroll a new managed account in the AWS Control Tower organization, in the navigation pane, choose Account Factory.
  - Enter values for Account email, Display name, AWS SSO email, AWS SSO user name, and Organizational unit.
  - Choose Enroll account.
- Log in to the newly added AWS Control Tower managed account. Navigate to the AWS CloudFormation console. Check that there is an AWS CloudFormation stack instance in this account that launches the Ermetic IAM integration role in the managed account. From the navigation pane, select this stack instance and choose Stack info. The status field should display a value of CREATE_COMPLETE.
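Beyond checking that the stack reached CREATE_COMPLETE, a practitioner will want to confirm that the role the stack instance created is only assumable by the expected principal and only with the External ID from the onboarding step, since the External ID is what protects a cross-account role from the confused-deputy problem. The following is an added example written for this post, not Ermetic's or AWS's code: the pure check runs offline on a trust policy document, and the two boto3 helpers fetch the stack status and the role's trust policy from the managed account. The role name, the Ermetic principal ARN and the policy documents are constructed placeholders.

```python
"""Validate the vended Ermetic IAM integration role's trust policy (added example)."""

# Constructed placeholders; substitute the values from your own onboarding.
EXPECTED_PRINCIPAL = "arn:aws:iam::999999999999:root"  # placeholder Ermetic account
EXPECTED_EXTERNAL_ID = "external-id-placeholder"

# Constructed trust policy shaped like one a hardened integration role would carry.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}


def _as_list(value):
    """IAM documents allow a string or a list in the same position."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def trust_policy_findings(policy: dict, expected_principal: str, expected_external_id: str) -> list:
    """Return a list of problems with an AssumeRole trust policy; empty means it passed."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if principal == "*" or "*" in aws_principals:
            findings.append("assume-role statement trusts any AWS principal")
        for p in aws_principals:
            if p != "*" and p != expected_principal:
                findings.append(f"unexpected trusted principal {p}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId does not match the onboarding value")
    return findings


def stack_status(stack_name: str, session=None) -> str:
    """Return the CloudFormation StackStatus of the stack instance in the managed account."""
    import boto3  # lazy import keeps trust_policy_findings usable offline
    cfn = (session or boto3).client("cloudformation")
    return cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]


def role_trust_policy(role_name: str, session=None) -> dict:
    """Fetch the role's trust policy; boto3 returns AssumeRolePolicyDocument as a dict."""
    import boto3
    iam = (session or boto3).client("iam")
    return iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


if __name__ == "__main__":
    # Usage against a real managed account (names are placeholders):
    #   assert stack_status("StackSet-Ermetic-placeholder") == "CREATE_COMPLETE"
    #   print(trust_policy_findings(role_trust_policy("ErmeticIntegrationRole-placeholder"),
    #                               EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID))
    print(trust_policy_findings(GOOD_TRUST_POLICY, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID))
```

Run the offline check first against the template's trust policy, then against the live role after the stack shows CREATE_COMPLETE; a non-empty findings list is a reason to stop before Ermetic starts collecting from the account.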
Sign in to your Ermetic account and validate that identity intelligence data for the new account is being collected and displayed on the Ermetic dashboard. The following screenshot shows the Ermetic identity intelligence dashboard with 44 identities spread across critical, high, medium, and low risk.
In this post, we showed you how to automatically enroll new AWS Control Tower accounts with Ermetic. Ermetic's integration with AWS Control Tower automatically extends Ermetic's capabilities to every newly added AWS account in your multi-account AWS environment, so that Ermetic can manage access entitlements and enforce least privilege across those accounts without manual onboarding. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.
About the Authors
Kanishk Mahajan is an Independent Software Vendor (ISV) Solutions Architecture Lead at AWS. In this role, he leads cloud transformation and solution architecture for AWS partners and mutual customers in all areas that relate to management and governance, security and compliance, and migrations and modernizations in AWS.
Or Priel is the VP of Product Management at Ermetic. Prior to joining Ermetic, Or worked for Palo Alto networks for over six years, leading projects in various roles. Prior to his tenure there, he worked for CyVera, a cybersecurity company later acquired by Palo Alto Networks. During his military service, Or served as a captain in a special ops unit of the Israel Defense Forces Intelligence Corps.