AWS Marketplace

Automate multi account permissions management in AWS using CloudKnox and AWS Control Tower

This blog post was written by Kanishk Mahajan, ISV Solutions Architecture Lead at AWS and guest author Maya Neelakandhan, Head of Customer Success at CloudKnox.

Introduction

Permissions management in AWS empowers security and cloud infrastructure teams to protect your cloud resources from misuse of identity permissions. Cloud security requires continuous enforcement of least-privilege policies across all AWS accounts in the AWS organization.

Having a multi-account strategy is a best practice to achieve higher isolation of resources. It also helps to meet regulatory and compliance needs, track operational costs, and add an extra layer of security. AWS Control Tower uses AWS best practices to establish a well-architected, multi-account baseline. It also enables governance across your AWS accounts. Many customers use AWS Control Tower to manage and govern multi-account AWS environments. For more information about managing multi-account AWS environments with AWS Control Tower, see Getting Started with AWS Control Tower.

CloudKnox is an APN Advanced partner. The CloudKnox SaaS solution available in AWS Marketplace provides continuous monitoring and profiling of permissions granted to AWS Identity and Access Management (IAM) users and roles. CloudKnox enables security operations and cloud infrastructure teams to continuously create, monitor, and enforce least privilege policies across all AWS accounts from a single dashboard. This ensures that every identity that can access cloud infrastructure only have the permissions needed to perform their specific required tasks. This may include employees, third-party contractors, service accounts, applications, and cloud resources such as Amazon Elastic Compute Cloud (Amazon EC2) instances.

In this blog post, Maya and I share a new solution that integrates CloudKnox with AWS Control Tower. This enables all newly added AWS accounts in an AWS Control Tower environment to be automatically enrolled with CloudKnox using Account Factory. The integration facilitates CloudKnox-based permissions management to be automatically enabled for all newly added AWS accounts. This includes detection and enforcement of least privileges and rightsizing of IAM permissions.

Prerequisites

You must complete the following prerequisites before implementing the CloudKnox and AWS Control Tower integration solution:

  1. Sign up for a CloudKnox account from the CloudKnox console.
  2. Create a CloudKnox subscription in AWS Marketplace and obtain credentials to access CloudKnox:
    • Navigate to the AWS Marketplace listing for CloudKnox and choose Continue to Subscribe. Select contract duration (12 months or 36 months), auto renew settings, and choose Create Contract. To complete the subscription, review the options selected and choose Pay now.
    • You will be redirected back to the CloudKnox console. Log in using the account you registered in step 1. On the main page, choose Deploy and follow the instructions there to install the CloudKnox-provided AWS CloudFormation template that provisions the CloudKnox Sentry appliance in your AWS account.
    • Log in to the CloudKnox API Integrations console and choose Generate New Key. Make a note of the generated Access Key, Secret Key, and Service Account ID as well as the AWS account ID where the Sentry appliance was deployed. You will use it in the following integration.

Solution overview

The AWS Control Tower integration with CloudKnox is based on automation of AWS Control Tower lifecycle events via AWS CloudWatch events and AWS CloudFormation StackSets. It consists of one AWS CloudFormation template that fully automates the provisioning, setup, and integration of all the components necessary for this solution.

The AWS CloudFormation template and a detailed README for this solution is available here. This template is deployed in the AWS Control Tower management account, and it creates the following components:

  1. A CloudKnox AWS CloudFormation StackSet in the AWS Control Tower management account. This incorporates the CloudKnox components for setting up a CloudKnox integration role. All parameters needed for the CloudKnox components, such as the API key and secret, are stored in AWS Secrets Manager.
    • An Amazon CloudWatch Events rule: Triggered based on an AWS Control Tower lifecycle event.
    • An AWS Lambda lifecycle function: The target for the CloudWatch Events rule.
  2. CloudKnox AWS CloudFormation stack instance in the AWS Control Tower managed account. When a new account is added from the AWS Control Tower management account, the Lambda function creates a stack instance in the managed account. This stack instance is based on the CloudKnox StackSet deployed in the management account. The stack instance:
    • Provisions the CloudKnox integration IAM role in the managed account.
    • Invokes the CloudKnox Add Account API  that registers the newly added AWS account in CloudKnox.

The following architecture diagram illustrates the components of AWS Control Tower and the CloudKnox integration.

  • In the AWS Control Tower management account:
    • A new AWS Control Tower account is provisioned via the Account Factory console that is part of AWS Service Catalog.
    • When a new account is provisioned, an AWS Control Tower lifecycle event triggers a CloudWatch Events rule.
    • The AWS CloudWatch Events rule triggers a Lambda function.
    • An AWS CloudFormation StackSet launches the CloudKnox stack instance in the AWS Control Tower managed account.

CloudKnox AWS Control Tower integration diagram 1

 

  • In the AWS Control Tower managed account:
    • A new AWS Control Tower account is provisioned via the Account Factory console that is part of AWS Service Catalog.
    • When a new account is provisioned, an AWS Control Tower lifecycle event triggers a CloudWatch Events rule.
    • The AWS CloudWatch Events rule triggers a Lambda function.
    • An AWS CloudFormation StackSet launches the CloudKnox stack instance in the AWS Control Tower managed account.

CloudKnox AWS Control Tower integration diagram managed account

 

 

Step-by-step walkthrough

Follow these steps to set up the CloudKnox integration with AWS Control Tower.

Set up CloudKnox integration with AWS Control Tower

  1. Log in to the AWS CloudFormation console of your management account.
  2. Launch the aws-cloudknox-controltower.yaml template from the AWS CloudFormation console. To launch a AWS CloudFormation template from the console, follow the steps outlined here.
    • To enter parameters in step 2 , enter the Access Key, Secret Key, and Service Account ID and the AWS Account ID where the Sentry appliance was deployed as parameters. These are the parameters that you noted down in Step 2c in the prerequisites section of this blog post.

Test your integration

Test the integration by adding a managed account and creating a lifecycle event.

Add the managed account
  1. Log in to the AWS Control Tower management account and open the AWS Control Tower console.
  2. To enroll a new managed account in the AWS Control Tower organization, in the navigation pane, choose Account Factory.
  3. Enter values for Account email, Display name, AWS SSO email, AWS SSO user name, and Organizational unit.
  4. Choose Enroll account.

It can take up to 30 minutes for the account to be created and the AWS Control Tower lifecycle event to trigger.

Test your integration

To check that the integration is working, do the following:

  1. Log into the AWS Control Tower managed account.
    • Validate that a CloudKnox Integration Role (IAM_R_KNOX_SECURITY_XA IAM role) has been created in the managed account.
  2. View the CloudKnox AWS (Overview) Dashboard.
    • Log into your CloudKnox account.
    • Navigate to the Data Collectors tab from the dashboard by choosing the gear icon. Verify that the CloudKnox data collector is in the Collecting state for this managed account.
    • It may take up to an hour for the data collection to complete on this new AWS account.
    • Navigate back to the CloudKnox console by choosing the Dashboard tab. To view the permissions analytics of this newly created AWS managed account, select the specific AWS Account ID. The following screenshot shows my aws-jn-sandbox account with a diagram on the left and bar chart on the right showing a low Privilege Creep Index of 11. Refer to the following screenshot.

CloudKnox console screenshot showing privilege creep index

 

Conclusion

In this blog post, we have described our new marketplace solution to automatically enroll AWS Control Tower accounts with CloudKnox. CloudKnox’s integration with AWS Control Tower enables you to automatically extend the permissions management capabilities of CloudKnox to enforce the principle of least privileges in a multi-account AWS environment. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.

About the Authors

Kanishk is an ISV Solutions Architecture Lead at AWS. In this role, he leads cloud transformation and solution architecture for our Independent Software Vendor partners and mutual customers in all areas that relate to management and governance, security and compliance, and migrations and modernizations in AWS.

 

 

Maya is one of the founding engineers at CloudKnox, involved in building the patented CloudKnox activity-based authorization platform which helps enterprises manage entitlements. In her current role as Head of Customer Success, she works with customers to identify and solve their challenges with IAM permission management.