AWS Marketplace

CyberArk Identity as SSO for AWS Control Tower

Migrating to the AWS cloud has enabled many organizations to reduce costs, innovate faster, and deliver business results more effectively. As your AWS footprint grows, you need a multi-account governance strategy and a consistent way to apply best practices across the expanded environment. AWS Control Tower implements AWS best practices to establish a well-architected, multi-account baseline and enables governance across your AWS accounts. It also integrates with AWS IAM Identity Center (successor to AWS Single Sign-On) for centralized access management to accounts and resources.

About AWS Control Tower

AWS Control Tower automates new account provisioning in the organization and applies preventive and detective guardrails to those accounts. It also centralizes logging from AWS CloudTrail and AWS Config. The guardrails encode AWS best-practice settings, and AWS Control Tower monitors compliance with them and reports status to a central console dashboard. In addition, AWS Control Tower uses AWS IAM Identity Center (successor to AWS Single Sign-On) so that you can manage access to multiple AWS accounts. AWS IAM Identity Center integrates with CyberArk Identity Single Sign-On, so cloud and CyberArk administrators can manage all identities that access AWS accounts and resources in one place.

About CyberArk

The CyberArk Identity Security Platform helps organizations secure access to critical business data and infrastructure, protect a distributed workforce, and accelerate business in the cloud. Combining AWS Control Tower, AWS IAM Identity Center, and the CyberArk Identity Security Platform helps secure your environment. In this blog post, Edward Nunez, Welly Siauw and I show you how to subscribe to, deploy, configure, and test CyberArk Identity Single Sign-On in AWS Control Tower.

Solution overview: CyberArk Identity as SSO for AWS Control Tower

The following diagram provides an architecture overview of the AWS Control Tower and CyberArk integration. CyberArk acts as the external identity provider (IdP) for IAM Identity Center. IAM Identity Center centralizes role-based permission management for resources across AWS, while CyberArk manages user information, credentials, authentication, and role membership in a single place. AWS Control Tower creates a set of default permission sets in IAM Identity Center, which you assign to CyberArk-sourced users and groups through IAM Identity Center.

CyberArk manages all users, groups, and roles and synchronizes them to the IAM Identity Center directory using System for Cross-domain Identity Management (SCIM). User attributes such as first name, last name, email, and display name are synchronized as well. Each CyberArk role is synchronized as a group in the Identity Center directory. Administrators then combine users or groups with IAM Identity Center permission sets and assign the result to the relevant AWS accounts. Refer to the following diagram.

Figure: CyberArk Identity, AWS Control Tower, and IAM Identity Center SSO architecture diagram

Users only need to authenticate to the CyberArk User Portal to access AWS resources. The relevant CyberArk policies and access controls are applied during authentication. For example, you can implement risk-based access rules or access policies based on contextual factors such as IP address, day or time range, device OS, browser, or device security posture. Authenticated users see IAM Identity Center in the list of their assigned applications. Once in IAM Identity Center, users select the target AWS account and one of the permission sets available to them. A given group or user can hold more than one permission set in the same AWS account, so you can offer different privilege levels or task-centric permission sets while keeping the number of unique permission sets you maintain small.

Prerequisites

For this walkthrough, you must already have AWS Control Tower deployed. You can refer to Getting started with AWS Control Tower for more information.

CyberArk provides detailed instructions for this solution; refer to them for step-by-step guidance and technical support.

Solution walkthrough: CyberArk Identity as SSO for AWS Control Tower

To integrate CyberArk Identity as SSO for AWS Control Tower, do the following:

  1. Subscribe to CyberArk in AWS Marketplace.
    1. Subscribe to CyberArk by opening CyberArk Workforce Identity in AWS Marketplace.
    2. Choose the View purchase options button and configure your contract with the appropriate options.
    3. Once you have configured your contract, select the Create contract button. After you agree to Pay Now, follow the instructions to complete the sign-up.
  2. In the CyberArk Admin Portal, add the IAM Identity Center (formerly AWS Single Sign-On) web application.
    1. Log in to the CyberArk Admin Portal using the URL in the email you received after subscribing. In the Admin Portal left navigation bar, select Apps and then Web Apps. Choose Add Web Apps.
    2. In the content section, on the Search tab, enter IAM Identity Center in the search field and choose the search icon.
    3. Next to the IAM Identity Center application, choose Add. To confirm, choose Yes. To exit the Application Catalog, choose Close.
  3. In IAM Identity Center, set up CyberArk as the external identity provider and map CyberArk roles to Identity Center groups. To do this, follow steps 3 to 7 of the Deployment and Configuration Steps section in the AWS CyberArk implementation guide.
  4. Assign IAM Identity Center permission sets.

A permission set is an IAM role template that you create and maintain and that specifies, among other things, the IAM policies to use. When you assign a permission set in an account, IAM Identity Center creates a role from the template, controls access to the role, and keeps the role current with any changes you make over time. Permission sets simplify the assignment of AWS account access for users and groups in your AWS organization. To assign IAM Identity Center permission sets, do the following:

    1. In the AWS Management Console, navigate to IAM Identity Center.
    2. From the left navigation pane, select AWS accounts, and then select the AWS organization.
    3. Select the AWS account to which you want to grant the group access. Then choose Assign users.
    4. On the Assign Users page, select the group that SCIM created for the CyberArk role you mapped in step 3. If you can't find the group, refresh the IAM Identity Center page and re-run synchronization using the provisioned account synchronization options in the CyberArk guide; because each CyberArk role arrives in Identity Center as a group, a missing group usually means the role has not been synchronized yet.
    5. Choose Next: Permission sets.
    6. Under the Select Permission Sets section, select the permission set you want to assign to the group. If you don't have an existing permission set, choose Create new permission set.
    7. Choose Finish.
  5. Test the CyberArk integration with AWS Control Tower and IAM Identity Center.

To test the integration, do the following:

    1. Log in to the CyberArk User Portal using the URL in the email you received after adding a user in step 3, as a user who is a member of the CyberArk role you mapped in step 3. From the application list, select IAM Identity Center.
    2. After successful authentication, you are redirected to the IAM Identity Center landing page (the AWS access portal), which lists the AWS accounts and permission sets assigned to you.
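
The permission-set assignment of step 4, the "group not found" check of step 4.4, and the SCIM behaviour described in the solution overview (each CyberArk role arrives in the Identity Center directory as a group) as an added example in Python against the sso-admin and identitystore APIs. This is not code from the post or from CyberArk. The group name AWS-ControlTower-Admins, the account ID 111122223333, the permission set name CyberArkAdminAccess, the instance and identity store identifiers, and the Fake* clients are all constructed so the script runs offline; the comment in the main block shows the boto3 wiring for a real organization, where the script must run with credentials for the AWS Control Tower management account.

```python
import time


class GroupNotSynced(Exception):
    """The CyberArk role has not (yet) been pushed to the Identity Center directory."""


def find_identity_center(sso_admin):
    """Return (instance_arn, identity_store_id) of the organization's Identity Center."""
    instances = sso_admin.list_instances()["Instances"]
    if len(instances) != 1:
        raise RuntimeError(f"expected one Identity Center instance, found {len(instances)}")
    return instances[0]["InstanceArn"], instances[0]["IdentityStoreId"]


def find_synced_group(identitystore, identity_store_id, display_name):
    """Step 4.4: look up the group SCIM created for a CyberArk role, by display name.
    An empty result means the role has not been synchronized yet; do not proceed."""
    resp = identitystore.list_groups(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "DisplayName", "AttributeValue": display_name}],
    )
    groups = resp.get("Groups", [])
    if not groups:
        raise GroupNotSynced(f"group {display_name!r} not in {identity_store_id}; "
                             "re-run the CyberArk SCIM synchronization and retry")
    return groups[0]["GroupId"]


def create_permission_set(sso_admin, instance_arn, name, managed_policy_arn, session="PT1H"):
    """Step 4.6: create a permission set (an IAM role template) with one managed policy."""
    ps_arn = sso_admin.create_permission_set(
        InstanceArn=instance_arn, Name=name, SessionDuration=session,  # ISO 8601 duration
        Description=f"{name}, assigned to CyberArk-synced groups",
    )["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn, ManagedPolicyArn=managed_policy_arn)
    return ps_arn


def assign_group_to_account(sso_admin, instance_arn, account_id, ps_arn, group_id, sleep=time.sleep):
    """Steps 4.3 to 4.7: assign the permission set to the group in one account. The call is
    asynchronous (Identity Center provisions the IAM role into the account), so poll."""
    status = sso_admin.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id,
    )["AccountAssignmentCreationStatus"]
    while status["Status"] == "IN_PROGRESS":
        sleep(2)
        status = sso_admin.describe_account_assignment_creation_status(
            InstanceArn=instance_arn, AccountAssignmentCreationRequestId=status["RequestId"],
        )["AccountAssignmentCreationStatus"]
    if status["Status"] != "SUCCEEDED":
        raise RuntimeError(f"assignment failed: {status.get('FailureReason')}")
    return status["Status"]


def onboard_cyberark_role(sso_admin, identitystore, role_name, account_id,
                          ps_name, managed_policy_arn, sleep=time.sleep):
    """CyberArk role -> synced group -> permission set -> account assignment."""
    instance_arn, store_id = find_identity_center(sso_admin)
    group_id = find_synced_group(identitystore, store_id, role_name)
    ps_arn = create_permission_set(sso_admin, instance_arn, ps_name, managed_policy_arn)
    status = assign_group_to_account(sso_admin, instance_arn, account_id, ps_arn, group_id, sleep)
    return {"group_id": group_id, "permission_set_arn": ps_arn, "status": status}


# Constructed stand-ins for boto3.client("sso-admin") and boto3.client("identitystore") so the
# example runs offline; they return the same response shapes as the real APIs.
class FakeSsoAdmin:
    def list_instances(self):
        return {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-example",
                               "IdentityStoreId": "d-example"}]}

    def create_permission_set(self, **kw):
        return {"PermissionSet": {"PermissionSetArn": f"{kw['InstanceArn']}/ps-{kw['Name'].lower()}"}}

    def attach_managed_policy_to_permission_set(self, **kw):
        return {}

    def create_account_assignment(self, **kw):
        return {"AccountAssignmentCreationStatus": {"Status": "IN_PROGRESS", "RequestId": "req-1"}}

    def describe_account_assignment_creation_status(self, **kw):
        return {"AccountAssignmentCreationStatus": {
            "Status": "SUCCEEDED", "RequestId": kw["AccountAssignmentCreationRequestId"]}}


class FakeIdentityStore:
    def __init__(self, groups):
        self.groups = groups  # display name -> GroupId, as SCIM would have created them

    def list_groups(self, IdentityStoreId, Filters):
        want = Filters[0]["AttributeValue"]
        return {"Groups": [{"GroupId": gid, "DisplayName": name}
                           for name, gid in self.groups.items() if name == want]}


if __name__ == "__main__":
    # Real organization: import boto3; sso, ids = boto3.client("sso-admin"), boto3.client("identitystore")
    sso, ids = FakeSsoAdmin(), FakeIdentityStore({"AWS-ControlTower-Admins": "g-0001"})
    print(onboard_cyberark_role(sso, ids, "AWS-ControlTower-Admins", "111122223333",
                                "CyberArkAdminAccess", "arn:aws:iam::aws:policy/AdministratorAccess",
                                sleep=lambda _s: None))
```

Run it as-is to see the offline result, or replace the fake clients with the boto3 clients named in the main block to perform the assignment for real. The lookup in find_synced_group is the programmatic form of the "refresh and re-run synchronization" advice in step 4.4: the script refuses to create an assignment for a group that SCIM has not delivered yet, rather than silently assigning to nothing. The assignment is polled rather than assumed because Identity Center creates the IAM role in the target account asynchronously.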

Next steps

In addition to using CyberArk Identity Single Sign-On (SSO) in the AWS Control Tower environment, you can also use CyberArk Identity to further secure access to your AWS environments.

  • Try CyberArk Identity Secure Web Sessions. This add-on to CyberArk Identity SSO records, audits, and protects end-user activity within designated web applications, including AWS Control Tower.
  • Try CyberArk Identity Adaptive Multi-Factor Authentication to enforce strong identity assurance controls to validate users accessing your AWS accounts.
  • Add risk-based authentication by integrating CyberArk Identity MFA with the CyberArk Identity User Behavior Analytics (UBA) service. CyberArk Identity UBA uses AI and machine learning to build a profile for each user and can flag behavior that does not match that user's historical activity.

Conclusion

In this blog post, Edward Nunez, Welly Siauw and I showed you how to deploy and configure CyberArk Identity Single Sign-On in an AWS Control Tower environment. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.

Contents of this post were validated to work on the publishing date. The code and templates in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.

About the authors

Dathu Patil

Dathu is a Solutions Architect based out of Boston, MA. He helps customers architect scalable, highly available applications that leverage AWS services. He works as a technical leader alongside customer business, development and infrastructure teams providing deep software knowledge with respect to cloud architecture, design patterns and programming.


Welly Siauw

Welly Siauw is a Sr. Partner Solution Architect at Amazon Web Services (AWS). He is passionate about service integration, orchestration, serverless and AI/ML. He has authored several AWS blogs and workshops and actively leads AWS Immersion Days and Activation Days. Welly spends his free time tinkering with his espresso machine and hiking outdoors.


Edward Nunez

Edward is Director of Business Development Technology at CyberArk. He has more than 13 years of CyberArk tenure, with experience ranging from delivering professional services, architecting and performing deployments, and consulting for high-profile customers. He provides team leadership and acts as technical liaison for technology vendors, bringing CyberArk knowledge and experience to find points of integration, leading the development of those integrations, and guiding the teams involved. Before CyberArk, he spent decades as a core developer and consultant for Symantec and Oracle Corp.