Use IAM Identity Center APIs to audit and manage application assignments

[ad_1]

Now you can use AWS IAM Identification Middle utility project APIs to programmatically handle and audit consumer and group entry to AWS managed purposes. Beforehand, you had to make use of the IAM Identification Middle console to manually assign customers and teams to an utility. Now, you’ll be able to automate this process so that you just scale extra successfully as your group grows.

On this submit, we are going to present you use IAM Identification Middle APIs to programmatically handle and audit consumer and group entry to purposes. The procedures that we share apply to each group cases and account cases of IAM Identification Middle.

Automate administration of consumer and group project to purposes

IAM Identification Middle is the place you create, or join, your workforce customers one time and centrally handle their entry to a number of AWS accounts and purposes. You configure AWS managed purposes to work with IAM Identification Middle instantly from throughout the related utility console, after which handle which customers or teams want permissions to the applying.

You may already use the account project APIs to automate multi-account entry and audit entry assigned to your customers utilizing IAM Identification Middle permission units. In the present day, we expanded this functionality with the brand new utility project APIs. You should utilize these new APIs to programmatically management utility assignments and develop automated workflows for auditing them.

AWS managed purposes entry consumer and group data instantly from IAM Identification Middle. One instance of an AWS managed utility is Amazon Redshift. Whenever you configure Amazon Redshift as an AWS managed utility with IAM Identification Middle, and a consumer out of your group accesses the database, their group memberships outlined in IAM Identification Middle can map to Amazon Redshift database roles that grant them particular permissions. This makes it less complicated so that you can handle customers since you don’t must set database-object permissions for every particular person. For extra data, see The advantages of Redshift integration with AWS IAM Identification Middle.

After you configure the mixing between IAM Identification Middle and Amazon Redshift, you’ll be able to automate the project or elimination of customers and teams through the use of the DeleteApplicationAssignment and CreateApplicationAssignment APIs, as proven in Determine 1.

Figure 1: Use the CreateApplicationAssignment API to assign users and groups to Amazon Redshift

Determine 1: Use the CreateApplicationAssignment API to assign customers and teams to Amazon Redshift

On this part, you’ll discover ways to use Identification Middle APIs to assign a gaggle to your Amazon Redshift utility. Additionally, you will discover ways to delete the group project.

Stipulations

To observe together with this walkthrough, just be sure you’ve accomplished the next stipulations:

Allow IAM Identification Middle, and use the Identification Retailer to handle your identification information. Should you use an exterior identification supplier, then it is best to deal with the consumer creation and deletion processes in these programs.
Configure Amazon Redshift to make use of IAM Identification Middle as its identification supply. Whenever you configure Amazon Redshift to make use of IAM Identification Middle as its identification supply, the applying requires specific project by default. Which means it’s essential to explicitly assign customers to the applying within the Identification Middle console or APIs.
Set up and configure AWS Command Line Interface (AWS CLI) model 2. For this instance, you’ll use AWS CLI v2 to name the IAM Identification Middle utility project APIs. For extra data, see Putting in the AWS CLI and Configuring the AWS CLI.

Step 1: Get your Identification Middle occasion data

Step one is to run the next command to get the Amazon Useful resource Identify (ARN) and Identification Retailer ID for the occasion that you just’re working with:

aws sso-admin list-instances

The output ought to look just like the next:

{
“Situations”: [
{
“InstanceArn”: “arn:aws:sso:::instance/ssoins-****************”,
“IdentityStoreId”: “d-**********”,
“OwnerAccountId”: “************”,
“Name”: “MyInstanceName”,
“CreatedDate”: “2023-10-08T16:45:19.839000-04:00”,
“State”: {
“Name”: “ACTIVE”
},
“Status”: “ACTIVE”
}
],
“NextToken”: <<TOKEN>>
}

Pay attention to the IdentityStoreId and the InstanceArn — you’ll use each within the following steps.

Step 2: Create consumer and group in your Identification Retailer

The subsequent step is to create a consumer and group in your Identification Retailer.

Notice: If you have already got a gaggle in your Identification Middle occasion, get its GroupId after which proceed to Step 3. To get your GroupId, run the next command:

aws identitystore get-group-id –identity-store-id “d-********” –alternate-identifier “GroupName” ,

Create a brand new consumer through the use of the IdentityStoreId that you just famous within the earlier step.

aws identitystore create-user –identity-store-id “d-**********” –user-name “MyUser” –emails Worth=”MyUser@instance.com”,Kind=”Work”,Major=true —display-name “My Consumer” —title FamilyName=”Consumer”,GivenName=”My”

The output ought to look just like the next:

{
“UserId”: “********-****-****-****-************”,
“IdentityStoreId”: “d–********** ”
}

Create a gaggle in your Identification Retailer:

aws identitystore create-group –identity-store-id d-********** –display-name engineering

Within the output, make notice of the GroupId — you will want it later whenever you create the applying project in Step 4:

{
“GroupId”: “********-****-****-****-************”,
“IdentityStoreId”: “d-**********”
}

Run the next command so as to add the consumer to the group:

aws identitystore create-group-membership –identity-store-id d-********** –group-id ********-****-****-****-************ –member-id UserId=********-****-****-****-************

The consequence will look just like the next:

{
“MembershipId”: “********-****-****-****-************”,
“IdentityStoreId”: “d-**********”
}

Step 3: Get your Amazon Redshift utility ARN occasion

The subsequent step is to find out the applying ARN. To get the ARN, run the next command.

aws sso-admin list-applications –instance-arn “arn:aws:sso:::occasion/ssoins-****************”

When you have multiple utility in your setting, use the filter flag to specify the applying account or the applying supplier. To be taught extra concerning the filter choice, see the ListApplications API documentation.

On this case, we’ve got just one utility: Amazon Redshift. The response ought to look just like the next. Pay attention to the ApplicationArn — you will want it within the subsequent step.

{

“ApplicationArn”: “arn:aws:sso:::occasion/ssoins-****************/apl-***************”,
“ApplicationProviderArn”: “arn:aws:sso::aws:applicationProvider/Redshift”,
“Identify”: “Amazon Redshift”,
“InstanceArn”: “arn:aws:sso:::occasion/ssoins-****************”,
“Standing”: “DISABLED”,
“PortalOptions”: {
“Seen”: true,
“Visibility”: “ENABLED”,
“SignInOptions”: {
“Origin”: “IDENTITY_CENTER”
}
},
“AssignmentConfig”: {
“AssignmentRequired”: true
},
“Description”: “Amazon Redshift”,
“CreatedDate”: “2023-10-09T10:48:44.496000-07:00”
}

Step 4: Add your group to the Amazon Redshift utility

Now you’ll be able to add your new group to the Amazon Redshift utility managed by IAM Identification Middle. The principal-id is the GroupId that you just created in Step 2.

aws sso-admin create-application-assignment –application-arn “arn:aws:sso:::occasion/ssoins-****************/apl-***************” –principal-id “********-****-****-****-************” –principal-type “GROUP”

The group now has entry to Amazon Redshift, however with the default permissions in Amazon Redshift. To grant entry to databases, you’ll be able to create roles that management the permissions out there on a set of tables or views.

To create these roles in Amazon Redshift, you could connect with your cluster and run SQL instructions. To connect with your cluster, use one of many following choices:

Determine 2 exhibits a connection to Amazon Redshift via the question editor v2.

Determine 2: Question editor v2

By default, all customers have CREATE and USAGE permissions on the PUBLIC schema of a database. To disallow customers from creating objects within the PUBLIC schema of a database, use the REVOKE command to take away that permission. For extra data, see Default database consumer permissions.

Because the Amazon Redshift database administrator, you’ll be able to create roles the place the position title accommodates the identification supplier namespace prefix and the group or consumer title. To do that, use the next syntax:

CREATE ROLE <identitycenternamespace:rolename>;

The rolename must match the group title in IAM Identification Middle. Amazon Redshift robotically maps the IAM Identification Middle group or consumer to the position created beforehand. To increase the permissions of a consumer, use the GRANT command.

The identityprovidernamespace is assigned whenever you create the mixing between Amazon Redshift and IAM Identification Middle. It represents your group’s title and is added as a prefix to your IAM Identification Middle managed customers and roles within the Redshift database.

Your syntax ought to seem like the next:

CREATE ROLE <AWSIdentityCenter:MyGroup>;

Step 5: Take away utility project

Should you determine that the brand new group now not wants entry to the Amazon Redshift utility however ought to stay throughout the IAM Identification Middle occasion, run the next command:

aws sso-admin delete-application-assignment –application-arn “arn:aws:sso:::occasion/ssoins-****************/apl-***************” –principal-id “********-****-****-****-************” –principal-type “GROUP”

Notice: Eradicating an utility project for a gaggle doesn’t take away the group out of your Identification Middle occasion.

Whenever you take away or add consumer assignments, we advocate that you just evaluation the applying’s documentation since you would possibly must take further steps to utterly onboard or offboard a given consumer or group. For instance, whenever you take away a consumer or group project, it’s essential to additionally take away the corresponding roles in Amazon Redshift. You are able to do this through the use of the DROP ROLE command. For extra data, see Managing database safety.

Audit consumer and group entry to purposes

Let’s take into account how you should use the brand new APIs that can assist you audit utility assignments. Within the previous instance, you used the AWS CLI to create and delete assignments to Amazon Redshift. Now, we are going to present you use the brand new ListApplicationAssignments API to listing the teams which are at present assigned to your Amazon Redshift utility.

aws sso-admin list-application-assignments –application-arn arn:aws:sso::****************:utility/ssoins-****************/apl-****************

The output ought to look just like the next — on this case, you could have a single group assigned to the applying.

{
“ApplicationAssignments”: [
{
“ApplicationArn”: “arn:aws:sso::****************:application/ssoins-****************/apl-****************”,
“PrincipalId”: “********-****-****-****-************”,
“PrincipalType”: “GROUP”
}
]
}

To see the group membership, use the PrincipalId data to question Identification Retailer and get data on the customers assigned to the group with a mix of the ListGroupMemberships and DescribeGroupMembership APIs.

When you have a number of purposes that IAM Identification Middle manages, you may as well create a script to robotically audit these purposes. You may run this script periodically in an AWS Lambda operate in your setting to take care of oversight of the members which are added to every utility.

To get the script for this use case, see the multiple-instance-management-iam-identity-center GitHub repository. The repository contains directions to deploy the script utilizing Lambda throughout the AWS Organizations delegated administrator account. After deployment, you’ll be able to invoke the Lambda operate to get .csv information of each IAM Identification Middle occasion in your group, the purposes assigned to every occasion, and the customers which have entry to these purposes.

Conclusion

On this submit, you realized use the IAM Identification Middle utility project APIs to assign customers to Amazon Redshift and take away them from the applying when they’re now not a part of the group. You additionally realized to listing which purposes are deployed in every account, and which customers are assigned to every of these purposes.

To be taught extra about IAM Identification Middle, see the AWS IAM Identification Middle consumer information. To check the applying project APIs, see the SSO-admin API reference information.

When you have suggestions about this submit, submit feedback within the Feedback part under. When you have questions on this submit, begin a brand new thread on AWS IAM Identification Middle re:Submit or contact AWS Help.

Need extra AWS Safety information? Comply with us on Twitter.

Laura Reith

Laura is an Identification Options Architect at AWS, the place she thrives on serving to prospects overcome safety and identification challenges. In her free time, she enjoys wreck diving and touring world wide.

Steve Pascoe

Steve is a Senior Technical Product Supervisor with the AWS Identification group. He delights in empowering prospects with inventive and distinctive options to on a regular basis issues. Outdoors of that, he likes to construct issues together with his household via Lego, woodworking, and not too long ago, 3D printing.

Sowjanya Rajavaram

Sowjanya is a Sr Answer Architect who makes a speciality of Identification and Safety in AWS. Her total profession has been centered on serving to prospects of all sizes clear up their Identification and Entry Administration issues. She enjoys touring and experiencing new cultures and meals.

[ad_2]

Source link