

# Identity management
<a name="identitymanagement"></a>

 As you scale your use of the AWS Cloud, you need robust identity and permission management processes to help ensure that you follow the standard security advice of granting least privilege, that is, granting only the permissions required to perform a task. Robust identity management helps ensure that the right systems and people have access to the right resources under the right conditions. This also needs to be done without overburdening operations capabilities with too many, too granular, or too complex permission or identity constructs. The M&G Guide includes the recommendations of the [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/identity-management.html) for managing identities and access permissions across all cloud resources in your multi-account strategy so that you are migration ready, scale ready, and operating efficiently. 

 The [Security Pillar](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/identity-management.html) describes the difference between human and machine identities. It also shows that centralized administration of human identities and access to your environments with an identity provider is a critical strategy for managing authentication and authorization across your enterprise. This is important for managing and governing, as it makes it easier to manage access across multiple applications and services because you are creating, managing, and revoking access from a single location. For example, if someone joins or leaves your organization, you can add or revoke that individual’s access for all applications and services (including AWS) from one location. This aligns with ITIL best practices, reduces the need for multiple credentials, and provides an opportunity to integrate with existing human resources (HR) processes. In AWS, we consider machine identities distinctly from human identities. Machine identities (like service roles) still reside within AWS IAM and are designed to uphold the principle of least privilege, but are not managed by your identity provider. 

 Define access policies and mechanisms that include granting least privilege access, sharing resources securely, and reducing permissions continually (including the removal of unused permissions) with AWS IAM Access Analyzer. Review how permissions are actually being authored, validated, and used over time, so that you can remove unnecessary permissions in accordance with the principle of least privilege. This would include adding observability rules for “last accessed” data, such as a timestamp showing when an identity policy or principal (such as a user or role) last used a service or performed an action from supported services. This enables you to more easily identify unused permissions and improve your security posture by removing the permissions that are not necessary for the user, group, or role to perform a specific task. Both AWS and AWS Partners provide tools for the creation, review, and revocation of permissions in an automated manner throughout your software development lifecycle (SDLC) or development, security, and operations (DevSecOps) cycles. 

# Interoperable functions
<a name="interoperable-functions-2"></a>

 The eight management and governance functions, supported by AWS services and AWS Partner solutions, work together and interoperate to reduce complexity. Outputs from functions are used to inform or integrate with other functions. 

 For identity management this includes: 
+  Specific identity **Controls** included within your preventive and detective mechanisms. 
+  **Network connectivity** designed as a complement to identity, forming a least privilege boundary for your environments. 
+  **Security management** with specific capabilities to remediate and address identity-related incidents. 
+  Using your **Service management** solution as the record of change for your identity constructs. 
+  Incorporating all Identity and access management activities across the **Monitoring and observability** functions so that they provide evidentiary findings for audit and compliance needs. 
+  Enabling **Cloud Financial Management** with identity management to provide specific cost and usage by defined roles and groups. 
+  As cloud assets are **Sourced and distributed**, defining identity and access policies in a manner that restricts the range of operations. 

# Implementation priorities
<a name="implementation-priorities-2"></a>

 Having secure and scalable mechanisms to manage identities is a critical component of a cloud ready environment. As such, the following items should be prioritized. 

## Establish a centralized identity provider for human identities
<a name="ident-idp"></a>

 Implementation of a centralized identity provider is a foundational capability for enterprises of all sizes and interwoven across all environments, systems, workloads, and processes. For workforce identities, restrict the use of individual users and instead rely on an identity provider that enables you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and services, because you are creating, managing, and revoking access from a single location. Use existing HR processes to manage creation, update, and removal of access to include your AWS environments. Federate access into your AWS environments by integrating the identity provider with a SAML 2.0 compliant SSO solution. Incorporate multi-factor authentication (MFA) in AWS for the root user, and use your identity provider MFA solution for other privileged roles. 

## Define job functions and codify IAM roles
<a name="net-job"></a>

 Define the IAM roles to be granted to human and machine identities and strive to follow the principles of least privilege and separation of responsibilities. Verify that runbooks and playbooks reference identity constructs with sufficient permissions to run support activities (for example, emergency access). This might include “break glass” access in the event that your SSO solution becomes inaccessible. Optimizing your IAM permissions is a journey. Refine permissions over time and employ controls as an additional layer of protection while still enabling developer agility. 

 Consider that permissions will vary by environment type. For instance, permissions defined for production accounts should be more restrictive than those defined in development or sandbox accounts. Use resource tags and IAM policy conditions to create more fine-grained access policies, and apply permissions boundaries to allow safe delegation of administrative functions while protecting against privilege escalation. Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. For AWS services that support tagging, ABAC policies can be designed to allow operations when the principal's tag matches the resource tag. ABAC is helpful in environments that are growing rapidly because it helps scale policy management with reusable attributes from your identity provider. 
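The two mechanisms in this paragraph, a tag-matching ABAC condition and a permissions boundary, are easiest to understand by evaluating a few requests against them. The following is an added teaching example and not AWS's evaluation engine: it models only explicit Allow/Deny, a `StringEquals` condition on `aws:PrincipalTag` and `aws:ResourceTag` keys, and the rule that the effective permission is the intersection of the identity policy and the boundary. The policy documents, tag values, and the `is_allowed` helper are all constructed for illustration; real IAM evaluation additionally applies SCPs, resource-based policies, and session policies.

```python
"""Simplified evaluator for ABAC tag matching and permissions boundaries.

Added teaching example, not AWS's evaluation engine: it models only
explicit Allow/Deny, a StringEquals condition on aws:PrincipalTag and
aws:ResourceTag keys, and the "identity policy AND boundary" rule. Real
IAM evaluation also applies SCPs, resource-based and session policies.
"""
import fnmatch

# Constructed ABAC policy: start/stop is allowed only when the instance's
# "project" tag equals the calling principal's "project" tag.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
                }
            },
        }
    ],
}

# Constructed permissions boundary: effective permissions can never exceed
# ec2:*, whatever a delegated administrator later attaches to the role.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

PRINCIPAL_TAG = "${aws:PrincipalTag/"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, principal_tags):
    """Substitute a ${aws:PrincipalTag/key} policy variable; None if unset."""
    if value.startswith(PRINCIPAL_TAG) and value.endswith("}"):
        return principal_tags.get(value[len(PRINCIPAL_TAG):-1])
    return value


def _condition_holds(condition, principal_tags, resource_tags):
    for key, expected in condition.get("StringEquals", {}).items():
        if key.startswith("aws:ResourceTag/"):
            actual = resource_tags.get(key[len("aws:ResourceTag/"):])
        elif key.startswith("aws:PrincipalTag/"):
            actual = principal_tags.get(key[len("aws:PrincipalTag/"):])
        else:
            return False  # unknown condition key: fail closed
        # A missing tag on either side never satisfies StringEquals.
        if actual is None or actual != _resolve(expected, principal_tags):
            return False
    return True


def _evaluate(policy, action, principal_tags, resource_tags):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(action, principal_tags, resource_tags,
               policy=ABAC_POLICY, boundary=BOUNDARY):
    """Allowed only when both the identity policy and the boundary allow."""
    decisions = (_evaluate(policy, action, principal_tags, resource_tags),
                 _evaluate(boundary, action, principal_tags, resource_tags))
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)


if __name__ == "__main__":
    print(is_allowed("ec2:StopInstances", {"project": "alpha"}, {"project": "alpha"}))
    print(is_allowed("ec2:StopInstances", {"project": "alpha"}, {"project": "beta"}))
```

Note that an untagged resource or an untagged principal is denied: the condition fails closed, which is the property that makes tag enforcement (for example, requiring a `project` tag at creation) part of any ABAC design.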

## Continually collect, review, and refine permissions
<a name="net-rev"></a>

 Changes to identity roles and permissions are recorded in AWS CloudTrail, and detective guardrails should alert on deviations from your expected configuration state. With centralized collection of events, you can use aggregation and pattern-identification tools to review and refine permissions as required. 

 AWS Identity and Access Management (IAM) [access advisor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html) uses data analysis to help you set permission guardrails confidently by providing service last accessed information for your accounts, organizational units (OUs), and your organization managed by AWS Organizations. Use this feature to analyze service last accessed information, identify services that are not used, and reduce permissions where appropriate. 
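A worked illustration of turning service last accessed data into a "remove these permissions" list, added here as an example rather than code from the page or from AWS. The `SAMPLE_DETAILS` dictionary is constructed to mirror the shape of IAM's `GetServiceLastAccessedDetails` response, and the evaluation date `NOW` is fixed so the example runs offline; `fetch_details` shows the live boto3 calls for a real role ARN but is not executed here.

```python
"""List services a role can use but has not called within a threshold.

Added example, not AWS code. SAMPLE_DETAILS is constructed in the shape of
an IAM GetServiceLastAccessedDetails response; NOW is a fixed evaluation
date so the example is deterministic offline.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"

SAMPLE_DETAILS = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": datetime(2024, 5, 1, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "LastAuthenticated": datetime(2023, 9, 12, tzinfo=timezone.utc),
         "TotalAuthenticatedEntities": 1},
        # Never used: IAM omits LastAuthenticated for such services.
        {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
         "TotalAuthenticatedEntities": 0},
    ],
}


def unused_services(details, now, max_age_days=90):
    """Return service namespaces not authenticated within max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for svc in details["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        # No timestamp at all means the permission has never been exercised
        # in the tracking period, which is the strongest removal candidate.
        if last is None or last < cutoff:
            stale.append(svc["ServiceNamespace"])
    return sorted(stale)


def fetch_details(role_arn):
    """Live variant: generate and poll the report with boto3 (not run offline)."""
    import time
    import boto3
    iam = boto3.client("iam")
    job_id = iam.generate_service_last_accessed_details(Arn=role_arn)["JobId"]
    while True:
        resp = iam.get_service_last_accessed_details(JobId=job_id)
        if resp["JobStatus"] != "IN_PROGRESS":
            return resp
        time.sleep(2)


if __name__ == "__main__":
    for namespace in unused_services(SAMPLE_DETAILS, NOW):
        print(f"candidate for removal: {namespace}:*")
```

The threshold is the review decision: a 90-day window is a common starting point, but a service used only by a quarterly or annual job will appear stale under it, so cross-check candidates against your change records before tightening the policy.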

 Use [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) to guide you to least privilege by helping you set, verify, and refine permissions. This includes identifying S3 buckets or IAM roles that are shared with an external entity outside of your organization or account. Establish a regular attestation process to help ensure permissions are still appropriate as personnel change roles within your organization. Review the IAM credential report for stale or unused account users and credentials. 
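The credential report review mentioned above is easy to automate. The following is an added example, not code from the page or from AWS: `SAMPLE_REPORT` is a constructed CSV using a subset of the real IAM credential report columns (account ID and user names are placeholders), `NOW` is a fixed evaluation date so the check runs offline, and `fetch_report` shows the live boto3 calls without being executed here.

```python
"""Flag stale passwords and access keys from an IAM credential report.

Added example, not AWS code. SAMPLE_REPORT is a constructed CSV that uses
a subset of the real credential report columns; NOW is a fixed date so the
result is deterministic offline.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-20T09:15:00+00:00,true,true,2024-05-28T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2023-11-02T08:00:00+00:00,false,true,N/A,false,N/A
svc-legacy,arn:aws:iam::123456789012:user/svc-legacy,false,N/A,false,true,2023-12-01T00:00:00+00:00,true,2024-05-30T00:00:00+00:00
"""


def _parse_time(value):
    """Report dates are ISO 8601; N/A or no_information means never used."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _is_stale(last_used, cutoff):
    when = _parse_time(last_used)
    return when is None or when < cutoff


def stale_credentials(report_csv, now, max_age_days=90):
    """Return [(user, finding)] for credentials that should be reviewed."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            if _is_stale(row["password_last_used"], cutoff):
                findings.append((user, "password unused"))
            if row["mfa_active"] != "true":
                findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if (row[f"access_key_{n}_active"] == "true"
                    and _is_stale(row[f"access_key_{n}_last_used_date"], cutoff)):
                findings.append((user, f"access key {n} unused"))
    return findings


def fetch_report():
    """Live variant with boto3 (not run offline): generate, then download."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for user, finding in stale_credentials(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

An active key that has never been used (`N/A` last-used date) is treated as stale on purpose: a credential that exists but is not exercised is exposure with no benefit, and it is the first thing to deactivate.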

## Manage credential use
<a name="net-cred"></a>

 The M&G Guide recommends the use of IAM roles and temporary credentials. Use AWS Systems Manager to manage remote access to instances or on-premises systems using a pre-installed agent without the need for stored secrets. Reduce reliance on long-term credentials, and scan for hardcoded credentials in your infrastructure as code templates. In situations where you cannot use temporary credentials, use programmatic tools such as AWS Secrets Manager to automate credential rotation and management, such as application tokens and database passwords. 
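Scanning templates for hardcoded credentials, as this paragraph recommends, can be a small CI step. The following is an added example and not a tool from the page: the access key ID prefixes are the documented `AKIA`/`ASIA` forms, while the secret-key pattern is a heuristic (a 40-character token next to a "secret" key name) that will need tuning for your templates. `SAMPLE_TEMPLATE` is a constructed CloudFormation snippet whose key pair is AWS's documented example placeholder, not a real credential.

```python
"""Scan infrastructure-as-code text for long-term AWS credentials.

Added example, not a tool from the page. Access key IDs use the documented
AKIA/ASIA prefixes; the secret pattern is a heuristic and may need tuning.
"""
import re

ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed CloudFormation snippet. The key pair is AWS's documented
# example placeholder (AKIAIOSFODNN7EXAMPLE), not a real credential; the
# second resource shows the intended pattern, an instance profile role.
SAMPLE_TEMPLATE = """\
Resources:
  LegacyApp:
    Type: AWS::EC2::Instance
    Properties:
      UserData: !Base64 |
        #!/bin/bash
        export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
        export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
  GoodApp:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !Ref AppInstanceProfile
"""


def scan(text):
    """Return [(line_number, finding)] for every suspected credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            # Report only the prefix so the scanner's own output is safe to log.
            findings.append((number, f"access key id {match.group(0)[:4]}..."))
        if SECRET_KEY.search(line):
            findings.append((number, "secret access key"))
    return findings


def is_clean(text):
    """True when no suspected credential was found; use as a CI gate."""
    return not scan(text)


if __name__ == "__main__":
    for number, finding in scan(SAMPLE_TEMPLATE):
        print(f"line {number}: {finding}")
```

The second resource in the sample is the fix the paragraph points at: an instance profile gives the instance temporary credentials through the instance metadata service, so nothing needs to be written into user data at all.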

## Source and distribute identity constructs with automation
<a name="net-auto"></a>

 Codify and version identity constructs such as roles, policies, and templates with infrastructure as code. Employ testing and linting to ensure coding standards are met within your continuous integration and continuous delivery (CI/CD) pipelines with tools like [cfn-guard](https://aws.amazon.com/blogs/mt/introducing-aws-cloudformation-guard-2-0/). Use [IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html) policy validation to check for findings that include security warnings, errors, general warnings, and suggested changes to your IAM policies. Where appropriate, deploy and remove identity constructs for temporary access to the environment in an automated manner and prohibit deployment by individuals using the console. 
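A local lint such as the following gives fast feedback in the pipeline before the full Access Analyzer policy validation runs. It is an added example, not AWS's policy checks and not cfn-guard: it reproduces a handful of well-known findings (wildcard allow, unscoped `iam:PassRole`, `NotAction` in an allow statement, missing policy version) on plain JSON policy documents, and the finding texts and severities are this example's own.

```python
"""Pre-commit lint for IAM policy documents.

Added example, not AWS's Access Analyzer policy checks; it reproduces a
few well-known findings locally so CI fails fast before full validation.
"""
import json
import sys


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (severity, message) findings; empty means clean."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("WARNING", "Version should be 2012-10-17; older "
                         "versions do not support policy variables"))
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(("ERROR", f"statement {i}: Allow */* grants "
                             "full administrative access"))
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append(("WARNING", f"statement {i}: service-wide "
                             "wildcard action on all resources"))
        if "iam:PassRole" in actions and "*" in resources:
            findings.append(("WARNING", f"statement {i}: iam:PassRole on * "
                             "lets the principal pass any role to a service"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("WARNING", f"statement {i}: NotAction/"
                             "NotResource in an Allow grants everything "
                             "not listed"))
    return findings


def lint_files(paths):
    """Lint each JSON policy file; return True if no ERROR was produced."""
    ok = True
    for path in paths:
        with open(path) as fh:
            for severity, message in lint_policy(json.load(fh)):
                print(f"{path}: {severity}: {message}")
                ok = ok and severity != "ERROR"
    return ok


if __name__ == "__main__":
    sys.exit(0 if lint_files(sys.argv[1:]) else 1)
```

Run it as `python lint_policy.py policies/*.json` in the pipeline, and keep the authoritative check alongside it: `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json` returns the full set of findings the paragraph describes.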

# AWS identity services
<a name="aws-identity-services"></a>

 Effective identity management is provided by AWS services, solutions, and AWS Partners that permit you to securely manage identities, resources, and permissions at scale. AWS identity services provide flexible options for where and how you manage your employee, partner, and customer identities. The following AWS services can be used to help you meet the prescribed benefits of the M&G Guide: 

 [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/) provides fine-grained access control across all of AWS. Using IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least privilege permissions. 

 [AWS IAM Access Analyzer](https://aws.amazon.com/iam/features/analyze-access/) guides you toward least privilege by helping you set, verify, and refine permissions. Policy validation with Access Analyzer helps you author secure and functional permissions with more than 100 policy checks. Policy generation with Access Analyzer makes it easier to apply fine-grained permissions by generating policies based on your access activity in AWS CloudTrail. Access Analyzer also continually monitors resources and generates public and cross-account findings to help you verify that existing access meets your intent. 

 [AWS IAM Identity Center (IAM Identity Center)](https://aws.amazon.com/single-sign-on/) helps you centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With IAM Identity Center, you can manage access and user permissions to all of your accounts in AWS Organizations centrally. IAM Identity Center configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. IAM Identity Center also includes built-in integrations to many business applications, such as Salesforce, Box, and Office 365. 

 [AWS Directory Service for Microsoft Active Directory](https://aws.amazon.com/directoryservice/), also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in AWS. [AWS Managed Microsoft AD](https://aws.amazon.com/directoryservice/active-directory/) is built on Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use the standard Active Directory administration tools and take advantage of the built-in Active Directory features, such as group policy and single sign-on. 

 [AD Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html) is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in AWS. AD Connector comes in two sizes, small and large. You can spread application loads across multiple Active Directory connectors to scale to your performance needs. 

 If you would like support implementing this guidance, or assisting you with building the foundational elements prescribed by the M&G Guide, we recommend you review the offerings provided by [AWS Professional Services](https://aws.amazon.com/professional-services/) or the AWS Partners in the [Built on Control Tower program](https://aws.amazon.com/controltower/partners/). 

 If you are seeking help to operate your workloads in AWS following this guidance, [AWS Managed Services (AMS)](https://aws.amazon.com/managed-services/) can augment your operational capabilities as a short-term accelerator or a long-term solution, letting you focus on transforming your applications and businesses in the cloud. 


# Integrated identity partners
<a name="integrated-identity-partners"></a>

 The M&G Guide recommends you consider at a minimum the following questions when choosing an AWS Partner solution for identity management: 
+  Does it integrate with a single sign-on provider such as AWS SSO (now IAM Identity Center)? 
+  Does it support the System for Cross-domain Identity Management (SCIM) v2.0 standard for automating the exchange of user identity information? 
+  Does it support federated user and group mapping? 
+  Does it include a method for managing predefined permissions at scale such as AWS permission sets in IAM Identity Center? 

 Optimize identity management in a multi-account environment with a simplified single sign-on experience, user provisioning, and password management for your AWS environments. The following integrated identity AWS Partners have provided integrations that align to the M&G Guide, and are available for deployment from AWS Marketplace. 

[CyberArk](https://aws.amazon.com/marketplace/solutions/control-tower/identity-management/#CyberArk) helps organizations secure access to critical business applications and infrastructure, protect a distributed workforce, and accelerate business in the cloud. With CyberArk Identity Security Platform, enterprises can streamline access provisioning to AWS and give workers secure and frictionless access to all authorized AWS resources from any location, using any device. In addition to centralized management of end-user access to AWS environments, CyberArk provides comprehensive auditing and reporting capabilities to simplify access compliance.

 [Kion](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#cloudtamer.io) is a comprehensive enablement software solution that delivers visibility and control of cloud workloads. [Kion](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#cloudtamer.io) provides integrations with identity providers to allow control over cloud federation and policy controls at an account and an organization level. [Kion](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#cloudtamer.io) allows enterprises to manage their cloud presence at scale with automation and orchestration, financial management, and compliance. 

 [Okta](https://aws.amazon.com/marketplace/solutions/control-tower/identity-management/#Okta) enables teams to securely and seamlessly manage AWS IAM Identity Center (IAM Identity Center) entitlements at scale. After connecting Okta Identity Cloud to IAM Identity Center once, you can manage access to AWS centrally in IAM Identity Center, and enable end users to sign in using Okta to access all their assigned AWS accounts through AWS Organizations. This includes centralized reporting and auditing of end-user access across all apps and systems. 

 [OneLogin](https://aws.amazon.com/marketplace/solutions/control-tower/identity-management/#OneLogin) cloud-based identity and access management enables IT teams to manage and provision access to AWS resources centrally. Whether you’re newly migrating to AWS or an enterprise user, integrating Control Tower with OneLogin helps ensure you can easily and securely scale your enterprise-wide environments and IAM permissions. 

 [Ping Identity's](https://aws.amazon.com/marketplace/solutions/control-tower/identity-management/#PingIdentity) PingOne Cloud Platform solution provides central authentication services to connect employees across any application, directory, and situation. By providing authentication for all end users and identities in customer environments, Ping can reduce authentication silos, and help your business increase agility. The result is a centrally-managed authentication hub that provides a highly-configurable, secure, and consistent experience for your workforce. 

 [Sonrai Dig](https://aws.amazon.com/marketplace/solutions/control-tower/security/#Sonrai_Security) is an enterprise cloud security platform providing complete visibility across all multi-account AWS environments. Using Dig’s Cloud Identity Entitlement Management (CIEM) capabilities, you can continually inventory your identities (people and non-people), compute their effective (end-to-end) permissions, enforce least privilege, and alert on any deviations as soon as they are detected. 