Centralizing AWS Root access for AWS Organizations customers

Security teams will be able to centrally manage AWS root access for member accounts in AWS Organizations with a new feature being introduced by AWS Identity and Access Management (IAM). Now, managing root credentials and carrying out highly privileged operations is simple.

Managing root user credentials at scale

Historically, accounts on Amazon Web Services (AWS) were created using root user credentials, which granted unfettered access to the account. Despite its strength, this AWS root access presented serious security vulnerabilities.

The root user of every AWS account needed to be protected by implementing additional security measures like multi-factor authentication (MFA). These root credentials had to be manually managed and secured by security teams. Credentials had to be stored safely, rotated on a regular basis, and checked to make sure they adhered to security guidelines.

This manual method became laborious and error-prone as clients’ AWS systems grew. For instance, it was difficult for big businesses with hundreds or thousands of member accounts to uniformly secure AWS root access for every account. In addition to adding operational overhead, the manual intervention delayed account provisioning, hindered complete automation, and raised security threats. Unauthorized access to critical resources and account takeovers may result from improperly secured root access.

Additionally, security teams had to collect and use root credentials if particular root actions were needed, like unlocking an Amazon Simple Storage Service (Amazon S3) bucket policy or an Amazon Simple Queue Service (Amazon SQS) resource policy. This only made the attack surface larger. Maintaining long-term root credentials exposed users to possible mismanagement, compliance issues, and human errors despite strict monitoring and robust security procedures.

Security teams started looking for a scalable, automated solution. They required a method to programmatically control AWS root access without requiring long-term credentials in the first place, in addition to centralizing the administration of root credentials.

Centrally manage root access

AWS solve the long-standing problem of managing root credentials across several accounts with the new capability to centrally control root access. Two crucial features are introduced by this new capability: central control over root credentials and root sessions. When combined, they provide security teams with a safe, scalable, and legal method of controlling AWS root access to all member accounts of AWS Organizations.

First, let’s talk about centrally managing root credentials. You can now centrally manage and safeguard privileged root credentials for all AWS Organizations accounts with this capability. Managing root credentials enables you to:

Eliminate long-term root credentials: To ensure that no long-term privileged credentials are left open to abuse, security teams can now programmatically delete root user credentials from member accounts.

Prevent credential recovery: In addition to deleting the credentials, it also stops them from being recovered, protecting against future unwanted or unauthorized AWS root access.

Establish secure accounts by default: Using extra security measures like MFA after account provisioning is no longer necessary because member accounts can now be created without root credentials right away. Because accounts are protected by default, long-term root access security issues are significantly reduced, and the provisioning process is made simpler overall.

Assist in maintaining compliance: By centrally identifying and tracking the state of root credentials for every member account, root credentials management enables security teams to show compliance. Meeting security rules and legal requirements is made simpler by this automated visibility, which verifies that there are no long-term root credentials.

Aid in maintaining compliance By systematically identifying and tracking the state of root credentials across all member accounts, root credentials management enables security teams to prove compliance. Meeting security rules and legal requirements is made simpler by this automated visibility, which verifies that there are no long-term root credentials. However, how can it ensure that certain root operations on the accounts can still be carried out? Root sessions are the second feature its introducing today. It provides a safe substitute for preserving permanent root access.

Security teams can now obtain temporary, task-scoped root access to member accounts, doing away with the need to manually retrieve root credentials anytime privileged activities are needed. Without requiring permanent root credentials, this feature ensures that operations like unlocking S3 bucket policies or SQS queue policies may be carried out safely.

Key advantages of root sessions include:

Task-scoped root access: In accordance with the best practices of least privilege, AWS permits temporary AWS root access for particular actions. This reduces potential dangers by limiting the breadth of what can be done and shortening the time of access.

Centralized management: Instead of logging into each member account separately, you may now execute privileged root operations from a central account. Security teams can concentrate on higher-level activities as a result of the process being streamlined and their operational burden being lessened.

Conformity to AWS best practices: Organizations that utilize short-term credentials are adhering to AWS security best practices, which prioritize the usage of short-term, temporary access whenever feasible and the principle of least privilege.

Full root access is not granted by this new feature. For carrying out one of these five particular acts, it offers temporary credentials. Central root account management enables the first three tasks. When root sessions are enabled, the final two appear.

Auditing root user credentials: examining root user data with read-only access

Reactivating account recovery without root credentials is known as “re-enabling account recovery.”

deleting the credentials for the root user Eliminating MFA devices, access keys, signing certificates, and console passwords

Modifying or removing an S3 bucket policy that rejects all principals is known as “unlocking” the policy.

Modifying or removing an Amazon SQS resource policy that rejects all principals is known as “unlocking a SQS queue policy.”

Accessibility

With the exception of AWS GovCloud (US) and AWS China Regions, which do not have root accounts, all AWS Regions offer free central management of root access. You can access root sessions anywhere.

It can be used via the AWS SDK, AWS CLI, or IAM console.

What is a root access?

The root user, who has full access to all AWS resources and services, is the first identity formed when you create an account with Amazon Web Services (AWS). By using the email address and password you used to establish the account, you can log in as the root user.

Read more on Govindhtech.com

via Twitter https://twitter.com/releaseteam

IaC Generator To Import SCPs And RCPs Into CloudFormation

Import SCPs and RCPs from current AWS organisations into Cloud Formation architecture as a code generator. AWS Organisations customers often manually set up resource control policies (RCPs) and service control policies (SCPs) using the AWS Management Console or AWS CLI.

This manual process may become onerous as the company grows and adds policies. It may limit visibility into all SCPs and RCPs, their targets, and update efficiency. Without visibility and access limits, it's hard to track who's making changes and how. CloudFormation can simplify rule management with rollback, policy validation via Hooks, and history preserving. Git sync may also synchronise stacks with Git repository source code. Git sync lets you deploy, configure, and update CloudFormation stacks using pull requests and version tracking. When you alter the deployment file or template, CloudFormation updates the stack.

CloudFormation IaC generator

This article shows how to import SCPs and RCPs into AWS CloudFormation templates using the CloudFormation infrastructure as a code generator (IaC generator). The IaC generator automates SCP and RCP administration at scale. Important: CloudFormation imports current policies, not recreates them.

Solution overview This article provides a command-line tool to locate SCPs and RCPs in your firm and automate policy import into CloudFormation templates.

The end-to-end flow is shown in the previous graphic:

Start the tool: Both the management account and the administrator account can run the software, automating following steps. Determine corporate SCPs and RCPs: The tool initially requests policies from the Organisations service via API. Total SCPs and RCPs are tallied. Determine AWS Control Tower RCPs, SCPs, and targetless policies: The utility finds AWS Control Tower SCPs and RCPs and outputs a list. Their policy titles begin with “aws-guardrails-” to identify SCPs. AWS Control Tower-Controls- prefixes RCP policy names identify them. Policies without targets: The tool lists SCPs and RCPs without accounts, roots, or OUs. These policies may be duplicates or reallocated. IaC generator scan: You will be asked if you want to import policies into CloudFormation templates using the resource scan. If you click “yes,” the tool will utilise the IaC generator to launch a CloudFormation resource scan to retrieve policy name, targets, tags, etc. Use scanned policy resources to construct a template: The program creates CloudFormation templates from policy resources. Any policies without objectives will be in the template. Review procedure: Use the CloudFormation IaC generator to preview the template after generation. Create CloudFormation stacks using templates: After reviewing templates, import them into CloudFormation stacks to deploy. Remember that CloudFormation policies are imported, not rebuilt. Templates reflect current policies and qualities.

Thinking before applying the solution

Consider these factors before applying the solution.

If you have enabled policy management delegation for AWS Organisations, execute this solution with the delegated administrator account. If not, execute the solution using the management account. Note: Delegated administrator member accounts should handle organisation policies. The CloudFormation templates will not import SCPs and RCPs (with or without targets) since they should be managed by AWS Control Tower. Changes to AWS Control Tower resources outside of AWS Control Tower might cause drift and unanticipated effects. Fully access SCP and RCP on AWSCloudFormation stacks cannot import AWS managed policies like FullAWSAccess RCP. If you surpass CloudFormation template size limitations, several templates may be produced. The program automatically divides material into many templates as needed, making it easy to meet quotas and import content. Note that templates automatically set the following properties. Maintain deletion policy. This allows policies to remain even if the stack is deleted. Change Replace to Delete. Revisions to the policy allow removal of the physical ID.

Recommended next steps

The figure shows two possible future steps.

After integrating rules into a CloudFormation stack, experts recommend retaining templates in a private Git repository. Manage imported policies with a continuous integration and delivery (CI/CD) pipeline and the Policies folder the tool automatically generates in the current local directory where the created templates were downloaded. Git repository version control allows pull requests, branch management, and history tracking. This process helps your team examine, update, and apply policies with better cooperation and control. Set up a CI/CD pipeline to automate CloudFormation stack updates to ensure regular and reliable updates. One suggestion is to install CloudFormation Hooks. CloudFormation Hooks can verify policies' syntax, security, and vulnerability reduction.

In conclusion

By integrating your AWS Organization's RCPs and SCPs into CloudFormation, you can manage and automate AWS governance efficiently. After import, you can maintain and change policies in CloudFormation to ensure company-wide consistency and version control. The program also creates a Policies folder in your current directory with downloaded templates for use as a central repository and with a continuous integration/continuous delivery pipeline. CloudFormation Hooks can test SCPs and RCPs against policy language and best practices to improve policy management. Centralising policy changes reduces misconfiguration and improves governance automation.

via Twitter https://twitter.com/releaseteam