Slide 1

Self-Service Implementation of AWS IAM Identity Center Permissions
JAWS PANKRATION 2024
©MIXI

Slide 2

Yusuke Hamano
- Based in Japan
- Software Engineer @ MIXI, Inc.
- OpsJAWS - Core Member
- AWS Community Builders - Security

Slide 3

Agenda
• Overview of AWS IAM Identity Center
• Issues with Centrally Managing Access
• Delegated Access Management Approach
• Summary

Slide 4

What is AWS IAM Identity Center?
• AWS IAM Identity Center lets organizations create workforce identities in AWS or connect their existing ones, which makes it easy to implement single sign-on (SSO).
• This improves security, streamlines user provisioning, and simplifies the user experience by letting users access multiple accounts with a single set of credentials.

Slide 5

Centrally Manage Access to Multiple AWS Accounts

Slide 6

Issues with Centrally Managing Access

Slide 7

Small/Medium-Scale Organization
The Central Identity Team receives access requests from the development teams, reviews them, and applies them in IAM Identity Center. Because the Central Identity Team understands how each development team works internally, it can review access requests appropriately. With only a limited number of development teams, the workload also remains manageable. In a small/medium-scale organization, such a centralized access management system can be operated without any issues.

Slide 8

Large-Scale Organization
As the number of development teams grows, the Central Identity Team can no longer keep track of how each development team works internally, which makes appropriate reviews difficult. The time-consuming review process also delays the granting of access requests, lowering the development teams' productivity. In a large-scale organization, such a centralized access management system leads to these issues.

Slide 9

Delegated Access Management Approach

Slide 10

Delegated Access Management Approach

Slide 11

Tech stack to implement this approach
• Infrastructure as Code Tool
  • Manage access permissions as code so that they can be reviewed.
  • e.g. Terraform, AWS CloudFormation, AWS CDK
• Git Hosting Service
  • Enable reviews through Pull Requests.
  • e.g. GitHub, GitLab
• CI/CD Service
  • Automate code checks and the application of access permission settings.
  • e.g. GitHub Actions, CircleCI, HCP Terraform

Slide 12

Proposed Architecture

Slide 13

Governance through GitHub Code Owners
The access permission definitions are split into one directory per unit, and the team that the unit's members belong to is defined as the code owner of that directory. This ensures that a unit's own team reviews changes to its permissions. The code owner settings themselves are managed by the Central Identity Team.

Slide 14

Governance via IAM Policies on apply roles
Governance is achieved by properly configuring the IAM Policies attached to the IAM Roles used during apply. With proper IAM Policy configuration, management of permission sets can also be delegated to the Unit Teams. For details on the delegation patterns, see the AWS Blog post "Delegating permission set management and account assignment in AWS IAM Identity Center." The IAM Policy settings are managed by the Central Identity Team.
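The CODEOWNERS governance of slide 13, the unit-scoped apply-role boundary of slide 14 and the "automate code checks" item of slide 11 can be tied together in a pull request check. The following is an added example, not code from the talk or from MIXI: it assumes a repository layout of units/<unit>/assignments.json owned by that unit's Delegated Identity Team, with governance files under .github/ and policies/ owned by the Central Identity Team, and a convention that permission set names carry a unit prefix. The team names, account IDs and file contents are constructed sample data. The IAM Policy on the unit's apply role remains the actual enforcement point; this check only surfaces the same violation earlier, at review time.

```python
"""Constructed CI check for a delegated IAM Identity Center repository (added example)."""
import fnmatch
import json

CENTRAL_TEAM = "@example-org/central-identity"  # constructed team name

# Constructed CODEOWNERS: catch-all and governance paths belong to the Central
# Identity Team, each unit directory to that unit's Delegated Identity Team.
CODEOWNERS = """\
*                   @example-org/central-identity
/.github/           @example-org/central-identity
/policies/          @example-org/central-identity
# Delegated Identity Teams own only their own unit directory
/units/payments/    @example-org/payments-identity
/units/search/      @example-org/search-identity
"""

# Constructed unit -> AWS account boundary (mirrors what the apply role's IAM
# Policy enforces; this check reports the violation during PR review instead).
UNIT_ACCOUNTS = {
    "payments": {"111111111111", "222222222222"},
    "search": {"333333333333"},
}

# Constructed pull request: path -> new file contents. The second assignment
# points a payments permission set at an account that belongs to the search unit.
CHANGED_FILES = {
    "units/payments/assignments.json": json.dumps([
        {"permission_set": "payments-developer", "account_id": "111111111111",
         "principal_type": "GROUP", "principal": "payments-devs"},
        {"permission_set": "payments-readonly", "account_id": "333333333333",
         "principal_type": "GROUP", "principal": "payments-auditors"},
    ]),
}


def parse_codeowners(text):
    """Return [(pattern, [owners, ...])] in file order, dropping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def owners_for(path, rules):
    """Resolve the owners of a path with simplified CODEOWNERS semantics: a leading
    '/' anchors the pattern to the repository root, a trailing '/' matches
    everything below that directory, anything else is a glob, and as on GitHub
    the last matching rule wins."""
    owners = []
    for pattern, rule_owners in rules:
        anchored = pattern.startswith("/")
        pat = pattern.lstrip("/")
        if pat.endswith("/"):
            haystack = "/" + path
            matched = haystack.startswith("/" + pat) if anchored else (("/" + pat) in haystack)
        else:
            matched = fnmatch.fnmatch(path, pat) or (
                not anchored and fnmatch.fnmatch(path.rsplit("/", 1)[-1], pat))
        if matched:
            owners = rule_owners
    return owners


def unit_of(path):
    """Return the unit name for units/<unit>/... paths, else None."""
    parts = path.split("/")
    return parts[1] if len(parts) >= 3 and parts[0] == "units" else None


def check_pull_request(changed_files, codeowners_text, unit_accounts):
    """Return human-readable findings; an empty list means the PR passes the check."""
    rules = parse_codeowners(codeowners_text)
    findings = []
    units_touched = {unit_of(p) for p in changed_files} - {None}
    if len(units_touched) > 1:
        # One unit per PR keeps the change applicable by a single unit's apply role.
        findings.append(f"PR touches several units: {sorted(units_touched)}")
    for path, content in changed_files.items():
        unit = unit_of(path)
        if unit is None:
            continue  # governance files: owned and reviewed by the Central Identity Team
        if owners_for(path, rules) in ([], [CENTRAL_TEAM]):
            findings.append(f"{path}: no Delegated Identity Team owns unit '{unit}' in CODEOWNERS")
        if not path.endswith("assignments.json"):
            continue
        for a in json.loads(content):
            if a["account_id"] not in unit_accounts.get(unit, set()):
                findings.append(f"{path}: {a['permission_set']} targets account "
                                f"{a['account_id']}, which is outside unit '{unit}'")
            if not a["permission_set"].startswith(unit + "-"):
                # Assumed naming convention: unit prefix on permission sets, mirroring a
                # per-unit name or tag condition in the apply role's IAM Policy.
                findings.append(f"{path}: permission set {a['permission_set']} lacks the '{unit}-' prefix")
    return findings


if __name__ == "__main__":
    for finding in check_pull_request(CHANGED_FILES, CONDEOWNERS if False else CODEOWNERS, UNIT_ACCOUNTS):
        print("FAIL:", finding)
```

Run in the CI workflow against the pull request's changed files, the check fails the build for the cross-unit account in the sample data while the CODEOWNERS resolution still routes the review to the payments team rather than the Central Identity Team, which is the division of labour slides 13 and 14 describe.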

Slide 15

Each team's role in the delegated access management approach
• Central Identity Team
  • Git repository and CI/CD workflow management
  • Code Owners management
  • IAM Policies management for the IAM Roles used during apply
• Delegated Identity Team for Each Unit
  • Review and apply the access permissions defined as Infrastructure as Code

Slide 16

Enable self-service for setting team member permissions without involving the Central Identity Team

Slide 17

Summary
• AWS IAM Identity Center lets you easily implement SSO and centrally manage access to multiple AWS Accounts.
• Centrally managing access is not much of an issue for small/medium-scale organizations, but in large organizations it leads to problems with development productivity and in other areas.
• By delegating access management to each unit, the unit's members can set permissions through self-service. We have introduced an architecture that achieves this.

Slide 18

Thank you!