Deploying "TEAM" and Building the Best Engineering "Team" (Amarathon 2025)

Yuji Oshima

November 22, 2025
Transcript

  1. Profile
    Yuji Oshima, Senior Security Architect, NRI Secure Technologies, Ltd. / Nomura Research Institute, Ltd.
    I have obtained over 100 certifications and am also dedicated to disseminating technical information and managing communities. @yuj1osm
  2. Table of Contents
    01 | Multi-Accounts and IAM Design
    02 | Access Control with TEAM
    03 | Design and Implementation of TEAM
    04 | Benefits of TEAM
    05 | Summary
  3. Benefits of Multi-Accounts
    Single Account Architecture
    • Complex permission management makes it difficult to ensure security
    • Difficulty tracking costs per workload
    • Prone to operational errors, and quota issues make it difficult to operate
    Multi-Account Architecture
    • Improve security by separating privileges
    • Easily understand costs for each workload
    • Improve operational efficiency by minimizing the impact of work
    [Diagram: one Amazon Cloud account containing VPC (Development), VPC (Staging) and VPC (Production), versus separate Amazon Cloud (Development), (Staging) and (Production) accounts]
  4. Jump Account Method
    • Set up a Jump account and consolidate IAM users there
    • Users log in to the Jump account and switch roles to each account
    • Permissions for each account are granted to the target role
    [Diagram: User1 to User3 log in to Amazon Cloud (Jump), then switch roles via Amazon STS to a role holding the permissions in Amazon Cloud (Development), (Staging) and (Production)]
  5. Tips for IAM design using the Jump Account method
    • Create groups based on actual roles
    • Create roles for each account based on their role
    • Define the switching account and IAM role for each IAM group
    [Diagram: users admin01, leader01 and member01 belong to JumpAdminGroup, LeaderGroup and MemberGroup in Amazon Cloud (Jump); the switch targets are Jump_AdminRole in the Jump account and Dev_LeaderRole, Dev_MemberRole, Dev_ReadOnlyRole, Stg_LeaderRole, Stg_MemberRole, Stg_ReadOnlyRole, Prod_LeaderRole, Prod_MemberRole and Prod_ReadOnlyRole in the Development, Staging and Production accounts]
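The Jump Account method of the previous two slides comes down to two policy documents: an identity policy on each Jump-account group that lists the roles it may switch to, and a trust policy on each target role that trusts only the Jump account. The following Python helper is an added example (not code from the deck or from AWS) that generates both from a group-to-role mapping and lets you query it, which is the check slide 6 asks for ("who can reach production?"). The account IDs are placeholders, and the exact group-to-role assignment is an assumption; the slide shows the names, not the mapping.

```python
"""Jump-account IAM policy generator (added example, not from the deck).

Emits, from a group -> switchable-role mapping:
  * the identity policy attached to each IAM group in the Jump account, which
    allows sts:AssumeRole only on that group's target roles, and
  * the trust policy of each target role, which trusts only the Jump account
    and requires an MFA-authenticated session.
Account IDs are placeholders; the group-to-role assignment is an assumption.
"""
import json

JUMP_ACCOUNT = "111111111111"                  # placeholder account id
ACCOUNTS = {"Dev": "222222222222",             # placeholder account ids
            "Stg": "333333333333",
            "Prod": "444444444444"}

# Assumed assignment: members only get read-only access in production by default.
GROUP_ROLES = {
    "JumpAdminGroup": ["Jump_AdminRole"],
    "LeaderGroup": ["Dev_LeaderRole", "Stg_LeaderRole", "Prod_LeaderRole"],
    "MemberGroup": ["Dev_MemberRole", "Stg_MemberRole", "Prod_ReadOnlyRole"],
}


def role_arn(role_name):
    """Role names carry their account prefix (Jump_/Dev_/Stg_/Prod_)."""
    prefix = role_name.split("_", 1)[0]
    account = JUMP_ACCOUNT if prefix == "Jump" else ACCOUNTS[prefix]
    return f"arn:aws:iam::{account}:role/{role_name}"


def group_policy(group):
    """Identity policy for one Jump-account IAM group: assume only its roles, with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"SwitchRoleFrom{group}",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [role_arn(r) for r in GROUP_ROLES[group]],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def trust_policy(role_name):
    """Trust policy for a target role: only principals from the Jump account, only with MFA.
    The role name is accepted so callers can generate one document per role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TrustJumpAccountWithMfa",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{JUMP_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def can_assume(group, role_name):
    """True if the group's identity policy lists the role's ARN in an Allow statement."""
    arn = role_arn(role_name)
    return any(arn in stmt["Resource"]
               for stmt in group_policy(group)["Statement"]
               if stmt["Effect"] == "Allow")


def groups_reaching(prefix):
    """Groups that can switch into the account with the given prefix at all,
    i.e. the review question of slide 6 answered from the mapping."""
    return sorted(g for g, roles in GROUP_ROLES.items()
                  if any(r.startswith(prefix + "_") for r in roles))


if __name__ == "__main__":
    for group in GROUP_ROLES:
        print(group, json.dumps(group_policy(group), indent=2))
    print("Trust policy for Prod_LeaderRole:",
          json.dumps(trust_policy("Prod_LeaderRole"), indent=2))
    print("Groups reaching Prod:", groups_reaching("Prod"))
```

Running the script prints each group's identity policy and the trust policy to attach to a production role; `groups_reaching("Prod")` is the quick inventory an auditor wants before deciding, as the next slide does, whether standing production access is acceptable at all.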
  6. How should we handle access control for the production environment?
    • Change Management: When and who accessed the production environment for change operations?
    • Production Access Control: Is the production environment accessible at any time?
    [Diagram: the same Jump account groups and Dev/Stg/Prod roles as slide 5, with the question "How to manage and control this?" pointing at the Production account roles]
  7. TEAM (Temporary Elevated Access Management)
    What is TEAM?
    • Abbreviation for Temporary Elevated Access Management
    • An authorization-based workflow for managing access to accounts
    • Provided as an application accessible through the IAM Identity Center access portal
    [Screenshot: Amazon Web Services environment]
  8. Workflow for Production Access Control with TEAM (Application) [1/3]
    • The user only has read-only permissions for the production account
    • Select TEAM from the applications in the Amazon Web Services access portal
    [Screenshot: Amazon Web Services access portal]
  9. Workflow for Production Access Control with TEAM (Application) [3/3]
    • Enter the account and role
    • The status is pending because the request has not been approved yet
  10. Workflow for Production Access Control with TEAM (Approval)
    • The approver selects the relevant request from “Approve request,” enters a comment, and approves it.
  11. Workflow for Production Access Control with TEAM (Authorization)
    • Since it has been approved, the status is now set to “approved.”
    • Access permissions to the production account have been added
    [Screenshot: Amazon Web Services access portal]
  12. Overall Team Structure
    ① Access the Amazon Web Services access portal in IAM Identity Center
    ② Access the TEAM application
    ③ Request elevated access
    ④ Approve elevated access
    ⑤ Activate elevated access
    ⑥ Invoke elevated access
    ⑦ Log session activity
    ⑧ End elevated access
    ⑨ Review request details and session activity logs
    [Diagram: Amazon Organization with the Amazon access portal, the TEAM application, the Amazon Management Console and the Amazon target environment / Amazon account(s)]
  13. Organizing permissions for migration to IAM Identity Center
    ① Organize the roles and policies of each account, and create permission sets from them
    ② Organize the Jump account groups and policies, and register the groups with Entra ID (users and groups are provisioned to IAM Identity Center via SCIM)
    ③ Create an assignment (User/Group × Permission Set × Account); utilize CloudFormation
    [Diagram: the current Jump account SSO setup (user01 and user02 in Group A and Group B in Amazon Cloud (Jump), switching roles to Role X1/Role X2 in Amazon Cloud (XXX) and Role Y1/Role Y2 in Amazon Cloud (YYY)) mapped to Microsoft Entra ID groups, IAM Identity Center permission sets and account assignments]
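Steps ① and ③ of this migration are mechanical once the role inventory exists, which is why the slide suggests CloudFormation. The following Python script is an added example (not the deck's or any AWS sample's template) that turns a small inventory into a CloudFormation template: every per-account role becomes an `AWS::SSO::PermissionSet`, and every (group, role) pair that was switchable in the Jump account becomes an `AWS::SSO::Assignment`. Step ② (registering groups in Entra ID and SCIM provisioning) happens outside CloudFormation, so the script only takes the resulting Identity Store group ids as input. The instance ARN, account ids, group ids and the managed policies attached to each role are placeholders or assumptions.

```python
"""CloudFormation template generator for the Identity Center migration
(added example; not the deck's own template).

Step 1: each per-account role becomes an AWS::SSO::PermissionSet.
Step 3: each (group, role) pair becomes an AWS::SSO::Assignment.
All ARNs, account ids and group ids below are placeholders.
"""
import json

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"   # placeholder

# Role inventory from step 1: role name -> (account id, managed policy ARNs).
# Accounts "XXX"/"YYY" from the slide get placeholder ids; policies are assumed.
ROLES = {
    "Role_X1": ("222222222222", ["arn:aws:iam::aws:policy/ReadOnlyAccess"]),
    "Role_Y1": ("333333333333", ["arn:aws:iam::aws:policy/PowerUserAccess"]),
}
# Identity Store group ids after SCIM provisioning (placeholders).
GROUPS = {"Group A": "PLACEHOLDER-GROUP-A-ID", "Group B": "PLACEHOLDER-GROUP-B-ID"}
# Who could switch to which role in the Jump account -> assignments to create.
ASSIGNMENTS = [("Group A", "Role_X1"), ("Group B", "Role_Y1")]


def logical_id(*parts):
    """CloudFormation logical IDs must be alphanumeric; strip everything else."""
    return "".join(c for c in "".join(parts) if c.isalnum())


def permission_set(role_name):
    """One permission set per former role, with the same managed policies."""
    _, policies = ROLES[role_name]
    return {
        "Type": "AWS::SSO::PermissionSet",
        "Properties": {
            "InstanceArn": INSTANCE_ARN,
            "Name": role_name,
            "SessionDuration": "PT4H",          # assumed session length
            "ManagedPolicies": policies,
        },
    }


def assignment(group, role_name):
    """Group x permission set x account, referencing the permission set by GetAtt."""
    account, _ = ROLES[role_name]
    return {
        "Type": "AWS::SSO::Assignment",
        "Properties": {
            "InstanceArn": INSTANCE_ARN,
            "PermissionSetArn": {"Fn::GetAtt": [logical_id(role_name, "PermissionSet"),
                                                "PermissionSetArn"]},
            "PrincipalType": "GROUP",
            "PrincipalId": GROUPS[group],
            "TargetType": "AWS_ACCOUNT",
            "TargetId": account,
        },
    }


def build_template():
    """Assemble the full template as a JSON-serialisable dict."""
    resources = {}
    for role in ROLES:
        resources[logical_id(role, "PermissionSet")] = permission_set(role)
    for group, role in ASSIGNMENTS:
        resources[logical_id(group, role, "Assignment")] = assignment(group, role)
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
```

Keeping the assignment list as data rather than hand-written resources is what makes the review question of the next slides ("are any unexpected permissions being granted?") answerable: the list is the complete statement of who can reach which account through Identity Center.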
  14. Designing rules for persona assignment and approval workflows
    TEAM has four personas:
    • Requester: request access (visible to everyone)
    • Approver: approve access requests (visible to everyone)
    • Auditor: audit logs (visible only to Auditors)
    • Admin: managing rules (visible only to Admins)
    Designing persona assignment and approval rules
    • Persona assignment design
    • What should be submitted for approval?
    • Who should approve/reject?
    • Maximum time for granting approval
    • Notification destinations (Mail, Chat, ...)
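The design questions on this slide, together with the request/approve/activate/end lifecycle of slide 12, are easiest to reason about as a small state machine. The Python model below is an added example and a hypothetical design, not TEAM's own data model or API: an eligibility rule says which group may request which permission set in which account, for at most how long, and which group approves; a request is rejected at submission if no rule matches or the duration is too long, cannot be approved by the requester or by someone outside the approver group, and is active only between approval and its end time. Every decision is appended to an audit list, which is the data the Auditor persona reviews. Group names come from the deck; the rules, memberships, durations and the constructed clock `T0` are assumptions.

```python
"""Hypothetical model of TEAM-style persona and approval rules (added example).

Not TEAM's schema; it only makes the slide's design questions concrete:
who may request what, who approves, how long a grant may last, and what the
Auditor can later review.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class EligibilityRule:
    requester_group: str      # group that may submit the request
    account: str
    permission_set: str
    max_duration_hours: int   # "maximum time for granting approval"
    approver_group: str       # "who should approve/reject?"


# Assumed rules and memberships, using the group/role names from the deck.
RULES = [
    EligibilityRule("MemberGroup", "Production", "Prod_MemberRole", 4, "LeaderGroup"),
    EligibilityRule("LeaderGroup", "Production", "Prod_LeaderRole", 8, "JumpAdminGroup"),
]
GROUP_MEMBERS = {
    "MemberGroup": {"member01"},
    "LeaderGroup": {"leader01"},
    "JumpAdminGroup": {"admin01"},
}

T0 = datetime(2025, 11, 22, 9, 0, tzinfo=timezone.utc)   # constructed clock


def hours_after(h):
    """Point in time h hours after the constructed clock start T0."""
    return T0 + timedelta(hours=h)


def groups_of(user):
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


@dataclass
class Request:
    requester: str
    account: str
    permission_set: str
    duration_hours: int
    status: str = "pending"   # pending -> approved | rejected
    reason: str = ""
    approver: Optional[str] = None
    start: Optional[datetime] = None
    end: Optional[datetime] = None


class Workflow:
    def __init__(self):
        self.audit = []   # every decision, for the Auditor persona

    def _log(self, event, req, **extra):
        self.audit.append({"event": event, "requester": req.requester,
                           "permission_set": req.permission_set, **extra})

    def _rule_for(self, req):
        for rule in RULES:
            if (rule.requester_group in groups_of(req.requester)
                    and rule.account == req.account
                    and rule.permission_set == req.permission_set):
                return rule
        return None

    def submit(self, requester, account, permission_set, duration_hours):
        """Step 3 of slide 12: eligibility and duration are checked up front."""
        req = Request(requester, account, permission_set, duration_hours)
        rule = self._rule_for(req)
        if rule is None:
            req.status, req.reason = "rejected", "requester not eligible for this permission set"
        elif duration_hours > rule.max_duration_hours:
            req.status, req.reason = "rejected", f"duration exceeds {rule.max_duration_hours}h limit"
        self._log("submit", req, status=req.status, reason=req.reason)
        return req

    def approve(self, req, approver, now, comment=""):
        """Step 4: only the rule's approver group, never the requester themselves."""
        if req.status != "pending":
            return req
        rule = self._rule_for(req)   # not None: the request passed submit()
        if approver == req.requester or rule.approver_group not in groups_of(approver):
            req.reason = "approver not authorized (self-approval or wrong group)"
            self._log("approve-denied", req, approver=approver, reason=req.reason)
            return req
        req.status, req.approver = "approved", approver
        req.start, req.end = now, now + timedelta(hours=req.duration_hours)
        self._log("approve", req, approver=approver, comment=comment)
        return req

    def is_active(self, req, now):
        """Steps 5 to 8: access exists only inside the approved window."""
        return req.status == "approved" and req.start <= now < req.end
```

The two failure modes worth noticing are the ones a rule review should catch: a requester who is in no rule at all (rejected before anyone is notified), and an approver group that overlaps with the requester group, which is why the check refuses self-approval even when the groups would otherwise allow it.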
  15. Gradually expanding the scope of application from small-scale operations
    • Test operations with a small team, gradually expanding the scope of adaptation
    • Operate in parallel with existing systems to minimize the impact on business
    • Review settings and operations based on feedback: Is the assignment of personas sufficient? Are any unexpected permissions being granted? etc.
    [Diagram: scope expanding from "my team" to "individual" to "whole department"]
  16. IAM Identity Center × TEAM
    • Use SSO users provisioned from Entra ID
    • Switch roles to non-production accounts via the IAM Identity Center access portal
    • Switch roles to production accounts after approval in TEAM
    • Used 216 times in about a year
    [Diagram: Microsoft Entra ID groups (Group A, Group B) provisioned via SCIM, replacing the Amazon Cloud (Jump) switch-role setup; Role X1/Role X2 and Role Y1/Role Y2 in the Amazon Cloud (XXX) accounts]
  17. IAM Identity Center × TEAM
    User Perspective
    • Switching roles between accounts is now simpler
    • The path to requests is shorter, with a simpler and clearer UI
    → Improved development efficiency
    Administrator Perspective
    • Freed from IAM management
    • Setting management such as assigning personas and request rules is now simpler
    → Improved operational efficiency
    Through “TEAM”, all “Team” members have improved their operational and security awareness (Users + Admins = One Team)
  18. Summary
    • In multi-account configurations, consider access management for production accounts
    • “IAM Identity Center × TEAM” enables easy control
    • TEAM implementation enhances team productivity, security and compliance