site-logo

JAWS PANKRATION 2024

site-logo
HomeNewsTimetableCfPCommitteePromotionFollow UpPrivacy Policy

Self-Service Implementation of AWS IAM Identity Center Permissions

Lv300

Lv300

8/24/2024 05:40 (UTC)

Session Info

The AWS IAM Identity Center (hereafter referred to as IdC) is a service that provides single sign-on (SSO) to AWS accounts, allowing it to substitute for AWS account login by IAM User.

However, there are constraints in the permission settings of IdC that need to be considered when designing its operational management.

To address this, we have made the IdC permission settings self-service, enabling each AWS account administrator to set permissions at their discretion.

In this session, we will present an overview of IdC, the reasons for making the IdC permission settings self-service, and how we achieved it.

Yusuke  Hamano

Yusuke Hamano

- AWS Community Builders -

- AWS User Community Leaders -



Session Category
Management and governance
Security
Identity and compliance


AWS Services
AWS IAM Identity Center

Session Materials


    Session Summary (by Amazon Bedrock)
      The speaker, Yusuke from Yokohama, discusses how to implement self-service engineering with AWS Identity Center. The presentation covers: 1. AWS Identity Center Overview: - Simplifies single sign-on for multiple AWS accounts - Centralizes permission management 2. Problems with centralized permission management: - In large organizations, the central identity team can become overwhelmed - Developers face delays in permission changes, affecting productivity 3. Solution: Delegating permission management to unit-level identity teams - Each business unit manages its own permissions - Reduces central team workload and improves review efficiency 4. Implementation architecture: - Uses Infrastructure as Code (e.g., Terraform) - Version control system (e.g., GitHub) - CI/CD services (e.g., GitHub Actions) 5. Workflow: - Developers submit permission change requests via pull requests - Unit-level identity teams review and approve changes - Automated processes apply approved changes to AWS Identity Center 6. Control mechanisms: - GitHub CODEOWNERS to enforce reviews - IAM policies on OIDC-based roles to restrict permissions 7. Team responsibilities: - Central Identity Team: Manages overall infrastructure and control mechanisms - Unit-level Identity Teams: Handle permission reviews and changes for their unit 8. Benefits: - Enables self-service permission management - Improves development productivity - Reduces central team workload The presentation concludes by emphasizing that this approach allows for self-service permission settings in AWS Identity Center, addressing the challenges of centralized management in large organizations while maintaining necessary controls.

    ©JAWS-UG (AWS User Group - Japan). All rights reserved.