SEC02-BP04: Rely on a centralized identity provider
For workforce identities (your employees, contractors, and partners), rely on an identity provider that enables you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and services because you are creating, managing, and revoking access from a single location.
Implementation guidance
Centralizing identity management provides numerous benefits, including simplified user management, consistent security policies, and improved user experience. By using a centralized identity provider, you can manage access across multiple AWS accounts and applications from a single location.
Key steps for implementing this best practice:
- Choose a centralized identity provider:
  - Use AWS IAM Identity Center as your primary identity provider
  - Or integrate with your existing identity provider:
    - Microsoft Active Directory (on-premises or AWS Managed Microsoft AD)
    - Azure Active Directory (Microsoft Entra ID)
    - Okta, Ping Identity, or other SAML 2.0 compatible providers
  - Consider your organization’s existing investments and requirements
  - Evaluate features like MFA support, user lifecycle management, and reporting capabilities
- Configure federation between AWS and your identity provider:
  - Set up SAML 2.0 federation
  - Configure attribute mapping to pass user attributes to AWS
  - Establish trust relationships between your identity provider and AWS
  - Test the federation setup with sample users
  - Document the federation configuration
- Implement single sign-on (SSO):
  - Enable SSO for AWS Management Console access
  - Configure SSO for AWS CLI and SDK access
  - Extend SSO to other business applications
  - Implement consistent authentication policies
  - Provide user training on SSO usage
- Manage user lifecycle centrally:
  - Implement automated user provisioning and deprovisioning
  - Synchronize user attributes and group memberships
  - Establish processes for handling user role changes
  - Implement regular access reviews
  - Create procedures for emergency access management
- Apply consistent security policies:
  - Enforce MFA through your identity provider
  - Implement consistent password policies
  - Apply conditional access policies based on user, device, and network context
  - Standardize session duration and timeout settings
  - Implement risk-based authentication where appropriate
- Monitor and audit identity activities:
  - Set up centralized logging for authentication events
  - Monitor for suspicious login attempts
  - Create alerts for unusual access patterns
  - Implement regular access reviews
  - Generate compliance reports for identity management
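The monitoring step above matters most where access does not come through the central identity provider at all: a console sign-in by a long-lived IAM user or by the root user never touches the federation you configured. The following is an added example, not part of this AWS page, that runs that check over constructed CloudTrail-shaped records (the account id, user names and IP addresses are placeholders) and also aggregates repeated failed console sign-ins per source IP.

```python
"""Audit CloudTrail sign-in records for access that bypasses a central identity
provider. Constructed sample events only; account id and IPs are placeholders."""
from collections import Counter

def console_login(identity, outcome, ip, mfa="No"):
    """Build a constructed, CloudTrail-shaped ConsoleLogin record (not real data)."""
    return {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
            "userIdentity": identity, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": outcome},
            "additionalEventData": {"MFAUsed": mfa}}

# A federated user reaches the console as an AssumedRole (MFA is enforced at the
# IdP, so the AWS record does not show it); an IAM user and root bypass the IdP;
# one source IP produces repeated failed attempts.
SAMPLE_EVENTS = [
    {"eventName": "AssumeRoleWithSAML", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "SAMLUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.10"},
    console_login({"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:"
                   "assumed-role/Federated-Admin/alice"}, "Success", "198.51.100.10"),
    console_login({"type": "IAMUser", "userName": "legacy-admin"}, "Success", "203.0.113.7"),
    console_login({"type": "Root"}, "Success", "203.0.113.7", mfa="Yes"),
] + [console_login({"type": "IAMUser", "userName": "legacy-admin"}, "Failure",
                   "192.0.2.44") for _ in range(4)]

def classify_sign_in(event):
    """Finding for a successful non-federated ConsoleLogin (IAM user or root), else None."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None  # failures are aggregated per source IP in audit_sign_ins
    identity, ip = event["userIdentity"], event["sourceIPAddress"]
    if identity["type"] == "Root":
        return "root console sign-in from %s" % ip
    if identity["type"] == "IAMUser":
        mfa = event.get("additionalEventData", {}).get("MFAUsed", "No")
        return "IAM user %s signed in outside the identity provider (MFA: %s)" % (
            identity["userName"], mfa)
    return None  # AssumedRole: the session came through the identity provider

def audit_sign_ins(events, failure_threshold=3):
    """Return every finding, including source IPs with repeated failed sign-ins."""
    findings = [f for f in map(classify_sign_in, events) if f]
    failed = Counter(e["sourceIPAddress"] for e in events
                     if e.get("eventName") == "ConsoleLogin"
                     and e.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    findings += ["%d failed console sign-ins from %s" % (n, ip)
                 for ip, n in failed.items() if n >= failure_threshold]
    return findings
```

On a real trail, feed `audit_sign_ins` the `Records` array of each delivered CloudTrail log file; the federated sign-in is deliberately left unflagged even though its record shows MFAUsed as No, because MFA for federated users is enforced at the identity provider.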
Implementation examples
Example 1: Setting up AWS IAM Identity Center with AWS Organizations
Example 2: Configuring SAML federation with an external identity provider
Example 3: Setting up AWS Managed Microsoft AD and AWS IAM Identity Center
AWS services to consider
Benefits of relying on a centralized identity provider
- Simplified user management: Manage users in a single location instead of across multiple systems
- Consistent security policies: Apply security policies uniformly across all applications and services
- Improved user experience: Users have a single set of credentials for accessing multiple systems
- Streamlined onboarding and offboarding: Quickly provision and deprovision access across multiple systems
- Enhanced security: Enforce strong authentication and access policies from a central location
- Reduced administrative overhead: Eliminate the need to manage users in multiple systems
- Improved compliance: Centralized visibility and control over user access
- Scalable access management: Easily manage access as your organization and AWS footprint grow