
Identity Center - IDC

Current Status

  • AWS IDC enabled in the Dev account. The IAM team has Admin permissions assigned through one role (“”).
  • Completed the delegated admin setup in dev. The process can be repeated for the prod master payer (gecc). Rakesh to write the steps in Confluence.
  • Created a role in dev - identity-center-admin - that gives the identity team permissions to perform only directory sync-related operations.

Test Status: Successful

  • Created a role in dev - delegated-identity-admin - this role gives the identity team (or a BU team) permissions to create/delete permission sets carrying a particular tag only, and then allows assignment of groups and permission sets only to the accounts specified in the role (identity accounts). We can do some more testing on this; it is not a very scalable approach. I think AWS has a request to do assignment of accounts at OU level in the role.

Challenge: manual, with no automation. Delegated administration for Identity Center has to be managed by hand. Document the approach used to tag-scope the Delegated Administrator role.

Test Status: a meeting is to be held to test the delegated admin role and confirm that permission sets can be assigned only to the targeted accounts and cannot affect any other account.
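The shape of the delegated-identity-admin role policy described above, written out as an added example (this is not the policy from the dev account, whose exact statements are not recorded here). The instance ID ssoins-0123456789abcdef, the tag key/value ManagedBy=identity-team and the account IDs 111111111111 and 222222222222 are placeholders; the permission-set and instance ARN forms are the standard ones, and the account resource form arn:aws:iam::<account-id>: is the Account resource type the Service Authorization Reference lists for IAM Identity Center, but both the resource types per action and the tag conditions should be confirmed against the current reference and the dev test before this is promoted to prod.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverInstancePermissionSetsAndGroups",
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:ListTagsForResource",
        "sso:ListAccountAssignments",
        "identitystore:ListGroups",
        "identitystore:DescribeGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreatePermissionSetsOnlyWithOwnerTag",
      "Effect": "Allow",
      "Action": "sso:CreatePermissionSet",
      "Resource": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
      "Condition": {
        "StringEquals": { "aws:RequestTag/ManagedBy": "identity-team" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["ManagedBy"] }
      }
    },
    {
      "Sid": "ModifyOrDeleteOnlyOwnTaggedPermissionSets",
      "Effect": "Allow",
      "Action": [
        "sso:DeletePermissionSet",
        "sso:UpdatePermissionSet",
        "sso:AttachManagedPolicyToPermissionSet",
        "sso:DetachManagedPolicyFromPermissionSet",
        "sso:PutInlinePolicyToPermissionSet",
        "sso:DeleteInlinePolicyFromPermissionSet",
        "sso:TagResource",
        "sso:UntagResource"
      ],
      "Resource": "arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/ManagedBy": "identity-team" }
      }
    },
    {
      "Sid": "AssignOnlyToIdentityAccounts",
      "Effect": "Allow",
      "Action": [
        "sso:CreateAccountAssignment",
        "sso:DeleteAccountAssignment",
        "sso:ProvisionPermissionSet"
      ],
      "Resource": [
        "arn:aws:sso:::instance/ssoins-0123456789abcdef",
        "arn:aws:sso:::permissionSet/ssoins-0123456789abcdef/*",
        "arn:aws:iam::111111111111:",
        "arn:aws:iam::222222222222:"
      ]
    }
  ]
}
```

Two points worth checking in the dev test. First, the account scoping is by explicit account ID in the Resource list, which is exactly why the approach does not scale: every new identity account means a policy change, since there is no OU-level resource to target. Second, the tag scoping only holds if the role cannot claim a permission set it did not create; here sso:TagResource is allowed only on permission sets that already carry ManagedBy=identity-team, so an untagged or differently tagged set owned by the central team cannot be retagged and then modified. If testing shows that creating a permission set with tags also needs sso:TagResource, grant it only under the same aws:RequestTag condition as the create statement, and make the central admins tag every permission set they own so the ResourceTag condition has something to match against. The negative test for the meeting is to assume the role and run aws sso-admin create-account-assignment against an account not in the list, and against a permission set without the tag; both should fail with AccessDeniedException.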

  • Production change needs to be enabled - Rakesh
    • Enable Identity Center in AWS IAM prod (Corporate Tenant)
    • Provide delegated admin to the Identity AWS account to manage permission sets (VDS and SSO account)
  • Next steps: EY vendor engagement
    • Demonstrate least-privilege access for each persona: create groups and permission sets to grant the required access, and limit admin access to a small group across all IAM accounts instead of generic BU_Admin roles
    • Replace local IAM accounts with AWS role-based access
    • Use WIZ controls for monitoring and enforcement of the required policies