Automate multi-account permissions management in AWS using CloudKnox and AWS Control Tower

by Kanishk Mahajan | on 15 MAR 2021

This blog post was written by Kanishk Mahajan, ISV Solutions Architecture Lead at AWS, and guest author Maya Neelakandhan, Head of Customer Success at CloudKnox.

Introduction

Permissions management in AWS empowers security and cloud infrastructure teams to protect your cloud resources from misuse of identity permissions. Cloud security requires continuous enforcement of least-privilege policies across all AWS accounts in the AWS organization. Having a multi-account strategy is a best practice to achieve higher isolation of resources. It also helps to meet regulatory and compliance needs, track operational costs, and add an extra layer of security. AWS Control Tower uses AWS best practices to establish a well-architected, multi-account baseline. It also enables governance across your AWS accounts. Many customers use AWS Control Tower to manage and govern multi-account AWS environments. For more information about managing multi-account AWS environments with AWS Control Tower, see Getting Started with AWS Control Tower. CloudKnox is an APN Advanced partner. The CloudKnox SaaS solution available in AWS Marketplace provides continuous monitoring and profiling of permissions granted to AWS Identity and Access Management (IAM) users and roles. CloudKnox enables security operations and cloud infrastructure teams to continuously create, monitor, and enforce least-privilege policies across all AWS accounts from a single dashboard.
This ensures that every identity that can access cloud infrastructure has only the permissions needed to perform its specific required tasks. Such identities include employees, third-party contractors, service accounts, applications, and cloud resources such as Amazon Elastic Compute Cloud (Amazon EC2) instances. In this blog post, Maya and I share a new solution that integrates CloudKnox with AWS Control Tower. It enables all newly added AWS accounts in an AWS Control Tower environment to be automatically enrolled with CloudKnox using Account Factory. The integration allows CloudKnox-based permissions management to be enabled automatically for all newly added AWS accounts, including detection and enforcement of least privilege and rightsizing of IAM permissions.

Prerequisites

You must complete the following prerequisites before implementing the CloudKnox and AWS Control Tower integration solution:
Solution overview

The AWS Control Tower integration with CloudKnox is based on automation of AWS Control Tower lifecycle events via Amazon CloudWatch Events and AWS CloudFormation StackSets. It consists of one AWS CloudFormation template that fully automates the provisioning, setup, and integration of all the components necessary for this solution. The AWS CloudFormation template and a detailed README for this solution are available here. This template is deployed in the AWS Control Tower management account, and it creates the following components:
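As an added illustration (not code from the solution's template or from CloudKnox), the following Python Lambda handler is the kind of target such a lifecycle rule would invoke: it acts only on a SUCCEEDED CreateManagedAccount or UpdateManagedAccount event from the `aws.controltower` source, validates the new account ID, and adds the account to a StackSet so it receives the same cross-account role as every other member. The StackSet name and target region are assumptions.

```python
import re

# Assumptions for this example: the StackSet that deploys the CloudKnox
# cross-account role into each member account, and the region to target.
STACKSET_NAME = "CloudKnox-Member-Role"   # placeholder name, not the solution's real one
TARGET_REGIONS = ["us-east-1"]            # IAM roles are global; one region suffices

# Control Tower puts the outcome of each lifecycle action under its own status key.
_STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def parse_lifecycle_event(event):
    """Return (account_id, account_name) for a SUCCEEDED lifecycle event, else None."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    status_key = _STATUS_KEYS.get(detail.get("eventName"))
    if status_key is None:
        return None                       # some other Control Tower API call
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":
        return None                       # FAILED / IN_PROGRESS: account not usable yet
    account = status.get("account", {})
    account_id = account.get("accountId", "")
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"unexpected accountId in lifecycle event: {account_id!r}")
    return account_id, account.get("accountName", "")


def build_stack_instance_request(account_id):
    """Parameters for cloudformation.create_stack_instances targeting the new account."""
    return {"StackSetName": STACKSET_NAME, "Accounts": [account_id], "Regions": TARGET_REGIONS}


def lambda_handler(event, context, cfn_client=None):
    """Entry point for the CloudWatch Events rule; cfn_client is injectable for tests."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"enrolled": False}
    account_id, account_name = parsed
    if cfn_client is None:
        import boto3                      # imported lazily so the module loads without it
        cfn_client = boto3.client("cloudformation")
    resp = cfn_client.create_stack_instances(**build_stack_instance_request(account_id))
    return {"enrolled": True, "accountId": account_id, "accountName": account_name,
            "operationId": resp.get("OperationId")}
```

Events in any state other than SUCCEEDED are ignored rather than retried, so a failed account creation never results in a half-enrolled account.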
The following architecture diagram illustrates the components of AWS Control Tower and the CloudKnox integration.
Step-by-step walkthrough

Follow these steps to set up the CloudKnox integration with AWS Control Tower.

Set up CloudKnox integration with AWS Control Tower
Test your integration

Test the integration by adding a managed account and creating a lifecycle event.

Add the managed account
It can take up to 30 minutes for the account to be created and the AWS Control Tower lifecycle event to trigger.

Test your integration

To check that the integration is working, do the following:
Conclusion

In this blog post, we have described our new marketplace solution to automatically enroll AWS Control Tower accounts with CloudKnox. CloudKnox's integration with AWS Control Tower enables you to automatically extend the permissions management capabilities of CloudKnox to enforce the principle of least privilege in a multi-account AWS environment. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.

About the Authors

Kanishk is an ISV Solutions Architecture Lead at AWS. In this role, he leads cloud transformation and solution architecture for our Independent Software Vendor partners and mutual customers in all areas that relate to management and governance, security and compliance, and migrations and modernizations in AWS.