Sep 8, 2022

Resources

Scalable AWS Access Management Part 2: Supporting Enterprises of all Sizes

Scalable AWS Access Management Part 2: Supporting Enterprises of all Sizes

Scalable AWS Access Management Part 2: Supporting Enterprises of all Sizes

Scalable AWS Access Management Part 2: Supporting Enterprises of all Sizes

Understanding Opal’s Vision

In the previous blog, we discuss why access is over-provisioned and how Opal can help enterprises to implement least privilege with their cloud infrastructure. This post will outline our vision to enhance support for large deployments with AWS Organizations and AWS Identity Center SSO. 

Supporting Flexibility and Choice

In the words of our friends over at AWS, least privilege is a journey, not a destination. We at Opal deeply understand our role in helping customers accelerate AWS best practices. Feedback is equally vital in this relationship, and we’ve heard from our users that they are increasingly adopting more accounts to create firm organizational boundaries around sensitive resources.

There’s a lot of software that values function over usability. At Opal, we believe in form, not just function. It became clear that we needed to support our customer’s multi-account experience to help them adopt Opal faster. After many customer interviews, three patterns emerged.

  1. The need for Just-In-Time (JIT) access - Regardless of IAM strategy,  companies without JIT were significantly over-provisioned by comparison.

  2. Mandates for Identity Federation - Static IAM users present the most risk.  Single Sign-On (SSO) with Identity Center is the goal for large enterprises, but strategies are fragmented; many still use legacy federation instead of Identity Center SSO.

  3. IAM Migrations are Complex, Time-Consuming Projects - Moving between strategies is a time-consuming process involving people, processes, and tools. The sophistication of the Identity Provider is a critical dependency that can delay migrations for quarters or even years.

These conversations validated many of our assumptions, but we were most surprised with the level of fragmentation across IAM strategies. This insight was the foundational reason we chose to support AWS organizations and AWS Identity Center SSO as distinct, complementary additions to give our customers maximum flexibility and choice as they mature AWS deployments.

Officially Announcing Native Integrations with AWS Organizations and AWS Identity Center SSO

We are excited to announce two complimentary API-driven integrations: AWS Organizations and Identity Center SSO.

Both will offer admins frictionless onboarding for large multi-account deployments and an intuitive new interface for end-users to request and access resources across accounts.

The Right Solution for Me

We secure access for small startups to the largest enterprises at Opal. Most follow a progression on AWS, starting with a few accounts, adopting an organizational model, and scaling to the Identity Center SSO. Each method uses a different AWS Security Token Service (STS) API.

Opal AWS Accounts

Introduced in part one of the blog series, Opal’s integration with AWS Accounts is the most accessible starting point. Create an IAM service account for Opal in each AWS Account and import resources. Opal issues temporary IAM role credentials via STS AssumeRole.

This approach appeals to small deployments, typically ten accounts or less, that do not have access to an identity provider.

Opal AWS Organizations

Opal’s integration with AWS organizations is a lightweight, federated approach between Opal, AWS, and an OpenID Connect capable Identity Provider. Opal connects seamlessly to your AWS organization and automatically imports resources across all accounts. Opal issues temporary IAM role credentials via STS AssumeRoleWithWebIdentity.

This approach is excellent for deployments of any size and pairs well with Infrastructure as Code for IAM and identity providers that support OpenID Connect. Complex protocols like SCIM are not required. 

From our design partners:

“The integration with our IdP was simple!!” - Senior Security Engineer

“Opal’s organizational approach allowed us to use our existing Terraform managed roles with minimal effort.” - Staff DevOps Engineer

“Migrating to the solution brought Opal’s fine-grained resource model that our developers were familiar with to every account in an automated way.” - Director of Security Engineer

Opal AWS Identity Center SSO

Opal’s integration with AWS identity center provides out-of-the-box support for Identity Center permission sets as first-class resources in Opal. Opal assigns users and groups to permission sets via AWS Identity Center APIs, and AWS issues temporary credentials via STS AssumeRoleWithSAML.

This approach is perfect for existing identity center users who want deep visualization of access paths and JIT request flows for permission sets. Identity provider deployments for these customers are sophisticated and mature.

From our design partners:

“We did a lot of work to migrate to identity center (role migration, SCIM, etc.), so we could manage IAM more scalably and provide both console and CLI access in one platform, which our developers liked!” - Staff Security Engineer

“We were always overprovisioned without a just-in-time platform and out of compliance.  Opal’s helped us close this gap with auditable, automatic revocations and a deep understanding of how engineers had access to what.” - Manager, Cloud Security

“Opal’s visibility features made it easy for developers to find and request the permissions sets they need quickly.” - CISO

Summary

This blog post discusses Opal's vision to manage large AWS deployments with two new integrations, AWS Organizations and AWS Identity Center SSO. In part one, we discussed the account-based integration available today, and in the following parts, we deep dive into how our AWS Organizations and AWS Identity Center SSO integrations work.

About Opal:

Opal is the centralized authorization platform for IT and Infrastructure teams. Deeply integrated with developer infrastructure, SaaS applications, and custom internal tools, Opal enables companies to implement scalable access management.

Want to see it yourself? Contact hello@opal.dev or book a meeting here for a personalized demo.

Ready to see how Opal can help you achieve and maintain least privilege access?

Ready to see how Opal can help you achieve and maintain least privilege access?

Ready to see how Opal can help you achieve and maintain least privilege access?