
How to automate AWS account creation with SSO user assignment

Background

AWS Control Tower provides a straightforward way to set up and govern an Amazon Web Services (AWS) multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-On (AWS SSO), to build a landing zone quickly. AWS SSO is a cloud-based service that simplifies how you manage SSO access to AWS accounts and business applications using Security Assertion Markup Language (SAML) 2.0. You can use AWS Control Tower to create and provision new AWS accounts, and use AWS SSO to assign user access to those newly created accounts.

 

Some customers need to provision tens, or even hundreds, of new AWS accounts at once and assign access to many users. If you use AWS Control Tower, doing this requires that you provision an AWS account in AWS Control Tower, then assign user access to that account in AWS SSO, before moving on to the next account. This process adds complexity and time for the administrators who manage the AWS environment, while delaying users' access to their AWS accounts.

In this blog post, we show you how to automate creating multiple AWS accounts in AWS Control Tower, and how to automate assigning user access to those accounts in AWS SSO, in a way that can easily be repeated for subsequent batches of accounts. This solution simplifies the provisioning and assignment processes, enables automation of your AWS environment, and lets your builders start using and experimenting on AWS sooner.

Services used

This solution uses the following AWS services:

High-level solution overview

Figure 1 shows the architecture and workflow of the batch AWS account creation and SSO assignment processes.

Physique 1: Batch AWS accounts creation and SSO assignment automation architecture and workflow


Before you begin

This solution is configured to be deployed in the US East (N. Virginia) Region (us-east-1). However, you can modify the CloudFormation template to run in any Region that supports all of the services the solution requires.

AWS Control Tower Account Factory can take up to 25 minutes to create and provision a new account. During this time, you will be unable to use AWS Control Tower to perform actions such as creating an organizational unit (OU) or enabling a guardrail on an OU. As a best practice, run this solution during a period when you do not expect to use AWS Control Tower's features.

Gather required information

Note: You must have already configured AWS Control Tower, AWS Organizations, and AWS SSO to use this solution.

Before deploying the solution, you first need to gather some information for AWS CloudFormation.

The information you need to gather in the following steps is:

  • AWS SSO instance ARN
  • AWS SSO Identity Store ID
  • Admin email address
  • Amazon S3 bucket
  • AWS SSO user group ARN
  • AWS SSO permission set ARN

Prerequisite information: AWS SSO instance ARN

From the web console

You can find this information under Settings in the AWS SSO web console, as shown in Figure 2.

Figure 2: AWS SSO instance ARN


From the CLI

You can also get this information by running the following command with the AWS Command Line Interface (AWS CLI):

aws sso-admin list-instances

The output is similar to the following:


{
    "Instances": [
        {
            "InstanceArn": "arn:aws:sso:::instance/ssoins-abc1234567",
            "IdentityStoreId": "d-123456abcd"
        }
    ]
}

Take note of the InstanceArn value in the output; this is used as the AWS SSO instance ARN.

 

Prerequisite information: AWS SSO Identity Store ID

This is available from either the web console or the CLI.

From the web console

You can find this information on the same screen as the AWS SSO instance ARN, as shown in Figure 3.

Figure 3: AWS SSO identity store ID


From the CLI

The same AWS CLI command, aws sso-admin list-instances, returns this value: use the IdentityStoreId from the second key-value pair in the output.

Prerequisite information: Admin email address

The admin email address is the address that is notified whenever a new AWS account is created.

Prerequisite information: S3 bucket

The name of the Amazon S3 bucket to which the AWS account list CSV files will be uploaded to automate AWS account creation.

This globally unique bucket name is used to create a new Amazon S3 bucket, and the automation script receives events for new objects uploaded to that bucket.

Prerequisite information: AWS SSO user group ARN

Go to AWS SSO > Groups and select the user group to which you want to assign the permission set in the new AWS accounts. Copy the Group ID of the selected user group (despite the heading, the value the stack expects is the group ID, not an ARN). This can be a local AWS SSO user group or a user group synced from a third-party identity provider.

Note: The original procedure uses the AWS web console for this value, because the sso-admin CLI does not return group IDs. The AWS Identity Store API does (for example, aws identitystore list-groups --identity-store-id <identity-store-id> --filters AttributePath=DisplayName,AttributeValue=<group-name>), if it is available to you.

Figure 4: AWS SSO user group ARN


Prerequisite information: AWS SSO permission set

The ARN of the AWS SSO permission set to be assigned to the user group.

From the web console

To view existing permission sets in the AWS SSO web console, go to AWS accounts > Permission sets. From there, you can see a list of permission sets and their respective ARNs.

Figure 5: AWS SSO permission sets list


You can also select the permission set name and, from the permission set detail window, copy the ARN of the selected permission set. Alternatively, create your own permission set to be assigned to the intended user group.

Figure 6: AWS SSO permission set ARN


From the CLI

To get permission set information from the CLI, run the following AWS CLI command:

aws sso-admin list-permission-sets --instance-arn <instance-arn>

This command returns output like this:


{
    "PermissionSets": [
        "arn:aws:sso:::permissionSet/ssoins-abc1234567/ps-1234567890abcdef",
        "arn:aws:sso:::permissionSet/ssoins-abc1234567/ps-abcdef1234567890"
    ]
}
     
 

If you can't tell which permission set you need from the output above, you can get the details of each permission set by running the following AWS CLI command:

aws sso-admin describe-permission-set --instance-arn <instance-arn> --permission-set-arn <permission-set-arn>

The output looks like this:

     
{
    "PermissionSet": {
        "Name": "AWSPowerUserAccess",
        "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-abc1234567/ps-abc123def4567890",
        "Description": "Provides full access to AWS services and resources, but does not allow management of Users and groups",
        "CreatedDate": "2020-08-28T11:20:34.242000-04:00",
        "SessionDuration": "PT1H"
    }
}

 

The output lists the name and description of each permission set, which helps you identify which permission set ARN to use.

Solution initiation

The solution has two parts: the initiation, and the batch account creation and SSO assignment processes.

To initiate the solution

  1. Log in to the management account as the AWS Control Tower administrator, and deploy the provided AWS CloudFormation stack with the required parameters filled in.

    Note: To complete the required parameters of the solution, refer to steps 1 to 6 of the To launch the AWS CloudFormation stack procedure below.

  2. When the stack is successfully deployed, it performs the following actions to set up the batch process. It creates:
    • The S3 bucket to which you will upload the AWS account list CSV file.
    • A DynamoDB table. This table tracks the AWS account creation status.
    • A Lambda function, NewAccountHandler.
    • A Lambda function, CreateManagedAccount. This function is triggered by the entries in the Amazon DynamoDB table and initiates the batch account creation process.
    • An Amazon CloudWatch Events rule to detect the AWS Control Tower CreateManagedAccount lifecycle event.
    • Another Lambda function, CreateAccountAssignment. This function is triggered by AWS Control Tower lifecycle events via Amazon CloudWatch Events to assign the AWS SSO permission set to the specified user group in the new AWS account.

To create the AWS account list CSV file

After you deploy the solution stack, you need to create a CSV file based on the sample.csv and upload it to the Amazon S3 bucket created by this solution. This CSV file is used to automate the new account creation process.

CSV file format

The CSV file must follow this format:

AccountName,SSOUserEmail,AccountEmail,SSOUserFirstName,SSOUserLastName,OrgUnit,Status,AccountId,ErrorMsg
Test-account-1,test-account-sso-1@example.com,test-account-1@example.com,Fname-1,Lname-1,Test-OU-1,,,
Test-account-2,test-account-sso-2@example.com,test-account-2@example.com,Fname-2,Lname-2,Test-OU-2,,,
Test-account-3,test-account-sso-3@example.com,test-account-3@example.com,Fname-3,Lname-3,Test-OU-1,,,

The first line contains the column names, and each subsequent line describes a new AWS account that you want to create and to which the SSO user group will automatically be assigned with the permission set.

CSV fields

AccountName: String of 1 to 50 characters from [a-zA-Z0-9_-]
SSOUserEmail: String of more than seven characters; must be a valid email address for the primary AWS administrator of the new AWS account
AccountEmail: String of more than seven characters; must be a valid email address not used by any other AWS account
SSOUserFirstName: String, the first name of the primary AWS administrator of the new AWS account
SSOUserLastName: String, the last name of the primary AWS administrator of the new AWS account
OrgUnit: String; must be an existing AWS Organizations OU
Status: String, for future use
AccountId: String, for future use
ErrorMsg: String, for future use

Figure 7 shows the details that are included in our example for the new AWS accounts that will be created.

Figure 7: Sample AWS account list CSV

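The validation that NewAccountHandler applies to the uploaded file is the part of this solution most worth getting right, because a bad AccountEmail is only discovered after Account Factory has run. The following is an added example, not code from the original post or the solution's Lambda: a stand-alone checker that applies the CSV field rules listed above and splits rows into DynamoDB-ready items and rejects. The sample CSV is constructed for the example, and the email regex is a deliberately simple stand-in for whatever address check you prefer.

```python
"""Validate an AWS account list CSV before its rows are written to DynamoDB.

Added example, not code from the original post: a stand-alone version of
the validation the NewAccountHandler function performs on the uploaded CSV.
The field rules are the ones listed under "CSV fields"; the sample CSV is
constructed for this example.
"""
import csv
import io
import re

EXPECTED_COLUMNS = [
    "AccountName", "SSOUserEmail", "AccountEmail", "SSOUserFirstName",
    "SSOUserLastName", "OrgUnit", "Status", "AccountId", "ErrorMsg",
]
ACCOUNT_NAME_RE = re.compile(r"^[a-zA-Z0-9_-]{1,50}$")
# Deliberately simple address check: one "@", a dot in the domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def valid_email(value):
    """The page's rule: more than seven characters and a plausible address."""
    return len(value) > 7 and EMAIL_RE.match(value) is not None


def validate_row(row, seen_account_emails=frozenset()):
    """Return the list of problems with one row; an empty list means valid."""
    problems = []
    if not ACCOUNT_NAME_RE.match(row["AccountName"]):
        problems.append("AccountName must be 1-50 characters from [a-zA-Z0-9_-]")
    if not valid_email(row["SSOUserEmail"]):
        problems.append("SSOUserEmail must be a valid email longer than 7 characters")
    if not valid_email(row["AccountEmail"]):
        problems.append("AccountEmail must be a valid email longer than 7 characters")
    elif row["AccountEmail"].lower() in seen_account_emails:
        # A root email can belong to only one AWS account and cannot be changed
        # after creation, so a duplicate must be caught before Account Factory runs.
        problems.append("AccountEmail is duplicated within the file")
    for field in ("SSOUserFirstName", "SSOUserLastName", "OrgUnit"):
        if not row[field]:
            problems.append(f"{field} must not be empty")
    return problems


def validate_account_list(csv_text):
    """Parse the CSV and split it into DynamoDB-ready items and rejected rows.

    Returns (items, rejects). Status, AccountId and ErrorMsg are stored empty;
    the CreateManagedAccount function fills them in as accounts are created.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [c.strip() for c in (reader.fieldnames or [])]
    if header != EXPECTED_COLUMNS:
        raise ValueError("header must be exactly: " + ",".join(EXPECTED_COLUMNS))
    items, rejects, seen = [], [], set()
    for line_no, raw in enumerate(reader, start=2):  # line 1 is the header
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        problems = validate_row(row, seen)
        if problems:
            rejects.append({"line": line_no, "AccountName": row["AccountName"],
                            "errors": problems})
            continue
        seen.add(row["AccountEmail"].lower())
        items.append({**row, "Status": "", "AccountId": "", "ErrorMsg": ""})
    return items, rejects


# Constructed sample input: two valid rows, then two rows that must be rejected
# (an illegal AccountName, and a short SSOUserEmail plus a reused AccountEmail).
SAMPLE_CSV = """\
AccountName,SSOUserEmail,AccountEmail,SSOUserFirstName,SSOUserLastName,OrgUnit,Status,AccountId,ErrorMsg
Test-account-1,test-account-sso-1@example.com,test-account-1@example.com,Fname-1,Lname-1,Test-OU-1,,,
Test-account-2,test-account-sso-2@example.com,test-account-2@example.com,Fname-2,Lname-2,Test-OU-2,,,
Bad name!,test-account-sso-3@example.com,test-account-3@example.com,Fname-3,Lname-3,Test-OU-1,,,
Test-account-4,a@b.c,test-account-1@example.com,Fname-4,Lname-4,Test-OU-1,,,
"""

if __name__ == "__main__":
    good, bad = validate_account_list(SAMPLE_CSV)
    print(f"{len(good)} row(s) ready for DynamoDB, {len(bad)} rejected")
    for reject in bad:
        print(f"  line {reject['line']} ({reject['AccountName']!r}): "
              + "; ".join(reject["errors"]))
```

Rejected rows are reported with their line number rather than silently dropped, so an operator can fix the file and re-upload it; the duplicate-email check only covers the file itself, since whether an address is already used by an existing account is something only Account Factory can tell you.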

    1. The NewAccountHandler function is triggered by an object upload to the Amazon S3 bucket, validates the input file entries, and writes the validated entries to the Amazon DynamoDB table.
    2. The CreateManagedAccount function queries the DynamoDB table to get the details of the next account to be created. If there is another account to create, the batch account creation process continues with the next step; otherwise, it completes.
    3. The CreateManagedAccount function launches the AWS Control Tower Account Factory product in AWS Service Catalog to create and provision a new account.
    4. After Account Factory has completed the account creation workflow, it generates the CreateManagedAccount lifecycle event, whose state indicates whether the workflow SUCCEEDED or FAILED.
    5. The CloudWatch Events rule detects the CreateManagedAccount AWS Control Tower lifecycle event, triggers the CreateManagedAccount and CreateAccountAssignment functions, and sends an email notification to the administrator via Amazon SNS.
    6. The CreateManagedAccount function updates the Amazon DynamoDB table with the result of the AWS account creation workflow. If the account was created, it updates the input file entry in the Amazon DynamoDB table with the account ID; otherwise, it updates the entry with the failure or error reason.
    7. The CreateAccountAssignment function assigns the AWS SSO permission set, with its AWS IAM policies, to the user group specified in the parameters when launching the AWS CloudFormation stack.
    8. When the Amazon DynamoDB table is updated, the DynamoDB stream triggers the CreateManagedAccount function for the subsequent AWS accounts. When new AWS account list CSV files are uploaded, the steps above are repeated.

Upload the CSV file

Once the AWS account list CSV file has been created, upload it to the Amazon S3 bucket created by the stack.

Deploying the solution

To launch the AWS CloudFormation stack

Now that all of the requirements and the specifications to run the solution are ready, you can launch the AWS CloudFormation stack:

    1. Open the AWS CloudFormation launch wizard in the console.
    2. On the Create stack page, choose Next.

      Figure 8: Create stack in CloudFormation

    3. On the Specify stack details page, update the default parameters with the information you captured in the prerequisites, as shown in Figure 9, and choose Next.

      Figure 9: Input parameters into AWS CloudFormation

    4. On the Configure stack options page, choose Next.
    5. On the Review page, check the box "I acknowledge that AWS CloudFormation might create IAM resources." and choose Create stack.
    6. After the AWS CloudFormation stack has completed, go to the Amazon S3 web console and select the Amazon S3 bucket that you defined in the AWS CloudFormation stack.
    7. Upload the AWS account list CSV file with the information to create new AWS accounts. See To create the AWS account list CSV file above for details on creating the CSV file.

Workflow and solution details

When a new file is uploaded to the Amazon S3 bucket, the following actions occur:

    1. When you upload the AWS account list CSV file to the Amazon S3 bucket, Amazon S3 emits an event for the newly uploaded object that invokes the Lambda function NewAccountHandler.
    2. This Lambda function performs the following steps:
        • Checks whether it was invoked by an Amazon S3 event or by the CloudFormation CREATE event.
        • If the trigger is a new object uploaded to Amazon S3, reads the object.
        • Validates the content of the CSV file for the required columns and values.
        • If the data has a valid format, inserts a new item with the data into the Amazon DynamoDB table, as shown in Figure 10.

          Figure 10: DynamoDB table items with AWS account details

        • Amazon DynamoDB is configured to invoke the Lambda function CreateManagedAccount when items are inserted, updated, or deleted.
        • The Lambda function CreateManagedAccount checks the event type. When an item in the table is inserted or updated, the function inspects that item, and if the AWS account has not yet been created, it invokes the AWS Control Tower Account Factory product in AWS Service Catalog to create a new AWS account with the details stored in the DynamoDB item.
        • AWS Control Tower Account Factory starts the AWS account creation process. When the account creation process completes, the status of the Account Factory product shows as Available under Provisioned products, as shown in Figure 11.

          Figure 11: AWS Service Catalog provisioned products for AWS account creation

        • Based on the Control Tower lifecycle events, the CreateAccountAssignment Lambda function is invoked when the CreateManagedAccount event is delivered to CloudWatch Events. An Amazon SNS topic is also triggered to send an email notification to the administrator email address, as shown in Figure 12.

          Figure 12: AWS email notification when account creation completes

        • When invoked, the Lambda function CreateAccountAssignment assigns the AWS SSO user group to the new AWS account with the permission set defined in the AWS CloudFormation stack.

          Figure 13: New AWS account showing user groups with permission sets assigned

Figure 13 shows the new AWS account with the user group and the assigned permission set. This completes the automation process. The AWS SSO users who are members of the user group are automatically able to access the new AWS account with the defined permission set.
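The step where CreateManagedAccount reacts to the DynamoDB stream is the one most likely to misbehave under retries: the stream fires on every insert and update, so the function has to decide from the item itself whether an account still needs to be created before it launches Account Factory. The following is an added example, not code from the original post or the solution's Lambda, that makes that decision over a constructed stream batch and builds the servicecatalog.provision_product request for the Account Factory product. The product and artifact IDs are placeholders; the provisioning parameter names are the ones the Account Factory product exposes. Note that newer Account Factory versions expect ManagedOrganizationalUnit as "OU name (ou-id)" rather than the bare OU name the CSV carries, so adjust that mapping if your landing zone requires it.

```python
"""Pick the next pending account from a DynamoDB stream batch and build the
Account Factory provisioning request.

Added example, not code from the original post. It reproduces the decision
the CreateManagedAccount function makes when the table's stream fires:
consider INSERT and MODIFY records only, skip items that already carry an
AccountId or a non-pending Status so an account is never provisioned twice,
and turn the first pending item into the parameters for
servicecatalog.provision_product on the Account Factory product. The stream
records, product and artifact IDs are constructed; the parameter names are
those of the Account Factory product.
"""
import uuid

# Status values treated as "not yet attempted". NewAccountHandler stores "".
PENDING_STATUSES = {"", "PENDING"}

# Account Factory product parameter -> CSV/DynamoDB attribute it is filled from.
ACCOUNT_FACTORY_PARAMS = {
    "AccountName": "AccountName",
    "AccountEmail": "AccountEmail",
    "SSOUserEmail": "SSOUserEmail",
    "SSOUserFirstName": "SSOUserFirstName",
    "SSOUserLastName": "SSOUserLastName",
    "ManagedOrganizationalUnit": "OrgUnit",
}


def unmarshal(image):
    """Flatten a stream image ({"S": "..."} per attribute) into a plain dict.
    This table only stores string attributes, so one type tag is enough."""
    return {name: value.get("S", "") for name, value in image.items()}


def next_pending_account(records):
    """Return the first item in the batch that still needs an account, or None."""
    for record in records:
        if record.get("eventName") not in ("INSERT", "MODIFY"):
            continue  # REMOVE records carry no work
        item = unmarshal(record["dynamodb"]["NewImage"])
        if item.get("AccountId") or item.get("Status", "") not in PENDING_STATUSES:
            continue  # created, in progress, or failed: do not provision again
        return item
    return None


def build_provision_request(item, product_id, artifact_id, token=None):
    """Keyword arguments for servicecatalog.provision_product for one item.
    ProvisionToken makes a retried Lambda invocation idempotent."""
    return {
        "ProductId": product_id,
        "ProvisioningArtifactId": artifact_id,
        "ProvisionedProductName": f"account-{item['AccountName']}",
        "ProvisioningParameters": [
            {"Key": key, "Value": item[attr]} for key, attr in ACCOUNT_FACTORY_PARAMS.items()
        ],
        "ProvisionToken": token or str(uuid.uuid4()),
    }


def _record(event_name, **attrs):
    """Constructed DynamoDB stream record with string attributes only."""
    return {"eventName": event_name,
            "dynamodb": {"NewImage": {k: {"S": v} for k, v in attrs.items()}}}


def _item(n, status="", account_id="", error=""):
    return dict(AccountName=f"Test-account-{n}",
                SSOUserEmail=f"test-account-sso-{n}@example.com",
                AccountEmail=f"test-account-{n}@example.com",
                SSOUserFirstName=f"Fname-{n}", SSOUserLastName=f"Lname-{n}",
                OrgUnit="Test-OU-1", Status=status, AccountId=account_id, ErrorMsg=error)


# Constructed batch: one account already created, one that failed, one pending,
# and a REMOVE record that must be ignored.
SAMPLE_STREAM_RECORDS = [
    _record("MODIFY", **_item(1, status="SUCCEEDED", account_id="123456789012")),
    _record("MODIFY", **_item(2, status="FAILED", error="Email already in use")),
    _record("INSERT", **_item(3)),
    _record("REMOVE", **_item(4)),
]

if __name__ == "__main__":
    pending = next_pending_account(SAMPLE_STREAM_RECORDS)
    print("next account to create:", pending["AccountName"])
    print(build_provision_request(pending, "prod-EXAMPLE", "pa-EXAMPLE", token="demo-token"))
```

Processing one pending item per invocation matches the page's serial design, which is what keeps the Control Tower 25-minute Account Factory window from being hit by parallel launches; the real function should also mark the chosen item (for example Status = IN_PROGRESS) before calling provision_product so a concurrent stream delivery does not pick it up again.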

Handling common sources of error

This solution connects multiple components to facilitate new AWS account creation and AWS SSO permission set assignment. The correctness of the parameters in the AWS CloudFormation stack is essential to ensure that when AWS Control Tower creates a new AWS account, it is accessible.

To verify that the solution works, make sure that the email address is a valid email address, that you have access to it, and that it is not being used by any existing AWS account. After a new account is created, it is not possible to change its root account email address, so if you input an invalid or inaccessible email address, you need to create a new AWS account and remove the invalid one.

You can view common errors in the AWS Service Catalog web console. Under Provisioned products, you can see all of the AWS accounts launched by AWS Control Tower Account Factory.

Figure 14: AWS Service Catalog provisioned product with error


Selecting Error under the Status column shows you the source of the error. Figure 15 shows an example:

Figure 15: AWS account creation error explanation


Conclusion

In this post, we showed you how to automate batch creation of AWS accounts in AWS Control Tower and batch assignment of user access to those accounts in AWS SSO. When the batch AWS account creation and AWS SSO user access assignment processes are complete, the administrator is notified by email from Amazon SNS. We also explained how to handle some common sources of errors and how to avoid them.

As you automate batch AWS account creation and user access assignment, you can reduce the time you spend on undifferentiated heavy lifting and onboard the users in your organization much more quickly, so they can start using and experimenting on AWS right away.

To learn more about best practices for establishing an AWS multi-account environment, see the AWS documentation.
