Identity management is easiest when you can manage identities in one place and use them across accounts and applications. AWS IAM Identity Center streamlines identity management by letting you connect your identity provider (IdP), such as Active Directory, and use the IdP's identity information for access to and collaboration within applications. One way to do this is to set up an AD Connector and point it at your on-premises Active Directory or Azure AD. An AD Connector is a directory gateway that redirects directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud.
If you have a large Active Directory with several thousand groups and users, you may not want to select, one by one, the identities that should be synchronised with AWS IAM Identity Center.
In this blog post, we show you a solution that lets you specify name prefixes for Active Directory groups; every group matching one of those prefixes is automatically synced to your AWS IAM Identity Center.
The solution workflow includes the following steps:
The following architecture diagram shows the automated sync of Active Directory groups to AWS IAM Identity Center.
🔗 Here you can find the Solution on Github
Our CDK-based project provisions several resources during deployment.
The Stack contains:
With Active Directory group synchronisation, you use IAM Identity Center to grant users and groups from Active Directory access to AWS accounts and to AWS-managed or customer-managed applications. All Active Directory groups whose names start with one of the specified prefixes are automatically synchronised to your AWS IAM Identity Center.
The sync Lambda function is triggered by an EventBridge scheduled rule, so the groups you want to sync from your Active Directory are always up to date in your AWS IAM Identity Center.
The workflow of our sync Lambda function is as follows:
The solution is deployed via a CDK stack that is part of the solution's repository. All required parameters are configured in a TypeScript file; an example file is included in the repository.
What you have to configure:
After each execution of the synchronisation Lambda, we want to notify our team about the actions taken during that run. We therefore implemented a Microsoft Teams notification that includes a status update and a link to an automatically generated dashboard.
ℹ️ To avoid a flood of notifications, a notification is only sent when groups were added or deleted, or when the automation ran into an error.
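The following is an added example, not code from the solution's repository, that models the planning step of the sync Lambda described above together with the notification rule: match Active Directory groups against the configured prefixes, compute which groups Identity Center is missing and which managed groups have disappeared from AD, and decide whether the run warrants a Teams message. The group listings and the prefix `AWS-` are constructed sample data; in the real Lambda they would come from a directory query and an Identity Center listing. The page does not state which API the solution uses to provision groups, so the example deliberately stops at the plan. It also adds two guards a practitioner would want that the post does not spell out: groups outside the managed prefixes are never deleted, and a run that would delete more groups than a configured ceiling (for example because a directory outage returned an empty or partial listing) is aborted instead of executed.

```python
"""Plan an Active Directory -> IAM Identity Center group sync by name prefix.

Added example (not the blog's repository code). Function names, the sample
group lists and the prefix are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample data standing in for a directory query and an Identity Center listing.
SAMPLE_AD_GROUPS = ["AWS-Dev-Admins", "aws-Prod-ReadOnly", "AWS-Security-Audit",
                    "HR-Payroll", "SharePoint-Users"]
SAMPLE_IDC_GROUPS = ["AWS-Dev-Admins", "AWS-Legacy-Team", "Finance-Viewers"]
SAMPLE_PREFIXES = ["AWS-"]


def _normalize(name: str) -> str:
    # AD group names are case-insensitive, so compare them in one canonical case.
    return name.strip().casefold()


def is_managed(name: str, prefixes: Iterable[str]) -> bool:
    """True if the group name starts with one of the configured prefixes (case-insensitive)."""
    n = _normalize(name)
    return any(n.startswith(_normalize(p)) for p in prefixes if p.strip())


@dataclass
class SyncPlan:
    to_create: List[str] = field(default_factory=list)    # in AD, missing in Identity Center
    to_delete: List[str] = field(default_factory=list)    # managed prefix, gone from AD
    ignored_ad: List[str] = field(default_factory=list)   # AD groups outside the prefixes
    untouched_idc: List[str] = field(default_factory=list)  # Identity Center groups outside the prefixes

    def has_changes(self) -> bool:
        return bool(self.to_create or self.to_delete)


def plan_sync(ad_groups: Iterable[str], idc_groups: Iterable[str],
              prefixes: List[str], max_deletes: int = 25) -> SyncPlan:
    """Compute the create/delete sets for one sync run.

    Only groups matching a managed prefix are ever created or deleted; an Identity
    Center group outside the prefixes is left alone even without an AD counterpart,
    so the automation cannot remove groups provisioned by another process.
    If the plan would delete more than `max_deletes` groups (typical symptom of a
    failed or partial directory read), the run is aborted rather than executed.
    """
    if not [p for p in prefixes if p.strip()]:
        raise ValueError("at least one non-empty prefix must be configured")
    ad_groups, idc_groups = list(ad_groups), list(idc_groups)
    ad_managed = {_normalize(g): g for g in ad_groups if is_managed(g, prefixes)}
    idc_managed = {_normalize(g): g for g in idc_groups if is_managed(g, prefixes)}

    plan = SyncPlan()
    plan.to_create = sorted(ad_managed[k] for k in ad_managed.keys() - idc_managed.keys())
    plan.to_delete = sorted(idc_managed[k] for k in idc_managed.keys() - ad_managed.keys())
    plan.ignored_ad = sorted(g for g in ad_groups if not is_managed(g, prefixes))
    plan.untouched_idc = sorted(g for g in idc_groups if not is_managed(g, prefixes))

    if len(plan.to_delete) > max_deletes:
        raise RuntimeError(
            f"refusing to delete {len(plan.to_delete)} groups (limit {max_deletes}); "
            "check the directory listing before re-running")
    return plan


def should_notify(plan: SyncPlan, error: Optional[Exception] = None) -> bool:
    """The post's rule: notify only when groups were added or deleted, or on an error."""
    return error is not None or plan.has_changes()


def status_message(plan: SyncPlan, error: Optional[Exception] = None) -> str:
    """Status line for the Teams card; the dashboard link would be appended by the caller."""
    if error is not None:
        return f"Sync FAILED: {error}"
    return (f"Sync OK: created {len(plan.to_create)}, deleted {len(plan.to_delete)}, "
            f"ignored {len(plan.ignored_ad)} non-matching AD groups")


if __name__ == "__main__":
    result = plan_sync(SAMPLE_AD_GROUPS, SAMPLE_IDC_GROUPS, SAMPLE_PREFIXES)
    print(status_message(result))
    print("create:", result.to_create, "delete:", result.to_delete,
          "notify:", should_notify(result))
```

Note the two sets that are reported but never acted on: `ignored_ad` documents which directory groups were skipped because they fall outside the prefixes, and `untouched_idc` shows which Identity Center groups the automation considers out of scope. Surfacing both on the generated dashboard makes it easy to spot a mistyped prefix before it silently stops picking up groups.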
The following screenshot illustrates an example of a Teams notification.
Our Active Directory Synchronisation Status Dashboard is a simple HTML file that is generated by a Lambda function, saved in S3 and served through CloudFront. You can embed the dashboard in Confluence or any other internal wiki. Access to the dashboard is protected by a CloudFront Function; in addition, you can attach AWS WAF to restrict access to specific CIDR ranges or geographic regions and keep third parties out. The screenshot below shows an example of the dashboard.
In this blog post, we showed you how to improve your security posture by automatically and regularly synchronising Active Directory groups that match a specific name pattern with AWS IAM Identity Center. This simplifies access management and increases security: when a group object is deleted in Active Directory, its access in AWS IAM Identity Center is revoked automatically, and newly created groups that match the pattern are picked up without anyone having to select them by hand. Furthermore, the automatically generated documentation gives you an overview of the synchronised group objects.