When building systems on AWS, several environments (such as production, verification, and development) are usually set up according to purpose. When operating multiple environments, we want to:
- Give each person only the permissions appropriate to their role, so that the system operates safely.
- Regularly check whether there are redundant users in the system and whether their permissions are correct.
However, in actual design and operation the following problems arise.
1. The choice between security and flexibility
To ensure security and prevent anyone from touching resources they should not, strict rules should be defined with IAM policies. However, overly strict permissions make IAM policies hard to reuse and may require modification whenever a person's work changes, which reduces the system's flexibility and complicates management.
Conversely, if we pay attention only to flexibility and do not restrict permissions, the risk of misoperation increases, for example a developer mistakenly deleting a virtual machine in the production environment.
2. Design difficulties of IAM policy
AWS offers many permission-management features. Mixing these features with allow lists and deny lists (Allow and Deny statements) leads to complex designs that are hard to maintain.
3. Adding and removing users, and the complexity of regular user audits
In the operation and maintenance stage, adding or removing users, or verifying that the users and permissions in the system are correct, usually has to be done in the AWS Management Console. The work is complex, time-consuming and error-prone, and the time it takes grows in proportion to the number of users.
For this reason, NCNF adopts the following strategies to solve these problems.
1. Adopt a multi-account structure, while ensuring flexibility and security
AWS accounts are divided according to the function of the environment and the responsible team (company), so that users can operate relatively freely in the environment they are responsible for without affecting other environments. At the same time, because our clients usually want to develop their systems quickly and efficiently while keeping their products advanced, NCNF uses relatively simple and uniform rules to define user permissions under each account (for example, read-only permissions and administrator privileges).
2. Adopt the latest AWS native service to simplify user design and permission design
We use AWS SSO and AWS Organizations (described below) to manage multiple accounts and modularize the permission model in these services, so that platform (infrastructure) personnel do not need to manage the complex bindings between IAM roles, IAM policies and IAM users directly.
At the same time, the entry points of operation and maintenance tools (such as Jenkins) are unified under the SSO service, which is convenient for operations personnel.
3. Provide user increase and decrease and monitoring tools
We provide tools for automatic user registration and permission management. With these tools, you can also check at any time whether the users in the environment are consistent with the design.
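The consistency check described above, as an added example that is not NCNF's tool: a designed set of (user, account, permission set) grants is compared with a constructed snapshot of what the environment holds, shaped like the identity store ListUsers and SSO Admin ListAccountAssignments responses, and the drift is reported. Account names, user names and permission set ARNs are placeholders.

```python
# Constructed design of who may hold which permission set in which account.
# Permission sets stay deliberately simple, as in the text: read-only or administrator.
DESIGN = {
    ("Martha", "DevAccount", "AdministratorAccess"),
    ("Martha", "ProdAccount", "ReadOnlyAccess"),
    ("Andrew", "ProdAccount", "AdministratorAccess"),
}

# Constructed snapshot of the live environment, shaped like the identity store's
# ListUsers and the SSO Admin ListAccountAssignments responses. A real run would
# fill these from the boto3 'identitystore' and 'sso-admin' clients instead.
SSO_USERS = {"u-1": "Martha", "u-2": "Andrew", "u-3": "Former.Contractor"}
PERMISSION_SETS = {  # permission set ARN -> name (ARNs are placeholders)
    "arn:aws:sso:::permissionSet/ssoins-x/ps-admin": "AdministratorAccess",
    "arn:aws:sso:::permissionSet/ssoins-x/ps-readonly": "ReadOnlyAccess",
}
ASSIGNMENTS = [
    {"PrincipalType": "USER", "PrincipalId": "u-1", "AccountId": "DevAccount",
     "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-x/ps-admin"},
    {"PrincipalType": "USER", "PrincipalId": "u-1", "AccountId": "ProdAccount",
     "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-x/ps-admin"},   # drift: design says ReadOnly
    {"PrincipalType": "USER", "PrincipalId": "u-3", "AccountId": "ProdAccount",
     "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-x/ps-readonly"},  # user left the project
]

def actual_assignments(users, assignments, ps_names):
    """Normalise API-shaped records into (user, account, permission set) triples."""
    actual = set()
    for a in assignments:
        if a["PrincipalType"] != "USER":
            continue  # GROUP principals would first be expanded via the identity store
        actual.add((users[a["PrincipalId"]], a["AccountId"], ps_names[a["PermissionSetArn"]]))
    return actual

def audit(design, users, assignments, ps_names):
    """Compare design and reality; every non-empty list is something to fix or justify."""
    actual = actual_assignments(users, assignments, ps_names)
    assigned = {u for u, _, _ in actual}
    return {
        "missing": sorted(design - actual),      # designed but not granted
        "unexpected": sorted(actual - design),   # granted but absent from the design
        "idle_users": sorted(set(users.values()) - assigned),  # exist but hold no access
        "undesigned_users": sorted(assigned - {u for u, _, _ in design}),
    }
```

Run on a schedule, the four lists give the regular audit the text asks for: idle users are candidates for removal, and unexpected grants are the ones to review first.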
Account structure chart
Purpose of each account and user association table
- Production Accounts: OU used to organize the AWS accounts related to production
- Development Accounts: OU used to organize the AWS accounts related to R&D
- DevAccount: AWS account for developers
- ProdAccount: AWS account for production and operations personnel
- Martha: AWS SSO user, used to log in to AWS SSO and perform relevant operations
- Andrew: AWS SSO user, used to log in to AWS SSO and perform relevant operations
Description of AWS services used
As your workload on AWS grows and expands, [AWS Organizations](https://amazonaws-china.com/cn/organizations/?NC1=houls) can help you centrally manage your environment. Organizations lets you centrally manage billing, control access, compliance and security, and share resources across your AWS accounts, whether you are a start-up or a large enterprise.
With AWS Organizations, users can automatically create accounts, group accounts, and apply management policies to these groups according to business requirements. Users can also simplify billing by setting up a single payment method for all AWS accounts. Through integration with other AWS services, Organizations lets users apply centralized settings across the company's accounts.
OU (Organizational Unit)
Users can use an organizational unit (OU) to group accounts together and manage them as a single unit, which greatly simplifies account management. For example, users can attach policy-based controls to an OU, and all accounts in that OU automatically inherit the policy. Users can create multiple OUs within a single organization, or nest OUs inside other OUs. Each OU can contain multiple accounts, and users can move accounts from one OU to another. However, an OU name must be unique within its parent OU or the root.
For more information, refer to the AWS Organizations documentation.
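The inheritance described above, as an added example that is not part of the original article: a hypothetical organization tree with the two OUs from the structure chart, a deny-list guardrail SCP on the root and an allow-list SCP on the Development OU (the two list styles mentioned earlier), and an evaluator that applies the AWS rule that an action passes only if every level from the root down to the account permits it. The tree, the policies and the action names are constructed for illustration.

```python
import fnmatch

# Constructed organization tree, child -> parent (illustrative, not NCNF's real layout).
PARENT = {
    "Production Accounts OU": "Root",
    "Development Accounts OU": "Root",
    "ProdAccount": "Production Accounts OU",
    "DevAccount": "Development Accounts OU",
}

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

# Hypothetical SCPs attached at each node. AWS attaches FullAWSAccess everywhere by
# default; the Root adds a deny-list guardrail and the Development OU replaces
# FullAWSAccess with an allow list of services.
SCPS = {
    "Root": [FULL_AWS_ACCESS,
             {"Statement": [{"Effect": "Deny",
                             "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}],
    "Production Accounts OU": [FULL_AWS_ACCESS],
    "Development Accounts OU": [{"Statement": [{"Effect": "Allow",
                                               "Action": ["ec2:*", "s3:*", "logs:*"]}]}],
    "ProdAccount": [FULL_AWS_ACCESS],
    "DevAccount": [FULL_AWS_ACCESS],
}

def _matches(action, patterns):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def _node_allows(node, action):
    """One level of the tree: an explicit Deny wins, otherwise some Allow must match."""
    allowed = False
    for policy in SCPS[node]:
        for stmt in policy["Statement"]:
            if _matches(action, stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def path_to_root(account):
    path = [account]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return path[::-1]  # Root first

def scp_permits(account, action):
    """SCPs are inherited: the action passes only if every level from Root down permits it.
    True means the guardrails do not block it; the user's permission set must still allow it."""
    return all(_node_allows(node, action) for node in path_to_root(account))
```

Note that an SCP only sets the outer boundary of what an account can do; the read-only or administrator permission set assigned through AWS SSO still decides what a given user can actually do inside that boundary.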
Main functions
- Manage and define your organization and account
- Control access and permissions
- Audit, monitor and protect your environment to ensure compliance
- Share account resources
- Centrally manage costs and bills
AWS Single Sign-On
AWS Single Sign-On is a cloud-based service that simplifies SSO access management for AWS accounts and business applications. You can control SSO access and user permissions for all AWS accounts in AWS Organizations. You can also manage access to common business applications as well as custom applications that support Security Assertion Markup Language (SAML) 2.0. In addition, AWS SSO provides a user portal where your users can centrally find and access all assigned AWS accounts, cloud applications, and custom applications.
AWS SSO is integrated with AWS Organizations, enabling you to select one or more accounts from your organization and grant users access to those accounts. No additional configuration is required in a single account. Give users access to all AWS accounts used by the app or team in just a few clicks.
Main functions
- User Portal
- Integration with AWS Organizations
- Centralized user rights management
- Manage SSO logins for multiple AWS accounts
- Create and manage users in AWS SSO
- Microsoft Active Directory integration
- The SAML-enabled application configuration wizard
- AWS Command Line Interface access
- Integration with built-in SSO for business applications
- Highly available hosting infrastructure
- Auditing of SSO activity