AWS Cloud Operations Blog

Generate External IdP User Access Privilege Reports with AWS Audit Manager

Organizations are required to adhere to industry-specific regulations and certification programs, and a key component of this compliance is the creation of a comprehensive user privilege and access report for cloud infrastructure. Auditors rely on these reports to verify that permissions are tightly controlled at a granular level. However, the complexity of access control mechanisms, which are implemented at various levels such as service control policies, resource-based policies, user/group/role policies, permission boundaries, and external identity providers, poses a challenge in generating a consolidated access report.

External IdPs have become increasingly popular for managing user identities and access across cloud environments. However, this can complicate the process of creating comprehensive user privilege reports. We aim to simplify this task by providing step-by-step guidance on generating detailed access reports when utilizing external identity management solutions.

This blog post focuses on generating user access reports for organizations using external Identity Providers (IdPs) via AWS IAM Identity Center. While our previous blog covered reporting for identities stored in AWS IAM, this new blog specifically addresses the challenges faced by customers who rely on third-party IdPs such as Okta, GSuite, Active Directory, and others.

Overview of solution

This post demonstrates how to create an AWS Config custom rule that gathers configuration evidence automatically, stores it in Amazon S3, and provides a link to that evidence in the AWS Audit Manager assessment report. Using this solution, customers can automate the generation of custom reports and reduce the manual effort of importing evidence into their AWS Audit Manager assessments.

Audit Manager is a fully-managed service that provides prebuilt frameworks for common industry standards and regulations, and that automates the continual collection of evidence to help you prepare for an audit. The continuous and automated gathering of evidence related to your AWS resource usage helps simplify risk assessment and compliance with regulations and industry standards.

AWS Config enables customers to evaluate the configuration settings of AWS resources. This is done by AWS Config rules, which evaluate the current state against the desired state. Customers can use AWS-managed rules or custom rules. You can use Audit Manager to capture AWS Config evaluations as evidence for audits. When you create or edit a custom control, you can specify one or more AWS Config rules as a data source for evidence collection.

AWS IAM Identity Center is a centralized service for managing user access across multiple AWS accounts and applications. It offers single sign-on, supports various identity sources, simplifies multi-account permissions, and provides access to AWS and cloud applications. As the recommended solution for human user management in AWS, it improves upon traditional IAM with better scalability and centralized control.

In this post, we use AWS Lambda-backed AWS Config custom rules to extend AWS Config and collect configuration evidence for AWS IAM Identity Center. The evidence is stored in Amazon S3 and referenced from your AWS Audit Manager custom assessment report.
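The CloudFormation template in this post ships its own Lambda function, which is not reproduced here. The following is an added example, written for this post rather than taken from it, of what such a periodic AWS Config custom rule handler looks like end to end: it pages through every IAM Identity Center account assignment, resolves principal, permission-set and account names, writes the rows to the evidence bucket, and returns a Config evaluation whose annotation is the evidence pointer that Audit Manager later shows. It assumes an execution role with the listed read permissions plus s3:PutObject and config:PutEvaluations, and environment variables EVIDENCE_BUCKET and EVIDENCE_PREFIX (both names are assumptions). Two choices differ from the post on purpose: the report is written as CSV rather than an openpyxl workbook, so the report logic runs without extra dependencies, and the annotation includes the S3 object version ID, because the post has you enable bucket versioning and a version-pinned reference cannot be silently changed by a later overwrite. The sample assignment records at the bottom are constructed, not real account data.

```python
"""Added example (not the post's CloudFormation Lambda): periodic AWS Config custom
rule that inventories IAM Identity Center account assignments, writes them to the
versioned evidence bucket as CSV, and annotates the evaluation with the exact object
version. Assumed env vars: EVIDENCE_BUCKET, optional EVIDENCE_PREFIX."""
import csv
import io
import json
import os
from datetime import datetime, timezone

ANNOTATION_MAX = 256  # AWS Config rejects evaluation annotations longer than this
COLUMNS = ["AccountId", "AccountName", "PermissionSet", "PrincipalType", "Principal"]


def _paginate(call, result_key, **kwargs):
    """Follow NextToken on any AWS list API so no assignment is silently dropped."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(result_key, [])
        token = resp.get("NextToken")
        if not token:
            return


def flatten_assignments(assignments, principal_names, ps_names, account_names):
    """Join raw ListAccountAssignments records with names. Unknown IDs are kept raw,
    never dropped, so an auditor can spot assignments whose principal no longer exists."""
    rows = [{
        "AccountId": a["AccountId"],
        "AccountName": account_names.get(a["AccountId"], ""),
        "PermissionSet": ps_names.get(a["PermissionSetArn"], a["PermissionSetArn"]),
        "PrincipalType": a["PrincipalType"],
        "Principal": principal_names.get(a["PrincipalId"], a["PrincipalId"]),
    } for a in assignments]
    return sorted(rows, key=lambda r: tuple(r[c] for c in COLUMNS))


def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_evaluation(account_id, bucket, key, version_id, ordering_timestamp):
    """Periodic rules evaluate the account itself. COMPLIANT means 'report produced';
    the annotation is the version-pinned evidence pointer Audit Manager will display."""
    annotation = f"s3://{bucket}/{key}?versionId={version_id}"
    if len(annotation) > ANNOTATION_MAX:
        raise ValueError("annotation exceeds 256 characters; shorten the key prefix")
    return {"ComplianceResourceType": "AWS::::Account", "ComplianceResourceId": account_id,
            "ComplianceType": "COMPLIANT", "Annotation": annotation,
            "OrderingTimestamp": ordering_timestamp}


def lambda_handler(event, context):
    import boto3  # imported lazily so the pure functions above run without the SDK
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ScheduledNotification":
        return {"skipped": invoking.get("messageType")}  # only meaningful as a periodic rule
    bucket = os.environ["EVIDENCE_BUCKET"]
    prefix = os.environ.get("EVIDENCE_PREFIX", "identity-center-access-report/")
    sso, ids = boto3.client("sso-admin"), boto3.client("identitystore")
    org, s3, cfg = boto3.client("organizations"), boto3.client("s3"), boto3.client("config")
    inst = sso.list_instances()["Instances"][0]
    inst_arn, store_id = inst["InstanceArn"], inst["IdentityStoreId"]
    account_names = {a["Id"]: a["Name"] for a in _paginate(org.list_accounts, "Accounts")}
    ps_names, assignments = {}, []
    for ps_arn in _paginate(sso.list_permission_sets, "PermissionSets", InstanceArn=inst_arn):
        ps_names[ps_arn] = sso.describe_permission_set(
            InstanceArn=inst_arn, PermissionSetArn=ps_arn)["PermissionSet"]["Name"]
        for acct in _paginate(sso.list_accounts_for_provisioned_permission_set, "AccountIds",
                              InstanceArn=inst_arn, PermissionSetArn=ps_arn):
            assignments.extend(_paginate(sso.list_account_assignments, "AccountAssignments",
                                         InstanceArn=inst_arn, AccountId=acct, PermissionSetArn=ps_arn))
    names = {}
    for a in assignments:  # resolve each principal once against the identity store
        pid = a["PrincipalId"]
        if pid not in names:
            names[pid] = (ids.describe_user(IdentityStoreId=store_id, UserId=pid)["UserName"]
                          if a["PrincipalType"] == "USER"
                          else ids.describe_group(IdentityStoreId=store_id, GroupId=pid)["DisplayName"])
    rows = flatten_assignments(assignments, names, ps_names, account_names)
    key = f"{prefix}{datetime.now(timezone.utc):%Y-%m-%dT%H%M%SZ}.csv"
    put = s3.put_object(Bucket=bucket, Key=key, Body=rows_to_csv(rows).encode("utf-8"),
                        ContentType="text/csv", ServerSideEncryption="AES256")
    evaluation = build_evaluation(event["accountId"], bucket, key, put.get("VersionId", "null"),
                                  invoking["notificationCreationTime"])
    cfg.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return {"rows": len(rows), "key": key}


# Constructed sample input (not real account data) so the report logic can run offline.
SAMPLE_ASSIGNMENTS = [
    {"AccountId": "222222222222", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-x/ps-admin",
     "PrincipalType": "GROUP", "PrincipalId": "g-1"},
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-x/ps-ro",
     "PrincipalType": "USER", "PrincipalId": "u-1"},
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-x/ps-ro",
     "PrincipalType": "USER", "PrincipalId": "u-orphan"},  # deleted user; raw id stays in the report
]
SAMPLE_NAMES = {"u-1": "alice@example.com", "g-1": "CloudAdmins"}
SAMPLE_PS = {"arn:aws:sso:::permissionSet/ssoins-x/ps-admin": "AdministratorAccess",
             "arn:aws:sso:::permissionSet/ssoins-x/ps-ro": "ReadOnlyAccess"}
SAMPLE_ACCOUNTS = {"111111111111": "dev", "222222222222": "prod"}


def demo_report():
    return flatten_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_NAMES, SAMPLE_PS, SAMPLE_ACCOUNTS)
```

Two points are worth checking in whatever handler you actually deploy: that every list call is paginated (a single unpaginated call quietly truncates the report, which is the worst failure mode for an access review), and that a principal ID with no matching user or group is surfaced rather than skipped, since a lingering assignment to a deleted principal is exactly what an auditor wants to see.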

In this post, we will cover:

  1. Setting up an Audit Manager assessment.
  2. Setting up an AWS Config custom rule that invokes a Lambda function which generates a new AWS IAM Identity Center access report.

Figure 1: Architecture of the solution

Prerequisites

The following prerequisites are required before continuing:

  • An S3 bucket to which the AWS Config custom rule can write evidence. The report lists who can access which accounts, so treat the bucket as sensitive: keep Block Public Access enabled, enable default encryption, and restrict read access to the audit owners who need it.
  • AWS Config must be enabled and have an AWS Config recorder (refer to Set up AWS Config).
  • Permissions to deploy the provided AWS CloudFormation template. Sample permissions can be reviewed here.
  • AWS Audit Manager must be enabled (Set up AWS Audit Manager).
  • Permissions to access AWS Config, AWS Audit Manager, AWS IAM Identity Center and AWS Organizations.
  • An AWS Cloud9 environment.

Deployment Steps

1. Log in to the AWS Console and navigate to the AWS Cloud9 IDE.

2. Follow the instructions to set up an AWS Cloud9 environment on EC2.

(Make sure to select the Amazon Linux 2 AMI for the platform.)

3. Create the openpyxl Lambda layer.

a. In the Cloud9 terminal, create a new directory for your layer:

mkdir openpyxl-layer && cd openpyxl-layer

b. Create and activate a Python 3.9 virtual environment:

python3.9 -m venv venv

source venv/bin/activate

c. Install openpyxl into the virtual environment (this is the package the next step copies):

pip install openpyxl

d. Create a python directory and copy the installed packages into it:

mkdir -p python/lib/python3.9/site-packages

cp -r venv/lib/python3.9/site-packages/* python/lib/python3.9/site-packages/

e. Create a ZIP file of the layer contents:

zip -r openpyxl-layer.zip python

f. Publish the Lambda layer:

aws lambda publish-layer-version --layer-name openpyxl-layer --zip-file fileb://openpyxl-layer.zip --compatible-runtimes python3.9

g. Copy the LayerVersionArn from the command output; you will need it when launching the CloudFormation stack.

4. Create an S3 bucket using the steps listed here.

(Note: Enable versioning on the S3 bucket so that each generated report is retained as its own object version.)

5. Navigate to CloudFormation. Choose ‘Create stack’ followed by ‘With new resources (standard)’. In the ‘Specify template’ section, paste the Amazon S3 URL of the provided template and choose ‘Next’.

6. Enter the requested information.

a. ConfigRuleName – specify a unique name for the AWS Config rule. The rule runs periodically and invokes a custom Lambda function that generates a report on user privileges and saves it to the S3 bucket specified in the parameters below.

b. LambdaLayerVersionARN – specify the LayerVersionArn copied in Step 3g.

c. For the S3BucketName – enter the bucket name created in Step 4.

d. Choose ‘Next’.

7. Choose ‘Next’, then check the Capabilities checkbox, and choose ‘Create stack’. Wait until the stack is in the ‘CREATE_COMPLETE’ state.

8. We will now create a custom control under Audit Manager.
To create a custom control in Audit Manager that will use your new AWS Config custom rule as a data source, follow these instructions. To attach your custom AWS Config rule:

a. In the ‘Control Library’ section, click on ‘Create Custom Control’, enter Control Name and click ‘Next’.

Figure 2: Audit Manager: Create Control Library

b. Uncheck entries under the ‘AWS managed sources – new’ section. Under Customer managed sources, select ‘Use a data source to collect manual or automated evidence’ and select ‘AWS Config custom rule’.

Figure 3: Configure AWS Config custom Rule

c. Select the ‘Custom Rule’ that you created when launching the AWS CloudFormation template. The default value is ‘AuditManagerUserAccessEvidenceRule’. If you haven’t made any modifications, choose the default option. If you have modified it, select your customized version.

Figure 4: Choose AWS Config custom rule and data source

d. Follow through the wizard, review and save changes.

9. Now that a custom control is defined that is leveraging the AWS Config custom rule that you built, it’s time to create a framework to use the custom control. Note that you could modify any existing framework and add the custom control. However, for the purpose of this post, we’ll create a custom framework and add the control that you previously created.

10. Choose ‘Framework Library’ from the left pane.

11. Choose ‘Custom frameworks’, followed by ‘Create custom framework’.

Figure 5: Choose AWS Config custom rule and data source

12. ‘Framework name’ field is the only required field. However, you may complete the fields that are suitable for your use. You may also tag the framework with the key/value pairs in any way you wish (tagging can help with automation and analysis in the future).

13. Choose ‘Next’ to define custom control.

a. Enter a ‘Control set’ name.

b. Choose ‘Custom controls’ from the ‘Select control type’ dropdown.

c. Under ‘Available custom controls’, check the box next to the custom control that you defined in the previous step, and choose ‘Add to control set’.

14. Confirm the choices, then choose ‘Next’.

15. Review your choices and choose ‘Create custom framework’.

16. Next step is to create an Assessment.

a. Click on ‘Assessments’ on the left pane.

b. Click on ‘Create Assessment’.

c. On the ‘Specify assessment’ details tab:

i. Enter an ‘Assessment name’.

ii. Select the S3 bucket created in Step 4.

iii. Under Frameworks, pick the custom framework we created earlier in Step 15.

d. Select the AWS account you are running in.

e. Pick ‘Audit Owners’.

f. Click ‘Review and Create Assessment’.

17. Go to the AWS Config dashboard, and choose ‘Rules’ in the left navigation pane. Choose the rule created by the stack, then choose ‘Actions’ and ‘Re-evaluate’. The last successful evaluation time should update within a few minutes to reflect the new evaluation.

18. Set ‘Resources in scope’ to display ‘All’. You should see the latest rule evaluation details.

19. Navigate back to the Audit Manager console, generate an assessment report, and download it.

20. Unzip the report zip file, go to the unzipped folder, and open the AssessmentReportSummary PDF file. Scroll down to the ‘Assessment report selection’ section and choose the collected evidence. This will open another PDF file (which can also be found separately in the folder structure in the same folder).

21. Scroll down to the ‘Annotation’ field, where you will find the link to the evidence in the designated S3 bucket. Open the link in a browser and download the evidence file. Because the bucket should not be publicly readable, you need to be signed in with credentials that allow s3:GetObject on that bucket. Open the file and you will find the collected configuration evidence.

Cleaning up

To avoid incurring charges, delete the resources you created as part of this post:

    1. Navigate to Audit Manager’s assessments page. Select the assessment you created, then select delete.
    2. Navigate to Audit Manager’s assessment reports page. Select the report you created, then select delete.
    3. Navigate to Audit Manager’s Framework library page. Under Custom frameworks tab, select the custom framework you created. Select action, then select delete.
    4. Navigate to Audit Manager’s Control library. Under Custom controls tab, select the custom control you created, then select delete.
    5. Delete the CloudFormation stack you created.
    6. Delete the Lambda layer in the AWS Lambda console.
    7. Delete the Cloud9 environment.

Conclusion

In conclusion, this post demonstrated how to create an AWS Config custom rule that gathers configuration evidence automatically, stores it in Amazon S3, and provides a link to that evidence in the Audit Manager assessment report. Using this solution, customers can reduce the manual effort of importing evidence into their Audit Manager assessments.

Consider this a first step in laying the foundation for a consolidated access report. To take it further, similar reports can be generated for the other policy controls mentioned at the start of this post (for example, resource-based policies and permissions boundaries) and stored in S3. The reports in S3 can be formatted and queried using Amazon Athena and AWS Glue. To make them more interactive, an Amazon QuickSight dashboard can also be created.

About the authors:

Anu Jayanthi

Anu Jayanthi is an AWS Solutions Architect. She works with startup customers, providing advocacy and strategic technical guidance to help plan and build solutions using AWS best practices.

Parth Shah

Parth Shah is a Sr. Startup Solutions Architect at Amazon Web Services. He enjoys working with startup customers in cloud adoption and business strategy as well as helping them design applications and services on AWS. Outside of work, he enjoys gaming, soccer, traveling, and spending time with his friends and family.

John Fischer

John Fischer is a Senior Assurance Consultant for the AWS Security Assurance Services team and is a product specialist for AWS Audit Manager. In his spare time, John enjoys performing in his wedding band and spending time with his wife and kids.