Speaker: Yuji Oshima @ AWS Amarathon 2025
Summary by Amazon Nova
Multi-Account and IAM Design:
[ 1 ] Single Account Architecture:
Complex permission management makes it difficult to ensure security
Difficulty tracking costs per workload
Prone to operational errors and quota issues, making it difficult to operate
[ 2 ] Multi-Account Architecture:
Improve security by separating privileges
Easily understand costs for each workload
Improve operational efficiency by containing the impact of operational work to a single account
Jump Account Method:
Set up Jump accounts and consolidate IAM users
Users log in to the Jump account and switch roles to each account
Permissions for each account are granted to the target role
Tips for IAM design using the Jump Account method:
[ 1 ] Create groups based on actual roles
[ 2 ] Create roles for each account based on their role
[ 3 ] Define the switching account and IAM role for each IAM group
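The three tips above describe one procedure: groups per job role in the jump account, one role per target account per job role, and an explicit group-to-(account, role) mapping. The following Python is an added example (not from the talk or from AWS) that turns such a mapping into the two policy documents the method needs: the trust policy on each target role, which trusts only the jump account and requires MFA on the caller's session, and the identity policy on each jump-account group, which allows sts:AssumeRole only on the exact role ARNs for that group. The account IDs, group names and role names are constructed placeholders. A small lint function flags the two mistakes that undo the separation (a wildcard principal, or a missing MFA condition).

```python
import json

# Constructed sample values for this example, not real accounts or roles.
JUMP_ACCOUNT_ID = "111111111111"

# Group -> list of (target account id, role name) the group may switch to.
SWITCH_MAP = {
    "developers": [("222222222222", "DevRole"), ("333333333333", "StagingDevRole")],
    "sre": [("222222222222", "SreRole"), ("333333333333", "SreRole"),
            ("444444444444", "ProdReadOnly")],
}


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def target_role_trust_policy(jump_account_id, require_mfa=True):
    """Trust policy for a role in a target account: only principals from the jump
    account may assume it, and only when their session carries MFA."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{jump_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def group_switch_policy(targets):
    """Identity policy for a jump-account IAM group: sts:AssumeRole on the listed
    role ARNs only (no wildcards), so the group cannot reach other roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [role_arn(acct, role) for acct, role in targets],
        }],
    }


def build(jump_account_id, switch_map):
    """Return ({group: switch policy}, {target role ARN: trust policy})."""
    group_policies = {g: group_switch_policy(t) for g, t in switch_map.items()}
    trust_policies = {}
    for targets in switch_map.values():
        for account_id, role_name in targets:
            trust_policies[role_arn(account_id, role_name)] = \
                target_role_trust_policy(jump_account_id)
    return group_policies, trust_policies


def lint_trust_policy(policy):
    """Flag trust-policy mistakes that defeat the jump-account separation."""
    findings = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        aws_list = aws if isinstance(aws, list) else [aws]
        if "*" in aws_list:
            findings.append("principal is '*': any AWS account could assume this role")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no MFA condition on sts:AssumeRole")
    return findings


if __name__ == "__main__":
    groups, trusts = build(JUMP_ACCOUNT_ID, SWITCH_MAP)
    print(json.dumps(groups, indent=2))
    for arn, policy in trusts.items():
        print(arn, lint_trust_policy(policy) or "ok")
```

The generated documents are what you would attach with CloudFormation or the IAM console; the lint is the check to run on any trust policy edited by hand afterwards.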
Access Control with TEAM:
How should we handle access control for the production environment?
Change Management: When and who accessed the production environment for change operations?
Production Access Control: Is the production environment accessible at any time?
What is TEAM (Temporary Elevated Access Management)?
Abbreviation for Temporary Elevated Access Management
An authorization-based workflow for managing access to accounts
Provided as an application accessible through the IAM Identity Center access portal
Workflow for Production Access Control with TEAM (Application):
[1/3] With only read-only permissions on the production account, select TEAM from the application list
[2/3] Create a request
[3/3] The status is pending because it has not been approved yet
Workflow for Production Access Control with TEAM (Approval):
- The approver selects the relevant request from "Approve request," enters a comment, and approves it
Workflow for Production Access Control with TEAM (Authorization):
Access permissions to the production account have been added
Since it has been approved, the status is now set to "approved."
Overall Team Structure:
① Access the Amazon Web Services access portal in IAM Identity Center
② Access the TEAM application
③ Request elevated access
④ Approve elevated access
⑤ Activate elevated access
⑥ Invoke elevated access
⑦ Log session activity
⑧ End elevated access
⑨ Review request details and session activity logs
Design and Implementation of TEAM:
Organizing permissions for migration to IAM Identity Center:
① Organize roles and policies for each account; create permission sets
② Organize Jump account groups and policies; register the groups with Entra ID
③ Create the assignments; use CloudFormation
Designing rules for persona assignment and approval workflows:
TEAM has four personas (requesting access, approving access requests, auditing logs, managing rules)
Designing persona assignment and approval rules
Persona assignment design
What should be submitted for approval?
Who should approve/reject?
Maximum time for granting approval
Notification destinations (Mail, Chat...)
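The nine-step TEAM workflow above (request, approve, activate, invoke, log, end, review) and the design questions in this list (what needs approval, who approves, maximum duration) fit together as one state machine. The Python below is an added model of that workflow, written for this summary; it is not TEAM's own code and does not use TEAM's real data schema. Eligibility rules (which group may request which account and permission set, and for how long at most) and approver rules (which group may approve for an account) are constructed sample values. The model enforces the checks a reviewer would look for: no self-approval, duration capped by the rule, access granted only while an approved request is active, automatic ending at expiry, and an append-only audit log of every transition. The clock is injected so the expiry path can be exercised without waiting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample rules, not TEAM's real configuration.
ELIGIBILITY = {  # group -> {(account, permission set): maximum duration}
    "developers": {("444444444444", "ProdOperator"): timedelta(hours=2)},
}
APPROVERS = {"444444444444": {"sre-leads"}}  # account -> groups allowed to approve


@dataclass
class Request:
    id: int
    requester: str
    account: str
    permission_set: str
    duration: timedelta
    justification: str
    status: str = "pending"          # pending -> approved -> active -> ended
    approver: Optional[str] = None
    ends_at: Optional[datetime] = None


class Workflow:
    def __init__(self, now):
        self.now = now                 # callable returning the current time
        self.requests = {}
        self.audit = []                # append-only: (time, event, request id, actor)
        self._next_id = 1

    def _log(self, event, rid, actor):
        self.audit.append((self.now(), event, rid, actor))

    def submit(self, requester, groups, account, permission_set, duration, justification):
        if not justification.strip():
            raise ValueError("justification required")
        caps = [ELIGIBILITY.get(g, {}).get((account, permission_set)) for g in groups]
        caps = [c for c in caps if c is not None]
        if not caps:
            raise PermissionError(f"{requester} is not eligible for {permission_set} on {account}")
        if duration > max(caps):
            raise ValueError(f"duration exceeds maximum {max(caps)}")
        req = Request(self._next_id, requester, account, permission_set, duration, justification)
        self._next_id += 1
        self.requests[req.id] = req
        self._log("submitted", req.id, requester)
        return req

    def approve(self, rid, approver, approver_groups, comment):
        req = self.requests[rid]
        if req.status != "pending":
            raise ValueError(f"request {rid} is already {req.status}")
        if approver == req.requester:
            raise PermissionError("requester cannot approve own request")
        if not APPROVERS.get(req.account, set()) & set(approver_groups):
            raise PermissionError(f"{approver} cannot approve for account {req.account}")
        req.status, req.approver = "approved", approver
        self._log(f"approved: {comment}", rid, approver)
        return req

    def activate(self, rid):
        req = self.requests[rid]
        if req.status != "approved":
            raise ValueError(f"request {rid} is {req.status}, not approved")
        req.ends_at = self.now() + req.duration
        req.status = "active"
        self._log("activated", rid, req.requester)
        return req

    def has_access(self, user, account, permission_set):
        """Invoke-time check: only an active, unexpired request grants access."""
        for req in self.requests.values():
            if (req.requester, req.account, req.permission_set, req.status) == \
                    (user, account, permission_set, "active"):
                if self.now() < req.ends_at:
                    return True
                req.status = "ended"
                self._log("expired", req.id, "system")
        return False


def run_demo():
    """Drive one request through the lifecycle and return what happened."""
    clock = [datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)]
    wf = Workflow(lambda: clock[0])
    out = {}
    try:  # 3 h exceeds the 2 h cap in the eligibility rule
        wf.submit("alice", ["developers"], "444444444444", "ProdOperator", timedelta(hours=3), "x")
    except ValueError:
        out["over_max_rejected"] = True
    req = wf.submit("alice", ["developers"], "444444444444", "ProdOperator",
                    timedelta(hours=1), "Hotfix deploy")
    out["after_submit"] = req.status
    try:  # requester may not approve even if also in an approver group
        wf.approve(req.id, "alice", ["developers", "sre-leads"], "self")
    except PermissionError:
        out["self_approval_blocked"] = True
    wf.approve(req.id, "bob", ["sre-leads"], "Approved for the hotfix window")
    out["after_approve"] = req.status
    wf.activate(req.id)
    out["access_during"] = wf.has_access("alice", "444444444444", "ProdOperator")
    clock[0] += timedelta(hours=2)   # move past the 1 h window
    out["access_after"] = wf.has_access("alice", "444444444444", "ProdOperator")
    out["final_status"] = req.status
    out["events"] = [event for _, event, _, _ in wf.audit]
    return out


if __name__ == "__main__":
    print(run_demo())
```

The audit list is the material for step ⑨ (reviewing request details and session activity): every transition records who acted and when, including the system-initiated expiry.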
Gradually expanding the scope of application from small-scale operations:
Test operations with a small team, gradually expanding the scope of application
Individual → My team → whole department
[ 1 ] Operate in parallel with existing systems
Minimize impact on business
[ 2 ] Review settings and operations based on feedback
Is the assignment of personas sufficient? Are any unexpected permissions being granted?
IAM Identity Center x TEAM:
Use SSO users provisioned from Entra ID
Switch roles to non-production accounts via the IAM Identity Center access portal
Switch roles to non-production accounts after approval in TEAM
Benefits of TEAM:
IAM Identity Center x TEAM:
[ 1 ] User Perspective:
Switching roles between accounts is now simpler
The path to requests is shorter, with a simpler and clearer UI
Improved development efficiency
[ 2 ] Administrator Perspective:
Freed from IAM management
Setting management such as assigning personas and request rules is now simpler
Improved operational efficiency
Summary:
Through "TEAM", all "Team" members have improved their operational and security awareness
In multi-account configurations, consider access management for production accounts
"IAM Identity Center x TEAM" enables easy control
TEAM implementation enhances team productivity, security, and compliance
Team: