EmpowerID and AWS: Identity Governance, Seamless Integration, and Auditing
With a cloud-computing market share of 31.7%, the number of organizations moving to Amazon AWS is staggering. For those considering the transition, the sheer size, scale, and complexity of AWS can be overwhelming.
If your organization is already using AWS but still relies on outdated, manual processes, we truly feel for you. We do have good news, though: EmpowerID integrates with AWS like you wouldn’t believe…
Zero Trust Principles
We adhere fully to Zero Trust: users can obtain pre-approved or request-only access, but permissions are granted for a finite period only and are then revoked.
Privileged Session Management
PSM provides access through a web interface; there is no direct access to your servers or virtual machines. Adaptive MFA with vaulted credentials adds a further layer of security.
Easy Auditing and Recertification
With unbeatable tracking, logging, and reporting across AWS, auditing and recertification have never been easier. Finally, a smile on your auditor’s face…
Here, we look at the following items:
- Identity Lifecycle for Amazon AWS – eliminates both the security problems and the manual errors associated with AWS user creation and access assignment.
- Just In Time Privileged Access for AWS – adhering to Zero Trust, JIT access ensures your users obtain access for only the specified time. Access requests can be pre-approved or routed for approval, as required. When the requested time expires, access is automatically revoked.
- Privileged Session Management for Amazon AWS – PSM is a web-based gateway that prevents direct access to your systems and apps. Deployed as a microservice, it’s quick, scalable, resilient, and effective.
- Amazon AWS Compliance and Recertification – traditionally a nightmare for auditors, tracking and logging AWS’ sprawling and dynamic landscape is simple with EmpowerID. Full tracking, logging, and reporting capability means audits have never been easier.
- Adaptive MFA for Amazon AWS – Besides the 20+ authentication types that EmpowerID supports, Adaptive MFA also smooths user adoption by being required only when your business policies and circumstances warrant it.
Watch a short demo video of EmpowerID and AWS:
EmpowerID Identity Lifecycle for AWS automates account provisioning and access assignment.
Automation of policy-based “Compliant Access” eliminates the security problems and human errors associated with the manual user creation and access assignment for AWS.
Within your organization, manually triggered lifecycle events are inefficient. With EmpowerID, workflows are triggered by changes in your HR system.
Using such triggers, EmpowerID automatically handles the provisioning and deprovisioning of your IAM user accounts.
Extending your current workflow (or creating an entirely new one) to grant the necessary AWS access and permissions is straightforward.
Permissions range from IAM group membership to AWS roles that will be accessed as ephemeral session-based permissions during Security Token Service (STS) federated logins.
Deprovisioning happens in a similar fashion. Permanent workflows detect changes in your HR system and, in conjunction with your own business policy settings, gracefully handle the necessary handover of responsibilities and the transfer of data ownership.
Just in Time Privileged Access for AWS
EmpowerID supports a Zero Trust strategy for Amazon AWS by enabling a Just in Time (JIT) and Just Enough administrative access model.
EmpowerID uses permanent workflows to continuously inventory and monitor the users, groups, and roles in your AWS tenants.
When they need access, end users can request temporary access to IAM groups or roles. Such requests can be pre-approved or they can be routed for approval, as per your own business policies.
As with all requests in EmpowerID, the status and progress are tracked and can be viewed in our user-friendly interface.
With JIT access requests for AWS groups, EmpowerID will temporarily provision the user’s existing AWS account as a member of the appropriate group and will then revoke that access when the time expires.
Note: this approach is much better for your organization for two reasons:
- It is simpler than checking out vaulted privileged account passwords.
- It also enables a more accurate correlation of user activity, because the end user uses their regular account for the privileged access session.
EmpowerID both federates and integrates with AWS, depending on the request. On the one hand, EmpowerID’s federation with your AWS STS handles access requests for AWS roles. On the other, EmpowerID integrates with STS to automatically generate role- or policy-based temporary sessions for the AWS Management Console or for API-level access.
In both cases, all access is revoked when the requested time has expired.
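The JIT group-membership pattern described above (grant the user’s own account membership, then revoke it on expiry), modelled offline as an added example that is not EmpowerID’s code. `FakeIam` is a constructed stand-in for boto3’s IAM client exposing only `add_user_to_group` and `remove_user_from_group`; the eight-hour ceiling and the pre-approved/routed split are assumptions chosen to illustrate the policy check.

```python
from dataclasses import dataclass, field

@dataclass
class FakeIam:
    """Constructed stand-in for boto3's IAM client: just the two calls the
    pattern needs, using boto3's keyword-argument names."""
    members: dict = field(default_factory=dict)  # group name -> set of user names

    def add_user_to_group(self, GroupName, UserName):
        self.members.setdefault(GroupName, set()).add(UserName)

    def remove_user_from_group(self, GroupName, UserName):
        self.members.get(GroupName, set()).discard(UserName)

@dataclass
class Grant:
    user: str
    group: str
    expires_at: int  # Unix time (seconds)
    approved_by: str

class JitGroupAccess:
    """Time-boxed IAM group membership: add the user's own account to the group
    now, remove it on a scheduled sweep once the requested time has passed."""
    MAX_SECONDS = 8 * 3600  # assumed policy ceiling, not an EmpowerID value

    def __init__(self, iam, pre_approved=()):
        self.iam, self.pre_approved = iam, set(pre_approved)
        self.grants, self.audit = [], []  # audit rows: (event, user, group, when, who)

    def request(self, user, group, seconds, now, approved_by=None):
        # Groups outside the pre-approved set need a named approver (routed request).
        if group not in self.pre_approved and approved_by is None:
            raise PermissionError(f"membership of {group} requires approval")
        grant = Grant(user, group, now + min(seconds, self.MAX_SECONDS), approved_by or "pre-approved")
        self.iam.add_user_to_group(GroupName=group, UserName=user)
        self.grants.append(grant)
        self.audit.append(("GRANT", user, group, grant.expires_at, grant.approved_by))
        return grant

    def revoke_expired(self, now):
        """Scheduled sweep: revoke every membership whose time has expired, return them."""
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self.iam.remove_user_from_group(GroupName=g.group, UserName=g.user)
            self.grants.remove(g)
            self.audit.append(("REVOKE", g.user, g.group, now, "expiry"))
        return expired
```

The audit list doubles as the record an auditor would ask for: every grant carries its approver and expiry, and every revocation its reason.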
Privileged Session Management for Amazon AWS
Privileged accounts in AWS are both a necessity and a liability. With their nearly unlimited access to system resources, they are essential for everyday IT operations, and your organization cannot operate without them.
Unfortunately, according to research, 62% of security breaches occur through abuse of privileged accounts. That is also why EmpowerID fully supports the Zero Trust model.
Zero Trust stipulates that only the minimal access required should be granted for the minimal time period and, if possible, the access should always be proxied and monitored.
EmpowerID’s Privileged Session Manager (PSM) is a web-based gateway that you deploy as a microservice container in your AWS environments.
PSM provides authorized users with RDP or SSH access to AWS EC2 Windows or Linux virtual machines through a web interface; end users never get direct network access to the servers.
This best-practice approach avoids most common malware and exploits, which rely on network connectivity to the servers they target.
In addition, strong adaptive identity verification is enforced, and sessions can be optionally recorded as videos for later compliance investigation or verification.
In all cases, the password of the privileged credential is never revealed to the end user, eliminating the potential for sharing or misuse.
Amazon AWS Compliance and Recertification
EmpowerID allows your AWS team to breeze through audits.
AWS’s sprawling and dynamic nature can pose a huge headache for auditors. Consequently, proving who has access to critical systems, as a certification process requires, can be difficult.
But producing this proof becomes almost automatic with EmpowerID.
EmpowerID maintains an up-to-date audit trail and provides complete control over who has access to which resources across all your AWS tenants.
In addition, built-in attestation policies allow for rapid periodic recertification of AWS group and role assignments. This eliminates the hassle of auditing this critical infrastructure.
Furthermore, risk-based separation of duties policies also allow you to define, detect, and remediate toxic combinations of access.
Adaptive MFA for Amazon AWS
Organizations run some of their most critical workloads and store sensitive content in AWS.
Ensuring the identity of those accessing these services is critical in preventing data loss or system downtime.
Unfortunately, passwords continue to be the weakest link in an organization’s security strategy. Multifactor Authentication (MFA) is the only proven means of plugging this gap.
With over 20 MFA types, your organization has a wide selection of options, including:
- one-time passwords
- third-party providers, such as Duo
- the EmpowerID Mobile phone app, which allows users to click to approve their logins
- FIDO/YubiKey tokens, etc.
However, because users are traditionally resistant to change, EmpowerID’s Adaptive MFA makes this even better.
Adaptive MFA eases user adoption of more secure login procedures by requiring an MFA login only when circumstances warrant it, not every time.
These circumstances are dictated solely by your own business policies and conditions.