EmpowerID and AWS: Identity Governance, Seamless Integration, and Auditing

Watch a short demo video of EmpowerID and AWS:

Watch a short demo video of EmpowerID and AWS:

EmpowerID Identity Lifecycle for AWS automates account provisioning and access assignment.
Automation of policy-based “Compliant Access” eliminates the security problems and human errors associated with the manual user creation and access assignment for AWS.

Within your organization, manually triggered lifecycle events are inefficient. With EmpowerID, workflows are triggered via changes from your HR system.

Using such triggers, EmpowerID can then automatically handle the provisioning and deprovisioning of your IAM user accounts.

In such cases, either extending your current workflow (or creating an entirely new one) is straightforward enough to grant necessary access and permissions for AWS.

Permissions range from IAM group membership to AWS roles that will be accessed as ephemeral session-based permissions during Security Token Service (STS) federated logins.

Deprovisioning happens in a similar fashion. Permanent workflows detect changes in your HR system and, in conjunction with your own business policy settings, gracefully handle the necessary and essential handover of responsibilities and the transfer of data ownership.

Just in Time Privileged Access for AWS

EmpowerID supports a Zero Trust strategy for Amazon AWS by enabling a Just in Time (JIT) and Just Enough administrative access model.

EmpowerID uses permanent workflows to continuously inventory and monitor the users, groups, and roles in your AWS tenants.

When they need access, end users can request temporary access to IAM groups or roles. Such requests can be pre-approved or they can be routed for approval, as per your own business policies.

As with all requests in EmpowerID, the status and progress are tracked and can be viewed in our user-friendly interface.

With JIT access requests for AWS groups, EmpowerID will temporarily provision the user’s existing AWS account as a member of the appropriate group and will then revoke that access when the time expires.

Note: this approach is much better for your organization for 2 reasons:

1. It is simpler than checking out vaulted privileged account passwords.
2. It also improves a more accurate correlation of user activity as the end user will use their regular account for the privileged access session.

EmpowerID both federates and integrates with AWS, depending upon the request: On the one hand, EmpowerID’s federation with your AWS STS leverages access requests for AWS roles. On the other, EmpowerID integrates with STS to automatically generate role- or policy-based temporary sessions for the AWS Management Console or API level access.

In both cases, all access is revoked when the requested time has expired.

Privileged Session Management for Amazon AWS

Privileged accounts in AWS are both a necessity and a liability. With their nearly unlimited access to system resources, they are essential for everyday IT operations, and your organization cannot operate without them.

Unfortunately, according to research, 62% of security breaches are through abuse of privileged accounts. That is also why EmpowerID fully supports the Zero Trust model.

Zero Trust stipulates that only the minimal access required should be granted for the minimal time period and, if possible, the access should always be proxied and monitored.

EmpowerID’s Privileged Session Manager (PSM) is a web-based gateway that you deploy as a microservice container in your AWS environments.

PSM provides authorized users with RDP or SSH access to AWS EC2 Windows or Linux virtual machines through a web interface. Servers never get actual network access.

This best practice approach avoids most common malware and hack exploits which rely on network connectivity to the servers they are targeting.

In addition, strong adaptive identity verification is enforced, and sessions can be optionally recorded as videos for later compliance investigation or verification.

In all cases, the password of the privileged credential is never revealed to the end user, eliminating the potential for sharing or misuse.

Amazon AWS Compliance and Recertification

EmpowerID allows your AWS team to breeze through audits.

AWS’s sprawling and dynamic nature can pose a huge headache for auditors. Consequently, to complete a certification process, it may be difficult to prove who has access to critical systems.

But producing this proof becomes almost automatic with EmpowerID

EmpowerID maintains an up to date audit and can provide complete control over who has access to what resources across all your AWS tenants.

In addition, built-in attestation policies allow for rapid periodic recertification of AWS group and role assignments. This eliminates the hassle of auditing this critical infrastructure.

Furthermore, risk-based separation of duties policies also allow you to define, detect, and remediate toxic combinations of access.

Adaptive MFA for Amazon AWS

Organizations run some of their most critical workloads and store sensitive content in AWS.

Ensuring the identity of those accessing these services is critical in preventing data loss or system downtime.

Unfortunately, passwords continue to be the weakest link in an organization’s security strategy. Multifactor Authentication (MFA) is the only proven means to plug this gap.

With over 20 MFA types, your organization now has a wide selection of options, including:

• one-time passwords
• 3rd parties, such as DUO
• The EmpowerID Mobile phone app, which allows users to click to approve their logins
• FIDO/Yubikey tokens, etc.

However, because users are traditionally resistant to change, EmpowerID’s adaptive MFA makes it even better.

Adaptive MFA eases user adoption of more secure login procedures by ensuring that they only have to perform MFA login when circumstances warrant it and not every time.

These circumstances are dictated solely by your own business policies and conditions.