AWS users can share the same AWS accounts yet remain in control of their own resources using an unconventional security approach

HeleCloud consultants showcased an unconventional security approach to the management of hundreds of users for software development companies running more than one project on AWS, during the 10th AWS Bulgaria meetup on 22 March 2018 in Sofia.

“We enabled hundreds of users to use only their own resources in AWS by implementing isolation within a single AWS Account. The unconventional approach provided for management and support efficiencies”, said Ivaylo Vrabchev, HeleCloud AWS Consultant and AWS Solution Architect.

For the second time in a row, HeleCloud hosted the AWS User Group Bulgaria monthly get-together, which gathers AWS experts and has become a platform for experience and knowledge sharing among Bulgarian Cloud professionals.

The case study presented by Ivaylo Vrabchev showed how the HeleCloud team achieved isolation so that each user could use only the resources of the project they were working on. The HeleCloud customer operates in three regions, has more than 200 projects and thousands of users. Instead of applying the generic AWS approach and the conventional multi-account security strategy, HeleCloud undertook a thorough assessment of the client’s requirements and of AWS capabilities.

The chosen security approach for isolation within a single AWS account has several advantages, among which:

  • Lower cost;
  • A single set of account security and monitoring tools;
  • An optimal number of network connections;
  • An optimal number of Active Directory Domain Controllers.

It required building a custom permission matrix focused on security, least-privilege access, inviolability and traceability. The system was composed of the following:

  • Identity Provider (IdP) Integration;
  • Processes Automation with Lambda functions;
  • IAM Policy permission matrix;
  • Management & Deployment.

The IdP was integrated with Active Directory Federation Services (ADFS), AWS Identity and Access Management (IAM), Security Assertion Markup Language (SAML) and AWS Security Token Service (STS). This component permits a user to log in to a given project with a single role. If a user has several roles within the system, a list of all their accounts is displayed before login.

Process automation is achieved through Lambda functions, with IAM configured per project: credentials, roles, policies and AWS Key Management Service (KMS) keys. Auto-tagging of AWS resources is used as well.
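To make the combination of a per-project IAM policy and an auto-tagging Lambda concrete, here is an added example (not code from the HeleCloud presentation); it assumes federated roles named "project-<name>" and a "Project" resource tag, both of which are assumptions rather than details the talk gives.

```python
import json
from typing import Optional

# Assumptions for this example (not taken from the HeleCloud presentation):
# federated roles are named "project-<name>", every resource carries a
# "Project" tag, and the per-project policy is keyed on that tag.
TAG_KEY = "Project"
ROLE_PREFIX = "project-"

def project_policy(project: str) -> dict:
    """Per-project IAM policy: act only on resources tagged with this project."""
    tag = f"aws:ResourceTag/{TAG_KEY}"
    return {"Version": "2012-10-17", "Statement": [
        # Describe* calls take no resource, so a tag condition would never match them
        {"Sid": "ListAnything", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "UseOwnProjectResources", "Effect": "Allow", "Action": "ec2:*",
         "Resource": "*", "Condition": {"StringEquals": {tag: project}}},
        # Stripping the project tag would move a resource outside every project's scope
        {"Sid": "ProtectProjectTag", "Effect": "Deny", "Action": "ec2:DeleteTags",
         "Resource": "*", "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": [TAG_KEY]}}},
    ]}

def project_from_event(event: dict) -> Optional[str]:
    """Derive the project from the SAML-federated role that made the API call;
    CloudTrail records that role under sessionContext.sessionIssuer.userName."""
    identity = event.get("detail", {}).get("userIdentity", {})
    name = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "")
    return name[len(ROLE_PREFIX):] if name.startswith(ROLE_PREFIX) else None

def plan_auto_tags(event: dict) -> dict:
    """Auto-tagging step for a RunInstances CloudTrail event delivered to Lambda.
    Returns {instance_id: tags}; a deployed function would pass this to
    ec2.create_tags, omitted here so the example runs offline."""
    project = project_from_event(event)
    if project is None or event.get("detail", {}).get("eventName") != "RunInstances":
        return {}
    items = event["detail"]["responseElements"]["instancesSet"]["items"]
    return {i["instanceId"]: {TAG_KEY: project} for i in items}

# Constructed sample event in the shape CloudTrail hands to Lambda via EventBridge
SAMPLE_EVENT = {"detail": {
    "eventName": "RunInstances",
    "userIdentity": {"type": "AssumedRole", "sessionContext": {
        "sessionIssuer": {"type": "Role", "userName": "project-alpha"}}},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}}}

if __name__ == "__main__":
    print(json.dumps(project_policy("alpha"), indent=2))
    print(plan_auto_tags(SAMPLE_EVENT))
```

The Deny on ec2:DeleteTags matters because the Allow statement only ever matches resources that still carry the tag; a resource that loses it becomes unreachable for every project role, which is the failure mode the auto-tagging Lambda and this guard are there to prevent.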

Further details about HeleCloud’s approach can be found in the attached “AWS account security with IAM policies, CloudTrail, Lambda” presentation.

About HeleCloud

HeleCloud™ is an Amazon Web Services technology consultancy with offices in Maidenhead, UK, and Sofia, Bulgaria, that helps enterprises of all sizes establish a Cloud vision and execute Cloud strategies through its industry-leading Cloud Roadmap methodology. HeleCloud™ also provides Cloud managed services to further amplify Cloud benefits and enable enterprises to focus on their core business and customers.