OneLogin with AWS Control Tower Integration for Secure and Quick Setup of a Multi-Account Environment

Today OneLogin is thrilled to announce our new integration with AWS Control Tower. Customers that use both OneLogin and Amazon Web Services (AWS) Control Tower can take advantage of this integration to easily set up and govern their multi-role, multi-account AWS environment.

As an Advanced APN Partner with a Security Competency, OneLogin is a trusted IAM platform for AWS customers building out an identity management strategy as part of AWS’s Shared Responsibility Model. We are excited to collaborate with AWS on this initiative building upon our existing capabilities to provide secure, unified access to cloud and on-premises environments.

What is AWS Control Tower?

AWS Control Tower is a popular service that provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your company-wide policies. If you are building a new AWS environment, starting out on your journey to AWS, starting a new cloud initiative, or are completely new to AWS, Control Tower will help you get started quickly with governance and best practices built-in.

How AWS Control Tower Works - the easiest way to set up and govern a secure, compliant, multi-account AWS environment

Why OneLogin and AWS Control Tower?

When expanding your multi-account and multi-role AWS environment, cloud setup and IAM management quickly becomes cumbersome and complex. Whether you’re newly migrating to AWS or an Enterprise user, AWS Control Tower provides the easiest path to build a baseline environment based on best industry practices. Combining AWS Control Tower with Identity Federation ensures your organization has appropriate identity safeguards and automation to scale your multi-account environment.

OneLogin cloud-based Identity and Access Management (IAM) integrations enable IT teams to centrally manage and automatically provision access permissions across all users, roles, and AWS accounts.

How the OneLogin SSO, MFA and user provisioning integration with AWS Control Tower works

What are best practices and approaches for identity automation?

Our purpose-built integration delivers comprehensive identity automation capabilities for increased security and productivity as you scale your AWS environment. AWS Control Tower provides a sample CloudFormation Template that is used to set up identity federation with OneLogin, as well as to provide guidance on sample AWS IAM Roles and permissions in the different AWS accounts. After AWS Control Tower creates the various AWS accounts, OneLogin can perform identity federation via AWS IAM or directly to the accounts themselves.

Here are recommended approaches and best practices you can apply in your environment.

Approach 1: OneLogin Identity Federation and Automated Provisioning with AWS IAM
Leverage OneLogin’s integration with AWS IAM to enable Single Sign-On authentication into different AWS accounts managed under AWS Control Tower.

AWS Control Tower IAM

Approach 2: OneLogin Identity Federation and Automated Provisioning to AWS Accounts
Leverage OneLogin Unified Directory and advanced authentication capabilities with AWS to seamlessly manage authentication, authorization, and role provisioning as you create new accounts. Through our seamless integration, OneLogin assigns and maps AWS roles to end users to manage their access to the different AWS accounts managed by AWS Control Tower.

OneLogin mapping AWS roles to end-users

Best Practices
In our conversations with customers, especially modern organizations with a security mindset, we have seen common ideas and techniques for successfully scaling their Enterprise environment with AWS Control Tower and OneLogin:

  1. Consider a Phased Approach
    Start with a specific team (e.g. developers), functional area (e.g. all staging environments), or AWS service. By limiting your scope, you can avoid examining thousands of AWS roles and instead focus on evaluating the access needs of that specific team. Then leverage our joint solution to apply pre-mapped identity policies based on best practices.

  2. Establish Boundaries around your AWS Environment
    AWS Control Tower features, such as Guardrails, make it even easier to spin up more AWS accounts as opposed to fine-tuning user permissions within a master account. As you begin to expand out your environment with AWS Control Tower, OneLogin’s integration lets you automatically provision accounts with complementary IAM limitations. You can then modify these restrictions and adjust as necessary as your needs evolve.

  3. Determine Authorization Principles and Apply Least-Privileged Access
    Every organization is unique in its security approach. First, evaluate the access needs and AWS security strategy for your organization. Leverage OneLogin’s identity templates to ensure you’re following best practices such as least-privileged access, and then leverage AWS IAM roles to apply more granular security permissions as desired. Once you’ve mapped out specific users, roles, and permissions, automatically apply your settings to users through OneLogin’s advanced AWS integrations.

    Example: Role-based access control for AWS: All users in the Engineering role could be granted Admin access on various developer accounts, while users in the Deploy Team role would be granted Admin access in production.

  4. Review Your Authentication Strategy
    For the selected group of AWS users, determine the appropriate authentication pathways and security protocols. How and what will they be accessing within AWS: console, command line, database, etc.? What will be your authentication source(s)? OneLogin’s Universal Directory can act as a standalone user source or federate against Microsoft Active Directory (AD) or Microsoft Azure.

    When would you like to apply additional layers of access security for specific teams or resources? For example, leverage OneLogin to enforce Multi-factor Authentication (MFA) for all developers or high-risk logins, or restrict login access to the VPN only. Once you’ve determined the appropriate strategy, set up OneLogin’s multi-role and multi-account connectors to securely authenticate those users into those services via a seamless login console.

  5. Never stop iterating
    The business environment continuously changes, compliance and risk requirements continue to evolve, and new insight requires new measures to better monitor your environment. The nimble nature of the cloud-native infrastructure of OneLogin and AWS, where no software component is installed, provides the foundation for an agile approach to access management. With AWS Control Tower and OneLogin, seamlessly manage and replicate security changes across your AWS environment at the speed of your business.

How does it work?

The integration is completely cloud-based, so no software installation of any kind is needed.

The integration leverages OneLogin’s advanced IAM integrations with AWS, such as our multi-role, multi-account connector for seamless JIT provisioning. Additionally, OneLogin’s Unified Directory capabilities allow IT administrators to federate identities against Microsoft Active Directory (AD) or Microsoft Azure. Combining OneLogin’s capabilities to manage users and roles simplifies the creation and governance of multiple accounts and eliminates the need to migrate Identity Management logic to AWS. Once the integration is set up, it is very simple to assign users to Roles in OneLogin and then use those OneLogin roles to grant access to various combinations of AWS Roles/Accounts.
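The role mapping described in the Best Practices example above (Engineering gets Admin in developer accounts, Deploy Team gets Admin in production) and the OneLogin-role-to-AWS-role/account assignment described here, as an added Python example that is not OneLogin's or AWS's own code. It builds the values AWS expects in the SAML Role attribute for each target account; the account IDs, IAM role names, the "Auditors" role and the SAML provider name are constructed placeholders.

```python
from typing import Dict, List, Set, Tuple

# Constructed placeholders: AWS accounts created under Control Tower.
ACCOUNTS: Dict[str, str] = {
    "dev":  "111111111111",
    "prod": "222222222222",
}
SAML_PROVIDER = "OneLogin"  # constructed name of the IAM SAML provider

# OneLogin role -> (account label, AWS IAM role name) pairs.
# Mirrors the page's RBAC example; "Auditors" is an added read-only role.
ROLE_MAP: Dict[str, List[Tuple[str, str]]] = {
    "Engineering": [("dev", "Admin")],
    "Deploy Team": [("prod", "Admin")],
    "Auditors":    [("dev", "ReadOnly"), ("prod", "ReadOnly")],
}


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def provider_arn(account_id: str) -> str:
    # The SAML provider is created in each account, so its ARN is per account.
    return f"arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER}"


def saml_role_values(onelogin_roles: List[str]) -> List[str]:
    """Values for the SAML attribute https://aws.amazon.com/SAML/Attributes/Role.

    AWS expects each value as "<role-arn>,<saml-provider-arn>". OneLogin roles
    absent from ROLE_MAP contribute nothing, so unmapped users get no access.
    """
    values: Set[str] = set()
    for onelogin_role in onelogin_roles:
        for account_label, iam_role in ROLE_MAP.get(onelogin_role, []):
            account_id = ACCOUNTS[account_label]
            values.add(f"{role_arn(account_id, iam_role)},{provider_arn(account_id)}")
    return sorted(values)


def admin_accounts(onelogin_roles: List[str]) -> Set[str]:
    """Account IDs where the user would land in an Admin role (least-privilege review aid)."""
    return {
        ACCOUNTS[label]
        for onelogin_role in onelogin_roles
        for label, iam_role in ROLE_MAP.get(onelogin_role, [])
        if iam_role == "Admin"
    }
```

Running `admin_accounts` over every OneLogin role before rolling out a mapping shows which roles reach Admin in the production account, which is the check a least-privilege review needs.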

To get started, download our joint setup guides on AWS Marketplace – OneLogin Identity Management.

Try it for yourself

The new OneLogin for AWS Control Tower integration provides AWS customers with enterprise automation and scalability as they build out their AWS environment, based on best practices gained from working with thousands of Enterprise organizations moving to the cloud.

The integration is available today. Try it yourself by creating a OneLogin Developer Account and following the instructions in our joint setup guide. OneLogin customers using AWS Control Tower who are interested in enabling the integration in their environment should contact their OneLogin Account Representative.

About the Author

Richard Chetwynd

Rich Chetwynd founded Litmos, the market-leading learning technology company, as well as ThisData, a data security company leading the way in Account Takeover (ATO) attack detection. After ThisData was acquired by OneLogin in Summer 2017, Rich began working with the OneLogin engineering team with a focus on adaptive authentication.
