Description: 

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. 

Rationale: 

Ensure that SAML identity providers are configured in the account, so that federated users sign in through an external IdP instead of long-term IAM credentials.

Impact:

When you use an IAM identity provider, you don't have to create custom sign-in code or manage your own user identities. The IdP provides that for you. Your external users sign in through a well-known IdP, such as Login with Amazon, Facebook, or Google. You can give those external identities permissions to use AWS resources in your account. IAM identity providers help keep your AWS account secure because you don't have to distribute or embed long-term security credentials, such as access keys, in your application.

Default Value:

You can use a role to configure your SAML 2.0-compliant identity provider (IdP) and AWS to permit your federated users to access the AWS Management Console. The role grants the user permissions to carry out tasks in the console. If you want to give SAML federated users other ways to access AWS

Pre-Requisite:

  1. Sign in as an IAM user with administrative permissions.

  2. An IAM role must exist that grants users federated through the SAML provider permission to access the AWS console.

  3. You must have an account with a SAML-based federation provider.

Remediation:

Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

  3. In the left navigation panel, choose Identity providers.

  4. Check whether any IdPs are listed.

  5. If none are listed, follow the implementation steps to add an identity provider.


Using AWS CLI:

  1. This command lists the SAML providers added to your account (an empty SAMLProviderList means the control fails):

    aws iam list-saml-providers
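An added example (not part of this control text) that evaluates the JSON returned by the command above: it fails the control when the provider list is empty and also warns when a provider's metadata document has expired or is about to, because federation through that provider then stops working. It assumes the CLI's JSON output shape (SAMLProviderList entries with Arn, ValidUntil and CreateDate); the sample output is constructed.

```python
"""Evaluate `aws iam list-saml-providers` output for the control
"Ensure there are SAML providers". Added example, not from the control text."""
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape the CLI returns (Arn, ValidUntil, CreateDate).
SAMPLE_OUTPUT = json.dumps({
    "SAMLProviderList": [
        {"Arn": "arn:aws:iam::123456789012:saml-provider/MySAMLProvider",
         "ValidUntil": "2032-01-01T00:00:00+00:00",
         "CreateDate": "2022-01-01T00:00:00+00:00"},
        {"Arn": "arn:aws:iam::123456789012:saml-provider/OldProvider",
         "ValidUntil": "2021-06-01T00:00:00+00:00",
         "CreateDate": "2019-06-01T00:00:00+00:00"},
    ]
})


def _parse_ts(value):
    """CLI v1 prints a trailing 'Z', v2 prints '+00:00'; accept both."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(cli_json, now=None, warn_days=30):
    """Return (status, findings) with status PASS, WARN or FAIL.
    FAIL: no SAML provider exists (the control itself).
    WARN: a provider's metadata has expired or expires within warn_days."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    providers = json.loads(cli_json).get("SAMLProviderList", [])
    if not providers:
        return "FAIL", ["No SAML identity providers are configured"]
    findings = []
    for p in providers:
        valid_until = _parse_ts(p["ValidUntil"])
        if valid_until <= now:
            findings.append(f"{p['Arn']}: metadata expired on {valid_until.date()}")
        elif valid_until - now <= timedelta(days=warn_days):
            findings.append(f"{p['Arn']}: metadata expires on {valid_until.date()}")
    return ("WARN" if findings else "PASS"), findings


if __name__ == "__main__":
    # Pipe real output in: aws iam list-saml-providers | python3 check_saml.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    status, findings = evaluate(data)
    print(status, *findings, sep="\n - ")
```

Run without stdin to see the result for the constructed sample, or pipe the real CLI output into it to evaluate your own account.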


Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

  3. In the left navigation panel, choose Identity providers.

  4. Click Add provider.

  5. Select SAML and give the provider a name.

  6. Choose the file in which you saved the metadata document from the SAML-based federation provider.

  7. Then click Add provider.


Using AWS CLI:

  1. This command creates a SAML provider; point --saml-metadata-document at the metadata file you saved from the IdP:

    aws iam create-saml-provider --saml-metadata-document file://SAMLMetaData.xml --name MySAMLProvider


Backout Plan:

  1. Go to Identity providers and select the IdP you want to delete.

  2. Click Actions and choose Delete.

Resources:

  1. Enabling SAML 2.0 federated users to access the AWS Management Console - AWS Identity and Access Management 

  2. Providing access to AWS accounts owned by third parties - AWS Identity and Access Management 

  3. list-saml-providers — AWS CLI 1.22.70 Command Reference 
