Profile Applicability:
Level 1


Description:
This control ensures that Security Assertion Markup Language (SAML) providers are properly configured in AWS Identity and Access Management (IAM) to enable federated authentication through the AWS Security Token Service (STS). With a SAML provider in place, users from an external identity provider (IdP)—such as Okta, Azure AD, or Google Workspace—can securely assume AWS roles without requiring long-term IAM user credentials.


Rationale:
SAML-based federation allows organizations to leverage Single Sign-On (SSO) and short-lived temporary security credentials issued via STS, which significantly reduces the risk of credential exposure and management overhead. This approach enforces centralized identity management, enhances auditability, and supports compliance with security standards such as CIS, SOC 2, ISO 27001, HIPAA, and NIST 800-53.


Impact:
Positive Impact: Enhances security by eliminating long-term IAM user credentials and enabling secure, temporary access through STS tokens integrated with enterprise identity systems.
Negative Impact: Requires setup and maintenance of SAML integration with an external identity provider and ongoing synchronization of trust relationships.


Default Value:
By default, no SAML providers are configured in a new AWS account. Federated access must be explicitly established.


Pre-Requisite:

  • IAM permissions required: iam:ListSAMLProviders and iam:GetSAMLProvider to audit; iam:CreateSAMLProvider and iam:UpdateSAMLProvider to add or refresh the provider; iam:CreateRole, iam:AttachRolePolicy and iam:ListRoles (or iam:GetRole) to create and review the federated role and its trust policy.

  • A valid SAML metadata document exported from your organization’s IdP (e.g., Okta, Azure AD, PingFederate).


Test Plan 
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM → Identity providers.

  3. Verify that at least one SAML identity provider is listed.

  4. Open the provider and confirm the uploaded metadata document is current: the IdP signing certificate it carries must not have expired (the IAM API reports this as the provider's ValidUntil value). If the IdP has rotated its signing certificate, the metadata must be re-uploaded or assertions will fail signature validation.

  5. Navigate to IAM → Roles and verify that at least one role's trust policy allows sts:AssumeRoleWithSAML with the provider's ARN as the Federated principal. Roles used for console sign-in should also carry a StringEquals condition of SAML:aud = https://signin.aws.amazon.com/saml.

  6. Check STS endpoint status under IAM → Account settings → Security Token Service (STS). The global endpoint (sts.amazonaws.com) is always active and cannot be deactivated; regional endpoints can be activated or deactivated individually, so confirm that every region in which federated users or tooling will call STS shows as Active.

  7. If no SAML provider exists, the provider's metadata has expired, or no role trusts it via sts:AssumeRoleWithSAML, the account is non-compliant. A deactivated regional STS endpoint does not break federation through the global endpoint, but it will break clients configured to use that region's endpoint.
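The console steps above can be scripted against the same IAM data. The following Python is an added example, not part of this benchmark page or of any AWS tooling: it evaluates constructed samples of the `aws iam list-saml-providers` and `aws iam list-roles` output (the account ID, provider name and role names are hypothetical) and reports whether a non-expired provider exists and which roles trust it via sts:AssumeRoleWithSAML, flagging trust policies that omit the SAML:aud condition.

```python
import json
from datetime import datetime, timezone

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"   # audience AWS expects in the assertion
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/corp-saml-provider"  # hypothetical

# Constructed sample of `aws iam list-saml-providers` output (not real account data).
LIST_SAML_PROVIDERS = {"SAMLProviderList": [
    {"Arn": PROVIDER_ARN, "ValidUntil": "2031-06-30T00:00:00+00:00",
     "CreateDate": "2024-01-15T10:00:00+00:00"},
]}

# Constructed sample of `aws iam list-roles`, trimmed to the fields this check reads.
# The CLI returns AssumeRolePolicyDocument already URL-decoded into JSON.
LIST_ROLES = {"Roles": [
    {   # correct: trusts only our provider and pins the AWS audience
        "RoleName": "SAML-Federated-ReadOnly",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}}]}},
    {   # weaker: trusts the provider but omits the SAML:aud condition
        "RoleName": "SAML-Legacy",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML"}]}},
    {   # ordinary service role, irrelevant to federation
        "RoleName": "LambdaExec",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole"}]}},
]}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _parse_ts(value):
    """Accept a datetime or an ISO-8601 string as the CLI emits it (Z or +00:00 suffix)."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def saml_trust_findings(role, provider_arns):
    """Inspect one role's trust policy. Returns (trusts_a_valid_provider, findings)."""
    doc = role["AssumeRolePolicyDocument"]
    if isinstance(doc, str):          # some tools hand the document over as a JSON string
        doc = json.loads(doc)
    name, trusts, findings = role["RoleName"], False, []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerolewithsaml", "sts:*"}:
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(arn in provider_arns for arn in federated):
            findings.append(f"{name}: AssumeRoleWithSAML allowed for a principal that is not a "
                            f"valid provider in this account: {federated}")
            continue
        trusts = True
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if AWS_SAML_AUDIENCE not in _as_list(equals.get("saml:aud")):
            findings.append(f"{name}: trust policy lacks StringEquals SAML:aud = {AWS_SAML_AUDIENCE}")
    return trusts, findings


def audit(list_providers, list_roles, now=None):
    """Evaluate the control: a non-expired SAML provider plus at least one role that trusts it."""
    now = _parse_ts(now) if now else datetime.now(timezone.utc)
    findings, valid_providers = [], set()
    for p in list_providers.get("SAMLProviderList", []):
        if _parse_ts(p["ValidUntil"]) <= now:
            findings.append(f"{p['Arn']}: signing certificate in metadata expired at "
                            f"{p['ValidUntil']}; upload fresh IdP metadata")
        else:
            valid_providers.add(p["Arn"])
    if not valid_providers:
        findings.append("no valid SAML provider configured in IAM")
    federated_roles = []
    for role in list_roles.get("Roles", []):
        trusts, role_findings = saml_trust_findings(role, valid_providers)
        findings.extend(role_findings)
        if trusts:
            federated_roles.append(role["RoleName"])
    if not federated_roles:
        findings.append("no IAM role trusts a valid SAML provider via sts:AssumeRoleWithSAML")
    return {"compliant": bool(federated_roles), "federated_roles": federated_roles, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit(LIST_SAML_PROVIDERS, LIST_ROLES), indent=2))
```

To run this against a real account, replace the two sample constants with `json.load` of the corresponding CLI output. Regional STS endpoint status is managed in the console and is not checked by this script; it only covers the provider and trust-policy half of the test plan.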

Implementation Plan 
Using AWS Console:

  1. Obtain SAML Metadata:

    • Export the SAML metadata XML file from your organization’s IdP (e.g., Okta, Azure AD).

  2. Create a SAML Provider in IAM:

    • Navigate to IAM → Identity providers → Add provider.

    • Choose Provider type: SAML.

    • Enter a Provider name (e.g., corp-saml-provider).

    • Upload the SAML metadata document.

    • Click Add provider.

  3. Create a Role for Federated Access:

    • Navigate to IAM → Roles → Create role.

    • Choose SAML 2.0 federation and select your newly created SAML provider.

    • Choose Allow programmatic and AWS Management Console access.

    • Attach appropriate permissions (e.g., ReadOnlyAccess, or custom policy).

    • Name the role (e.g., SAML-Federated-ReadOnly).

  4. Verify STS Endpoints and Federated Sign-In:

    • Go to IAM → Account settings → Security Token Service (STS).

    • Confirm the regional endpoints your federated users and tooling will call show as Active; the global endpoint is always active and needs no configuration.

    • Validate end to end by signing in through the IdP portal, choosing the federated role, and confirming that the resulting session uses temporary credentials (the corresponding CloudTrail event is AssumeRoleWithSAML).

Backout Plan:

  1. If the SAML provider or trust configuration causes login failures:

    • IAM has no "disable" switch for an identity provider. To cut federated access quickly, remove the provider's ARN from the affected roles' trust policies, or delete the provider, which makes every role that trusts it unassumable until it is recreated.

    • Keep a pre-existing break-glass path (an MFA-protected IAM user or a role reachable without the IdP) available to critical operators until the integration is corrected; do not issue new long-term credentials as a permanent substitute.

  2. Re-validate the SAML metadata (entityID, signing certificate, SSO endpoint), re-upload it if the IdP changed, and re-establish the trust once the IdP configuration is fixed.

References: