Identity Management – SCIM from ERP or IAM?

In our field, users are mastered in ERP. synchronization scripts are in place for inserting entries in the IAM. The scripts only pass a very small subset of attributes to the IAM. Some applications are notified by IAM using SCIM when a new user is added (see App 1), other apps only know new users when they use the service (see App 2) . There is now a new requirement for SCIM synchronization, but with fields outside the subset copied into IAM (see Annex 3).

If the data is synchronized from ERP via the script:
architecture diagram showing the 3 application connected to the synchronization script

Or should the subset change to include these details:
architecture diagram showing the App 3 connected to the IAM solution

and why?

json – how to create an aws iam role with console access and saml

I've viewed the aws document here https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html

I am able to create a role with console access from the aws console. How can I get the same thing using aws cloudformation.

What I want to reflect in CFT

I've created the cft file below, but the role does not work, it does not seem to have access to the console.

{
  "Parameters": {
    "SAMLID": {
      "Type": "String",
      "Description": "SAML IDENTITY PROVIDER ARN"
    }
  },
    "Resources": {
      "FullAdminXME": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "Description" : "SAML Role for Azure AD SSO",
            "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": 
              {
                "Effect": "Allow",
                "Principal": {
                  "Federated": { "Ref" : "SAMLID" }
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {
                  "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                  }
                }
              }

          },
          "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/AdministratorAccess"           
          ]
        }
      },

Hi iam again

Hi DP members, I am new here, I hope to find good things here

What is a secure way to store AWS IAM credentials?

When creating a new user in AWS IAM, it generates access keys for that user that must be stored somewhere. Where is a secure and easily accessible location for storing this identification information?

Amazon web services – The IAM administrator role assigned to the user can not see VPCs

In AWS, I created a user and gave him AdministratorAcess permissions.

As I understand it, this user can do anything that the root administrator can: by clicking on the AdministratorAccess permission, it gives me:

{
"Version": "2012-10-17",
"Declaration": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

However, when I log on to the console, with this user's credentials, I can not see any of the VPCs, subnets, or Internet gateway previously created by the root user.

Have I misunderstood how it works?

Amazon Web Services – Sharing IAM Policy Between Accounts in Organizations

When creating my organization in AWS, I came across a problem.
We plan to use AWS Organizations to separate different services (development, operations, IT, projects) into different AWS and AWS SSO accounts to manage inter-account access. In some departments (Dev, Projects)

I want some users to be able to create their own IAM users (called "function users") to use for programmatic access. These function users should not have the right to create users themselves or update access keys. In addition, these users (or their access keys) should only be valid for a limited time. The idea is that if an employee leaves the company, the user of the created function only remains valid for a limited time (if it is not found during the deactivation of the employee's user).

I plan to implement the time limit by calling a lambda function once a day to disable the access keys of all function users older than a given time.

My problem is to limit the rights of users created.
I have created a set of SSO permissions (mapped to a role in each account) to which the AWS Managed Policy "IAMReadOnlyAccess" is attached. In addition, he has the following online policy:

{
"Version": "2012-10-17",
"Declaration": [
    {
        "Sid": "CreateUsersWithTag",
        "Effect": "Allow",
        "Action": [
            "iam:CreateUser",
            "iam:DeleteUserPolicy",
            "iam:AttachUserPolicy",
            "iam:DetachUserPolicy",
            "iam:PutUserPermissionsBoundary"
        ],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws: RequestTag / Owner": "$ {aws: username}",
"iam: PermissionsBoundary": "arn: aws: iam :: 12356789012: policy / FunctionUserBoundary"
}
}
}
]}

With this policy, I try to force all users created to have a tag with the user who creates it (to identify the users of functions and allow that user to update the keys. access). I'm also trying to force an IAM policy to this newly created user who Denys any IAM access for the user of the function.

My problem is the ARN of this policy. He resides in the main account of the organization. Therefore, a user can not reference it in a subaccount when creating a user.

Is there a way to allow subaccounts to access IAM policies from another account? Another option would be to write a Lambda function triggered when creating the account, which creates the FunctionUserBoundary rule in each new account and changes the iam: PermissionsBoundary value to arn: aws: iam :: *: policy / FunctionUserBoundary but when I change policy later, I will end up with different policy versions in different accounts.

Is there a way to implement my plan or is my plan fundamentally wrong?

Cloud Computing – Questions to Ask the SaaS Vendor Using Active Directory for IAM

I am in a business environment in which we want to use a SaaS solution, and they use their own AD environment to manage our user accounts.

What kind of questions should I ask them about how they manage accounts? I have already made sure that the complexity of the passwords, the frequency of change of the passwords, is in place.

For example:

  • Do you use NTLM v1 or v2 for hashing?
  • Who has access to the AD, only the administrators?