We Enabled Self-Service Permission Settings in AWS IAM Identity Center

In this article, I’d like to share how we enabled self-service for permission settings in AWS IAM Identity Center (formerly AWS SSO) within our company.
Background
At our company, we use AWS IAM Identity Center to manage access permissions to various AWS accounts. Initially, the access request process was managed by a centralized team, which received requests from users and manually assigned permissions. However, as the number of users and AWS accounts increased, this approach became less efficient, leading to delays and operational bottlenecks.
To solve this, we decided to automate and streamline the permission assignment process by enabling self-service for users. This way, users could request and obtain the necessary permissions on their own, without needing to go through the central team.
The Challenges We Faced
One of the biggest challenges was to implement a framework for self-service permission settings in IAM Identity Center while maintaining governance over the permission setting process.
Implementation Details
We have addressed this challenge with the following architecture.
Here’s a high-level overview of the implementation:
- GitHub Repository for Terraform-Based IAM Identity Center Permission Management: At MIXI, we incorporate an Infrastructure as Code approach to manage infrastructure configurations. This practice extends to IAM Identity Center, where we manage permission definitions using Terraform. We have established a GitHub repository under the central team, following an organized directory structure based on business units and products, each functioning as a Terraform root module where IAM Identity Center permissions are defined.
- Governance with GitHub Code Owners: We leverage GitHub’s code owners feature for governance. Specific GitHub accounts or teams are set as code owners for directories, enforcing approval conditions for PR merges through branch protection rules. Each directory has a corresponding GitHub team comprising AWS account administrators, and these teams are designated as code owners.
- HCP Terraform Workspaces for CI/CD Workflows: HCP Terraform is used for CI/CD workflows. Corresponding HCP Terraform Workspaces are created for each directory.
- Restricting Provisioning Permissions: HCP Terraform supports OpenID Connect integration with AWS, which enables dynamic credential issuance via trust relationships with IAM Roles. Each directory has an associated IAM Role with tailored policies that restrict account assignments to the accounts that directory manages. We adopted a tag-based model for policy definitions, allowing creation/update/deletion of permission sets with specific tags and assignment of these permission sets to specific AWS accounts. For detailed information about the policies, please refer to the AWS blog titled “Delegating permission set management and account assignment in AWS IAM Identity Center”.
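As an added example (not MIXI's actual Terraform), here is a tag-based policy of the kind described above, written as a Terraform `aws_iam_policy_document` for the IAM Role that one directory's HCP Terraform workspace assumes. The instance id, the `owner` tag key and value, and the account ids are placeholders; the role's OIDC trust policy and the read-only `sso:Describe*`/`sso:List*` permissions needed for `terraform plan` are assumed to be configured separately.

```hcl
# Added example (not MIXI's own code); ids and tag value below are placeholders.
locals {
  sso_instance_id  = "ssoins-0000000000000000"
  owner_tag        = "example-business-unit"
  managed_accounts = ["111111111111", "222222222222"]
}
data "aws_iam_policy_document" "delegated_sso" {
  # A new permission set must be created carrying this directory's owner tag.
  statement {
    sid       = "CreateTaggedPermissionSet"
    actions   = ["sso:CreatePermissionSet"]
    resources = ["arn:aws:sso:::instance/${local.sso_instance_id}", "arn:aws:sso:::permissionSet/${local.sso_instance_id}/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/owner"
      values   = [local.owner_tag]
    }
  }
  # Only permission sets already tagged for this directory may be changed or assigned.
  statement {
    sid = "ManageOwnedPermissionSets"
    actions = ["sso:UpdatePermissionSet", "sso:DeletePermissionSet", "sso:ProvisionPermissionSet", "sso:TagResource",
      "sso:AttachManagedPolicyToPermissionSet", "sso:DetachManagedPolicyFromPermissionSet",
      "sso:PutInlinePolicyToPermissionSet", "sso:DeleteInlinePolicyFromPermissionSet",
      "sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"]
    resources = ["arn:aws:sso:::permissionSet/${local.sso_instance_id}/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/owner"
      values   = [local.owner_tag]
    }
  }
  # Assignments may target only this directory's accounts; instance and account ARNs carry no tags, so they need a statement without a tag condition.
  statement {
    sid       = "AssignToManagedAccountsOnly"
    actions   = ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment", "sso:ProvisionPermissionSet"]
    resources = concat(["arn:aws:sso:::instance/${local.sso_instance_id}"], [for id in local.managed_accounts : "arn:aws:sso:::account/${id}"])
  }
  # Stripping the owner tag would let a permission set escape the scoping above.
  statement {
    sid       = "ProtectOwnerTag"
    effect    = "Deny"
    actions   = ["sso:UntagResource"]
    resources = ["*"]
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "aws:TagKeys"
      values   = ["owner"]
    }
  }
}
```

The `aws:RequestTag` condition on creation only works because the `tags` of `aws_ssoadmin_permission_set` are sent in the create call, so a permission set defined without the `owner` tag fails at apply rather than silently landing outside the directory's scope.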
Results and Benefits
Since implementing the self-service permission system, we’ve seen several benefits:
- Reduced Operational Overhead: The central team is no longer burdened with processing every permission request, freeing them up for more strategic tasks.
- Faster Access: Users can now obtain the necessary permissions quickly, allowing them to start working on their tasks without delay.
Conclusion
Enabling self-service permission settings in AWS IAM Identity Center has significantly improved our operational efficiency while maintaining robust security controls. We believe this approach can be beneficial for other organizations facing similar challenges.
Thank you for reading!