In the previous blog, we discussed why access is over-provisioned and how Opal can help enterprises implement least privilege in their cloud infrastructure. This post outlines our vision for supporting large deployments with AWS Organizations and AWS Identity Center SSO.
In the words of our friends over at AWS, least privilege is a journey, not a destination. We at Opal deeply understand our role in helping customers accelerate AWS best practices. Feedback is equally vital in this relationship, and we’ve heard from our users that they are increasingly adopting more accounts to create firm organizational boundaries around sensitive resources.
There’s a lot of software that values function over usability. At Opal, we believe in form, not just function. It became clear that we needed to support our customers’ multi-account experience to help them adopt Opal faster. After many customer interviews, three patterns emerged; we describe each below.
These conversations validated many of our assumptions, but we were most surprised by the level of fragmentation across IAM strategies. This insight was the foundational reason we chose to support AWS Organizations and AWS Identity Center SSO as distinct, complementary additions, giving our customers maximum flexibility and choice as they mature their AWS deployments.
We are excited to announce two complementary API-driven integrations: AWS Organizations and AWS Identity Center SSO.
Both will offer admins frictionless onboarding for large multi-account deployments and an intuitive new interface for end-users to request and access resources across accounts.
At Opal, we secure access for everyone from small startups to the largest enterprises. Most follow a progression on AWS: starting with a few accounts, adopting an organizational model, and scaling to Identity Center SSO. Each stage uses a different AWS Security Token Service (STS) API to mint temporary credentials.
Introduced in part one of the blog series, Opal’s integration with AWS Accounts is the most accessible starting point. Create an IAM service account for Opal in each AWS Account and import resources. Opal issues temporary IAM role credentials via STS AssumeRole.
This approach appeals to small deployments, typically ten accounts or fewer, that do not have an identity provider to federate with.
Opal’s integration with AWS Organizations is a lightweight, federated approach between Opal, AWS, and an OpenID Connect capable identity provider. Opal connects to your AWS organization and automatically imports resources across all member accounts. Opal issues temporary IAM role credentials via STS AssumeRoleWithWebIdentity, so the roles trust your identity provider rather than a long-lived service account in each account.
This approach is excellent for deployments of any size and pairs well with Infrastructure as Code for IAM and identity providers that support OpenID Connect. Complex protocols like SCIM are not required.
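The two STS paths above differ mainly in what the target role’s trust policy trusts. The following is an added example, not Opal’s own code or configuration: it builds the trust policy for the per-account pattern (a role assumed with sts:AssumeRole by a service-account principal, pinned with an ExternalId) and for the federated pattern (a role assumed with sts:AssumeRoleWithWebIdentity through an IAM OIDC provider, pinned to a token audience and subject), then audits a policy for the conditions a practitioner would expect to see. Every account ID, principal ARN, provider host, audience and subject below is a placeholder assumed for the example.

```python
import json

# Placeholder identifiers for this example only; none are Opal's or AWS's real values.
OPAL_PRINCIPAL_ARN = "arn:aws:iam::111111111111:user/opal-service-account"  # hypothetical


def service_account_trust_policy(opal_principal_arn: str, external_id: str) -> dict:
    """Trust policy for the per-account pattern: a role in the target account that
    the Opal service account assumes with sts:AssumeRole. The ExternalId condition
    is the standard confused-deputy mitigation for roles assumed by a third party."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": opal_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def web_identity_trust_policy(account_id: str, provider_host: str,
                              audience: str, subject: str) -> dict:
    """Trust policy for the federated (Organizations) pattern: the role trusts an IAM
    OIDC provider and is assumed with sts:AssumeRoleWithWebIdentity. Pinning aud and
    sub is what stops a token minted by the same IdP for a different client or a
    different subject from assuming this role. The subject value is whatever your
    IdP asserts for the caller (assumed here to be a user e-mail)."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{provider_host}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider_host}:aud": audience,
                f"{provider_host}:sub": subject,
            }},
        }],
    }


def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements weaker than the two patterns above:
    web-identity trust without an aud+sub pin, and AssumeRole granted to an AWS
    principal without an ExternalId."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = json.dumps(stmt.get("Condition", {}))
        if "sts:AssumeRoleWithWebIdentity" in actions and not (":aud" in cond and ":sub" in cond):
            findings.append(f"statement {i}: web identity trust without aud+sub condition")
        if ("sts:AssumeRole" in actions and "AWS" in stmt.get("Principal", {})
                and "sts:ExternalId" not in cond):
            findings.append(f"statement {i}: AssumeRole for an AWS principal without ExternalId")
    return findings


if __name__ == "__main__":
    policy = web_identity_trust_policy("222222222222", "idp.example.com",
                                       "opal-client-id", "alice@example.com")
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy))
```

The audit is deliberately conservative: it only reads the conditions the role document carries, so a policy that relies on a StringLike wildcard for sub will still pass. Treat it as a first check before the role is applied with Terraform, not as a replacement for reviewing the IdP’s own client and audience configuration.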
From our design partners:
“The integration with our IdP was simple!!” - Senior Security Engineer
“Opal’s organizational approach allowed us to use our existing Terraform managed roles with minimal effort.” - Staff DevOps Engineer
“Migrating to the solution brought Opal’s fine-grained resource model that our developers were familiar with to every account in an automated way.” - Director of Security Engineering
Opal’s integration with AWS Identity Center provides out-of-the-box support for Identity Center permission sets as first-class resources in Opal. Opal assigns users and groups to permission sets via the AWS Identity Center APIs, and AWS issues temporary credentials for the permission set’s role via STS AssumeRoleWithSAML.
This approach is perfect for existing Identity Center users who want deep visualization of access paths and JIT request flows for permission sets. Identity provider deployments for these customers are typically sophisticated and mature.
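A JIT flow on Identity Center reduces to a grant and a later revoke of an account assignment, and the Identity Center admin API makes both asynchronous. The following is an added example written for this post, not Opal’s code: it wraps the real boto3 `sso-admin` calls `create_account_assignment` and `delete_account_assignment`, polls the matching status API until the change settles, and returns the request id so the approval and the revocation can be tied together in an audit log. The instance ARN, permission set ARN, account ID and principal ID are placeholders, and the in-memory `FakeSsoAdmin` client exists only so the example runs offline; pass `boto3.client("sso-admin")` in its place against a real account.

```python
import time
import uuid

# Placeholder identifiers assumed for this example; none belong to a real AWS account.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0000000000000000"
PERMISSION_SET_ARN = "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-1111111111111111"


def _wait(client, describe_method: str, key: str, instance_arn: str,
          request_id_field: str, status: dict, poll_seconds: float) -> dict:
    """Poll the status API until the assignment change leaves IN_PROGRESS."""
    while status["Status"] == "IN_PROGRESS":
        time.sleep(poll_seconds)
        status = getattr(client, describe_method)(
            InstanceArn=instance_arn, **{request_id_field: status["RequestId"]})[key]
    if status["Status"] != "SUCCEEDED":
        raise RuntimeError(status.get("FailureReason", "assignment change failed"))
    return status


def grant(client, instance_arn: str, account_id: str, permission_set_arn: str,
          principal_id: str, principal_type: str = "USER", poll_seconds: float = 1.0) -> str:
    """Assign a USER or GROUP to a permission set in one account; returns the request id."""
    status = client.create_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn,
        PrincipalType=principal_type, PrincipalId=principal_id,
    )["AccountAssignmentCreationStatus"]
    return _wait(client, "describe_account_assignment_creation_status",
                 "AccountAssignmentCreationStatus", instance_arn,
                 "AccountAssignmentCreationRequestId", status, poll_seconds)["RequestId"]


def revoke(client, instance_arn: str, account_id: str, permission_set_arn: str,
           principal_id: str, principal_type: str = "USER", poll_seconds: float = 1.0) -> str:
    """Remove the assignment created by grant(); same parameters, returns the request id."""
    status = client.delete_account_assignment(
        InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
        PermissionSetArn=permission_set_arn,
        PrincipalType=principal_type, PrincipalId=principal_id,
    )["AccountAssignmentDeletionStatus"]
    return _wait(client, "describe_account_assignment_deletion_status",
                 "AccountAssignmentDeletionStatus", instance_arn,
                 "AccountAssignmentDeletionRequestId", status, poll_seconds)["RequestId"]


class FakeSsoAdmin:
    """Offline stand-in for boto3's sso-admin client, mimicking the response shapes
    of the four calls used above. It reports IN_PROGRESS once, then SUCCEEDED."""

    def __init__(self):
        self.assignments = set()
        self._status = {}

    @staticmethod
    def _key(kw):
        return (kw["TargetId"], kw["PermissionSetArn"], kw["PrincipalType"], kw["PrincipalId"])

    def _start(self, key_name):
        rid = str(uuid.uuid4())
        self._status[rid] = {"Status": "SUCCEEDED", "RequestId": rid}
        return {key_name: {"Status": "IN_PROGRESS", "RequestId": rid}}

    def create_account_assignment(self, **kw):
        self.assignments.add(self._key(kw))
        return self._start("AccountAssignmentCreationStatus")

    def delete_account_assignment(self, **kw):
        self.assignments.discard(self._key(kw))
        return self._start("AccountAssignmentDeletionStatus")

    def describe_account_assignment_creation_status(self, **kw):
        return {"AccountAssignmentCreationStatus": self._status[kw["AccountAssignmentCreationRequestId"]]}

    def describe_account_assignment_deletion_status(self, **kw):
        return {"AccountAssignmentDeletionStatus": self._status[kw["AccountAssignmentDeletionRequestId"]]}


if __name__ == "__main__":
    client = FakeSsoAdmin()
    rid = grant(client, INSTANCE_ARN, "222222222222", PERMISSION_SET_ARN, "user-id-1", poll_seconds=0)
    print("granted", rid, client.assignments)
    revoke(client, INSTANCE_ARN, "222222222222", PERMISSION_SET_ARN, "user-id-1", poll_seconds=0)
    print("revoked", client.assignments)
```

Two points matter for a JIT platform built on this API. The assignment is only in effect once the status reaches SUCCEEDED, so a grant must not be reported to the requester before polling finishes, and the revoke should be scheduled from the moment the grant succeeded rather than the moment it was requested. Revoking the assignment does not invalidate role credentials a user already obtained; those expire with the permission set’s session duration, which is the real upper bound on how long access persists after revocation.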
From our design partners:
“We did a lot of work to migrate to identity center (role migration, SCIM, etc.), so we could manage IAM more scalably and provide both console and CLI access in one platform, which our developers liked!” - Staff Security Engineer
“We were always overprovisioned without a just-in-time platform and out of compliance. Opal’s helped us close this gap with auditable, automatic revocations and a deep understanding of how engineers had access to what.” - Manager, Cloud Security
“Opal’s visibility features made it easy for developers to find and request the permission sets they need quickly.” - CISO
This blog post discussed Opal’s vision for managing large AWS deployments with two new integrations, AWS Organizations and AWS Identity Center SSO. In part one, we covered the account-based integration available today; in the following parts, we will deep dive into how the AWS Organizations and AWS Identity Center SSO integrations work.
Opal is the centralized authorization platform for IT and Infrastructure teams. Deeply integrated with developer infrastructure, SaaS applications, and custom internal tools, Opal enables companies to implement scalable access management.