Resources
Oct 27, 2022

Scalable AWS Access Management Part 3: Securing Complex Multi-Account Environments

Opal launches integrations with AWS IAM Identity Center and AWS Organizations

Lance Larsen
Head of Solutions Engineering

Background 

In part 1 of the blog series, we discuss the explosion of the cloud and how it's easier than ever to create infrastructure, even for teams outside of software engineering. While this trend has enabled greater innovation, it has also led to permissions sprawl, increasing the risk of insider threats. Part 2 introduces Opal’s vision toward securing complex multi-account environments.

Today, we are beyond thrilled to announce the general availability of Opal’s integrations with AWS IAM Identity Center and AWS Organizations!

AWS IAM Identity Center (formerly known as AWS SSO)

AWS IAM Identity Center enables organizations to connect with identity providers such as Okta, Azure AD, and more, to centrally manage access to AWS resources and applications. Permission sets sit at the center of this feature, allowing administrators to define and maintain a curated set of permission policies that can be easily applied to any of your AWS accounts.

How does Opal integrate with IAM Identity Center?
Opal's management plane allows you to take control of your permission sets by providing seamless assignment of permission sets to users or groups, and just-in-time access workflows, helping eliminate long-standing access to sensitive permission sets. Additionally, with AWS IAM Identity Center’s authorization scheme, Opal is only allowed to provision access to users in your IAM Identity Center instance, keeping your AWS infrastructure secure even if Opal were to experience a security breach.

AWS Organizations

AWS Organizations with cross-account roles was the recommended way to manage AWS infrastructure across accounts before the emergence of AWS IAM Identity Center. While AWS IAM Identity Center is powerful, we recognize that some identity providers do not support it, and configuring it can be a long and complex process for organizations with a large amount of infrastructure already configured without it.

How does Opal integrate with AWS organizations?

With the AWS Organizations integration, Opal provides a single pane of glass for all of your AWS accounts and their resources that can be configured in minutes. Additionally, with AWS Organizations, Opal’s permissions requirements for managing AWS infrastructure have been hardened:

  1. Opal no longer needs any long-term credentials to interface with your AWS infrastructure. All operations are performed using IAM Roles.
  2. Opal only grants federated access to your users via your identity provider, using OpenID Connect. This way, Opal is unable to grant access to users outside of your organization, just like with IAM Identity Center.

Managing Many AWS Accounts

As companies scale, they often transition from a single AWS account to multiple AWS accounts, such as dev, staging, prod, and ops accounts. Organizations continue this expansion in per-team and per-system accounts - with some companies adding one or two AWS accounts weekly! While this multi-account strategy provides security isolation between systems and increases reliability, it also drastically increases the complexity of management. Users that need access may have questions such as “What team manages access to account Foo?”, or “Who should I ask to request access to account Bar, and what information should be included in that ticket?”. 

Opal’s AWS Organizations and IAM Identity Center integrations are a single pane of glass for all accounts. Opal can import resources from all of your accounts in minutes without the need for long-lived access to sensitive permissions.

Benefits of Opal’s Scalable AWS Management

Investing in scalable AWS infrastructure is crucial for fast-growing companies. Opal customers are seeing three major pillars of value:

1. Access Reduction

Security leaders are increasingly moving away from long-lived access to a broad set of permissions to just-in-time access, granting (and revoking) granular privileges on an as-needed basis. This security practice minimizes the risk of standing privileges that malicious insiders or attackers can exploit. 

Once developers get access, they can easily generate identity-based and auto-expiring credentials to sensitive infrastructure like production databases. This eliminates credential sprawl, as credentials are no longer stored locally.

2. Secure Productivity

While just-in-time access reduces a company’s attack surface, it also introduces friction. Opal believes access management can only be scalable by delegating management to system owners with the most context and automating provisioning through Slack. 

 After getting access, Opal enables developers to start sessions via the CLI. 

3. Continuous Compliance 

Opal enables customers to maintain continuous compliance across complex AWS accounts. User access reviews are historically painful, time-consuming, and confusing. Moving away from spreadsheet-based workflows, Opal snapshots user listings, notifies reviewers via Slack, launches self-service reviews, and propagates access changes with automated reporting.

Summary:

Opal's integrations with AWS Identity Center SSO and AWS Organizations enable enterprises to manage infrastructure access for complex multi-account environments. In a secure manner, Opal can import all accounts so that end users can browse and request for what they need and system owners can configure the appropriate guardrails.

About Opal:

Opal is the centralized authorization platform for IT and Infrastructure teams. Deeply integrated with developer infrastructure, SaaS applications, and custom internal tools, Opal enables companies to implement scalable access management.

Want to see it yourself? Contact hello@opal.dev or book a meeting here for a personalized demo.

Lance Larsen

Updates + insights about the future of access management