Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configurable handling of 'manually created' Users/Groups in IAM Identity Center #179

Open
ChrisPates opened this issue Mar 21, 2024 · 0 comments
Open

Configurable handling of 'manually created' Users/Groups in IAM Identity Center #179

ChrisPates opened this issue Mar 21, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@ChrisPates
Copy link
Contributor

ChrisPates commented Mar 21, 2024
edited

Is your feature request related to a problem? Please describe.
Normal behavior for a uni-directional identity replication is that the downstream IdP, will contain only the user/groups (or a sub-set there of) that exist in the upstream IdP.

With IAM Identity Center, local users (those that do not exist in the upstream IdP) can exist but will not be able to authenticate (since the upstream SAML IdP can not create a auth token for a user identity it doesn't have).

AWS Control Tower's behavior of creating groups (at LZ setup time) and users (as part of account factory provisioning), also its assigning of Administrator Access. Is often found to be inconsistent with organizations Identity Management principles and the permissions granted excessive for the principle of least privilege. This behavior also only implemented when using the Identity Store with IAM Identity Center, where an instance of AWS Managed Microsoft AD or AWS Directory Service, these users are not created.

Describe the solution you'd like
Some users may wishes to handle locally created users and groups in a specific fashion (related issues: #141, #88, #59:

  • delete (default and current behavior)
    • Groups are deleted
    • Users are deleted
  • disable
    • Groups are ignored
    • Users are disabled
  • ignore
    • Groups are ignored
    • Users are ignored

The above behavior should be configurable, via either cli parameter or environment variable (lambda)

Describe alternatives you've considered

  • A list of Groups/User named to ignore
    • likely to differ between customer environments,
    • changes in service behavior (AWS Control Tower for example) may cause issues
  • regex based
    • more configurable than above, but has many of the same limitations

Additional context
'Manual' as a creation method is an implicit property and can not be directly interrogated via the apis, for this reason it would be necessary to start using the externalId field (see related enhancement Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field #166) to allow the code to determine what resources are SCIM provision but no longer exist upstream vs manually created resources that only exist in IAM Identity Center.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ChrisPates