Request to Enable Single Sign On on AWS Accounts- Participation Systems Infra - 484535289196
Categories
(Community Building :: Systems and Data, task)
Tracking
(Not tracked)
People
(Reporter: schu, Assigned: tasos)
References
Details
Hi,
We're reaching out to Mozillians who are responsible for AWS accounts in an effort to standardize the authentication methods used for all of Mozilla's AWS accounts.
By standardizing your account and enabling Mozilla Single Sign On (SSO), you'll be able to use your existing Mozilla SSO web browser session to access AWS (no more typing your AWS password or AWS MFA token needed) and avoid storing static AWS API keys on your laptop. We will improve our ability to de-provision users when an employee leaves, gain enhanced visibility and auditability if your AWS account is compromised, reduce risk of exposure of AWS API keys and avoid manual processes.
We've created a set of instructions for AWS account owner(s) to enable federated AWS login with Single Sign On in your AWS account. The instructions can be found here. We'd like this to be completed within 2 weeks (4/20/20).
After enabling Single Sign on in your AWS account, you'll be able to access your account via the AWS Web Console, the CLI or in code using these instructions.
Once your team has used AWS with Single Sign On for a few weeks, you'll be ready to remove the existing IAM users of the Mozillians that use your AWS account. We will likely follow up with you in this ticket about the removal of those IAM users when the time comes.
If, in the process of enabling Single Sign On in your AWS account, you encounter any problems or have any questions, feel free to ask them here in this bug.
If you'd like to learn more about this project, more detail about the tech, and more ways you can implement this single sign on system, you can find that on this page.
John, would you be able to help, or direct this to whoever may be able to support?
Comment 2•4 years ago (Assignee)
Hi Sarah, I will try to apply these changes by the end of this week. Hope this is OK?
Hi Taso, were you able to apply the changes? Any questions?
Comment 5•4 years ago (Assignee)
Hi Sarah, apologies for the delay. This has been rolled out and I can successfully log in using SSO. I will clean up the old accounts in a week.
Appreciate you working on this. Let's keep this bug open for now until the clean up of the accounts occurs. Over the next 30 days, we would expect there to be no cases of your team logging into the web console or interacting with the AWS API using their old IAM user API keys. We'll check back in 30 days for the account clean up. Step 4 in the link shows the instructions for deleting and disabling user roles: https://mana.mozilla.org/wiki/display/SECURITY/AWS+Federated+Login+Account+Setup#AWSFederatedLoginAccountSetup-Step4of4:Disablinganddeletinguserroles
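The 30-day quiet period above is something an account owner can verify from the IAM credential report rather than by asking around. The script below is an added example and is not part of this ticket or of the linked setup instructions. It assumes the CSV column layout of `aws iam get-credential-report` (only the columns it reads are included in the constructed sample), treats a user as still active when a console login or access-key use falls inside the window, and takes an explicit set of application users (an assumed allowlist; the ticket only says that application users stay) so those are reported separately instead of being flagged for removal.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report.
# The real report (`aws iam get-credential-report`, base64-decoded) has more
# columns; only the ones this check reads are kept here. Account id is a
# placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,no_information,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2020-04-28T09:12:44+00:00,true,2020-04-29T14:03:10+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2020-02-01T08:00:00+00:00,true,2020-01-20T11:30:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,false,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,N/A,true,2020-04-30T02:15:00+00:00,false,N/A
"""

# Constructed "current time" so the sample gives stable results.
NOW = datetime(2020, 5, 1, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Return an aware datetime, or None for N/A / no_information / empty."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None


def last_activity(row):
    """Most recent console login or access-key use recorded for one user."""
    stamps = [
        parse_timestamp(row.get("password_last_used", "")),
        parse_timestamp(row.get("access_key_1_last_used_date", "")),
        parse_timestamp(row.get("access_key_2_last_used_date", "")),
    ]
    stamps = [t for t in stamps if t is not None]
    return max(stamps) if stamps else None


def classify_users(report_csv, now=NOW, app_users=frozenset(), window_days=30):
    """Sort IAM users into three buckets for the post-SSO cleanup.

    still_active    - a human user who used a password or key inside the window
    ready_to_remove - a human user with no activity inside the window
    application     - listed in app_users (assumed allowlist), left in place
    The root row is skipped: it is not an IAM user and cannot be deleted.
    """
    window = timedelta(days=window_days)
    result = {"still_active": [], "ready_to_remove": [], "application": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        if name == "<root_account>":
            continue
        if name in app_users:
            result["application"].append(name)
            continue
        seen = last_activity(row)
        if seen is not None and now - seen <= window:
            result["still_active"].append(name)
        else:
            result["ready_to_remove"].append(name)
    return result


if __name__ == "__main__":
    buckets = classify_users(SAMPLE_REPORT, app_users={"deploy-bot"})
    for bucket, users in buckets.items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

On a real account, decode the report with `aws iam get-credential-report --query Content --output text | base64 -d` and pass the text to `classify_users` with the current time; a non-empty `still_active` list means someone on the team is still using IAM credentials and the cleanup should wait.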
Comment 7•4 years ago
:tasos, would you delete the limed IAM user as well?
Comment 8•4 years ago (Assignee)
All the IAM users are deleted in the account. Only IAM users used by applications are left. Please let me know if there is anything that should be done for this account.