Access existing AWS resources in new application

Question

We want to access existing AWS resources that have existing security policies.  We want to move to either OAuth2 or SAML authentication/authorization.  We would like to find documentation and examples demonstrating the  best practice for accomplishing this access of pre-existing resources using either OAuth2 or SAML.  Ideally we are looking for a tutorial covering both the API usage in our application as well as any additional IAM configuration.

Our reading of the documentation suggests that calling AssumeRoleWithWebIdentity() (for OAuth2) requires the addition of a role that maps the federated user space to a specific set of authorization policies for individual resources.  Is this the best practice?  If so, how does this interact with the existing set of authorization policies, especially when we scale to 10's of thousands of users and millions of resources?

Any pointers would be Most Helpful. Thank you!

Answer

That's a really big question which has multiple answers depending on actual use cases; which identity provider you're going to use; your multi-account structure; and so on. Not something that I'd like to give specific advice on here because of those variables.

For machine-to-machine authentication [this is an excellent resource](https://aws.amazon.com/blogs/security/approaches-for-authenticating-external-applications-in-a-machine-to-machine-scenario/).

For large-scale user authentication you definitely want to look at best practices for [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html), [Single Sign-on](https://aws.amazon.com/single-sign-on/) as well as [Organizations](https://aws.amazon.com/organizations/getting-started/best-practices/) and possibly [Control Tower](https://aws.amazon.com/controltower/).

I'd strongly encourage you to reach out to your local AWS account team and get advice specific to you from them.

Access existing AWS resources in new application

관련 콘텐츠