Ensure that the IAM Identity Providers (IdPs) configured in your AWS account are valid, so that you can securely manage your user identities outside AWS and grant those external identities permissions to use resources in your account. This is useful if your organization has its own identity system, or if you develop mobile applications that need access to your AWS resources, because you do not have to distribute or embed long-term security credentials such as IAM access keys. Before running this rule with the Trend Cloud One™ – Conformity engine, you need to specify the trusted Identity Provider endpoint in the rule's configuration settings.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using a valid Identity Provider (IdP) helps keep your AWS account secure because you do not have to embed and distribute security credentials such as IAM access keys with your application. Instead, your application's users sign in through a well-known Identity Provider that manages their identities for you, and IAM only trusts the endpoint you have configured.
Audit
To determine if the Identity Providers (IdPs) used within your AWS cloud account are valid, perform the following operations:
For SAML Identity Providers:
For OpenID Connect (OIDC) Identity Providers:
Remediation / Resolution
To replace an invalid Identity Provider (IdP) within your AWS cloud account, perform the following operations:
For SAML Identity Providers:
For OpenID Connect (OIDC) Identity Providers:
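The following script is an added example that covers both the Audit and the Remediation sections above; it is not Conformity's own code. It applies the same check the rule describes: every endpoint advertised by a SAML provider's metadata (the entityID and each SingleSignOnService Location) and the issuer host embedded in each OIDC provider ARN must belong to an allowlist of trusted IdP hosts. The allowlist TRUSTED_IDP_HOSTS, the sample SAML metadata document and the provider ARNs are constructed for the demo; the live audit_account() and rotate_saml_metadata() functions call the IAM API through boto3 (list_saml_providers, get_saml_provider, list_open_id_connect_providers, update_saml_provider) and are only run when you invoke them with credentials.

```python
"""Audit IAM identity providers against an allowlist of trusted IdP endpoints."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumed allowlist: the hosts your organisation actually federates with.
TRUSTED_IDP_HOSTS = {"idp.example.com", "token.actions.githubusercontent.com"}

# Constructed sample of the SAMLMetadataDocument that `iam get-saml-provider` returns.
SAMPLE_SAML_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def saml_endpoints(metadata_xml):
    """Return the entityID plus every SingleSignOnService Location in the metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % SAML_MD_NS:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    urls = [root.attrib["entityID"]]
    for sso in root.iter("{%s}SingleSignOnService" % SAML_MD_NS):
        urls.append(sso.attrib["Location"])
    return urls


def _host(endpoint):
    """Hostname of an https endpoint; bare hosts (as found in OIDC ARNs) are accepted."""
    url = endpoint if "://" in endpoint else "https://" + endpoint
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:   # policy choice: https only
        raise ValueError("IdP endpoint must be an https URL: %r" % endpoint)
    return parsed.hostname.lower()


def check_saml_provider(arn, metadata_xml, trusted_hosts=TRUSTED_IDP_HOSTS):
    """Flag the SAML provider if any endpoint in its metadata points off the allowlist."""
    try:
        untrusted = sorted({u for u in saml_endpoints(metadata_xml)
                            if _host(u) not in trusted_hosts})
    except (ET.ParseError, KeyError, ValueError) as exc:
        return {"arn": arn, "valid": False, "reason": "unparseable metadata: %s" % exc}
    if untrusted:
        return {"arn": arn, "valid": False, "reason": "untrusted endpoints: %s" % untrusted}
    return {"arn": arn, "valid": True, "reason": "all endpoints on allowlist"}


def check_oidc_provider(arn, trusted_hosts=TRUSTED_IDP_HOSTS):
    """The issuer host is embedded in the OIDC provider ARN after ':oidc-provider/'."""
    marker = ":oidc-provider/"
    if marker not in arn:
        return {"arn": arn, "valid": False, "reason": "not an OIDC provider ARN"}
    issuer = arn.split(marker, 1)[1]          # e.g. oidc.eks.us-east-1.amazonaws.com/id/ABC
    try:
        host = _host(issuer)
    except ValueError as exc:
        return {"arn": arn, "valid": False, "reason": str(exc)}
    if host not in trusted_hosts:
        return {"arn": arn, "valid": False, "reason": "untrusted issuer %s" % host}
    return {"arn": arn, "valid": True, "reason": "issuer on allowlist"}


def audit_account(trusted_hosts=TRUSTED_IDP_HOSTS):
    """Live audit: the same checks fed from the IAM API (needs boto3 and credentials)."""
    import boto3                               # imported here so the demo runs offline
    iam = boto3.client("iam")
    findings = []
    for p in iam.list_saml_providers()["SAMLProviderList"]:
        doc = iam.get_saml_provider(SAMLProviderArn=p["Arn"])["SAMLMetadataDocument"]
        findings.append(check_saml_provider(p["Arn"], doc, trusted_hosts))
    for p in iam.list_open_id_connect_providers()["OpenIDConnectProviderList"]:
        findings.append(check_oidc_provider(p["Arn"], trusted_hosts))
    return findings


def rotate_saml_metadata(arn, new_metadata_xml, trusted_hosts=TRUSTED_IDP_HOSTS):
    """Remediation: push fresh IdP metadata only after it passes the same check."""
    finding = check_saml_provider(arn, new_metadata_xml, trusted_hosts)
    if not finding["valid"]:
        raise ValueError(finding["reason"])
    import boto3
    boto3.client("iam").update_saml_provider(SAMLProviderArn=arn,
                                             SAMLMetadataDocument=new_metadata_xml)
    return finding
```

An OIDC provider whose issuer is off the allowlist cannot be edited into a valid one, because the issuer URL is part of its ARN: create the correct provider, repoint the `Federated` principal in every role trust policy that referenced the old ARN, and only then delete the old provider. For SAML, update_saml_provider is the right tool when the IdP host is correct but the metadata is stale, for example after the IdP rotates its signing certificate.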
References
- AWS Documentation
- Identity Providers and Federation
- Creating IAM Identity Providers
- Creating IAM SAML identity providers
- Creating OpenID Connect (OIDC) Identity Providers
- Obtaining the Thumbprint for an OpenID Connect Identity Provider
- Enabling SAML 2.0 Federated Users to Access the AWS Management Console
- Integrating Third-Party SAML Solution Providers with AWS
- AWS Command Line Interface (CLI) Documentation
- iam
- list-saml-providers
- get-saml-provider
- update-saml-provider
- create-open-id-connect-provider