Valid IAM Identity Providers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (should be achieved)
Rule ID: IAM-034

Ensure that the IAM Identity Providers (IdPs) used within your AWS account are valid, so that you can securely manage your user identities outside the AWS cloud and grant those external identities permissions to use the cloud resources in your account. This is useful if your organization has its own identity system, or if you develop mobile applications that require access to your AWS resources, because you don't have to distribute or embed long-term security credentials such as IAM access keys. Before the Trend Cloud One™ – Conformity engine runs this rule, you need to specify the Identity Provider endpoint(s) within the rule configuration settings.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using a valid Identity Provider (IdP) helps you keep your AWS account secure as you don't have to embed and distribute security credentials like IAM access keys with your application. Instead, your application users can sign in through a well-known Identity Provider that securely manages the user identities for you.


Audit

To determine if the Identity Providers (IdPs) used within your AWS cloud account are valid, perform the following operations:

For SAML Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Identity providers.

04 Click on the name of the IAM Identity Provider that you want to examine.

05 On the Summary page, choose Download metadata to download the XML metadata document that includes the information about the selected Identity Provider.

06 Open the document downloaded at the previous step in your preferred XML editor and locate the IdP endpoint URL listed as the value of the Location attribute of the <SingleSignOnService/> XML element (e.g. Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185").

07 Sign in to your Trend Cloud One™ – Conformity account, access the Valid IAM Identity Providers rule settings, and compare the IdP endpoint identified at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Conformity account console, the selected Amazon IAM Identity Provider is not valid.

08 Repeat steps no. 4 – 7 for each SAML Identity Provider available within your AWS cloud account.

Using AWS CLI

01 Run list-saml-providers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all the SAML Identity Providers (SAML IdPs) currently available in your AWS account:

aws iam list-saml-providers \
  --query 'SAMLProviderList[*].Arn'

02 The command output should return an array with the requested ARN(s):

[
   "arn:aws:iam::123456789012:saml-provider/one-login-identity-provider"
]

03 Run get-saml-provider command (OSX/Linux/UNIX) using the Identity Provider ARN returned at the previous step as the identifier parameter to retrieve the metadata document that was uploaded when the SAML IdP resource was created or last updated:

aws iam get-saml-provider \
  --saml-provider-arn arn:aws:iam::123456789012:saml-provider/one-login-identity-provider \
  --query 'SAMLMetadataDocument'

04 The command output should return the requested XML metadata document:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/994185">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate> ... </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/slo/994185"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompany.onelogin.com/trust/saml2/http-post/sso/994185"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycompany.onelogin.com/trust/saml2/soap/sso/994185"/>
  </IDPSSODescriptor>
</EntityDescriptor>

05 Analyze the XML document returned at the previous step and find the Identity Provider (IdP) endpoint URL listed as the value of the Location attribute of the <SingleSignOnService/> XML element (e.g. Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185").

06 Sign in to your Trend Cloud One™ – Conformity account, access the Valid IAM Identity Providers rule settings, and compare the IdP endpoint identified at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Conformity account console, the selected Amazon IAM Identity Provider is not valid.

07 Repeat steps no. 3 – 6 for each SAML Identity Provider available in your AWS cloud account.

For OpenID Connect (OIDC) Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Identity providers.

04 Click on the name of the IAM Identity Provider that you want to examine.

05 On the Summary page, locate the IdP endpoint URL listed as the value of the Provider URL attribute (e.g. mycompany-ebb5e.firebaseapp.com).

06 Sign in to your Trend Cloud One™ – Conformity account, access the Valid IAM Identity Providers rule settings, and compare the IdP endpoint identified at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Conformity account console, the selected Amazon IAM Identity Provider is not valid.

07 Repeat steps no. 4 – 6 for each OIDC Identity Provider available within your AWS cloud account.

Using AWS CLI

01 Run list-open-id-connect-providers command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of all the OIDC Identity Providers available in your AWS account:

aws iam list-open-id-connect-providers \
  --query 'OpenIDConnectProviderList[*].Arn'

02 The command output should return an array with the requested ARN(s):

[
  "arn:aws:iam::123456789012:oidc-provider/mycompany-ebb5e.firebaseapp.com"
]

03 Run get-open-id-connect-provider command (OSX/Linux/UNIX) using the Identity Provider ARN returned at the previous step as the identifier parameter to describe the OIDC Identity Provider endpoint URL:

aws iam get-open-id-connect-provider \
  --open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/mycompany-ebb5e.firebaseapp.com \
  --query 'Url'

04 The command output should return the requested provider endpoint URL:

"mycompany-ebb5e.firebaseapp.com"

05 Sign in to your Trend Cloud One™ – Conformity account, access the Valid IAM Identity Providers rule settings, and compare the IdP endpoint identified at the previous step against each endpoint listed in the rule configuration section. If the IdP endpoint found at the previous step does not match any of the endpoints listed on your Conformity account console, the selected Amazon IAM Identity Provider is not valid.

06 Repeat steps no. 3 – 5 for each OIDC Identity Provider available in your AWS cloud account.
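The comparison described in the SAML and OIDC audit steps above, as an added example that is not part of the Conformity rule page or its tooling: it extracts every SingleSignOnService Location from a SAML metadata document of the kind get-saml-provider returns and checks it, or an OIDC provider URL of the kind get-open-id-connect-provider returns, against an allowlist. The allowlist and the sample metadata are constructed stand-ins for the endpoints configured in the rule settings; the check is slightly stricter than the manual steps in that every SSO endpoint the metadata advertises must be allowlisted, so an unexpected extra binding is flagged too.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed allowlist standing in for the endpoints configured in the
# Conformity rule settings (hypothetical values, not real IdPs).
ALLOWED_IDP_ENDPOINTS = {
    "https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185",
    "https://mycompany.onelogin.com/trust/saml2/http-post/sso/994185",
    "https://mycompany.onelogin.com/trust/saml2/soap/sso/994185",
    "mycompany-ebb5e.firebaseapp.com",  # OIDC provider URL as IAM returns it
}

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SAML metadata, trimmed to the elements this check reads.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{SAML_MD_NS}" entityID="https://app.onelogin.com/saml/metadata/994185">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mycompany.onelogin.com/trust/saml2/http-redirect/sso/994185"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompany.onelogin.com/trust/saml2/http-post/sso/994185"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://mycompany.onelogin.com/trust/saml2/soap/sso/994185"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def saml_sso_endpoints(metadata_xml: str) -> list[str]:
    """Return every SingleSignOnService Location advertised in a SAML IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Location", "") for el in root.iter(f"{{{SAML_MD_NS}}}SingleSignOnService")]


def normalize(endpoint: str) -> str:
    """Canonicalize an endpoint: lower-case scheme and host, drop a trailing slash.
    IAM returns OIDC provider URLs without a scheme, so a bare host gets https://."""
    url = endpoint if "://" in endpoint else "https://" + endpoint
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def idp_is_valid(endpoints: list[str], allowlist=ALLOWED_IDP_ENDPOINTS) -> bool:
    """Valid only when the IdP advertises at least one endpoint and all of them are allowlisted."""
    allowed = {normalize(a) for a in allowlist}
    return bool(endpoints) and all(normalize(e) in allowed for e in endpoints)


def audit_saml_metadata(metadata_xml: str) -> bool:
    """Audit a SAML IdP the way steps 03-06 above do, from its metadata document."""
    return idp_is_valid(saml_sso_endpoints(metadata_xml))


if __name__ == "__main__":
    print("SAML IdP valid:", audit_saml_metadata(SAMPLE_METADATA))
    print("OIDC IdP valid:", idp_is_valid(["mycompany-ebb5e.firebaseapp.com"]))
```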

Remediation / Resolution

To replace an invalid Identity Provider (IdP) within your AWS cloud account, perform the following operations:

For SAML Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Identity providers.

04 Click on the name of the invalid Identity Provider (IdP) that you want to replace.

05 On the Summary page, choose Upload metadata to upload the new (valid) XML metadata document taken from your third-party Identity Provider (OneLogin, SecureAuth, Shibboleth, etc). By uploading a valid SAML metadata document you create a new SAML Identity Provider which replaces the invalid IdP with the valid one.

06 On the Upload Provider Metadata page, select Choose file and select the XML metadata document downloaded from your third-party provider.

07 Choose Upload to replace the existing IdP metadata document. Once uploaded, the invalid Identity Provider will be replaced.

08 Repeat steps no. 4 – 7 for each invalid SAML Identity Provider available in your AWS cloud account.

Using AWS CLI

01 Run update-saml-provider command (OSX/Linux/UNIX) using the ARN of the Identity Provider that you want to replace as the identifier parameter and the XML metadata document taken from your third-party Identity Provider (OneLogin, SecureAuth, Shibboleth, etc.) as the new configuration. Updating the metadata replaces the invalid IdP with a valid one. The following command example updates the IAM IdP identified by the ARN "arn:aws:iam::123456789012:saml-provider/one-login-identity-provider" with the information downloaded from a third-party SAML provider and saved in the "3rdparty_idp_metadata.xml" metadata document:

aws iam update-saml-provider \
  --saml-provider-arn arn:aws:iam::123456789012:saml-provider/one-login-identity-provider \
  --saml-metadata-document file://3rdparty_idp_metadata.xml

02 The command output should return the ARN of the valid Identity Provider (IdP):

{
  "SAMLProviderArn": "arn:aws:iam::123456789012:saml-provider/one-login-identity-provider"
}

03 Repeat steps no. 1 and 2 for each invalid SAML Identity Provider available within your AWS cloud account.

For OpenID Connect (OIDC) Identity Providers:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access management, choose Identity providers.

04 Select the invalid Identity Provider (IdP) that you want to replace.

05 Click on the Delete button from the console top menu to remove the selected Identity Provider.

06 In the Delete confirmation box, choose Delete to confirm your action.

07 Before you create an OIDC Identity Provider in AWS IAM, you must register your application with your third-party IdP to receive a client ID (also known as audience), which is a unique identifier for your application and issued to you when you register your application with the IdP.

08 Choose Add provider to create a new valid OIDC Identity Provider.

09 On the Add an Identity provider setup page, select OpenID Connect from the Provider type section.

10 In the Provider URL box, enter the endpoint URL of your OpenID Connect (OIDC) Identity Provider. The URL is case-sensitive and must begin with https://.

11 Choose Get thumbprint to verify the server certificate of your OIDC Identity Provider. To obtain the thumbprint for an OpenID Connect Identity Provider follow this AWS guide.

12 In the Audience box, enter the client ID of the application that you registered with your IdP.

13 Choose Add provider to add your new, valid OpenID Connect (OIDC) Identity Provider.

14 Repeat steps no. 4 – 13 for each invalid OIDC Identity Provider available within your AWS cloud account.

Using AWS CLI

01 Run delete-open-id-connect-provider command (OSX/Linux/UNIX) using the ARN of the invalid OIDC Identity Provider that you want to replace as the identifier parameter, to remove the IdP from your AWS account (the command does not return an output):

aws iam delete-open-id-connect-provider \
  --open-id-connect-provider-arn arn:aws:iam::123456789012:oidc-provider/mycompany-ebb5e.firebaseapp.com

02 Before you create an OIDC Identity Provider in Amazon IAM using the AWS CLI, you must register your application with your IdP. Registration gives you a Client ID (also known as audience), a unique identifier for your application, and a Provider URL, the endpoint to which authentication requests are sent. Once you have the Client ID and the Provider URL, obtain the thumbprint for your OIDC Identity Provider by following the procedure described here.

03 Run create-open-id-connect-provider command (OSX/Linux/UNIX) using the OIDC IdP configuration information compiled at the previous step to create a new and valid OIDC Identity Provider. The following command example creates an OpenID Connect IdP with the Client ID set to "mycompany-ebb5e", the Provider URL set to https://mycompany-ebb5e.firebaseapp.com and the thumbprint set to "ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD":

aws iam create-open-id-connect-provider \
  --url "https://mycompany-ebb5e.firebaseapp.com" \
  --client-id-list "mycompany-ebb5e" \
  --thumbprint-list "ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD"

04 The command output should return the ARN of the valid Identity Provider (IdP):

{
  "OpenIDConnectProviderArn": "arn:aws:iam::123456789012:oidc-provider/mycompany-ebb5e.firebaseapp.com"
}

05 Repeat steps no. 1 – 4 for each invalid OIDC Identity Provider available in your AWS cloud account.

Publication date Jul 12, 2017