AWS Root Account Management For SSO Using Azure Active Directory Part 3
Using a central IAM provider is certainly a great thing. While setting up SSO for AWS, the management of the AWS root users became an issue, because each of them is required to have a globally unique e-mail address. This might not be a problem for small companies, but if you plan for several hundred or even thousands of AWS accounts, it becomes a nightmare real fast. In this post, I will go over one approach to managing all your root users with M365 offerings and some Azure services, pretty much for free. This is the third and final part of the series; it covers the API and the deployment.
Introduction
This is a multi-part post - you can find all related posts here:
- Part 1 - Problem, Architecture, next steps
- Part 2 - Shared Mailboxes
- Part 3 - API (You are here)
API
The code can be found here.
The API provides four endpoints:
- getAwsRootAccount
- newAwsRootAccount
- updateAwsRootAccount
- deleteAwsRootAccount
Below, you will find examples for each endpoint.
getAwsRootAccount
List root-users by either:
- AWS account id
- user mail
- aws mail
# Look up by AWS account id
$uri = 'https://<function_name>.azurewebsites.net/api/getAwsRootAccount?code=<auth code>&aws_account_id=12345'
$response = Invoke-WebRequest -Method Get -Uri $uri
Write-Output $response.Content
# Look up by the mail address of the owning user
$uri = 'https://<function_name>.azurewebsites.net/api/getAwsRootAccount?code=<auth code>&user_mail=first.last@company.com'
$response = Invoke-WebRequest -Method Get -Uri $uri
Write-Output $response.Content
# Look up by the AWS root-user mail address (the shared-mailbox alias)
$uri = 'https://<function_name>.azurewebsites.net/api/getAwsRootAccount?code=<auth code>&aws_mail=first.last@company.com'
$response = Invoke-WebRequest -Method Get -Uri $uri
Write-Output $response.Content
newAwsRootAccount
$uri = 'https://<function_name>.azurewebsites.net/api/newAwsRootAccount?code=<auth code>'
$body = @{
    'user_mail' = 'first.last@company.com'
}
# The body is JSON, so declare it as such (Invoke-WebRequest defaults to form encoding otherwise)
$response = Invoke-WebRequest -Method Post -Uri $uri -ContentType 'application/json' -Body (ConvertTo-Json -InputObject $body)
Write-Output $response.Content
updateAwsRootAccount
$uri = 'https://<function_name>.azurewebsites.net/api/updateAwsRootAccount?code=<auth code>'
$body = @{
    'aws_mail'       = 'aws_aijkdhs@company.com'
    'aws_account_id' = '123'
}
$response = Invoke-WebRequest -Method Put -Uri $uri -ContentType 'application/json' -Body (ConvertTo-Json -InputObject $body)
Write-Output $response.Content
deleteAwsRootAccount
$uri = 'https://<function_name>.azurewebsites.net/api/deleteAwsRootAccount?code=<auth code>'
$body = @{
    'aws_mail' = 'aws_aijkdhs@company.com'
}
$response = Invoke-WebRequest -Method Delete -Uri $uri -ContentType 'application/json' -Body (ConvertTo-Json -InputObject $body)
Write-Output $response.Content
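The snippets above each embed the function key in the query string. As an added example (not code from the post or its repo), here is a small client wrapper that sends the key in the x-functions-key header from an environment variable instead, always declares the JSON body, and runs the create / update / lookup sequence with the sample values from the post. Assumptions: the environment variable name AWS_ROOT_API_KEY, the JSON response shape, and that newAwsRootAccount returns the generated alias as aws_mail.

```powershell
# Added example, not part of the original post. Function app name is a placeholder.
$FunctionApp = 'https://<function_name>.azurewebsites.net'

function Invoke-AwsRootAccountApi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('getAwsRootAccount', 'newAwsRootAccount', 'updateAwsRootAccount', 'deleteAwsRootAccount')]
        [string]$Endpoint,
        [Parameter(Mandatory)]
        [ValidateSet('Get', 'Post', 'Put', 'Delete')]
        [string]$Method,
        [hashtable]$Query = @{},   # query-string parameters (getAwsRootAccount)
        [hashtable]$Body           # JSON body (new/update/delete)
    )
    # Assumption: the function key lives in AWS_ROOT_API_KEY; sending it as a
    # header keeps it out of URLs that end up in proxy and shell-history logs.
    $key = $env:AWS_ROOT_API_KEY
    if (-not $key) { throw 'AWS_ROOT_API_KEY is not set' }

    $uri = "$FunctionApp/api/$Endpoint"
    if ($Query.Count -gt 0) {
        $pairs = foreach ($k in $Query.Keys) { "$k=$([uri]::EscapeDataString([string]$Query[$k]))" }
        $uri += '?' + ($pairs -join '&')
    }
    $params = @{
        Method          = $Method
        Uri             = $uri
        Headers         = @{ 'x-functions-key' = $key }
        ContentType     = 'application/json'
        UseBasicParsing = $true
    }
    if ($Body) { $params.Body = $Body | ConvertTo-Json -Compress }
    try {
        $response = Invoke-WebRequest @params
    } catch {
        throw "$Endpoint failed: $($_.Exception.Message)"
    }
    # Assumption: every endpoint answers with a JSON document.
    return $response.Content | ConvertFrom-Json
}

# Typical lifecycle with the sample values from the post.
$created = Invoke-AwsRootAccountApi -Endpoint newAwsRootAccount -Method Post -Body @{ user_mail = 'first.last@company.com' }
# Assumption: the create response carries the generated alias as aws_mail.
Invoke-AwsRootAccountApi -Endpoint updateAwsRootAccount -Method Put -Body @{ aws_mail = $created.aws_mail; aws_account_id = '123' }
Invoke-AwsRootAccountApi -Endpoint getAwsRootAccount -Method Get -Query @{ aws_account_id = '123' }
```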
Deployment
Some of you might have already spotted it: there are some pipelines included in the repo in the .azuredevops folder. They are written for Azure Pipelines, and I would suggest you give them a go. If you want to learn more about those pipelines, have a look at a previous post, where they are all explained in further detail 😉
Conclusion
With this, your AWS team can handle all e-mail related tasks on their own, and your IT department no longer has to worry about it. And if you run out of aliases, just create another shared mailbox using the script and you are good to go.