Securing Cloud Infrastructure with Teleport and AWS Identity Federation

Aug 25, 2022 by Janakiram MSV

Over the last decade, enterprises have accelerated the adoption of the cloud. According to the State of the Cloud report by Flexera, the average annual spend on cloud computing is over $62 million. As enterprises continue to invest in the cloud, AWS, the market leader in cloud computing, is growing at a rapid pace.

The rise of cloud computing poses new challenges to enterprise IT. With each department migrating and managing their workloads in AWS, there is a proliferation of accounts, users and roles. The central IT team responsible for enforcing compliance and security struggles to keep up with the increasing AWS account sprawl.

System integrators (SIs) and consulting organizations that specialize in migrating and managing cloud deployments are recognized by AWS for their expertise. Enterprises engage these AWS partners both for long-term, strategic initiatives and for day-to-day DevOps operations. Because each SI brings a different specialization, enterprises often engage several consulting companies at once to manage their AWS operations.

The approach enterprise IT commonly takes is to create an IAM principal for everyone who needs access: an IAM user with its own long-lived access keys or console password, or an IAM role that the person federates into. Each principal then carries its own credentials and permissions for reaching AWS resources through the browser-based console or the command-line tools. This becomes hard to manage as the number of internal and external users grows, and long-lived per-user credentials are themselves a liability.

Enterprise IT is under pressure to serve both internal DevOps teams and external SIs working with various departments. It needs a reliable mechanism that keeps it in control of its infrastructure and workloads: one that delegates access according to the principle of least privilege and, where elevated privileges are required, grants them just in time and only for a limited period.

Teleport to centralize AWS access control

Teleport is an identity-aware and context-aware proxy designed to work with AWS. Its access plane becomes the single, centrally controlled entry point through which an organization's internal and external users consume AWS managed services. Teleport integrates with mainstream services such as IAM, EC2, S3, RDS and EKS, so users who reach these services through Teleport are automatically held to the policies defined by the central enterprise IT team. Because the integration covers the AWS console, the AWS SDKs and the AWS CLI, the same policies apply irrespective of how users access the services.

The Teleport access plane understands and integrates with AWS identity federation and IAM role trust relationships: the target IAM roles trust the IAM identity that Teleport itself runs under, and Teleport assumes one of those roles on the user's behalf. This lets enterprises implement role-based access control (RBAC) for internal and external users alike. DevOps engineers from internal departments reach the AWS console or CLI through a role that carries just enough permissions for the target resource. External consultants and contractors working from other AWS accounts can be given access to AWS resources through cross-account trust relationships on roles in those accounts. Both approaches are governed by a centrally defined Teleport access policy.
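The trust relationship described above has two halves that must agree: the list of IAM role ARNs a Teleport role lets a user assume, and the trust policy on each of those IAM roles, which must allow the Teleport agent's own IAM identity to call sts:AssumeRole (a role in a partner's AWS account is reached the same way, through a cross-account trust). The following script is an added example, not code from the original post or from Teleport; it models both halves with constructed data and audits them against each other. The agent role ARN, account IDs, role names and trust policies are all made up, and the check is a simplification of how Teleport and AWS evaluate access (exact ARN matching, no trait templating, trust-policy Condition blocks ignored).

```python
"""Added example: not code from the original post or from Teleport.

Teleport grants AWS console and CLI access by letting a user assume the IAM
roles listed under ``aws_role_arns`` in their Teleport roles.  Each target IAM
role's trust policy must allow the IAM identity of the Teleport agent to call
sts:AssumeRole; a role in another AWS account is reached via a cross-account
trust of the same shape.  This script checks that the two halves agree.
All account IDs, role names and ARNs below are made up.
"""

# Hypothetical IAM role the Teleport application service runs under.
TELEPORT_AGENT_ROLE = "arn:aws:iam::111122223333:role/teleport-app-service"

# Constructed Teleport roles.  allow/deny ``aws_role_arns`` are real Teleport
# role fields; a deny entry in any of a user's roles overrides every allow.
# (This mimic uses exact ARN matching and ignores Teleport's trait templating.)
TELEPORT_ROLES = {
    "internal-devops": {
        "allow": ["arn:aws:iam::111122223333:role/S3ReadWrite",
                  "arn:aws:iam::111122223333:role/EC2DevTest",
                  "arn:aws:iam::111122223333:role/EC2Prod",
                  "arn:aws:iam::444455556666:role/DynamoAudit"],
        "deny": [],
    },
    "contractor": {
        "allow": ["arn:aws:iam::444455556666:role/S3ReadOnly",
                  "arn:aws:iam::444455556666:role/LegacySIRole",
                  "arn:aws:iam::111122223333:role/EC2DevTest",
                  "arn:aws:iam::111122223333:role/EC2Prod"],
        "deny": ["arn:aws:iam::111122223333:role/EC2Prod"],
    },
}


def trust_policy(principal):
    """Constructed AssumeRolePolicyDocument trusting one AWS principal."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": principal},
                           "Action": "sts:AssumeRole"}]}


# Constructed trust policies of the target IAM roles, keyed by role ARN.
TRUST_POLICIES = {
    # Same-account roles: trust the agent role directly, or the account root
    # (which delegates the decision to IAM policies inside that account; the
    # agent role then also needs its own sts:AssumeRole permission).
    "arn:aws:iam::111122223333:role/S3ReadWrite": trust_policy(TELEPORT_AGENT_ROLE),
    "arn:aws:iam::111122223333:role/EC2DevTest": trust_policy("arn:aws:iam::111122223333:root"),
    "arn:aws:iam::111122223333:role/EC2Prod": trust_policy(TELEPORT_AGENT_ROLE),
    # Cross-account role in a partner account, correctly trusting the agent.
    "arn:aws:iam::444455556666:role/S3ReadOnly": trust_policy(TELEPORT_AGENT_ROLE),
    # Misconfigurations: still trusts a former SI's agent, and trusts everyone.
    "arn:aws:iam::444455556666:role/DynamoAudit": trust_policy("arn:aws:iam::777788889999:role/old-si-agent"),
    "arn:aws:iam::444455556666:role/LegacySIRole": trust_policy("*"),
}


def assumable_arns(user_roles):
    """AWS role ARNs a user holding these Teleport roles may assume (deny wins)."""
    allowed, denied = set(), set()
    for name in user_roles:
        allowed.update(TELEPORT_ROLES[name]["allow"])
        denied.update(TELEPORT_ROLES[name]["deny"])
    return allowed - denied


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    return {aws} if isinstance(aws, str) else set(aws)


def trust_status(policy, agent_role=TELEPORT_AGENT_ROLE):
    """Classify a trust policy as 'ok', 'public' or 'not-trusted' for the agent.

    Only Allow statements for sts:AssumeRole are considered; Condition blocks
    (ExternalId, source-account checks) are ignored by this simplified check.
    """
    trusted = set()
    for st in policy["Statement"]:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            trusted |= _aws_principals(st)
    if "*" in trusted:
        return "public"           # any AWS principal can assume it: fix first
    agent_account_root = "arn:aws:iam::%s:root" % agent_role.split(":")[4]
    if agent_role in trusted or agent_account_root in trusted:
        return "ok"
    return "not-trusted"          # Teleport's AssumeRole call would be denied


def audit(user_roles):
    """Map every ARN the user could assume to the state of its trust policy."""
    return {arn: trust_status(TRUST_POLICIES[arn])
            for arn in sorted(assumable_arns(user_roles))}


if __name__ == "__main__":
    for roles in (["internal-devops"], ["contractor"]):
        print(roles)
        for arn, status in audit(roles).items():
            print("  %-12s %s" % (status, arn))
```

Two of the findings matter in practice: a role whose trust policy still names a previous SI's agent is one Teleport cannot assume, so the federation silently fails for that ARN, while a role that trusts `*` can be assumed by any AWS principal regardless of what Teleport allows and has to be fixed before it is offered through Teleport at all. Note also that a deny in the contractor role removes EC2Prod even for a user who also holds the internal role, which is the deny-wins behaviour to rely on when the same person appears in both populations.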

5 Advantages of using Teleport to access AWS resources

Here are a few advantages of using Teleport to centralize AWS access control:

  1. Fine-grained control of each AWS service - Enterprises can define precise access policies per user persona. For example, internal employees get read/write access to an S3 bucket while contractors can only read the objects in it; similarly, users can be confined to dev/test Amazon EC2 instances and denied access to production servers.
  2. Consistent experience in the AWS Console and CLI - Through its integration with AWS IAM and identity federation, Teleport delivers the same access experience whether users work in the AWS console, the AWS SDKs or the AWS CLI. Users keep the tools they know while staying within the policies defined by enterprise IT.
  3. Simplified role-based access control (RBAC) - Teleport's RBAC is a simple yet powerful mechanism for enforcing policy. By listing, in a Teleport role, the AWS IAM role ARNs its holders may assume, administrators define fine-grained policies that allow or restrict access to each service. The same Teleport roles extend to server, database, Kubernetes, desktop and application access.
  4. Just-in-time (JIT) elevated privileges - One of the most useful features of the Teleport access plane is just-in-time (JIT) privilege escalation. A contractor with read-only access to a production server can be granted temporary, time-bound access to perform an upgrade. Through integrations with notification tools such as Slack and PagerDuty, Teleport administrators receive alerts and can approve or reject privilege-escalation requests.
  5. Insights through AWS CloudTrail and Teleport Audit - Because Teleport obtains AWS credentials on a user's behalf through AWS STS, every federated login is recorded by AWS CloudTrail and can be searched by the Teleport username or the federated session name. Separately, Teleport can write its own audit log to Amazon DynamoDB, and SSH sessions on Amazon EC2 instances are recorded to Amazon S3 buckets for playback and review.
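The CloudTrail search mentioned in the last item works because the federated session Teleport opens carries an identifiable session name. The following script is an added example, not code from the original post or from Teleport: it runs the search over a handful of constructed CloudTrail records, attributing both the AssumeRole call and the API calls made under the resulting assumed-role identity to a Teleport user. It assumes that Teleport uses the Teleport username as the AWS role session name, so that the identity appears in CloudTrail as `arn:aws:sts::<account>:assumed-role/<RoleName>/<username>`; the account IDs, role names, users and events are all made up and trimmed to the fields the search needs.

```python
"""Added example: not code from the original post or from Teleport.

Attribute AWS CloudTrail events to a Teleport user.  Assumption: Teleport sets
the STS role session name to the Teleport username, so the federated identity
shows up in CloudTrail as arn:aws:sts::<account>:assumed-role/<Role>/<user>.
The records below are constructed and reduced to the fields used here.
"""
from collections import Counter

AGENT = "arn:aws:sts::111122223333:assumed-role/teleport-app-service/i-0abc123"

CONSTRUCTED_EVENTS = [
    # 1. Teleport federates alice into S3ReadWrite (the AssumeRole call itself).
    {"eventTime": "2022-08-25T09:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "arn": AGENT},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/S3ReadWrite",
                           "roleSessionName": "alice"}},
    # 2. alice writes to a bucket under the federated session.
    {"eventTime": "2022-08-25T09:00:07Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/S3ReadWrite/alice"},
     "requestParameters": {"bucketName": "finance-exports"}},
    # 3. A contractor is federated into a read-only role in a partner account.
    {"eventTime": "2022-08-25T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "arn": AGENT},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/S3ReadOnly",
                           "roleSessionName": "bob.contractor"}},
    # 4. The contractor reads an object, as permitted.
    {"eventTime": "2022-08-25T09:05:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::444455556666:assumed-role/S3ReadOnly/bob.contractor"},
     "requestParameters": {"bucketName": "finance-exports"}},
    # 5. The contractor tries to write; IAM denies it and CloudTrail records the error.
    {"eventTime": "2022-08-25T09:05:20Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::444455556666:assumed-role/S3ReadOnly/bob.contractor"},
     "requestParameters": {"bucketName": "finance-exports"}},
    # 6. An action by a plain IAM user, outside Teleport: has no session name.
    {"eventTime": "2022-08-25T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
     "requestParameters": {}},
]


def session_name(event):
    """Role session name of an assumed-role identity, or None for other identities."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity["arn"].split("/")[-1]


def role_name(event):
    """IAM role involved: the assumed role for AssumeRole, else the session's role."""
    if event["eventName"] == "AssumeRole":
        return event["requestParameters"]["roleArn"].split("/")[-1]
    return event["userIdentity"]["arn"].split("/")[-2]


def events_for_user(events, username):
    """Every record attributable to a Teleport user: the federation itself plus
    all API calls made under the resulting session."""
    matches = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "AssumeRole" and params.get("roleSessionName") == username:
            matches.append(ev)
        elif session_name(ev) == username:
            matches.append(ev)
    return matches


def roles_used_by(events, username):
    """How many attributable events each IAM role accounts for."""
    return Counter(role_name(ev) for ev in events_for_user(events, username))


def denied_events(events, username):
    """Attributable calls that IAM rejected: evidence of a least-privilege boundary
    being hit (or of someone probing it)."""
    return [ev for ev in events_for_user(events, username) if ev.get("errorCode")]


if __name__ == "__main__":
    for user in ("alice", "bob.contractor"):
        print(user, dict(roles_used_by(CONSTRUCTED_EVENTS, user)),
              "denied:", [ev["eventName"] for ev in denied_events(CONSTRUCTED_EVENTS, user)])
```

The AssumeRole record is matched on `requestParameters.roleSessionName` because its own `userIdentity` is the Teleport agent, not the user; everything after it is matched on the session-name component of the assumed-role ARN. Records by identities outside Teleport, such as the plain IAM user in the last event, produce no session name and are never attributed, which is what you want when checking that a contractor's activity stayed inside the role they were given.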

Teleport complements and extends AWS IAM to deliver fine-grained role-based access control and detailed insights for audit and review. For a detailed discussion of these capabilities and concepts, sign up for the upcoming webinar delivered by Teleport.
