aws-samples / aws-iam-identity-center-extensions

This solution is intended for enterprises that need a streamlined way of managing user access to their AWS accounts. Using this solution, your identity and access management teams can extend AWS SSO functionality by automating common access management and governance use cases.
MIT License

Adding nightly run feature, fixing CloudWatch Log spelling & adding solution architecture overview #81 #92

Closed vpegg closed 1 year ago

vpegg commented 2 years ago

Issue #, if available: Fixes #75 #59 #47

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

allquixotic commented 2 years ago

It might be harder to implement, but is there a way to add a mode that updates the solution's DynamoDB with the latest artifacts out there in SSO? As a bonus, also create the equivalent artifacts in S3 if S3 mode is enabled.

Use case:

Once this capability is introduced, a future effort might be to enable "Git-like" user level merge control. I.e., for each conflict between Dynamo and live, let the user select which way to merge ("left" or "right", "mine" or "theirs", or however you want to word it). Sometimes we might want some of both ways to merge...

leelalagudu commented 2 years ago

Hi @allquixotic, I am hoping https://github.com/aws-samples/aws-sso-extensions-for-enterprise/issues/94#issuecomment-1181691995 would answer the out-of-sync use case.

To clarify, we would rely on SSO as the state of truth always for permission set management and compute the delta etc. on that basis. This would help us align with what the customer sees in SSO, and align the solution with org-specific controls.

This, along with us handling https://github.com/aws-samples/aws-sso-extensions-for-enterprise/issues/80 would help close this gap.

The difference between your proposal versus what we are aiming for is that the solution always uses SSO as its source of truth and operates on that premise.

Let us know what you think about this.
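The two comments above describe the same computation from opposite ends: @allquixotic asks for a mode that refreshes the solution's DynamoDB from what is live in SSO, and the maintainer replies that the solution always treats SSO as the source of truth and computes its delta on that basis. The following is an added example, not code from the aws-iam-identity-center-extensions project, showing that one-directional reconciliation for permission sets. The `PermissionSet` shape, the `put`/`delete` table operations, the assumption that a table row with no SSO counterpart is dropped rather than merely reported, and the sample data are all constructed for this example; the sso-admin API names in the comment (`ListPermissionSets`, `DescribePermissionSet`, `ListManagedPoliciesInPermissionSet`, `GetInlinePolicyForPermissionSet`) are real but are not called here so the example runs offline.

```typescript
// Added example (not the project's code): reconcile a solution-side DynamoDB
// mirror of permission sets against live IAM Identity Center (SSO) state.
// SSO is the source of truth; the table is only ever written to match it.

export interface PermissionSet {
  name: string;
  sessionDuration?: string;      // ISO 8601 duration, e.g. "PT4H"
  managedPolicyArns: string[];
  inlinePolicy?: string;         // JSON policy document as returned by SSO
}

export type TableOp =
  | { action: "put"; item: PermissionSet; reason: "missing-in-table" | "drifted" }
  | { action: "delete"; name: string; reason: "missing-in-sso" };

// Canonical form so that policy ordering and JSON whitespace are not reported
// as drift. SSO defaults sessionDuration to PT1H when it is not set.
function canonical(ps: PermissionSet): string {
  return JSON.stringify({
    sessionDuration: ps.sessionDuration ?? "PT1H",
    managedPolicyArns: [...ps.managedPolicyArns].sort(),
    inlinePolicy: ps.inlinePolicy ? JSON.stringify(JSON.parse(ps.inlinePolicy)) : null,
  });
}

// Table writes needed so that `stored` matches `live`. `live` is never
// modified: there is no "mine"/"theirs" choice, SSO always wins.
export function computeDelta(live: PermissionSet[], stored: PermissionSet[]): TableOp[] {
  const liveByName = new Map<string, PermissionSet>(live.map((p) => [p.name, p]));
  const storedByName = new Map<string, PermissionSet>(stored.map((p) => [p.name, p]));
  const ops: TableOp[] = [];
  liveByName.forEach((ps, name) => {
    const existing = storedByName.get(name);
    if (!existing) {
      ops.push({ action: "put", item: ps, reason: "missing-in-table" });
    } else if (canonical(existing) !== canonical(ps)) {
      ops.push({ action: "put", item: ps, reason: "drifted" });
    }
  });
  storedByName.forEach((_ps, name) => {
    if (!liveByName.has(name)) {
      // Assumption for this example: an orphaned row (nothing in SSO backs it)
      // is removed so the table stays a faithful mirror. A more conservative
      // nightly run could only report it.
      ops.push({ action: "delete", name, reason: "missing-in-sso" });
    }
  });
  return ops;
}

// Counts per reason, suitable for a nightly run's log line or alarm metric.
export function summarize(ops: TableOp[]): Record<string, number> {
  const counts: Record<string, number> = { "missing-in-table": 0, drifted: 0, "missing-in-sso": 0 };
  for (const op of ops) counts[op.reason] += 1;
  return counts;
}

// Constructed sample data. In a real run `liveSso` would be assembled from the
// sso-admin APIs ListPermissionSets, DescribePermissionSet,
// ListManagedPoliciesInPermissionSet and GetInlinePolicyForPermissionSet.
export const liveSso: PermissionSet[] = [
  {
    name: "ReadOnly",
    sessionDuration: "PT4H",
    managedPolicyArns: [
      "arn:aws:iam::aws:policy/ReadOnlyAccess",
      "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
    ],
  },
  {
    name: "Admin",
    managedPolicyArns: ["arn:aws:iam::aws:policy/AdministratorAccess"],
    inlinePolicy: '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:*","Resource":"*"}]}',
  },
];

export const storedTable: PermissionSet[] = [
  {
    name: "ReadOnly",
    sessionDuration: "PT1H",   // someone changed the session duration in SSO; table is stale
    managedPolicyArns: [
      "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
      "arn:aws:iam::aws:policy/ReadOnlyAccess",
    ],
  },
  { name: "OldBreakGlass", managedPolicyArns: ["arn:aws:iam::aws:policy/AdministratorAccess"] },
];

export const nightlyOps = computeDelta(liveSso, storedTable);
console.log(JSON.stringify(summarize(nightlyOps)));
```

Run against the sample data this yields one `drifted` put (ReadOnly), one `missing-in-table` put (Admin) and one `missing-in-sso` delete (OldBreakGlass); the reordered managed policy ARNs on ReadOnly are not counted as drift because comparison is done on the canonical form. Applying the `put` operations is the refresh @allquixotic asked for; applying the `delete` operations is what keeps the table from claiming permission sets that no longer exist in SSO.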