awslabs / aws-deployment-framework

The AWS Deployment Framework (ADF) is an extensive and flexible framework to manage and deploy resources across multiple AWS accounts and regions based on AWS Organizations.
Apache License 2.0

Chat: Use of adf to deploy functionality that allows RDP, SSH connections to multiple member accounts, through SSO authentication #493

Open TestROB9 opened 1 year ago

TestROB9 commented 1 year ago

Hi, this is Roberto, sorry to bother, I don't know if you will be able to help me. I will try anyway:

Right now I know how to allow an SSO user of a member account to make an RDP, SSH connection through Systems Manager.

How can I develop this functionality, distributing this across multiple member accounts using ADF (AWS Deployment Framework)?

Thanks

stemons commented 1 year ago

Hello Roberto,

you could create a CloudFormation ADF pipeline to automate the deploy of needed resources in the member accounts. Here below a simple schema of a System Manager Session Manager deployment.

[image: schema of the Systems Manager Session Manager deployment]

CloudFormation should create the following resources in the logging account, if you want to centrally store the session in an S3 bucket, and in the member accounts:

Hope this helps. Stefano
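As an added example (not part of Stefano's reply and not the project's own code), the following CloudFormation template shows the kind of per-member-account resources such a pipeline would deploy: an instance role with the SSM managed policy, its instance profile, and the regional Session Manager preferences document pointing session logs at a central bucket. The bucket name and KMS key ARN are assumed to exist in the logging account and are passed in as parameters.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example: Session Manager prerequisites for a member account.
  Assumes a central S3 bucket and KMS key already exist in the logging account.

Parameters:
  LoggingBucketName:
    Type: String
    Description: Central S3 bucket (in the logging account) that receives session logs.
  LoggingKmsKeyArn:
    Type: String
    Description: ARN of the KMS key used to encrypt session data (assumed to exist).

Resources:
  # Role assumed by EC2 instances so the SSM agent can register and accept sessions.
  SsmInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: SessionLogsToCentralBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Write session transcripts into this account's own prefix only.
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub arn:aws:s3:::${LoggingBucketName}/${AWS::AccountId}/*
              - Effect: Allow
                Action: s3:GetEncryptionConfiguration
                Resource: !Sub arn:aws:s3:::${LoggingBucketName}
              # Needed to encrypt the session stream with the central key.
              - Effect: Allow
                Action:
                  - kms:GenerateDataKey
                  - kms:Decrypt
                Resource: !Ref LoggingKmsKeyArn

  SsmInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref SsmInstanceRole

  # Regional Session Manager preferences. The document name is fixed by the
  # service; creating it here makes every session in this account/region log
  # to the central bucket, encrypted, without per-account manual setup.
  SessionManagerPreferences:
    Type: AWS::SSM::Document
    Properties:
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      Content:
        schemaVersion: '1.0'
        description: Session Manager preferences for this account and region
        sessionType: Standard_Stream
        inputs:
          s3BucketName: !Ref LoggingBucketName
          s3KeyPrefix: !Sub ${AWS::AccountId}/
          s3EncryptionEnabled: true
          kmsKeyId: !Ref LoggingKmsKeyArn
          runAsEnabled: false

Outputs:
  InstanceProfileName:
    Description: Attach this profile to instances that should accept sessions.
    Value: !Ref SsmInstanceProfile
```

Two things the template cannot do on its own: the bucket policy and key policy in the logging account must grant `s3:PutObject` and `kms:GenerateDataKey` to the member accounts' instance roles, and the SSO permission set used by the admins needs `kms:GenerateDataKey` on the same key, otherwise sessions fail to start once encryption is turned on.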

TestROB9 commented 1 year ago

Hello Stephen, thank you for your helpfulness and intervention.

At the moment I don't know what to do and I think it is normal.

Maybe I try to rephrase it, to see if I was clear or not, so that I can start to see your solution provided.

Currently, I know and can allow an SSO group, with a given permission set, to make RDP, SSH connections through the use of Systems Manager (Fleet Manager for RDP and Session Manager for SSH).

Obviously, this SSO group is part of a given member account.

Having said that, I would like to distribute what I have said within the AWS organization, through the use of ADF.

Thank you and best regards, Roberto

stemons commented 1 year ago

Hello Roberto, if you are working with AWS Organizations, the association between AWS SSO Group, AWS account and Permission Set can be done centrally in AWS Single Sign-On (Management account or SSO delegated account) and propagated automatically to the member account. e.g.:

Group: Linux Admin
Permission Set: System Manager Admin
Member Account: Account A, Account B, Account C ..., Account NEW, ...

Once you have configured properly the permission of your users in AWS IAM Identity Center (successor of AWS SSO :) ), you need to deploy the proper resources in the member accounts to leverage System Manager capabilities.

The needed resources are listed in my previous message and can be deployed through a CloudFormation ADF pipeline. Therefore, every time a new account is created by ADF, System Manager capabilities will be automatically deployed in the newly created account.

TestROB9 commented 1 year ago

Hi Stephen, I have never used CloudFormation's ADF pipeline. Could you please give me some pointers to learn this usage? Maybe some pointers. I thank you in advance.

Best regards, Roberto

TestROB9 commented 1 year ago

Hi, sorry for the trouble. Is there any new news about this? Thank you

stemons commented 1 year ago

Hello Roberto, you can find the detail on how to define a new pipeline and target your member accounts in the ADF User Guide: https://github.com/awslabs/aws-deployment-framework/blob/master/docs/user-guide.md

Regards, Stefano

TestROB9 commented 1 year ago

Thanks, correct me if I'm wrong.

You need to use the ADF pipeline to automate distribution to different accounts.

The ADF pipeline will call the CloudFormation model, where inside we have the resources we need, IAM policy, etc.

Thank you
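To make the summary above concrete, here is an added example (not from the thread and not the ADF project's own files) of one pipeline entry in ADF's `deployment_map.yml`. It uses the CodeCommit source, CodeBuild build and CloudFormation deploy providers and targets organizational unit paths, so every account in those OUs, including accounts created later, gets the template. The source account ID, OU paths and regions are placeholders.

```yaml
# Added example: one ADF pipeline that rolls a CloudFormation template out to
# every member account under the listed OUs. Values below are placeholders.
pipelines:
  - name: ssm-session-manager-baseline
    default_providers:
      source:
        provider: codecommit
        properties:
          # Placeholder: the account that hosts the CodeCommit repository
          # holding template.yml and the params/ directory.
          account_id: 111111111111
      build:
        provider: codebuild
      deploy:
        provider: cloudformation
    params:
      # Re-run the pipeline whenever its definition changes, so newly added
      # accounts receive the stack without a manual trigger.
      restart_execution_on_update: True
    targets:
      # OU paths rather than account IDs: ADF resolves them to the accounts
      # currently in the OU each time the pipeline is generated.
      - path: /workloads/development
        regions: eu-west-1
      # A manual approval stage before production accounts are touched.
      - approval
      - path: /workloads/production
        regions:
          - eu-west-1
          - us-east-1
```

The repository that this pipeline reads from would carry the CloudFormation template as `template.yml` and per-scope parameter files under `params/` (for example `params/global.yml` for values shared by all targets), which is where the logging bucket name and key ARN for the Session Manager stack would be set once rather than per account.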