lyft / cartography

Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
https://lyft.github.io/cartography/
Apache License 2.0
2.95k stars 329 forks

AWS SSO Identity Store records not currently read #990

Open jcmadick opened 1 year ago

jcmadick commented 1 year ago

Discussed in https://github.com/lyft/cartography/discussions/930

Originally posted by **jcmadick** September 9, 2022

AWS has released an update to AWS SSO (now IAM Identity Center) that exposes access to users using SSO for AWS access. https://docs.aws.amazon.com/singlesignon/latest/userguide/identities.html These users and groups are not included in the normal AWS Security Audit permissions and are not pulled through the current cartography code. In my case, most of the relationships I'm interested in analyzing are tied to the SSO users and groups.

I have pulled a list of users and a list of groups from our AWS SSO. I do not see anything in the fields to create or tie relationships. I've attached a sanitized copy of a user record and a group record. I had to have permissions added to my sp to allow read access to users and groups in the identity store (unique from the normal identity store). From AWSCLI, the command is "aws identitystore list-users --identity-store-id d-*******". There are other list options including groups and group membership.

I don't think integrating the pulls would be a challenge, but finding the relationships is where I'm having challenges.

AWS_SSO_Group_json.txt AWS_SSO_User_json.txt
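As an added example, not part of this issue or of cartography's own code: the identitystore records described above (users, groups, group memberships) joined into user-to-group relationships, which is the edge the poster could not find in the user and group records alone. The sample records are constructed to follow the documented identitystore output shapes; the `fetch_identity_store` helper is an assumption that boto3 is installed and the caller has the identitystore list permissions.

```python
"""Added example (not cartography's code): join IAM Identity Center user, group
and membership records into user->group edges. Sample records are constructed."""
from collections import defaultdict

# Constructed samples in the shape of `aws identitystore list-users`,
# `list-groups` and `list-group-memberships` output; IDs are made up.
USERS = [
    {"UserId": "u-0001", "UserName": "alice@example.com", "DisplayName": "Alice"},
    {"UserId": "u-0002", "UserName": "bob@example.com", "DisplayName": "Bob"},
]
GROUPS = [
    {"GroupId": "g-0001", "DisplayName": "aws-admins"},
    {"GroupId": "g-0002", "DisplayName": "aws-readonly"},
]
MEMBERSHIPS = [
    {"MembershipId": "m-1", "GroupId": "g-0001", "MemberId": {"UserId": "u-0001"}},
    {"MembershipId": "m-2", "GroupId": "g-0002", "MemberId": {"UserId": "u-0001"}},
    {"MembershipId": "m-3", "GroupId": "g-0002", "MemberId": {"UserId": "u-0002"}},
    # Stale membership whose user is no longer in the store.
    {"MembershipId": "m-4", "GroupId": "g-0001", "MemberId": {"UserId": "u-9999"}},
]

def build_membership_graph(users, groups, memberships):
    """Return ({group_name: sorted user_names}, [dangling membership ids]).
    Memberships carry only IDs, so they are joined to the user/group lists; a
    membership whose user or group is unknown is reported, not dropped."""
    user_by_id = {u["UserId"]: u["UserName"] for u in users}
    group_by_id = {g["GroupId"]: g["DisplayName"] for g in groups}
    edges, dangling = defaultdict(set), []
    for m in memberships:
        gid, uid = m["GroupId"], m["MemberId"].get("UserId")
        if gid not in group_by_id or uid not in user_by_id:
            dangling.append(m["MembershipId"])
            continue
        edges[group_by_id[gid]].add(user_by_id[uid])
    return {g: sorted(u) for g, u in edges.items()}, dangling

def fetch_identity_store(identity_store_id, region=None):
    """Live inputs (assumption: boto3 installed and identitystore:List* granted);
    the same paginated calls as the CLI command quoted in the issue."""
    import boto3  # imported here so the offline sample above runs without it
    c = boto3.client("identitystore", region_name=region)
    def pages(op, **kw):
        return c.get_paginator(op).paginate(IdentityStoreId=identity_store_id, **kw)
    users = [u for p in pages("list_users") for u in p["Users"]]
    groups = [g for p in pages("list_groups") for g in p["Groups"]]
    memberships = [m for g in groups
                   for p in pages("list_group_memberships", GroupId=g["GroupId"])
                   for m in p["GroupMemberships"]]
    return users, groups, memberships
```

Dangling memberships are returned rather than silently skipped because, in a partial or stale pull, they are the first sign that the user and membership lists were not read from the same identity store or at the same time.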

jcmadick commented 1 year ago

I've done some more looking at this. In our environment, AAD users are members of AAD groups that are assigned to an AWS role based on an inline policy. I don't see how to unveil an inline policy associated with a group.

ethanzh commented 1 year ago

I would love it if the tool pulled in IAM Identity Center groups. Maybe one workaround could be to perform analysis on the roles that AWS creates under the hood for you a la AWSReservedSSO_...

achantavy commented 1 month ago

Somewhat related, but we now map AWS SSO roles to Okta groups after https://github.com/lyft/cartography/pull/1307