Console access to Northwestern-owned AWS accounts should only be done via a federated, NetID-based and MFA-protected IAM role. IAM user credentials should not be used for console access. This document outlines the process of creating an IAM role in AWS and federating it with Northwestern’s identity servers.
The process of creating a federated login role in AWS IAM consists of these steps:
- Create a security group in Active Directory
- Create and configure a matching role in AWS
- Assign users to the security group in Active Directory
1. Create a security group in Active Directory
To complete this step, your NetID must be a member of the “Admins” group within the ADS OU (Organizational Unit) for your account. If you have questions or need to request this level of access, please email firstname.lastname@example.org.
Finding the OU for your AWS account in ADS
If you are not sure which ADS OU your AWS account is set up to use, log in to the AWS console for your account by visiting https://aws.northwestern.edu/ and choosing the Admins role for the account if prompted. Then visit the My Account page and check the value for the “Full Name” field:
The value in this field will correspond to an OU within the ads.northwestern.edu/Cloud/AWS OU. You will also need the AWS account Id, which can be found on this screen as well.
Access the OU in Active Directory
On a Windows machine joined to the ADS domain (or a domain with which ADS has established a trust), open the Active Directory Users and Computers MMC snap-in with your domain account. If you do not log into Windows with your domain account, you may need to shift-right-click (that is, right click while holding down the Shift key) on the Active Directory Users and Computers snap-in and choose “Run as different user”. In the authentication window that appears, enter your NetID prefixed with “ADS\” (e.g. “ADS\abc123”) and your NetID password.
When the window appears, navigate to Cloud/AWS and then to the OU for your account.
Create the Security Group
Right click on this OU and choose “New -> Group”. In the window that appears, enter a name for your group. NOTE: Your security group name MUST begin with “AWS-<account id>-”. For example, if your AWS account Id were “999999999999”, then the name of your group would begin with “AWS-999999999999-” as below:
Replace “GroupName” with an appropriate name for your role, then click OK to save.
2. Create and configure a matching role in AWS
Log in to your AWS console by visiting https://aws.northwestern.edu/ and choosing the “Admins” role for your account if prompted.
Visit the Roles page within the IAM console, then click the “Create Role” button. In the screen that appears, choose the “SAML 2.0 Federation” option at the top of the page, then choose “ADFS” as the SAML provider and leave “Allow programmatic and AWS Management Console access” checked:
Click the “Permissions” button to continue.
On the next screen, search for AWS-managed policies for the role or, if necessary, create a new IAM policy for it. AWS-managed policies are preferred, as AWS updates them when new actions become available. Grant each role only the permissions its users need to do their work, and in particular avoid attaching any policy that would allow the role to create or modify IAM resources, such as AdministratorAccess or IAMFullAccess. Only the “Admins” role for the account should be able to add, modify, or delete IAM resources. You can also change the policies attached to a role after it is created.
Once the IAM permissions policies have been selected, click the “Next: Tags” button to continue.
On the Tags screen, the following tags should be attached:
- Owner: the email address of the technical contact who manages roles for this account (required)
- Project: the project associated with this role, if any (optional)
Click the “Next: Review” button to continue.
Enter the role name. The role name must exactly match everything after “AWS-<account Id>-” in the ADS security group name. For example, if the ADS security group name is “AWS-999999999999-DeveloperRole”, then the role name in AWS must be “DeveloperRole”.
Click the “Create role” button to finish the role creation process.
You can continue to modify the IAM permissions policies attached to the role after it is created.
3. Assign users to the security group in Active Directory
To allow users to log in to the account using this role, you must add their NetIDs to the security group in ADS. Access the OU using the same directions as step 1, and then either double-click on the security group or right click on it and choose Properties. In the window that appears, click the “Members” tab, then click the “Add…” button to add users.
In the next window, enter a user’s NetID then click the “Check Names” button to confirm the NetID is correct. Once confirmed, click “OK”, then “OK” again to save and close.
The group members will now be able to log in to the AWS console with this role by visiting https://aws.northwestern.edu/, logging in with their NetID, and choosing the role when prompted. (Note: if the user has access to only one role, they will be automatically logged into it rather than being prompted.)
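As an added example (not part of the original document), a small Python audit of the naming contract from steps 1 and 2 and of the least-privilege rule from step 2: it checks that every “AWS-<account Id>-<RoleName>” group has a matching IAM role and vice versa, flags any role other than “Admins” that carries AdministratorAccess or IAMFullAccess, and shows the SAML Role attribute value a group maps to (the standard “role ARN,provider ARN” form, assumed here to be what the ADFS claim rule emits). The group and role data are constructed; the script does not query ADS or AWS.

```python
import re

# Naming rule from the procedure: AWS-<12-digit account id>-<RoleName>
GROUP_RE = re.compile(r"^AWS-(\d{12})-(.+)$")
SAML_PROVIDER = "ADFS"  # provider chosen when creating the role
# Policies that allow creating or modifying IAM resources; only "Admins" may carry them
FORBIDDEN = {"AdministratorAccess", "IAMFullAccess"}


def parse_group(name):
    """Return (account_id, role_name) for a well-formed group name, else None."""
    m = GROUP_RE.match(name)
    return (m.group(1), m.group(2)) if m else None


def role_claim(group_name):
    """SAML Role attribute the group maps to, in the standard
    'role-arn,provider-arn' form AWS expects (assumed ADFS claim-rule output)."""
    account, role = parse_group(group_name)
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER}")


def audit(groups, roles):
    """groups: AD group names; roles: {account_id: {role_name: [policy names]}}."""
    f = {"bad_name": [], "missing_role": [], "missing_group": [], "overprivileged": []}
    paired = set()
    for g in groups:
        parsed = parse_group(g)
        if parsed is None:
            f["bad_name"].append(g)            # ADFS will never map this group
            continue
        paired.add(parsed)
        if parsed[1] not in roles.get(parsed[0], {}):
            f["missing_role"].append(g)        # members get no role to assume
    for account, role_map in roles.items():
        for role, policies in role_map.items():
            if (account, role) not in paired:
                f["missing_group"].append(f"{account}/{role}")  # nobody can use it
            if role != "Admins" and FORBIDDEN & set(policies):
                f["overprivileged"].append(f"{account}/{role}")
    return f


# Constructed sample input (not real accounts, groups or roles)
SAMPLE_GROUPS = ["AWS-999999999999-Admins", "AWS-999999999999-DeveloperRole",
                 "AWS-999999999999-ReadOnly", "DeveloperRole"]
SAMPLE_ROLES = {"999999999999": {"Admins": ["AdministratorAccess"],
                                 "DeveloperRole": ["PowerUserAccess"],
                                 "Billing": ["IAMFullAccess"]}}

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_GROUPS, SAMPLE_ROLES).items():
        print(f"{kind}: {items}")
```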