Amazon Web Services (AWS), Granting access to the AWS Console
How to use Authman to manage access to an AWS account.
AWS Access Management
AWS accounts managed by UIUC use Authorization Manager, also known as AuthMan, for user access management.
The AWS account can be found in AuthMan at the path "Urbana:app:AWS:<AWS_Account_Name>".
Standard Roles
The following roles are created by default for your AWS account.
- Admins: Granted full control over all resources.
- PowerUsers: Granted access to all AWS services and resources, excluding user and role management.
- BusinessOffice: Permitted to access billing and cost management functionality, which includes viewing account usage and viewing and modifying budget notifications.
- ReadOnly: Allowed to view all resources and settings but cannot make changes.
- Prisma: Grants access to the Prisma Cloud Security system. Does not grant access to the AWS account. See the KB article "Cloud Security, Prisma, What is Prisma Cloud?".
See the KB article Authorization Manager, Manage Memberships for step-by-step instructions on adding or removing members.
Creating Custom Roles
If the standard roles do not meet your requirements, you have the option to create custom roles that align with your specific needs.
To create a custom role:
- Go to the AuthMan application: https://authman.illinois.edu/
- Select the folder with your AWS account name. It can be found at "Urbana:app:AWS:<AWS_Account_Name>"
- Click the "Functions" button in the upper right corner and select "Create new group" from the dropdown menu.
- Enter a Group name and Description. Click Save.
- Log into your AWS account with the Admins role: https://aws.illinois.edu
- Search for and go to the IAM service.
- Go to the Roles section and click on "Create role".
- In "Trusted entity type", select "SAML 2.0 federation".
- In the "SAML 2.0-based provider" drop down, select "shibboleth.illinois.edu".
- Select "Allow programmatic and AWS Management Console access" and click Next.
- Add the necessary policies to fit your specific need.
- Name this role the same as the newly created group in AuthMan (the names must match exactly, including capitalization).
- Save.
Active Directory
NOTE:
Instructions below are for legacy AWS accounts. If you do not see the AuthMan groups listed above, please contact aws-support@illinois.edu to be migrated to AuthMan.
Shibboleth is configured to search for AD groups named according to the following format:
AWS-<AccountID>-<RoleName>
- AccountID: 12-digit AWS account number, provided when the account is provisioned.
- RoleName: Arbitrary name for the AWS IAM role that group members will be able to use.
An example: AWS-123456789012-Researchers
Some groups like to name roles based on logical affiliation with the project (Researchers, ITSupport, Admins), while others prefer to grant access according to organizational units (NetworkEngineering, HelpDesk, ApplicationSupport). Either method is acceptable.
AD groups should be Security Groups with a Global context. At present, it's not possible to nest groups, so your AD group must be populated with people.
Once your group is in place, you can create the corresponding AWS role:
Amazon Web Services
Note: When your account is initially provisioned, this step will be handled by our AWS account management team.
- From the AWS Console, navigate to IAM, then select Roles from the left-column menu.
- Click the Create Role button at the top of the page.
- Select SAML 2.0 federation as the type of trusted entity.
- Select shibboleth.illinois.edu as the SAML provider.
- Select Allow programmatic and AWS Management Console access and click the blue Next: Permissions button.
- Find and attach one or more policies, appropriate to the function of the role. By default, roles have no access, so you must grant appropriate access. Click Next: Review.
- Enter the role name which matches the RoleName portion of your AD group name (including capitalization), click Create role.
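Both procedures on this page (the AuthMan custom-role steps above and the legacy AD steps here) end the same way: an IAM role whose name must match the group name exactly, trusting the campus SAML provider. The script below is an added example, not part of this article or of any UIUC tooling. It parses a legacy AD group name into its AccountID and RoleName parts, checks a proposed role name against the group (case-sensitively), and generates the trust policy the console builds when you choose "Allow programmatic and AWS Management Console access". It assumes the SAML provider is registered under the name shibboleth.illinois.edu, giving the ARN arn:aws:iam::<AccountID>:saml-provider/shibboleth.illinois.edu, and that the console's trust policy conditions on the standard AWS sign-in audience; the 123456789012 account ID is the article's own placeholder.

```python
"""Helpers for the group-name-to-IAM-role contract described in this article.

Added example, not part of the KB article or of any UIUC tooling. Assumptions:
  - the SAML provider in the account is named "shibboleth.illinois.edu", so its
    ARN is arn:aws:iam::<AccountID>:saml-provider/shibboleth.illinois.edu;
  - "Allow programmatic and AWS Management Console access" yields a trust policy
    conditioned on SAML:aud = https://signin.aws.amazon.com/saml.
"""
import json
import re

SAML_PROVIDER_NAME = "shibboleth.illinois.edu"  # name shown in the IAM provider drop-down
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Legacy naming contract: AWS-<12-digit AccountID>-<RoleName>; RoleName is case-sensitive.
# The RoleName character class is the set IAM accepts for role names.
_AD_GROUP_RE = re.compile(r"^AWS-(?P<account_id>\d{12})-(?P<role_name>[\w+=,.@-]+)$")


def parse_ad_group(group_name: str) -> tuple[str, str]:
    """Split a legacy AD group name into (account_id, role_name).

    Raises ValueError when the name does not follow the format Shibboleth
    searches for, so a typo is caught before a user wonders why login fails.
    """
    m = _AD_GROUP_RE.match(group_name)
    if not m:
        raise ValueError(f"{group_name!r} is not of the form AWS-<AccountID>-<RoleName>")
    return m.group("account_id"), m.group("role_name")


def role_name_matches(role_name: str, group_role_name: str) -> bool:
    """Exact, case-sensitive comparison: IAM role names are case-sensitive and the
    group's RoleName portion (or the AuthMan group name) is mapped verbatim."""
    return role_name == group_role_name


def saml_trust_policy(account_id: str, provider_name: str = SAML_PROVIDER_NAME) -> dict:
    """Return the trust policy the console generates for a SAML-federated role."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                # Without this condition any SAML audience the IdP asserts could
                # assume the role; the console always includes it.
                "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
            }
        ],
    }


def create_role_command(role_name: str, trust_policy: dict) -> str:
    """AWS CLI equivalent of the console steps, with the trust policy inlined as JSON.
    Permissions policies are attached separately (the role starts with no access)."""
    doc = json.dumps(trust_policy, separators=(",", ":"))
    return f"aws iam create-role --role-name {role_name} --assume-role-policy-document '{doc}'"


def plan_legacy_role(group_name: str) -> dict:
    """From an AD group name, derive the role name, trust policy and CLI call."""
    account_id, role_name = parse_ad_group(group_name)
    policy = saml_trust_policy(account_id)
    return {
        "account_id": account_id,
        "role_name": role_name,
        "trust_policy": policy,
        "cli": create_role_command(role_name, policy),
    }


if __name__ == "__main__":
    # Constructed sample values; the account ID is the article's own placeholder.
    plan = plan_legacy_role("AWS-123456789012-Researchers")
    print(plan["cli"])
    print(role_name_matches("researchers", plan["role_name"]))  # False: capitalization matters
```

Run it with a real group name before clicking through the console: a ValueError from parse_ad_group means Shibboleth will never find the group, and a False from role_name_matches means the role will exist but nobody will be able to assume it.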
Once AD and AWS are both configured, users should be able to log in to the role via aws.illinois.edu.
Questions? Send an email to aws-support@illinois.edu.