Overview AWS Connector
The IDHub AWS connector manages accounts and groups for your AWS instance. This guide covers the supported features of the IDHub AWS connector, its configuration and schema, how to deploy the connector, and more.
For more information about Connector Health and its status, click here.
Architecture
The connector's architecture follows the diagram below. It consists primarily of a connector application and a target system component. Native communication with the target system is handled through the IDHub implementation of the AWS-specific connection. This architecture is used because it allows rapid and straightforward connector deployment as well as precise versioning. AWS APIs are used for provisioning and reconciliation against the Amazon Web Services instance.
Features
- Account Management
- Entitlement Management
  - IAM Group Management
  - AWS Managed Policy Management
  - Customer Managed Policies
  - Inline Policies
  - Role Management
- Tag Management
- Authentication Features
  - OAuth 2.0 Authentication
  - Multi-factor Authentication (MFA) Management
  - Single Sign-On (SSO) Management
- Disable/Enable User
Below are the features in detail.
Account Management
This section describes the supported features of AWS Connector for Users management:
Operation | Supported
---|---
Create IAM user (managed as accounts) | Yes
Update IAM user | Yes
Enable/Disable IAM user | Yes
Fetch Account | Yes
Account Reconciliation | Yes
Add/Remove Entitlements for User: Groups | Yes
Add/Remove Entitlements for User: AWS Managed Policies | Yes
Add/Remove Entitlements for User: Customer Managed Policies | Yes
Add/Remove Entitlements for User: Inline Policies | Yes
Entitlement Management
The connector pulls all AWS entitlements and keeps them in IDHub as separate entitlement types. The following entitlements are supported:
- IAM Groups
- AWS Managed Policies
- Customer Managed Policies
- Inline Policies
- Roles
IDHub retrieves interdependent entitlement information and reflects it in the user profile. For example, if policies are assigned through a group, they will appear in the user's profile.
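The inherited-entitlement behaviour described above (a policy attached to a group shows up on every member's profile) is what makes reconciliation of AWS accounts more than a per-user lookup. The following is an added example, not IDHub's own code: it resolves a user's effective entitlements with provenance from a constructed snapshot shaped like the IAM `list_*` API responses (group names, policy ARNs and inline policy names are sample values; the account id is the documentation placeholder). No AWS calls are made.

```python
"""Resolve a user's effective AWS entitlements, including those inherited
through IAM group membership. Added example; not IDHub's own code."""
from collections import defaultdict

# Constructed snapshot of an IAM account. Names and ARNs are sample values;
# 123456789012 is the AWS documentation placeholder account id.
SNAPSHOT = {
    "users": {
        "alice": {
            "groups": ["developers", "auditors"],
            "attached_policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
            "inline_policies": ["alice-s3-scratch"],
        },
        "bob": {"groups": [], "attached_policies": [], "inline_policies": []},
    },
    "groups": {
        "developers": {
            "attached_policies": [
                "arn:aws:iam::123456789012:policy/DevDeploy",      # customer managed
                "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",  # AWS managed
            ],
            "inline_policies": ["developers-assume-deploy-role"],
        },
        "auditors": {
            "attached_policies": ["arn:aws:iam::aws:policy/SecurityAudit"],
            "inline_policies": [],
        },
    },
}


def classify_policy(arn: str) -> str:
    """AWS managed policies live in the 'aws' pseudo-account; any policy ARN
    under a real account id is customer managed."""
    return "aws_managed" if arn.startswith("arn:aws:iam::aws:policy/") else "customer_managed"


def effective_entitlements(snapshot: dict, user_name: str) -> dict:
    """Return {entitlement_type: {name: [sources]}} for a user.

    A source is 'direct' or 'group:<name>', so the caller can tell an
    inherited policy from one assigned to the account itself."""
    user = snapshot["users"][user_name]
    result = {
        "iam_group": defaultdict(list),
        "aws_managed": defaultdict(list),
        "customer_managed": defaultdict(list),
        "inline": defaultdict(list),
    }
    for arn in user["attached_policies"]:
        result[classify_policy(arn)][arn].append("direct")
    for name in user["inline_policies"]:
        result["inline"][name].append("direct")
    for group in user["groups"]:
        result["iam_group"][group].append("direct")
        g = snapshot["groups"][group]
        for arn in g["attached_policies"]:
            result[classify_policy(arn)][arn].append(f"group:{group}")
        for name in g["inline_policies"]:
            result["inline"][name].append(f"group:{group}")
    return {k: dict(v) for k, v in result.items()}


def inherited_only(snapshot: dict, user_name: str) -> set:
    """Entitlements the user holds only through groups. Revoking one of these
    means removing the group membership, not detaching the policy from the user."""
    ents = effective_entitlements(snapshot, user_name)
    return {
        name
        for etype, items in ents.items()
        if etype != "iam_group"
        for name, sources in items.items()
        if "direct" not in sources
    }


if __name__ == "__main__":
    for etype, items in effective_entitlements(SNAPSHOT, "alice").items():
        for name, sources in items.items():
            print(f"{etype:17} {name:52} via {', '.join(sources)}")
```

The provenance list is the useful part for an identity engineer: a reconciliation that only records "alice has SecurityAudit" cannot tell whether removing the policy from alice's profile should detach a policy or remove a group membership, and `inherited_only` makes that distinction explicit.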
Tag Management
IDHub updates IAM user information from custom tags. During account reconciliation, the system fetches the tags associated with each user and updates the corresponding attributes in IDHub according to the configured attribute sync direction.
Authentication Features
IDHub relies on Keycloak for its authentication features. SAML-based Single Sign-On and MFA setup are configured with your AWS instance outside of the connector's features.
Disable/Enable User
A dedicated enable/disable function is built into IDHub. When an AWS account is enabled or disabled, the system performs the following actions:
On Enable:
- Sets a default console password (this also activates the signing certificate if one is associated with the IAM user)
- Activates the last created access keys
- Activates the last created AWS CodeCommit HTTPS credentials
- Activates the last created AWS CodeCommit SSH keys
- Activates signing certificates
On Disable:
- Deletes the console password
- Inactivates both access keys
- Inactivates both AWS CodeCommit HTTPS credentials
- Inactivates all AWS CodeCommit SSH keys
- Inactivates signing certificates
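The disable steps above map one-to-one onto IAM API calls, and the check a practitioner wants afterwards is that no credential of any of those types is still Active. The following is an added example, not IDHub's own code: `disable_user` touches IAM only through method names that exist on boto3's IAM client (`delete_login_profile`, `list_access_keys`, `update_access_key`, `list_service_specific_credentials`, `update_service_specific_credential`, `list_ssh_public_keys`, `update_ssh_public_key`, `list_signing_certificates`, `update_signing_certificate`), so the same function runs against a real client or against the constructed in-memory `FakeIam` below. Only the fake runs here; the user name and credential ids are made-up placeholders and no AWS calls are made.

```python
"""Disable an IAM user the way the page lists it, then verify that nothing
usable remains. Added example; not IDHub's own code. FakeIam is a constructed
stand-in with boto3-shaped responses; pass a real boto3 IAM client instead to
run the same logic for real."""

CODECOMMIT = "codecommit.amazonaws.com"


class FakeIam:
    """Constructed fake of the boto3 IAM client for one sample user ('alice').
    All ids are placeholders, not real AWS identifiers."""

    class exceptions:  # boto3 exposes client.exceptions.NoSuchEntityException
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        self.login_profiles = {"alice"}
        self.access_keys = {"alice": [
            {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active"},
            {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active"}]}
        self.service_creds = {"alice": [{"ServiceSpecificCredentialId": "ACCAEXAMPLE0001",
                                         "ServiceName": CODECOMMIT, "Status": "Active"}]}
        self.ssh_keys = {"alice": [{"SSHPublicKeyId": "APKAEXAMPLE0001", "Status": "Active"}]}
        self.certs = {"alice": [{"CertificateId": "CERTEXAMPLE0001", "Status": "Active"}]}

    def delete_login_profile(self, UserName):
        if UserName not in self.login_profiles:  # real IAM raises NoSuchEntity here too
            raise self.exceptions.NoSuchEntityException(UserName)
        self.login_profiles.discard(UserName)

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": self.access_keys.get(UserName, [])}

    def update_access_key(self, UserName, AccessKeyId, Status):
        _set_status(self.access_keys[UserName], "AccessKeyId", AccessKeyId, Status)

    def list_service_specific_credentials(self, UserName, ServiceName):
        return {"ServiceSpecificCredentials": [c for c in self.service_creds.get(UserName, [])
                                               if c["ServiceName"] == ServiceName]}

    def update_service_specific_credential(self, UserName, ServiceSpecificCredentialId, Status):
        _set_status(self.service_creds[UserName], "ServiceSpecificCredentialId",
                    ServiceSpecificCredentialId, Status)

    def list_ssh_public_keys(self, UserName):
        return {"SSHPublicKeys": self.ssh_keys.get(UserName, [])}

    def update_ssh_public_key(self, UserName, SSHPublicKeyId, Status):
        _set_status(self.ssh_keys[UserName], "SSHPublicKeyId", SSHPublicKeyId, Status)

    def list_signing_certificates(self, UserName):
        return {"Certificates": self.certs.get(UserName, [])}

    def update_signing_certificate(self, UserName, CertificateId, Status):
        _set_status(self.certs[UserName], "CertificateId", CertificateId, Status)


def _set_status(items, id_field, id_value, status):
    for item in items:
        if item[id_field] == id_value:
            item["Status"] = status


# One entry per credential type the page says gets inactivated:
# (label, response list key, id field, list call, update call).
# Per-user IAM credential counts are small, so Marker pagination is omitted.
CREDENTIAL_TYPES = [
    ("access_keys", "AccessKeyMetadata", "AccessKeyId",
     lambda iam, u: iam.list_access_keys(UserName=u),
     lambda iam, u, i, s: iam.update_access_key(UserName=u, AccessKeyId=i, Status=s)),
    ("codecommit_https", "ServiceSpecificCredentials", "ServiceSpecificCredentialId",
     lambda iam, u: iam.list_service_specific_credentials(UserName=u, ServiceName=CODECOMMIT),
     lambda iam, u, i, s: iam.update_service_specific_credential(
         UserName=u, ServiceSpecificCredentialId=i, Status=s)),
    ("ssh_keys", "SSHPublicKeys", "SSHPublicKeyId",
     lambda iam, u: iam.list_ssh_public_keys(UserName=u),
     lambda iam, u, i, s: iam.update_ssh_public_key(UserName=u, SSHPublicKeyId=i, Status=s)),
    ("signing_certificates", "Certificates", "CertificateId",
     lambda iam, u: iam.list_signing_certificates(UserName=u),
     lambda iam, u, i, s: iam.update_signing_certificate(UserName=u, CertificateId=i, Status=s)),
]


def disable_user(iam, user_name):
    """Delete the console password and set every credential to Inactive.
    Returns a summary of what changed so the action can be audited."""
    summary = {"login_profile_deleted": False}
    try:
        iam.delete_login_profile(UserName=user_name)
        summary["login_profile_deleted"] = True
    except iam.exceptions.NoSuchEntityException:
        pass  # no console password to delete; keep going with the other steps
    for label, key, id_field, list_fn, update_fn in CREDENTIAL_TYPES:
        changed = []
        for item in list_fn(iam, user_name)[key]:
            if item["Status"] == "Active":
                update_fn(iam, user_name, item[id_field], "Inactive")
                changed.append(item[id_field])
        summary[label] = changed
    return summary


def active_credentials(iam, user_name):
    """Post-condition check: anything still Active after a disable is a gap
    worth alerting on. Returns (type, id) pairs; an empty list means clean."""
    return [(label, item[id_field])
            for label, key, id_field, list_fn, _ in CREDENTIAL_TYPES
            for item in list_fn(iam, user_name)[key]
            if item["Status"] == "Active"]
```

Two design points: the function is idempotent (a second run finds nothing Active and reports an empty change set rather than failing), and credentials are inactivated rather than deleted, matching the page's enable path, which reactivates the last created keys and credentials instead of issuing new ones.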