Case Study
Scalable Identity Management Solution

THE TASK

Development of a reliable identity management solution for accessing cloud resources inside AWS, and establishment of governance over all identity management aspects.

ABOUT THE COMPANY

The company is an internationally active insurance group with almost 30,000 employees worldwide and more than 10,000 full-time agents. With insurance premiums in the tens of billions, the company is one of the largest primary insurers in Germany and Europe.

12 month duration
3 customer employees
3 direkt gruppe employees
130 managed AWS accounts
60 DevOps-managed productive applications
200 active users accessing dev/staging environments

THE CHALLENGE

The customer operates an environment with over 130 AWS accounts and 60 productive applications. A reliable central IAM solution was needed to report the compliance state of all user accounts and to give all application developers a reliable way of accessing AWS resources that complies with the customer's security guidelines. The solution had to scale with the size of the platform and be able to onboard new projects within minutes rather than days or weeks. The platform was designed to scale and to take up even more corporate applications with different operating models.

OUR PROPOSED SOLUTION

We developed a multi-purpose and multi-project account structure that separates projects from each other at the AWS account level. Each project was given two AWS accounts (development/integration and production) for its workloads. For authentication against AWS accounts we used AWS IAM, which fulfilled all customer needs regarding compliance (MFA, IP restriction, rotation of keys, service user governance and others), scalability and security.

For this we automated the account setup in the following way:

  • Fully automated setup of workload accounts, including the deployment (via CloudFormation) of several IAM roles that automatically trust the central IAM account
  • Setup of IAM groups in a central identity management account that allow role assumption into the new project account
  • Central cloud governance process that helps projects with onboarding to AWS, including the setup of users with access to the dev/int environment of the project
  • Users can then set up their MFA on their own (self-managed)
  • Configuration of all users and roles is checked constantly through a self-developed compliance logic that checks all configurations against a guideline (CIS Benchmark + customer guidelines)
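The two policies that make this account structure work are the trust policy on the role in the workload account (it trusts only the central identity account and requires MFA, matching "all roles enforce the usage of an MFA" below) and the policy on the project's IAM group in the identity account (it allows assuming exactly that project's roles). The following is an added illustration, not code from the case study or from direkt gruppe: account IDs, role names and the check function are assumptions chosen for the example.

```python
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(identity_account_id, require_mfa=True):
    """Trust policy for a role deployed into a workload (project) account.

    Only principals from the central identity account may assume the role, and
    (when require_mfa is set) only if they authenticated with MFA.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{identity_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_group_assume_policy(project_account_id, role_names):
    """Policy attached to the project's IAM group in the identity account.

    Members may assume only the listed roles, and only in that project account,
    so one group maps to one project and nothing else.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{project_account_id}:role/{name}" for name in role_names],
        }],
    }


def trust_policy_findings(policy, identity_account_id):
    """Compliance check over a role trust policy (hypothetical rule set).

    Flags any sts:AssumeRole statement that trusts a principal other than the
    identity account, or that lacks the aws:MultiFactorAuthPresent condition.
    """
    findings = []
    expected_principal = f"arn:aws:iam::{identity_account_id}:root"
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action")):
            continue
        principal = statement.get("Principal", {})
        principals = _as_list(principal) if isinstance(principal, str) else _as_list(principal.get("AWS"))
        for p in principals:
            if p != expected_principal:
                findings.append(f"statement {index}: trusts foreign principal {p}")
        mfa = statement.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {index}: no MFA condition on sts:AssumeRole")
    return findings


if __name__ == "__main__":
    # Placeholder account IDs, constructed for this example.
    IDENTITY_ACCOUNT = "111111111111"
    PROJECT_ACCOUNT = "222222222222"
    print(json.dumps(build_trust_policy(IDENTITY_ACCOUNT), indent=2))
    print(json.dumps(build_group_assume_policy(PROJECT_ACCOUNT, ["DeveloperRole"]), indent=2))
    print(trust_policy_findings(build_trust_policy(IDENTITY_ACCOUNT, require_mfa=False), IDENTITY_ACCOUNT))
```

The check deliberately treats a wildcard or any third-party principal as a finding: in this account structure the identity account is the only legitimate entry point into a project account, so a trust relationship to anything else is a misconfiguration worth routing to the cloud operations team.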

With this solution we could onboard new users very quickly, without compromising on either speed/agility or security. Users can access their project resources in an agile but governed way, backed by a central logic that notifies the operations team in case of a misconfiguration or incident.

Additionally, we implemented several compliance checks against AWS IAM whose results were reported to a central ElasticSearch for further handling by a central cloud operations team:

  • Access Key Age (>90 days)
  • User Activity (>30 days)
  • MFA activated (even though all roles enforce the usage of an MFA)
  • Complex Password Policy

Incidents/findings are reported to a central cloud operations team (within a cloud competence center), which handles the incidents and routes them to the affected user.
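The four checks listed above can all be evaluated from data AWS IAM already provides: the per-user credential report for key age, activity and MFA, and the account password policy for complexity. The following is an added example written for this page, not the self-developed compliance logic the case study describes. It evaluates a constructed sample in the column layout of an IAM credential report (a real report has additional columns) at a fixed point in time; the password-policy thresholds are the CIS AWS Foundations Benchmark 1.x recommendations, standing in for the customer's own guideline, and the finding names are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Thresholds as stated in the case study: key age > 90 days, inactivity > 30 days.
MAX_KEY_AGE = timedelta(days=90)
MAX_INACTIVITY = timedelta(days=30)

# Constructed sample in the column layout of an IAM credential report (CSV).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,true,2024-05-20T08:00:00+00:00,true,true,2024-05-01T00:00:00+00:00,2024-05-20T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,true,2024-01-10T08:00:00+00:00,false,true,2023-12-01T00:00:00+00:00,2024-01-10T08:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,false,no_information,false,true,2024-05-15T00:00:00+00:00,2024-05-29T00:00:00+00:00,true,2024-01-01T00:00:00+00:00,N/A
"""

# Fixed evaluation time so the sample yields reproducible findings.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_time(value):
    """Credential reports use N/A, no_information or not_supported for 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def evaluate_credential_report(report_csv, now=NOW):
    """Return one finding dict per violated check and user."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        password_used = parse_time(row["password_last_used"])
        activity = [password_used] if password_used else []

        # Check 1: active access keys that have not been rotated within 90 days.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append({"user": user, "check": "ACCESS_KEY_AGE",
                                 "detail": f"key {slot} is {(now - rotated).days} days old"})
            used = parse_time(row[f"access_key_{slot}_last_used_date"])
            if used:
                activity.append(used)

        # Check 2: no console login and no key use within 30 days.
        latest = max(activity) if activity else None
        if latest is None or now - latest > MAX_INACTIVITY:
            detail = f"last activity {(now - latest).days} days ago" if latest else "never active"
            findings.append({"user": user, "check": "USER_INACTIVE", "detail": detail})

        # Check 3: console users without an MFA device (users without a
        # password cannot log in to the console, so they are skipped here).
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append({"user": user, "check": "MFA_MISSING",
                             "detail": "console password enabled without MFA"})
    return findings


# CIS AWS Foundations Benchmark 1.x password-policy values, used as the guideline.
PASSWORD_POLICY_GUIDELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Constructed weak policy in the shape of an IAM account password policy.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": False,
    "MaxPasswordAge": 365,
    "PasswordReusePrevention": 5,
}


def check_password_policy(policy):
    """Check 4: compare an account password policy against the guideline."""
    violations = []
    for key, expected in PASSWORD_POLICY_GUIDELINE.items():
        actual = policy.get(key)
        if isinstance(expected, bool):
            ok = actual is True
        elif key == "MaxPasswordAge":            # an upper bound
            ok = actual is not None and actual <= expected
        else:                                    # lower bounds
            ok = actual is not None and actual >= expected
        if not ok:
            violations.append({"check": "PASSWORD_POLICY",
                               "detail": f"{key}: got {actual}, guideline {expected}"})
    return violations


if __name__ == "__main__":
    for finding in evaluate_credential_report(SAMPLE_REPORT) + check_password_policy(WEAK_POLICY):
        print(finding)
```

Each finding is a flat dict, which is the shape you would index into the central Elasticsearch so the operations dashboard can filter by user and check. Note the deliberate treatment of the service user: it has no console password, so the MFA check does not apply, but its second, long-unrotated access key is still reported.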

AWS AS A CENTRAL PART OF THE SOLUTION

The solution was heavily built on multiple AWS services.

  • AWS IAM is a very good fit for a scalable IAM infrastructure with over 130 AWS accounts. We raised several limits (policy sizes, group limits, user limits) during the project and hypercare phase without hitting any hard limit.
  • AWS Lambda is used to check the IAM compliance constantly (“continuous compliance”) with very low costs.
  • AWS ElasticSearch is used as an easy-to-setup dashboard for a compliance overview that helps the cloud operations team.

REALIZED RESULTS AND POTENTIALS

All of the customer's identity management requirements were fulfilled. The solution even surpasses the solutions currently implemented by the customer in terms of scalability and security. A very low issue rate from customers regarding access to their resources via AWS IAM was achieved. Very good transparency of the compliance state of all IAM resources (age, activity, …) was established via AWS ElasticSearch. Onboarding of new projects is handled in minutes, and a compliance report can be created on demand without any manual tasks involved.
