
I'm a sysadmin of a medium-sized chain of Italian restaurants. While I'm not dealing with patient health records or financial information, I am still security focused.

I'm trying to achieve tenant restrictions for Amazon AWS, similar to what I do for Outlook. I do not want users to log into personal AWS accounts, only the organization one (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions).

For S3 buckets themselves I can limit PUTs and POSTs to them to prevent uploads on non-approved buckets. I want to prevent users from logging into a personal AWS account on the web console and uploading from there.

I'm using a proxy based solution for a SWG and can apply headers as needed.

Does some kind of header exist that I can shove into my S3 requests (or auth requests to AWS) that prevents people from logging in with personal accounts similar to what O365 provides?

schroeder
  • You want to be able to determine which cloud account on a common service your users are logging into and block access to certain accounts? Your tags hold the answer: you need to implement a CASB. I'm not sure there would be any other way. You are essentially asking to control which Gmail account your users can use. – schroeder Nov 30 '17 at 15:41
  • @schroeder The bulk of what CASBs do can be replicated on my SWG, although manually. I can add headers and redirect URLs based on the presence of content (headers, URLs, methods, etc.). For example, with Outlook I am shoving those tenant restriction headers in there. We don't have a ton of money for a "real" CASB, so I'm doing a lot of the heavy lifting myself with my SWG and open source tools. – oklSDfJDFLJSDfklj Nov 30 '17 at 16:34
  • @schroeder - O365 provides tenant restrictions by shoving a header into requests to O365. If that header is present, it does not let the user log in to personal accounts. Does some kind of header exist that I can shove into my S3 requests (or auth requests to AWS) that prevents people from logging in with personal accounts, similar to what O365 provides? That is my question. How can I achieve this behavior with headers? – oklSDfJDFLJSDfklj Nov 30 '17 at 16:37
  • That's not a question that's in scope here. What one service may or may not include that you can leverage is really up to each service. You can test for it, or you might find documentation from the vendor on such a thing. – schroeder Nov 30 '17 at 16:39
  • @schroeder - Well, that's what I'm asking for here. I'm asking if anyone knows a way to do tenant restrictions with AWS. I'm asking because I don't know if it's possible. – oklSDfJDFLJSDfklj Nov 30 '17 at 16:55
  • Amazon recommends separating by having multiple Amazon accounts. It is called multi-account security and uses cross-account IAM roles. See for example this whitepaper: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf – eckes Jan 09 '18 at 06:34
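The "limit PUTs and POSTs to approved buckets" rule the question describes, written out as a proxy decision function. This is an added example, not code from the post or from AWS; the bucket names are constructed, and it assumes the SWG hands the rule each request's method and full URL. It goes slightly beyond the question by handling both virtual-hosted-style and path-style S3 URLs, since a rule that only checks one form is easy to bypass with the other.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allow-list of the organization's buckets (constructed values).
APPROVED_BUCKETS = {"acme-restaurants-menus", "acme-restaurants-backups"}

# Methods that create or modify objects, i.e. the ones that allow uploads.
UPLOAD_METHODS = {"PUT", "POST"}

# Path-style endpoints: s3.amazonaws.com, s3.<region>.amazonaws.com,
# and the legacy dashed form s3-<region>.amazonaws.com.
_PATH_STYLE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Virtual-hosted style: <bucket>.s3.amazonaws.com and the regional variants.
_VHOST_STYLE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)


def s3_bucket_from_url(url):
    """Return the bucket an S3 request targets, or None if the URL is not S3."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the host for us
    if _PATH_STYLE.match(host):
        # Path style: the first path segment is the bucket name.
        first = parts.path.lstrip("/").split("/", 1)[0]
        return first or None
    m = _VHOST_STYLE.match(host)
    if m:
        return m.group("bucket")
    return None


def decide(method, url, approved=APPROVED_BUCKETS):
    """Return (allow, reason) for a proxied request.

    Only uploads are restricted; reads of any bucket still pass. Note that this
    never sees a console login to a personal account, which is exactly the gap
    the question is about: it only catches direct S3 API uploads.
    """
    bucket = s3_bucket_from_url(url)
    if bucket is None:
        return True, "not an S3 request"
    if method.upper() not in UPLOAD_METHODS:
        return True, "%s to %s is not an upload" % (method, bucket)
    if bucket in approved:
        return True, "upload to approved bucket %s" % bucket
    return False, "blocked upload to non-approved bucket %s" % bucket
```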

1 Answer


I don't think that there is any method supported directly by AWS to prevent users from logging into any account (that they have rights to).

AWS promotes the use of multiple accounts. With the recent announcement of AWS Single Sign-On it is even easier to use multiple accounts.

Announcing AWS Single Sign-On (SSO)

John Hanley