- Log in to the Operations account, which is the delegated administration account for AWS IAM Identity Center.
- If you plan to use the AWS Directory that the reference architecture deploys, follow the IAM Identity Center guidance to configure Active Directory as the identity source. If you plan to use an external IdP, follow the IAM Identity Center guidance to configure an external identity provider.
We recommend the following minimum multi-factor authentication (MFA) settings:
- Every time they sign in (always-on)
- Security key and built-in authenticators
- Authenticator apps
- Require them to provide a one-time password sent by email to sign in
- Users can add and manage their own MFA devices
The breakglass users are highly privileged user accounts.
Log in to the management account and follow the AWS IAM documentation to configure MFA on both breakglass accounts. We recommend hardware MFA for these accounts.
Since the 1.7.0-a release of the configuration, Application Load Balancers are deployed in the Perimeter VPC. Sample configuration is also provided to automate the deployment of Application Load Balancers in workload accounts. AWS ALBs are published using DNS names that resolve to backing IPs, and those IPs can silently change at any time due to a scaling event, maintenance, or a hardware failure. While published as a DNS name, ALBs can only target IP addresses. This presents a challenge because the ALBs in the Perimeter account need to target ALBs in the various back-end workload accounts.
ALB Forwarding solves this problem by executing a small snippet of code every 60 seconds that updates the managed ALB listeners with any IP changes, ensuring the managed flows do not go offline. This removes the requirement to use a third-party appliance to perform NAT to a DNS name.
When using Managed Active Directory, manual steps are needed to customize the security group created for your domain controllers. By default, traffic is only allowed from the CIDR range of the VPC where the directory is deployed. Traffic also needs to be allowed from the Endpoint VPC where the Amazon Route 53 Outbound Resolver endpoints are deployed, and from all other CIDRs associated with your VPC, other peered VPCs, or networks you have connected using AWS Direct Connect, AWS Transit Gateway, or a Virtual Private Network that need to communicate with the domain controllers.
- Locate the security group created by Directory Service in your Operations account (named `d-<your-directory-id>_controllers`) and edit the source of the inbound rules to allow traffic from the needed CIDR ranges. You can use the same value used for the `AcceleratorIpamSupernet` replacement variable, which covers all your VPC address space. Customize this according to your needs. Refer to the AWS Directory Service documentation for more details.
- Edit the `iam-config.yaml` file to un-comment and edit as needed the `activeDirectoryConfigurationInstance` block under `managedActiveDirectories`. Send your configuration changes to CodeCommit or S3.
- Release the `AWSAccelerator-Pipeline` to finalize the deployment of the Active Directory configuration instance.
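The security-group step above is usually done in the console, but it is easy to get wrong (a CIDR missed on one port, or the same CIDR added twice on re-runs). The following is an added example, not the accelerator's own code: it computes, for a domain-controller security group, exactly which source CIDRs still need to be authorized on each existing inbound rule, so the directory VPC rules stay untouched and the operation is idempotent. The rule dicts use the boto3 `IpPermissions` shape returned by `describe_security_groups` and accepted by `authorize_security_group_ingress`; the sample rules, the directory VPC CIDR (`10.10.0.0/16`) and the supernet (`10.0.0.0/8`) are constructed values standing in for your own `AcceleratorIpamSupernet`.

```python
"""Compute the ingress additions so the Managed AD domain-controller security
group also accepts traffic from every CIDR that must reach the domain
controllers (Endpoint VPC, peered VPCs, Direct Connect / Transit Gateway / VPN
ranges). Added example, not the accelerator's own code. Rule dicts use the
boto3 IpPermissions shape of describe_security_groups /
authorize_security_group_ingress; the sample rules, the directory VPC CIDR and
the supernet below are constructed.
"""
import ipaddress

# Constructed sample of what Directory Service creates by default: every rule
# sourced only from the directory VPC's CIDR (10.10.0.0/16 here). Real groups
# carry many more AD ports; three are enough to show the reconciliation.
EXISTING_RULES = [
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389, "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
]


def _covered(cidr, existing_cidrs):
    """True if cidr already falls inside one of the rule's existing sources."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == other.version and net.subnet_of(other)
               for other in map(ipaddress.ip_network, existing_cidrs))


def ingress_additions(existing_rules, required_cidrs):
    """Return the IpPermissions to pass to authorize_security_group_ingress.

    For each existing port/protocol rule, list only the required CIDRs that the
    rule does not already cover, so running this repeatedly adds nothing twice
    and never opens ports that Directory Service did not already open.
    """
    additions = []
    for rule in existing_rules:
        have = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        missing = [c for c in required_cidrs if not _covered(c, have)]
        if not missing:
            continue
        perm = {
            "IpProtocol": rule["IpProtocol"],
            "IpRanges": [{"CidrIp": c, "Description": "accelerator supernet"} for c in missing],
        }
        # Protocol "-1" rules carry no port range; copy ports only when present.
        for key in ("FromPort", "ToPort"):
            if key in rule:
                perm[key] = rule[key]
        additions.append(perm)
    return additions


def apply_to_group(group_id, required_cidrs, region):
    """Live variant: read the group's current rules and authorize the missing
    sources. Requires boto3 and AWS credentials; not exercised offline."""
    import boto3  # imported here so the offline functions above need no SDK
    ec2 = boto3.client("ec2", region_name=region)
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    perms = ingress_additions(group["IpPermissions"], required_cidrs)
    if perms:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return perms


if __name__ == "__main__":
    # Same value as your AcceleratorIpamSupernet replacement variable (constructed here).
    for perm in ingress_additions(EXISTING_RULES, ["10.0.0.0/8"]):
        print(perm)
```

Running the module prints one permission per existing rule, each sourced from the supernet; calling `ingress_additions` a second time with a CIDR already inside `10.10.0.0/16` returns an empty list, which is the behaviour you want before wiring `apply_to_group` to a real `d-<your-directory-id>_controllers` group.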
The CloudFormation stack to deploy the ALB forwarding is provided in `customizations/AlbIpForwardingStack.template.json`. The configuration to deploy this stack to the Perimeter account is provided in `customizations-config.yaml`. This stack creates a new DynamoDB table named `<AcceleratorPrefix>-Alb-Ip-Forwarding-vpc-*` in the Perimeter account.
When using the default configuration file, an external ALB is already provisioned in the Perimeter account with a listener on port 443. For each application that needs to be published, a record needs to be added to the DynamoDB table, see sample below.
Records can be added to the table for any ALB in the account running the ALB Forwarding component (by default, the Perimeter account). Records can be added at any time. DynamoDB change logs trigger the initial creation of the appropriate target group(s); thereafter, IP addresses are verified and updated every 60 seconds.
Note: The sample below is in standard JSON format, not DynamoDB JSON. When adding an entry via the console, ensure that JSON view is selected and that View DynamoDB JSON is disabled.
```json
{
  "id": "App1",
  "targetAlbDnsName": "internal-Core-mydevacct1-alb-123456789.ca-central-1.elb.amazonaws.com",
  "targetGroupDestinationPort": 443,
  "targetGroupProtocol": "HTTPS",
  "vpcId": "vpc-0a6f44a80514daaaf",
  "rule": {
    "sourceListenerArn": "arn:aws:elasticloadbalancing:ca-central-1:123456789012:listener/app/Public-DevTest/b1b12e7a0c412bf3/ef9b022a4fdd8bdf",
    "condition": {
      "paths": ["/img/*", "/myApp2"],
      "hosts": ["aws.amazon.com"],
      "priority": 30
    }
  }
}
```
- `id` is any unique text
- `targetAlbDnsName` is the DNS name of the internal ALB for this application (in the workload account)
- `vpcId` is the VPC ID containing the external ALB (in the Perimeter account)
- `sourceListenerArn` is the ARN of the listener of the external ALB (in the Perimeter account)
- `paths` and `hosts` are both optional, but one of the two must be supplied
- `priority` must be unique and is used to order the listener rules. Priorities should be spaced at least 40 apart to allow for easy insertion of new applications and forwarder rules.
- The provided `targetAlbDnsName` must resolve to addresses within a supported IP address space.
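To make the 60-second reconciliation described earlier and the record rules just listed concrete, here is an added example (not the accelerator's own forwarder code, which runs as a deployed function against the real listener and target groups). It validates a set of records against those rules (unique `id`, at least one of `paths`/`hosts`, unique priorities spaced 40 apart per listener) and then performs one pass of the loop: resolve each `targetAlbDnsName` and compute which IP targets must be registered or deregistered, refusing any address outside the supported space. The resolver answers, the `App2`/`App3` records and DNS names, the current target-group membership and `SUPPORTED_SPACE` are constructed assumptions; `App1` is the sample record above.

```python
"""Offline model of the ALB Forwarding reconciliation described above.

Added example, not the accelerator's own forwarder code. It (1) validates
DynamoDB records against the rules listed above and (2) performs one
60-second pass: resolve each targetAlbDnsName and compute the IP targets to
register or deregister. Resolver answers, the App2/App3 records, the current
target-group membership and SUPPORTED_SPACE are constructed assumptions.
"""
import ipaddress

# Assumed supported address space (your AcceleratorIpamSupernet in practice).
SUPPORTED_SPACE = [ipaddress.ip_network("10.0.0.0/8")]
MIN_PRIORITY_GAP = 40  # spacing recommended above

LISTENER = ("arn:aws:elasticloadbalancing:ca-central-1:123456789012:"
            "listener/app/Public-DevTest/b1b12e7a0c412bf3/ef9b022a4fdd8bdf")

# Constructed records: App1 is the sample above; App2 is valid; App3 breaks the
# spacing rule (priority 50 sits within 40 of both App1 and App2).
SAMPLE_RECORDS = [
    {"id": "App1",
     "targetAlbDnsName": "internal-Core-mydevacct1-alb-123456789.ca-central-1.elb.amazonaws.com",
     "targetGroupDestinationPort": 443, "targetGroupProtocol": "HTTPS",
     "vpcId": "vpc-0a6f44a80514daaaf",
     "rule": {"sourceListenerArn": LISTENER,
              "condition": {"paths": ["/img/*", "/myApp2"], "hosts": ["aws.amazon.com"], "priority": 30}}},
    {"id": "App2",
     "targetAlbDnsName": "internal-app2-alb-987654321.ca-central-1.elb.amazonaws.com",  # constructed
     "targetGroupDestinationPort": 443, "targetGroupProtocol": "HTTPS",
     "vpcId": "vpc-0a6f44a80514daaaf",
     "rule": {"sourceListenerArn": LISTENER,
              "condition": {"hosts": ["app2.example.com"], "priority": 70}}},
    {"id": "App3",
     "targetAlbDnsName": "internal-app3-alb-111111111.ca-central-1.elb.amazonaws.com",  # constructed
     "targetGroupDestinationPort": 443, "targetGroupProtocol": "HTTPS",
     "vpcId": "vpc-0a6f44a80514daaaf",
     "rule": {"sourceListenerArn": LISTENER,
              "condition": {"hosts": ["app3.example.com"], "priority": 50}}},
]

# Constructed DNS answers (one address is outside the supported space) and the
# targets currently registered in each record's target group.
RESOLVER = {
    SAMPLE_RECORDS[0]["targetAlbDnsName"]: ["10.20.1.15", "10.20.2.31", "192.0.2.9"],
    SAMPLE_RECORDS[1]["targetAlbDnsName"]: ["10.30.0.7"],
}
CURRENT_TARGETS = {"App1": ["10.20.1.15", "10.20.9.99"]}


def validate_records(records):
    """Return a list of violations of the record rules listed above."""
    errors, seen_ids, by_listener = [], set(), {}
    for rec in records:
        rid = rec.get("id")
        if not rid or rid in seen_ids:
            errors.append(f"{rid!r}: id must be unique, non-empty text")
        seen_ids.add(rid)
        rule = rec.get("rule", {})
        cond = rule.get("condition", {})
        if not (cond.get("paths") or cond.get("hosts")):
            errors.append(f"{rid}: supply at least one of paths or hosts")
        prio = cond.get("priority")
        if not isinstance(prio, int):
            errors.append(f"{rid}: priority must be an integer")
            continue
        # Listener rule priorities are unique per listener; flag duplicates and gaps under 40.
        listener = rule.get("sourceListenerArn")
        for other_id, other_prio in by_listener.get(listener, []):
            if prio == other_prio:
                errors.append(f"{rid}: priority {prio} duplicates {other_id}")
            elif abs(prio - other_prio) < MIN_PRIORITY_GAP:
                errors.append(f"{rid}: priority {prio} is within {MIN_PRIORITY_GAP} of {other_id} ({other_prio})")
        by_listener.setdefault(listener, []).append((rid, prio))
    return errors


def reconcile_targets(resolved_ips, registered_ips):
    """Diff the addresses a name resolves to against the target group's current
    members. Addresses outside SUPPORTED_SPACE are reported, never registered."""
    in_space = {ip for ip in resolved_ips
                if any(ipaddress.ip_address(ip) in net for net in SUPPORTED_SPACE)}
    current = set(registered_ips)
    return {"register": sorted(in_space - current),
            "deregister": sorted(current - in_space),
            "out_of_space": sorted(set(resolved_ips) - in_space)}


def forwarder_tick(records, resolver, current_targets):
    """One pass of the 60-second loop: resolve each record's ALB name and
    compute the target-group changes, keyed by record id."""
    return {rec["id"]: reconcile_targets(resolver.get(rec["targetAlbDnsName"], []),
                                         current_targets.get(rec["id"], []))
            for rec in records}


if __name__ == "__main__":
    for problem in validate_records(SAMPLE_RECORDS):
        print("invalid:", problem)
    for app, plan in forwarder_tick(SAMPLE_RECORDS, RESOLVER, CURRENT_TARGETS).items():
        print(app, plan)
```

Swapping `RESOLVER` for a real lookup (for example `socket.getaddrinfo` on the ALB name) and feeding the `register`/`deregister` lists to the target-group registration calls gives the live shape of the loop; keeping the diff as a pure function is what makes the "addresses changed silently" case cheap to test, and the `out_of_space` list is where a record whose name resolves outside the supported address space shows up instead of being silently registered.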
For tips on troubleshooting issues with ALB forwarding rules, see the FAQ about Application Load Balancer forwarding.