This cheatsheet depicts the identity federation between Azure Active Directory (AAD) and AWS Identity Center, leveraging AAD as the source of truth for all users and group memberships. The diagram illustrates AWS permission sets being assigned to the synced identities in Identity Center and the resulting roles being pushed to member accounts.
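The model above only holds if every assignment in Identity Center flows through an AAD-synced group; a permission set assigned directly to a user, or to a group created locally in Identity Center, is exactly the identity sprawl the design is meant to prevent, because AAD lifecycle management can never revoke it. The following Python script is an added example, not part of the SEC549 cheatsheet or any SANS material: it audits account assignments against the identity store using the response shapes of the `sso-admin` ListAccountAssignments and `identitystore` DescribeGroup APIs. The live collector assumes `boto3` is installed and that the caller has read access to both services; the sample data, account IDs, ARNs and the SCIM issuer string are constructed placeholders.

```python
"""Audit AWS IAM Identity Center assignments against the AAD-synced directory.
Added example (not the SEC549 cheatsheet's own code). Assumption: identities
reach Identity Center only through the AAD SCIM sync, so every legitimate
group carries an ExternalIds entry written by that sync."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account_id: str
    permission_set_arn: str
    principal_type: str
    principal_id: str
    reason: str


def audit_assignments(assignments, groups):
    """Return a Finding for every assignment that bypasses the
    AAD -> Identity Center -> member account model.

    assignments: list of dicts shaped like the AccountAssignments items of
        sso-admin ListAccountAssignments (AccountId, PermissionSetArn,
        PrincipalType, PrincipalId).
    groups: dict GroupId -> dict shaped like identitystore DescribeGroup
        output (DisplayName, ExternalIds). Missing keys mean the group is gone.
    """
    findings = []
    for a in assignments:
        ptype, pid = a["PrincipalType"], a["PrincipalId"]
        if ptype != "GROUP":
            reason = "assigned directly to a user; AAD group lifecycle cannot revoke it"
        elif pid not in groups:
            reason = "assigned to a group that no longer exists in the identity store"
        elif not groups[pid].get("ExternalIds"):
            reason = "assigned to a group created locally in Identity Center, not synced from AAD"
        else:
            continue  # group-based and AAD-sourced: matches the design
        findings.append(Finding(a["AccountId"], a["PermissionSetArn"], ptype, pid, reason))
    return findings


def summarize(findings):
    """Count findings per member account for reporting."""
    per_account = {}
    for f in findings:
        per_account[f.account_id] = per_account.get(f.account_id, 0) + 1
    return per_account


def collect_live(instance_arn, identity_store_id, account_ids):
    """Fetch the same shapes from a real Identity Center instance.
    Assumption: boto3 is installed and credentials can read sso-admin and
    identitystore. Imported lazily so the offline demo needs no AWS access."""
    import boto3
    sso, ids = boto3.client("sso-admin"), boto3.client("identitystore")
    assignments, groups = [], {}
    for account in account_ids:
        ps_pages = sso.get_paginator("list_permission_sets_provisioned_to_account").paginate(
            InstanceArn=instance_arn, AccountId=account)
        for page in ps_pages:
            for ps_arn in page.get("PermissionSets", []):
                for apage in sso.get_paginator("list_account_assignments").paginate(
                        InstanceArn=instance_arn, AccountId=account, PermissionSetArn=ps_arn):
                    assignments.extend(apage.get("AccountAssignments", []))
    for a in assignments:
        if a["PrincipalType"] == "GROUP" and a["PrincipalId"] not in groups:
            try:
                groups[a["PrincipalId"]] = ids.describe_group(
                    IdentityStoreId=identity_store_id, GroupId=a["PrincipalId"])
            except ids.exceptions.ResourceNotFoundException:
                pass  # leave it absent so the audit flags the dangling assignment
    return assignments, groups


# Constructed sample data (placeholder account IDs, ARNs and SCIM issuer).
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-placeholder/ps-admin"
PS_RO = "arn:aws:sso:::permissionSet/ssoins-placeholder/ps-readonly"
SAMPLE_GROUPS = {
    "g-synced-admins": {"DisplayName": "aws-prod-admins",
                        "ExternalIds": [{"Issuer": "constructed-scim-issuer", "Id": "aad-object-1"}]},
    "g-local-breakglass": {"DisplayName": "local-breakglass", "ExternalIds": []},
}
SAMPLE_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-synced-admins"},
    {"AccountId": "111111111111", "PermissionSetArn": PS_RO, "PrincipalType": "USER", "PrincipalId": "u-contractor"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-local-breakglass"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_RO, "PrincipalType": "GROUP", "PrincipalId": "g-deleted"},
]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS):
        print(f"{f.account_id} {f.principal_type}:{f.principal_id} -> {f.reason}")
    print(summarize(audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS)))
```

Run against the constructed data, the audit passes the AAD-synced admin group and flags the other three assignments: the direct user assignment, the locally created break-glass group, and the group that no longer exists. Against a live instance, `collect_live` feeds the same audit from the organization's real assignments; running it from the management account on a schedule turns the diagram's design intent into a detectable invariant.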
The SANS SEC549 course materials are built around the fictional company Delos and its phased journey to the cloud. In course labs, students play the role of Delos Security Architects, tasked with helping the company navigate its transformation into a cloud-first organization. In this architectural diagram, Delos has designed for centralized account provisioning originating in Azure Active Directory, syncing users and groups to its burgeoning AWS environment.
The Delos C-Suite announced its intention to move the majority of Delos' operations to the AWS cloud over the next few years. Given the business's direction, it was imperative to prevent identity sprawl in the new environment and maintain control of the lifecycles of users and groups. Leveraging AWS Identity Center additionally allowed for the central management of permission sets in AWS, rather than authorization dispersed within each account.