Client
Amazon.com Inc. is the world’s largest e-commerce company. It sells books, DVDs, consumer goods, etc. online and provides various cloud computing services to a large number of enterprises worldwide.
Business Need
With the release of a new version, AWS Identity and Access Management (IAM) began to support identity federation for delegated access to the AWS Management Console or AWS APIs. External identities (federated users) can now be granted secure access to resources in the enterprise’s AWS account without an IAM user having to be created for each individual user.
To establish a relationship between corporate users and IAM accounts at the corporate level, Akvelon was tasked with making the possession and use of IAM accounts more secure for the enterprises to which they were issued: the accounts’ identities and secret keys are never shared with end users. We were also asked to make it possible to quickly adjust federated corporate users’ roles and permissions through a simple action at the Active Directory level.
Akvelon was chosen as the sole contractor for this project because of the aggressive timeline it agreed to and because it proactively proposed several viable solutions during the initial discussion. Akvelon assumed full responsibility for this end-to-end contract.
Solution
The Identity Federation application is an ASP.NET MVC web application hosted on the corporation’s premises.
The application builds a request to the AWS Identity and Access Management services that contains an AWS Security Token Service (STS) token for authentication and authorization on Amazon’s side.
The application was supplied with a Windows Installer package, allowing for rapid enterprise deployment. Amazon decided to ship the application as open source, so the IT department of each enterprise can adjust the federation process if it chooses to, or simply use the application as developed. The final deliverable was published by Amazon.
Benefits and Results
Akvelon created an application that fully satisfied the client’s needs – it allowed for immediate and easy use by enterprises and helped Amazon to ease acceptance of AWS Identity and Access Management. It also improved the security of secret keys issued by Amazon to corporate clients, as they no longer needed to be explicitly shared with their corporate domain users.