Securing AWS EC2 instance with Okta

Usecase Overview

The organization needs a modern, secure, and fully auditable approach for managing access to its AWS environment. This includes centralizing and controlling AWS Console authentication, enforcing granular least-privilege permissions, and giving administrators a unified way to reach all AWS EC2 servers. Traditional EC2 key-pair-based server access creates operational overhead and security risk, so the organization aims to eliminate static keys in favor of identity-based, short-lived access. Complete visibility into user activity, including session recordings and detailed audit trails, is also essential to support compliance requirements, streamline troubleshooting, and strengthen security governance across AWS workloads.

Solution

By integrating AWS with Okta and Okta Privileged Access (OPA), the organization can centralize and secure AWS Console authentication through Okta SSO with MFA, while enforcing granular, least-privilege access by mapping Okta groups to AWS IAM roles via SAML.

OPA further streamlines operations by providing a unified portal for accessing all AWS EC2 instances without relying on static SSH or RDP key pairs; instead it issues short-lived, identity-bound certificates for every connection. This keyless access model removes the operational and security burden of key management, and with OPA's session recording and server-level audit capabilities combined with Okta's authentication logs, the organization gains full visibility into who accessed what, when, and which actions were performed across all AWS resources.
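The SAML role mapping described above relies on each IAM role trusting only the Okta SAML provider. The following IAM role trust policy is an added example, not configuration from the page or from Okta; the account ID 111122223333 and the provider name "Okta" are placeholders for your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleFromOktaSamlOnly",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:saml-provider/Okta"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
```

The `SAML:aud` condition ensures the assertion was issued for the AWS sign-in endpoint, and the `Federated` principal pins the role to this one identity provider; the Okta app's Role attribute then carries the `role-arn,provider-arn` pair for each mapped group, so a user can only assume roles for groups they belong to.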

Prerequisites

  • Super admin privileges to access the Okta tenant.
  • Admin access to Okta Privileged Access.
  • Admin support or access to the AWS Console.
  • Admin access to the target EC2 servers.

Theoretical Demonstration

Please watch the video to understand how we can secure AWS and AWS EC2 instances with Okta.

Technical Demonstration

Watch a streamlined demo showing how to manage identities with Okta and secure both the AWS Console and EC2 instances using step-up MFA factors along with session recording to improve efficiency, security, and auditability.

Benefits

  • Centralized and secure AWS Console access
  • Granular, least-privilege access control
  • Unified access to all AWS accounts and EC2 servers
  • Elimination of the static key pairs used to access EC2 instances
  • Comprehensive session recording

Reference Links

Okta Privileged Access | Okta Identity Engine

Configure SAML and SCIM with Okta and IAM Identity Center – AWS IAM Identity Center

Self Service Access Request for AD Joined Servers

Usecase Overview

An organization needs to secure access to its servers by ensuring that users can request access only on the basis of their specific roles or departments. Every access request must go through a formal approval process to validate that the appropriate permissions are granted, and users must be limited to the actions permitted by their assigned roles. To further strengthen security, the organization requires regular password rotation for all server accounts. The system must also record all user sessions and securely store these recordings on the gateway for monitoring and auditing. The challenge is to implement a security framework that enforces these controls effectively and maintains tight control over server access.

Solution

By leveraging Okta, we can implement the above use case. For access requests we use the Okta Access Requests capability, which lets us control approval levels and segregate request types by department or role. For the servers, the Okta Advanced Server Access feature provides access to AD-joined servers and stores user activity through its session recording feature. For rotating AD server account passwords, we use the Okta Privileged Access feature. By combining these Okta products, we can build a robust and secure access management solution for sensitive resources.

Prerequisites

  • A running instance of on-premises Active Directory.
  • A running instance of the Linux Gateway for session recording.
  • A domain-joined Windows server that acts as the target resource.
  • Super admin privileges to access the Okta tenant.
  • Admin access to Okta Privileged Access, Okta Advanced Server Access, and Okta Access Requests.
  • Required access to the Okta Workflows application.
  • Feature – Manage Active Directory Accounts for Okta PA must be enabled. For more details, contact the Okta Support team.
  • Feature – Delegated workflow for Access Requests must be enabled.

Theoretical Demonstration

Please watch the video to understand why we are configuring self-service access requests (SSR) on AD-joined servers with password rotation using Okta.

Technical Demonstration

Watch a demonstration of managing identities in Okta and setting up access requests for AD-joined servers and accounts, along with the password rotation and session recording features, to improve efficiency, security, and auditing.

Benefits

  • Automated access grants and revocations enable quick, error-free granting and revoking of AD server account access.
  • Okta PA automatically rotates AD account passwords, reducing the window in which a compromised credential can be used.
  • All access and actions are recorded, making audits and compliance reporting straightforward.
  • Strong authentication and session recording deter misuse and assist in investigating incidents.
  • The process is automated end to end, so IT spends less time on manual work and users get access faster.

Reference Links

Okta Advanced Server Access

Managing AD Accounts using Okta Privileged Access

Okta Access Requests

Okta Workflows