9/1/25About 9 min
Chapter 12: Hands-on Project: Enterprise-level IAM Architecture Design
Learning Objectives
By the end of this chapter, you will be able to:
- Design a multi-account IAM architecture
- Implement a hierarchical permission management system
- Build an automated IAM management workflow
- Establish an IAM security monitoring and response mechanism
- Formulate IAM governance and compliance strategies
Knowledge Points
12.1 Project Background and Requirements Analysis
12.1.1 Enterprise Scenario Description
Suppose we are designing an IAM architecture for a medium-sized technology company with the following characteristics:
- Number of employees: 500-1000
- Departments: Engineering, Product, Sales, Marketing, Operations, Finance
- Environments: Development, Testing, Staging, Production
- Applications: Web applications, mobile applications, data analysis platform, internal tools
- Compliance requirements: SOC 2, ISO 27001, GDPR
12.1.2 Architecture Design Python Framework
import boto3
import json
from typing import Dict, List, Any, Optional
from dataclasses import dataclass
from enum import Enum
from datetime import datetime, timedelta
import yaml
class Environment(Enum):
DEVELOPMENT = "dev"
TESTING = "test"
STAGING = "staging"
PRODUCTION = "prod"
class Department(Enum):
ENGINEERING = "engineering"
PRODUCT = "product"
SALES = "sales"
MARKETING = "marketing"
DEVOPS = "devops"
FINANCE = "finance"
@dataclass
class IAMPrincipal:
"""IAM Principal Definition"""
name: str
type: str # user, role, group
department: Department
environment_access: List[Environment]
permissions: List[str]
tags: Dict[str, str]
@dataclass
class AccountStructure:
"""Account Structure Definition"""
account_id: str
account_name: str
environment: Environment
purpose: str
organizational_unit: str
class EnterpriseIAMArchitect:
"""Enterprise-level IAM Architect"""
def __init__(self):
self.organizations = boto3.client('organizations')
self.iam = boto3.client('iam')
self.sts = boto3.client('sts')
self.sso = boto3.client('sso-admin')
def design_account_structure(self) -> Dict[str, Any]:
"""Design a multi-account structure"""
account_structure = {
"root_account": {
"account_id": "111111111111",
"purpose": "Organization management and billing",
"services": ["Organizations", "Control Tower", "SSO"]
},
"security_account": {
"account_id": "222222222222",
"purpose": "Centralized security and compliance",
"services": ["CloudTrail", "Config", "GuardDuty", "Security Hub"]
},
"shared_services": {
"account_id": "333333333333",
"purpose": "Shared infrastructure and services",
"services": ["DNS", "Active Directory", "Monitoring"]
},
"environments": {
"development": {
"account_id": "444444444444",
"purpose": "Development workloads",
"access_level": "broad"
},
"testing": {
"account_id": "555555555555",
"purpose": "Testing and QA workloads",
"access_level": "moderate"
},
"staging": {
"account_id": "666666666666",
"purpose": "Pre-production testing",
"access_level": "restricted"
},
"production": {
"account_id": "777777777777",
"purpose": "Production workloads",
"access_level": "minimal"
}
}
}
return account_structure
def create_organizational_units(self) -> Dict[str, str]:
"""Create an organizational unit structure"""
ou_structure = {}
try:
# Get the root organization ID
root_response = self.organizations.list_roots()
root_id = root_response['Roots'][0]['Id']
# Create the main OUs
security_ou = self.organizations.create_organizational_unit(
ParentId=root_id,
Name='Security'
)
ou_structure['Security'] = security_ou['OrganizationalUnit']['Id']
workloads_ou = self.organizations.create_organizational_unit(
ParentId=root_id,
Name='Workloads'
)
ou_structure['Workloads'] = workloads_ou['OrganizationalUnit']['Id']
# Create environment OUs under Workloads
for env in Environment:
env_ou = self.organizations.create_organizational_unit(
ParentId=workloads_ou['OrganizationalUnit']['Id'],
Name=env.value.title()
)
ou_structure[f'Workloads-{env.value}'] = env_ou['OrganizationalUnit']['Id']
return ou_structure
except Exception as e:
print(f"Failed to create organizational units: {e}")
return ou_structure
def design_permission_boundary_strategy(self) -> Dict[str, Any]:
"""Design a permissions boundary strategy"""
# Developer permissions boundary
developer_boundary = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedTag/Environment": [
"development",
"testing"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"organizations:*",
"account:*",
"iam:CreateUser",
"iam:DeleteUser",
"iam:CreateRole",
"iam:DeleteRole"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedTag/Environment": [
"staging",
"production"
]
}
}
}
]
}
# DevOps permissions boundary
devops_boundary = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"ap-northeast-1", # Forbid access to certain regions
"ap-southeast-1"
]
}
}
},
{
"Effect": "Deny",
"Action": [
"organizations:*",
"account:CloseAccount"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ec2.amazonaws.com",
"lambda.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
}
}
}
]
}
# Finance permissions boundary
finance_boundary = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ce:*",
"cur:*",
"budgets:*",
"billing:*",
"account:GetAccountInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::billing-reports/*",
"arn:aws:s3:::cost-optimization/*"
]
},
{
"Effect": "Deny",
"Action": "*",
"NotResource": [
"arn:aws:ce:*",
"arn:aws:cur:*",
"arn:aws:budgets:*",
"arn:aws:s3:::billing-reports/*"
]
}
]
}
return {
"developer": developer_boundary,
"devops": devops_boundary,
"finance": finance_boundary
}
def create_role_hierarchy(self) -> Dict[str, Any]:
"""Create a role hierarchy"""
role_hierarchy = {
"administrative_roles": {
"OrganizationAdmin": {
"description": "Organization administrator, manages the AWS organization structure",
"permissions": ["organizations:*", "account:*"],
"restrictions": ["Cannot directly access workloads", "Requires MFA"],
"assume_conditions": {
"Bool": {"aws:MultiFactorAuthPresent": "true"},
"NumericLessThan": {"aws:MultiFactorAuthAge": "1800"}
}
},
"SecurityAdmin": {
"description": "Security administrator, manages IAM and security configurations",
"permissions": ["iam:*", "config:*", "cloudtrail:*"],
"restrictions": ["Cannot access application data", "Independent of the development team"],
"assume_conditions": {
"Bool": {"aws:MultiFactorAuthPresent": "true"},
"StringEquals": {"aws:PrincipalTag/Department": "Security"}
}
},
"AuditAdmin": {
"description": "Audit administrator, read-only access to audit logs",
"permissions": ["*:Get*", "*:List*", "*:Describe*"],
"restrictions": ["Read-only permissions", "Cannot modify configurations"],
"assume_conditions": {
"Bool": {"aws:MultiFactorAuthPresent": "true"}
}
}
},
"operational_roles": {
"DevOpsEngineer": {
"description": "DevOps engineer, manages infrastructure",
"permissions": ["ec2:*", "cloudformation:*", "lambda:*"],
"restrictions": ["Cannot modify IAM", "Environment isolation"],
"assume_conditions": {
"StringEquals": {"aws:ResourceTag/Environment": "${aws:PrincipalTag/AllowedEnvironment}"}
}
},
"DatabaseAdmin": {
"description": "Database administrator, manages database resources",
"permissions": ["rds:*", "dynamodb:*"],
"restrictions": ["Cannot access application data", "Can only manage database instances"],
"assume_conditions": {
"Bool": {"aws:MultiFactorAuthPresent": "true"}
}
}
},
"application_roles": {
"WebServerRole": {
"description": "Web server role",
"permissions": ["s3:GetObject", "dynamodb:GetItem"],
"restrictions": ["Can only access specified resources"],
"assume_conditions": {
"StringEquals": {"ec2:SourceInstanceARN": "${aws:TokenIssueTime}"}
}
},
"LambdaExecutionRole": {
"description": "Lambda function execution role",
"permissions": ["logs:*", "s3:GetObject"],
"restrictions": ["Least privilege"],
"assume_conditions": {
"StringEquals": {"aws:SourceArn": "arn:aws:lambda:*"}
}
}
}
}
return role_hierarchy
# Example usage
architect = EnterpriseIAMArchitect()
# Design the account structure
account_design = architect.design_account_structure()
print("Account structure design:")
for category, details in account_design.items():
if isinstance(details, dict) and 'account_id' in details:
print(f" {category}: {details['account_id']} - {details['purpose']}")
# Create organizational units
ou_structure = architect.create_organizational_units()
print(f"\nOrganizational unit creation result: {len(ou_structure)} OUs created")
# Design permissions boundaries
boundaries = architect.design_permission_boundary_strategy()
print(f"\nPermissions boundary policies: {list(boundaries.keys())}")
# Create a role hierarchy
role_hierarchy = architect.create_role_hierarchy()
print(f"\nRole hierarchy:")
print(f" Management levels: {len(role_hierarchy)} main categories")12.2 Identity Federation and SSO Integration
12.2.1 Enterprise Identity Provider Integration
class EnterpriseIdentityFederation:
"""Enterprise Identity Federation Management"""
def __init__(self):
self.sso = boto3.client('sso-admin')
self.identitystore = boto3.client('identitystore')
self.iam = boto3.client('iam')
def setup_sso_instance(self) -> Dict[str, Any]:
"""Set up an SSO instance"""
try:
# Get SSO instance information
instances = self.sso.list_instances()
if not instances['Instances']:
print("❌ No SSO instance found, please enable AWS SSO first")
return {}
instance = instances['Instances'][0]
instance_arn = instance['InstanceArn']
identity_store_id = instance['IdentityStoreId']
# Configure the identity source
identity_source_config = {
"instance_arn": instance_arn,
"identity_store_id": identity_store_id,
"external_identity_provider": {
"type": "SAML",
"configuration": {
"metadata_document": self._get_saml_metadata(),
"login_url": "https://company.okta.com/login",
"logout_url": "https://company.okta.com/logout"
}
}
}
return identity_source_config
except Exception as e:
print(f"Failed to set up SSO instance: {e}")
return {}
def create_permission_sets(self) -> Dict[str, str]:
"""Create permission sets"""
permission_sets = {}
# Define permission set configurations
permission_set_configs = {
"DeveloperAccess": {
"description": "Developer access with limited permissions",
"session_duration": "PT8H", # 8 hours
"managed_policies": [
"arn:aws:iam::aws:policy/PowerUserAccess"
],
"inline_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"iam:*",
"organizations:*",
"account:*"
],
"Resource": "*"
}
]
}
},
"DevOpsAccess": {
"description": "DevOps full access with MFA requirement",
"session_duration": "PT4H", # 4 hours
"managed_policies": [
"arn:aws:iam::aws:policy/AdministratorAccess"
],
"inline_policy": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
},
"ReadOnlyAccess": {
"description": "Read-only access for analysts",
"session_duration": "PT12H", # 12 hours
"managed_policies": [
"arn:aws:iam::aws:policy/ReadOnlyAccess"
],
"customer_managed_policies": [
"BillingReadOnlyAccess"
]
},
"SecurityAuditorAccess": {
"description": "Security auditor access",
"session_duration": "PT6H", # 6 hours
"managed_policies": [
"arn:aws:iam::aws:policy/SecurityAudit",
"arn:aws:iam::aws:policy/ReadOnlyAccess"
]
}
}
try:
sso_instance = self.setup_sso_instance()
instance_arn = sso_instance.get('instance_arn')
if not instance_arn:
return permission_sets
for ps_name, ps_config in permission_set_configs.items():
# Create a permission set
response = self.sso.create_permission_set(
Name=ps_name,
Description=ps_config['description'],
InstanceArn=instance_arn,
SessionDuration=ps_config['session_duration'],
Tags=[
{
'Key': 'Purpose',
'Value': 'Enterprise-SSO'
}
]
)
ps_arn = response['PermissionSet']['PermissionSetArn']
permission_sets[ps_name] = ps_arn
# Attach AWS managed policies
if 'managed_policies' in ps_config:
for policy_arn in ps_config['managed_policies']:
self.sso.attach_managed_policy_to_permission_set(
InstanceArn=instance_arn,
PermissionSetArn=ps_arn,
ManagedPolicyArn=policy_arn
)
# Add an inline policy
if 'inline_policy' in ps_config:
self.sso.put_inline_policy_to_permission_set(
InstanceArn=instance_arn,
PermissionSetArn=ps_arn,
InlinePolicy=json.dumps(ps_config['inline_policy'])
)
print(f"Permission set {ps_name} created successfully: {ps_arn}")
return permission_sets
except Exception as e:
print(f"Failed to create permission sets: {e}")
return permission_sets
def setup_group_mappings(self, permission_sets: Dict[str, str]) -> Dict[str, Any]:
"""Set up group mappings"""
# Define mappings from AD groups to permission sets
group_mappings = {
"Engineering-Developers": {
"permission_set": "DeveloperAccess",
"accounts": ["444444444444", "555555555555"] # dev, test
},
"Engineering-DevOps": {
"permission_set": "DevOpsAccess",
"accounts": ["444444444444", "555555555555", "666666666666", "777777777777"] # all
},
"Finance-Analysts": {
"permission_set": "ReadOnlyAccess",
"accounts": ["111111111111"] # root account for billing
},
"Security-Team": {
"permission_set": "SecurityAuditorAccess",
"accounts": ["222222222222"] # security account
}
}
mapping_results = {}
try:
sso_instance = self.setup_sso_instance()
instance_arn = sso_instance.get('instance_arn')
identity_store_id = sso_instance.get('identity_store_id')
if not instance_arn:
return mapping_results
for group_name, mapping_config in group_mappings.items():
try:
# Find the group ID
groups = self.identitystore.list_groups(
IdentityStoreId=identity_store_id,
Filters=[
{
'AttributePath': 'DisplayName',
'AttributeValue': group_name
}
]
)
if not groups['Groups']:
print(f"Group {group_name} does not exist, skipping mapping")
continue
group_id = groups['Groups'][0]['GroupId']
ps_arn = permission_sets.get(mapping_config['permission_set'])
if not ps_arn:
print(f"Permission set {mapping_config['permission_set']} does not exist")
continue
# Create an assignment for each account
for account_id in mapping_config['accounts']:
assignment_response = self.sso.create_account_assignment(
InstanceArn=instance_arn,
TargetId=account_id,
TargetType='AWS_ACCOUNT',
PermissionSetArn=ps_arn,
PrincipalType='GROUP',
PrincipalId=group_id
)
print(f"Group {group_name} has been assigned to account {account_id}")
mapping_results[group_name] = {
'group_id': group_id,
'permission_set': mapping_config['permission_set'],
'accounts': mapping_config['accounts'],
'status': 'success'
}
except Exception as e:
mapping_results[group_name] = {
'status': 'error',
'error': str(e)
}
return mapping_results
except Exception as e:
print(f"Failed to set up group mappings: {e}")
return mapping_results
def _get_saml_metadata(self) -> str:
"""Get SAML metadata"""
# This should return the actual SAML identity provider metadata
return """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.company.com/saml">
<!-- SAML metadata content -->
</md:EntityDescriptor>"""
# Example usage
identity_federation = EnterpriseIdentityFederation()
# Set up the SSO instance
sso_config = identity_federation.setup_sso_instance()
print("SSO instance configuration:")
print(f"Instance ARN: {sso_config.get('instance_arn')}")
# Create permission sets
permission_sets = identity_federation.create_permission_sets()
print(f"\nCreated {len(permission_sets)} permission sets:")
for name, arn in permission_sets.items():
print(f" {name}: {arn}")
# Set up group mappings
group_mappings = identity_federation.setup_group_mappings(permission_sets)
print(f"\nGroup mapping results:")
for group, result in group_mappings.items():
if result['status'] == 'success':
print(f" {group}: Successfully mapped to {len(result['accounts'])} accounts")
else:
print(f" {group}: Mapping failed - {result['error']}")12.3 Complete Deployment Script
12.3.1 Infrastructure as Code Deployment
class EnterpriseIAMDeployment:
"""Complete Enterprise IAM Deployment"""
def __init__(self):
self.cloudformation = boto3.client('cloudformation')
self.iam = boto3.client('iam')
self.organizations = boto3.client('organizations')
def deploy_complete_iam_infrastructure(self) -> Dict[str, Any]:
"""Deploy the complete IAM infrastructure"""
deployment_results = {
'foundation': self._deploy_foundation_stack(),
'identity_federation': self._deploy_identity_federation(),
'governance': self._deploy_governance_automation(),
'monitoring': self._deploy_monitoring_stack(),
'validation': self._validate_deployment()
}
return deployment_results
def _deploy_foundation_stack(self) -> Dict[str, Any]:
"""Deploy the foundation stack"""
foundation_template = {
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Enterprise IAM Foundation Stack",
"Parameters": {
"OrganizationName": {
"Type": "String",
"Default": "TechCorp",
"Description": "Organization name for resource naming"
}
},
"Resources": {
# Permissions boundary policy
"DeveloperPermissionsBoundary": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedTag/Environment": ["development", "testing"]
}
}
},
{
"Effect": "Deny",
"Action": [
"organizations:*",
"account:*",
"iam:CreateUser",
"iam:DeleteUser"
],
"Resource": "*"
}
]
},
"Description": "Permissions boundary for developers"
}
},
# Basic IAM roles
"CrossAccountAuditRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::222222222222:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": {"Ref": "AWS::AccountId"}
}
}
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/SecurityAudit",
"arn:aws:iam::aws:policy/ReadOnlyAccess"
],
"Tags": [
{
"Key": "Purpose",
"Value": "CrossAccountAudit"
}
]
}
}
},
"Outputs": {
"DeveloperBoundaryArn": {
"Description": "ARN of Developer Permissions Boundary",
"Value": {"Ref": "DeveloperPermissionsBoundary"},
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-DeveloperBoundary"}
}
},
"AuditRoleArn": {
"Description": "ARN of Cross Account Audit Role",
"Value": {"Fn::GetAtt": ["CrossAccountAuditRole", "Arn"]},
"Export": {
"Name": {"Fn::Sub": "${AWS::StackName}-AuditRole"}
}
}
}
}
try:
response = self.cloudformation.create_stack(
StackName='enterprise-iam-foundation',
TemplateBody=json.dumps(foundation_template),
Capabilities=['CAPABILITY_IAM'],
Tags=[
{
'Key': 'Project',
'Value': 'EnterpriseIAM'
},
{
'Key': 'Environment',
'Value': 'Infrastructure'
}
]
)
return {
'status': 'success',
'stack_id': response['StackId']
}
except Exception as e:
return {
'status': 'failed',
'error': str(e)
}
def _deploy_identity_federation(self) -> Dict[str, Any]:
"""Deploy identity federation configuration"""
# This would deploy the SAML identity provider and related roles
try:
# Create a SAML identity provider
saml_metadata = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.company.com/saml">
<!-- SAML metadata content -->
</md:EntityDescriptor>"""
saml_provider = self.iam.create_saml_provider(
SAMLMetadataDocument=saml_metadata,
Name='CompanyADFS'
)
# Create a federated role
federated_role_trust_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": saml_provider['SAMLProviderArn']
},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
}
}
]
}
federated_role = self.iam.create_role(
RoleName='ADFS-DeveloperRole',
AssumeRolePolicyDocument=json.dumps(federated_role_trust_policy),
PermissionsBoundary='arn:aws:iam::123456789012:policy/DeveloperBoundary'
)
return {
'status': 'success',
'saml_provider_arn': saml_provider['SAMLProviderArn'],
'federated_role_arn': federated_role['Role']['Arn']
}
except Exception as e:
return {
'status': 'failed',
'error': str(e)
}
def _deploy_governance_automation(self) -> Dict[str, Any]:
"""Deploy governance automation"""
governance_template = {
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "IAM Governance Automation Stack",
"Resources": {
# Lambda function for automated response
"IAMGovernanceLambdaRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
],
"Policies": [
{
"PolicyName": "IAMGovernancePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:TagUser",
"iam:TagRole",
"iam:GetUser",
"iam:GetRole",
"ses:SendEmail",
"sns:Publish"
],
"Resource": "*"
}
]
}
}
]
}
},
# EventBridge rule to monitor IAM events
"IAMUserCreationRule": {
"Type": "AWS::Events::Rule",
"Properties": {
"EventPattern": {
"source": ["aws.iam"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["iam.amazonaws.com"],
"eventName": ["CreateUser"]
}
},
"Targets": [
{
"Id": "IAMUserCreationTarget",
"Arn": {"Fn::GetAtt": ["IAMUserCreationFunction", "Arn"]}
}
]
}
},
# SNS topic for alerts
"SecurityAlertsTopic": {
"Type": "AWS::SNS::Topic",
"Properties": {
"TopicName": "iam-security-alerts",
"Subscription": [
{
"Protocol": "email",
"Endpoint": "security@company.com"
}
]
}
}
}
}
try:
response = self.cloudformation.create_stack(
StackName='iam-governance-automation',
TemplateBody=json.dumps(governance_template),
Capabilities=['CAPABILITY_IAM'],
Tags=[
{
'Key': 'Project',
'Value': 'IAMGovernance'
}
]
)
return {
'status': 'success',
'stack_id': response['StackId']
}
except Exception as e:
return {
'status': 'failed',
'error': str(e)
}
def _deploy_monitoring_stack(self) -> Dict[str, Any]:
"""Deploy the monitoring stack"""
# Deploy CloudWatch Dashboard and Alarms
try:
dashboard_body = {
"widgets": [
{
"type": "metric",
"properties": {
"metrics": [
["AWS/IAM", "NumberOfUsers"],
["AWS/IAM", "NumberOfRoles"],
["AWS/IAM", "NumberOfPolicies"]
],
"period": 3600,
"stat": "Average",
"region": "us-east-1",
"title": "IAM Resource Count"
}
}
]
}
cloudwatch = boto3.client('cloudwatch')
cloudwatch.put_dashboard(
DashboardName='enterprise-iam-overview',
DashboardBody=json.dumps(dashboard_body)
)
return {
'status': 'success',
'dashboard_name': 'enterprise-iam-overview'
}
except Exception as e:
return {
'status': 'failed',
'error': str(e)
}
def _validate_deployment(self) -> Dict[str, Any]:
"""Validate the deployment results"""
validation_results = {
'foundation_stack': self._check_stack_status('enterprise-iam-foundation'),
'governance_stack': self._check_stack_status('iam-governance-automation'),
'iam_resources': self._validate_iam_resources(),
'permissions_test': self._test_permissions()
}
return validation_results
def _check_stack_status(self, stack_name: str) -> str:
"""Check the stack status"""
try:
response = self.cloudformation.describe_stacks(StackName=stack_name)
return response['Stacks'][0]['StackStatus']
except:
return 'NOT_FOUND'
def _validate_iam_resources(self) -> Dict[str, bool]:
"""Validate IAM resources"""
validation = {}
try:
# Check the permissions boundary policy
self.iam.get_policy(PolicyArn='arn:aws:iam::123456789012:policy/DeveloperPermissionsBoundary')
validation['developer_boundary'] = True
except:
validation['developer_boundary'] = False
try:
# Check the cross-account audit role
self.iam.get_role(RoleName='CrossAccountAuditRole')
validation['audit_role'] = True
except:
validation['audit_role'] = False
return validation
def _test_permissions(self) -> Dict[str, bool]:
"""Test permission configurations"""
# This is where you would add actual permission testing logic
return {
'developer_access': True,
'admin_access': True,
'cross_account_access': True
}
# Main deployment function
def main():
"""Main deployment process"""
print("Starting enterprise-level IAM architecture deployment...")
# Initialize the deployer
deployer = EnterpriseIAMDeployment()
# Execute the complete deployment
deployment_results = deployer.deploy_complete_iam_infrastructure()
print("\nDeployment results summary:")
print("=" * 50)
for component, result in deployment_results.items():
if isinstance(result, dict) and 'status' in result:
status = "✅ Success" if result['status'] == 'success' else "❌ Failed"
print(f"{component}: {status}")
if result['status'] == 'failed':
print(f" Error: {result.get('error', 'Unknown error')}")
else:
print(f"{component}: Complete")
print("\nDeployment complete!")
print("\nNext steps:")
print("1. Verify that all IAM resources have been created correctly")
print("2. Test user and role permissions")
print("3. Configure monitoring and alerting")
print("4. Perform a security audit")
print("5. Train administrators and users")
if __name__ == "__main__":
main()Project Summary
Architecture Features
This enterprise-level IAM architecture has the following features:
- Multi-layered Security: Preventive controls + Detective controls + Responsive controls
- Zero Trust Principle: Least privilege + Continuous verification + Dynamic access control
- Automated Governance: Automated monitoring + Automated response + Automated reporting
- Scalable Design: Supports multi-account + Multi-environment + Multi-department
- Compliance-oriented: Built-in compliance checks + Audit trail + Regular reporting
Key Technology Stack
- Identity Management: AWS SSO + SAML 2.0 + OIDC
- Permission Control: IAM Roles + Policies + Boundaries
- Governance Automation: Lambda + EventBridge + Config Rules
- Monitoring and Alerting: CloudWatch + CloudTrail + SNS
- Infrastructure: CloudFormation + Python + Boto3
Operational Recommendations
- Regular Reviews: Conduct monthly permission reviews and quarterly architecture assessments
- Continuous Improvement: Optimize permission configurations based on monitoring data
- Security Training: Regularly train administrators and developers
- Disaster Recovery: Develop an IAM-related disaster recovery plan
- Version Control: Keep all IAM configurations under version control
Future Directions
- AI/ML Enhancement: Use machine learning to detect anomalous access patterns
- Zero Trust: Further deepen the implementation of the zero trust architecture
- Multi-cloud Support: Extend to unified identity management for other cloud platforms
- DevSecOps: Deeper integration of development, security, and operations
By completing this hands-on project, you have mastered the complete knowledge and skills to design and implement an enterprise-level IAM architecture, and can provide professional identity and access management solutions for enterprises of different sizes and needs.