ADR-010 Use AWS IAM Identity Center customer managed applications for user access
Status
✅ Accepted
Context
AWS IAM Identity Center integrates with Entra ID. We can simplify logon and access to the Analytical Platform by making use of customer managed applications registered with Identity Center for our users.
Decision
We will use a customer managed application registered with AWS IAM Identity Center to authenticate and authorise users' access to the Analytical Platform and to AWS managed applications.
Consequences
General consequences
- Trusted identity propagation will authorise access to AWS resources based on the user’s identity context and securely share the user’s identity context with other AWS services.
- We won’t need to manage certificates for our applications against Entra ID; these will be managed by the Modernisation Platform Team.
Advantages
- Centralised CloudTrail logging against a single identity helps us identify requests made to AWS services
- Our proposed solution simplifies the JML (joiners, movers and leavers) process: user removal is handled through the existing JML processes and will not need to be handled by our team
- Makes end-to-end auditing of users’ AWS activity possible, easily reconciled to their Entra ID identity
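The reconciliation the first and third advantages describe, as an added Python example that is not part of this ADR or of the Analytical Platform's own code: it groups CloudTrail events by the Entra ID identity they trace back to, and sets aside any event that cannot be tied to a person so it gets reviewed rather than ignored. It assumes that requests made through trusted identity propagation carry the Identity Center user under `userIdentity.onBehalfOf.userId` (my reading of the AWS CloudTrail record format; check it against your own logs), and that a SCIM-style mapping from Identity Center user IDs to Entra ID user principal names is available. The sample events, ARNs, user IDs and the mapping are all constructed placeholders.

```python
import json
from collections import defaultdict

IDENTITY_STORE_ARN = "arn:aws:identitystore::111122223333:identitystore/d-placeholder"  # placeholder


def _sample(time, source, name, session, user_id=None):
    """Build a constructed CloudTrail-shaped record (illustration only, not real log data).

    The onBehalfOf block is the shape I understand AWS to write for requests made with
    trusted identity propagation; it is omitted when no user context was propagated.
    """
    identity = {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::111122223333:assumed-role/ap-app-role/{session}",  # placeholder role
    }
    if user_id is not None:
        identity["onBehalfOf"] = {"userId": user_id, "identityStoreArn": IDENTITY_STORE_ARN}
    return {"eventTime": time, "eventSource": source, "eventName": name, "userIdentity": identity}


# Constructed sample events: two for a mapped user, one for an Identity Center user we
# have no mapping for, and one made by the application role with no user context at all.
SAMPLE_EVENTS = [
    _sample("2024-12-19T10:01:02Z", "athena.amazonaws.com", "StartQueryExecution", "s1", "user-id-alice"),
    _sample("2024-12-19T10:02:30Z", "s3.amazonaws.com", "GetObject", "s2", "user-id-alice"),
    _sample("2024-12-19T10:05:00Z", "s3.amazonaws.com", "GetObject", "s3", "user-id-unknown"),
    _sample("2024-12-19T10:07:45Z", "s3.amazonaws.com", "ListObjects", "s4"),
]

# Constructed mapping from Identity Center user IDs to Entra ID user principal names,
# as a SCIM provisioning sync would populate it (placeholder values).
IDENTITY_CENTER_TO_ENTRA = {
    "user-id-alice": "alice@example.org",
}


def propagated_user_id(event):
    """Return the Identity Center user ID a request was made on behalf of, or None."""
    return event.get("userIdentity", {}).get("onBehalfOf", {}).get("userId")


def reconcile(events, mapping):
    """Group CloudTrail events by the Entra ID identity they reconcile to.

    Returns (by_identity, unattributed). by_identity maps an Entra ID UPN to the
    (eventTime, eventSource, eventName) tuples made on that user's behalf;
    unattributed lists events that cannot be tied to a person, each with a reason,
    so the audit trail has no silent gaps.
    """
    by_identity = defaultdict(list)
    unattributed = []
    for event in events:
        summary = (event["eventTime"], event["eventSource"], event["eventName"])
        user_id = propagated_user_id(event)
        if user_id is None:
            unattributed.append((summary, "no onBehalfOf identity context"))
        elif user_id not in mapping:
            unattributed.append((summary, f"unmapped Identity Center user {user_id}"))
        else:
            by_identity[mapping[user_id]].append(summary)
    return dict(by_identity), unattributed


if __name__ == "__main__":
    grouped, leftovers = reconcile(SAMPLE_EVENTS, IDENTITY_CENTER_TO_ENTRA)
    print(json.dumps(grouped, indent=2))
    for summary, reason in leftovers:
        print("REVIEW:", summary, "-", reason)
```

In practice the events would come from the CloudTrail log bucket or a CloudTrail Lake query and the mapping from the Identity Center identity store, but the two review reasons are the useful output either way: an unmapped user ID usually means a provisioning or leaver-processing gap, and a request with no propagated user context is activity by the application role itself that the per-person audit trail cannot explain.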
Disadvantages
- We will continue to require additional services to maintain access to Analytical Platform for users outside of JusticeUK
This page was last reviewed on 19 December 2024. It needs to be reviewed again on 19 June 2025 by the page owner #analytical-platform-notifications.