Skip to main content

ADR-010 Use AWS IAM Identity Center customer managed applications for user access

Status

âś… Accepted

Context

AWS IAM Identity Center is integrating with Entra ID. We can simplify logon and access to the Analytical Platform by making use of customer managed application’s registered with Identity Center for our users.

Decision

We will use a customer managed application registered with AWS Identity Center to authenticate and authorise users access to Analytical Platform and AWS managed applications.

Consequences

General consequences

  • Trusted identity propagation will authorise access to AWS resources based on the user’s identity context and securely share the user’s identity context with other AWS services.
  • We won’t need to manage certificates for our applications against Entra ID, these will be managed by the Modernisation Platform Team.

Advantages

  • Centralised Cloudtrail logging against a single identity helps us identify requests made to AWS services
  • Our proposed solution will simplify the JML process by handling user removal through the existing JML processes and will not need to be handled by our team
  • Makes possible end-to-end auditing of users’ AWS activities easily reconciled to their Entra ID identity

Disadvantages

  • We will continue to require additional services to maintain access to Analytical Platform for users outside of JusticeUK
This page was last reviewed on 14 June 2024. It needs to be reviewed again on 14 December 2024 by the page owner #analytical-platform-notifications .
This page was set to be reviewed before 14 December 2024 by the page owner #analytical-platform-notifications. This might mean the content is out of date.