Multicloud security and identity with Azure and Amazon Web Services (AWS)
Many organizations are finding themselves with a de facto multicloud strategy, even if that wasn't their deliberate strategic intention. In a multicloud environment, it's critical to ensure consistent security and identity experiences; otherwise developers and business initiatives face increased friction, and the organization faces increased risk from cyberattacks that take advantage of security gaps.
Driving security and identity consistency across clouds should include:
- Multicloud identity integration
- Strong authentication and explicit trust validation
- Cloud Platform Security (multicloud)
- Microsoft Defender for Cloud
- Privilege Identity Management (Azure)
- Consistent end-to-end identity management
Multicloud identity integration
Customers using both Azure and AWS cloud platforms benefit from consolidating identity services between these two clouds using Microsoft Entra ID and Single Sign-on (SSO) services. This model allows for a consolidated identity plane through which access to services in both clouds can be consistently accessed and governed.
This approach allows the rich role-based access controls in Microsoft Entra ID to be extended across the Identity and Access Management (IAM) services in AWS, using rules that map the user.userprincipalname and user.assignrole attributes from Microsoft Entra ID to IAM permissions. It reduces the number of unique identities that users and administrators must maintain across both clouds, and consolidates the identity-per-account design that AWS employs. AWS IAM supports this federation and specifically identifies Microsoft Entra ID as a federation and authentication source for its customers.
A complete walk-through of this integration can be found in the Tutorial: Microsoft Entra single sign-on (SSO) integration with Amazon Web Services (AWS).
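The mapping described above lands in the AWS SAML attributes of the assertion Entra ID issues: the user principal name becomes the RoleSessionName and each assigned role becomes a "role-arn,provider-arn" pair. The following added example (not code from the article, Microsoft or AWS) parses a constructed assertion and checks that every mapped role belongs to an approved AWS account; the attribute names are AWS's documented SAML attributes, while the ARNs and account allow-list are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# AWS's documented SAML attribute names; Entra ID fills them from the
# user's principal name and assigned app roles.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Constructed sample; a real assertion is signed and wrapped in a samlp:Response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/EntraReadOnly,arn:aws:iam::111111111111:saml-provider/EntraID</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:role/EntraAdmin,arn:aws:iam::222222222222:saml-provider/EntraID</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(root, name):
    """All AttributeValue strings carried by the SAML attribute called `name`."""
    return [v.text.strip() for a in root.iterfind(".//saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.iterfind("saml:AttributeValue", NS) if v.text]

def parse_role_pair(value):
    """Split an AWS 'role-arn,provider-arn' value into (account, role_arn)."""
    role_arn, provider_arn = (p.strip() for p in value.split(","))
    account = role_arn.split(":")[4]          # ARN field 4 is the account ID
    if provider_arn.split(":")[4] != account:
        raise ValueError(f"role and provider ARNs name different accounts: {value}")
    return account, role_arn

def check_assertion(xml_text, allowed_accounts):
    """Summarise the mapping and flag roles outside the approved AWS accounts."""
    root = ET.fromstring(xml_text)
    session = attribute_values(root, SESSION_ATTR)
    if len(session) != 1:
        raise ValueError("exactly one RoleSessionName expected")
    result = {"session_name": session[0], "accepted": [], "rejected": []}
    for value in attribute_values(root, ROLE_ATTR):
        account, role_arn = parse_role_pair(value)
        bucket = "accepted" if account in allowed_accounts else "rejected"
        result[bucket].append(role_arn)
    return result

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, {"111111111111"}))
```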
Strong authentication and explicit trust validation
Because many customers continue to support a hybrid identity model for Active Directory services, it's increasingly important for security engineering teams to implement strong authentication solutions and block legacy authentication methods associated primarily with on-premises and legacy Microsoft technologies.
A combination of multifactor authentication and Conditional Access policies enables enhanced security for common authentication scenarios for end users in your organization. While multifactor authentication itself provides an increased level of assurance when confirming authentications, additional Conditional Access controls can be applied to block legacy authentication to both Azure and AWS cloud environments. Strong authentication using only modern authentication clients is only possible with the combination of multifactor authentication and Conditional Access policies.
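The two controls combined above can be verified against a tenant's exported policies. This added example (not Microsoft's code) evaluates policies in the Microsoft Graph conditionalAccessPolicy shape for both conditions: an enforced MFA requirement for all users on all apps, and an enforced block covering every legacy client type; the sample policies are constructed, and the second one is left in report-only mode to show the gap that check reports.

```python
# Graph clientAppTypes values that represent legacy authentication clients.
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

# Constructed sample export; MFA is enforced, the legacy block is report-only.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _enforced(policy):
    return policy.get("state") == "enabled"

def _covers_everyone(policy):
    c = policy["conditions"]
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))

def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))

def requires_mfa_everywhere(policies):
    """True if an enforced policy requires MFA for all users on all apps."""
    return any(_enforced(p) and _covers_everyone(p) and "mfa" in _controls(p)
               for p in policies)

def blocks_legacy_auth(policies):
    """True if enforced block policies together cover every legacy client type.
    MFA alone does not do this: legacy clients cannot perform MFA, so they
    must be blocked outright by Conditional Access."""
    blocked = set()
    for p in policies:
        if _enforced(p) and _covers_everyone(p) and "block" in _controls(p):
            blocked |= set(p["conditions"].get("clientAppTypes", []))
    return LEGACY_CLIENTS <= blocked

def findings(policies):
    """Human-readable gaps a reviewer would raise."""
    gaps = []
    if not requires_mfa_everywhere(policies):
        gaps.append("no enforced MFA policy covers all users and all apps")
    if not blocks_legacy_auth(policies):
        gaps.append("legacy authentication clients are not fully blocked")
    return gaps
```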
Cloud Platform Security (multicloud)
Once a common identity has been established in your multicloud environment, the Cloud Platform Security (CPS) service of Microsoft Defender for Cloud Apps can be used to discover, monitor, assess, and protect those services. Using the Cloud Discovery dashboard, security operations personnel can review the apps and resources being used across AWS and Azure cloud platforms. Once services are reviewed and sanctioned for use, the services can then be managed as enterprise applications in Microsoft Entra ID to enable Security Assertion Markup Language (SAML), password-based, and linked Single Sign-On mode for the convenience of users.
CPS also provides the ability to assess the connected cloud platforms for misconfigurations and compliance using vendor-specific recommended security and configuration controls. This design enables organizations to maintain a single consolidated view of all cloud platform services and their compliance status.
CPS also provides access and session control policies that protect your environment from risky endpoints or users, for example when data is exfiltrated from or malicious files are introduced into those platforms.
Microsoft Defender for Cloud
Microsoft Defender for Cloud provides unified security management and threat protection across your hybrid and multicloud workloads, including workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Defender for Cloud helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.
To protect your AWS-based resources on Microsoft Defender for Cloud, you can connect an account with either the Classic cloud connectors experience or the Environment settings page (in preview), which is recommended.
Privileged Identity Management (Azure)
To limit and control access for your highest privileged accounts in Microsoft Entra ID, Privileged Identity Management (PIM) can be enabled to provide just-in-time access to Azure services. Once deployed, PIM can be used to control and limit access using the assignment model for roles, eliminate persistent access for these privileged accounts, and provide additional discovery and monitoring of users with these account types.
When combined with Microsoft Sentinel, workbooks and playbooks can be established to monitor for lateral movement by compromised accounts and raise alerts to your security operations center personnel.
Consistent end-to-end identity management
Ensure that all processes include an end-to-end view of all clouds as well as on-premises systems and that security and identity personnel are trained on these processes.
Using a single identity across Microsoft Entra ID, AWS accounts, and on-premises services enables this end-to-end strategy and allows for greater security and protection of both privileged and non-privileged accounts. Customers who are looking to reduce the burden of maintaining multiple identities in their multicloud strategy adopt Microsoft Entra ID to provide consistent and strong control, auditing, and detection of anomalies and abuse of identities in their environment.
Continued growth of new capabilities across the Microsoft Entra ecosystem helps you stay ahead of threats to your environment as a result of using identities as a common control plane in your multicloud environments.
Next steps
- Microsoft Entra B2B: enables access to your corporate applications from partner-managed identities.
- Azure Active Directory B2C: service offering support for single sign-on and user management for consumer-facing applications.
- Microsoft Entra Domain Services: hosted domain controller service, allowing Active Directory compatible domain join and user management functionality.
- Getting started with Microsoft Azure security
- Azure Identity Management and access control security best practices