Deleting a passport account from an organization
This guide describes how to delete a privileged passport account with the organization-manager.organizations.owner role from an organization.
This may be necessary if you require full control over how a privileged account authenticates. Here, a privileged account is an account that has full privileges to an organization and all of the organization's resources.
You can delete a privileged account if you have previously granted the organization-manager.organizations.owner role to a federated account. However, this creates a risk: if the federation fails (on the cloud or the client side), it may become impossible to manage the organization using any federated account.
The guide covers the actions that mitigate the risks related to federation failure.
Primary actions
- Create a federation.
- Verify that the federation works by logging in as a federated user.
- Assign the organization-manager.organizations.owner role to a federated user:

  CLI

  yc organization-manager organization add-access-binding \
    --id=<organization_ID> \
    --subject=federatedUser:<federated_user_ID> \
    --role=organization-manager.organizations.owner

- Create a service cloud called security.
- Assign the admin role for the security cloud to security officers so that they can restore access to the cloud if the federation fails.
- Create a service account in the security cloud as a way to recover access to the organization in an emergency. If you are using an existing service account, make sure it has no static access keys or API keys:

  CLI

  yc iam api-key list --service-account-id=<service_account_ID>
  yc iam access-key list --service-account-id=<service_account_ID>

  Warning

  A security officer who controls the service account assigned the organization-manager.organizations.owner role can use it to escalate their own role up to organization-manager.organizations.owner. Make sure that only security officers have administrator access to the security cloud and to the service account; check the service account's access bindings with the command below:

  CLI

  yc iam service-account list-access-bindings --id <service_account_ID>

  Remember that a service account can be controlled by any user with the admin role for the folder, cloud, or organization hosting the service account. After gaining control of the service account, such users can perform any action in the organization, including granting themselves any role up to organization-manager.organizations.owner. Make sure that only trusted users have the admin role for the service account as well as for the folder, cloud, and organization hosting this account.

- Assign the organization-manager.organizations.owner role to the service account:

  CLI

  yc organization-manager organization add-access-binding \
    --id=<organization_ID> \
    --service-account-id=<service_account_ID> \
    --role=organization-manager.organizations.owner

- Create an authorized key for the service account.
- Save the key file in trusted storage.
- Revoke the organization-manager.organizations.owner role from the passport account using the console or the command-line interface:

  CLI

  yc organization-manager organization remove-access-binding \
    --id=<organization_ID> \
    --user-account-id=<passport_account_ID> \
    --role=organization-manager.organizations.owner
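The two checks the steps above ask for before the emergency service account is trusted with the owner role (no leftover static or API keys, and no access bindings to anyone other than security officers) can be scripted. The following is an added example, not part of this guide and not Yandex Cloud's own tooling. It assumes the yc CLI is invoked with --format json and that the output of yc iam api-key list, yc iam access-key list and yc iam service-account list-access-bindings is a JSON list with the field names used below (id for keys; role_id and subject.id for bindings); the resource IDs and the sample lists are constructed so that the decision logic runs offline.

```python
"""Pre-flight checks for the emergency (break-glass) service account.

Added example, not part of this guide or of Yandex Cloud's tooling.
ASSUMPTION: `yc ... --format json` returns lists of objects with the field
names used below (`id` for keys, `role_id` and `subject.id` for access
bindings). All IDs and sample lists here are constructed, not real output.
"""
from __future__ import annotations

import json
import subprocess

# Constructed placeholders standing in for real resource IDs.
EMERGENCY_SA_ID = "sa-emergency-CONSTRUCTED"
SECURITY_OFFICERS = {"user-officer-1-CONSTRUCTED", "user-officer-2-CONSTRUCTED"}

# Constructed samples in the assumed `--format json` shape.
SAMPLE_API_KEYS = [{"id": "apikey-leftover-CONSTRUCTED", "service_account_id": EMERGENCY_SA_ID}]
SAMPLE_ACCESS_KEYS: list[dict] = []
SAMPLE_BINDINGS = [
    {"role_id": "admin", "subject": {"id": "user-officer-1-CONSTRUCTED", "type": "userAccount"}},
    {"role_id": "admin", "subject": {"id": "user-contractor-CONSTRUCTED", "type": "userAccount"}},
]


def run_yc(args: list[str]) -> list[dict]:
    """Run one yc command with --format json and parse the result (empty output -> [])."""
    result = subprocess.run(["yc", *args, "--format", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout) if result.stdout.strip() else []


def fetch_state(sa_id: str) -> tuple[list[dict], list[dict], list[dict]]:
    """Pull the three lists the guide says to inspect, using the guide's commands."""
    api_keys = run_yc(["iam", "api-key", "list", f"--service-account-id={sa_id}"])
    access_keys = run_yc(["iam", "access-key", "list", f"--service-account-id={sa_id}"])
    bindings = run_yc(["iam", "service-account", "list-access-bindings", "--id", sa_id])
    return api_keys, access_keys, bindings


def leftover_keys(api_keys: list[dict], access_keys: list[dict]) -> list[str]:
    """Ids of every long-lived secret on the account; a clean account yields []."""
    return ([f"api-key:{k['id']}" for k in api_keys]
            + [f"access-key:{k['id']}" for k in access_keys])


def untrusted_bindings(bindings: list[dict], trusted: set[str]) -> list[tuple[str, str]]:
    """(subject_id, role_id) for every binding whose subject is not a security officer.

    Every role on the account is reported, not only admin: whoever controls the
    account inherits the organization-owner privilege it is about to receive.
    """
    return [(b["subject"]["id"], b["role_id"]) for b in bindings
            if b["subject"]["id"] not in trusted]


def preflight(api_keys: list[dict], access_keys: list[dict],
              bindings: list[dict], trusted: set[str]) -> list[str]:
    """Human-readable findings; an empty list means the account may be given the owner role."""
    findings = [f"delete long-lived key before proceeding: {k}"
                for k in leftover_keys(api_keys, access_keys)]
    findings += [f"non-security-officer {sid} holds role {role} on the account"
                 for sid, role in untrusted_bindings(bindings, trusted)]
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed samples; against a real organization, replace the
    # three sample lists with fetch_state(EMERGENCY_SA_ID).
    report = preflight(SAMPLE_API_KEYS, SAMPLE_ACCESS_KEYS, SAMPLE_BINDINGS, SECURITY_OFFICERS)
    for line in report or ["OK: no findings, account may be granted the owner role"]:
        print(line)
```

Run it before the add-access-binding step and again whenever the security cloud's membership changes; the constructed sample deliberately contains one leftover API key and one admin binding outside the officer group, so the demo prints two findings.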
Additional measures
Configure Audit Trails to cover the service account and the federated accounts that hold the organization-manager.organizations.owner role:
- Configure the collection of audit logs at the organization level in Yandex Audit Trails.
- Track at least the following events (in Object Storage, a log group, Managed ELK, and your SIEM):
  - Creation of service account keys (events yandex.cloud.audit.iam.CreateAccessKey, yandex.cloud.audit.iam.CreateKey, and yandex.cloud.audit.iam.CreateApiKey with authentication.subject_id = <service_account_ID>).
  - Assignment of access rights to the service account (event UpdateServiceAccountAccessBindings with details.service_account_id = <service_account_ID>).
  - Any action performed with the organization-manager.organizations.owner privilege (authentication.subject_id = <ID_of_user_with_this_privilege>).
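The three tracking rules above, applied to a stream of Audit Trails events, as an added example that is not from this guide or from Yandex Cloud. It assumes each event is a JSON object with event_type, authentication.subject_id and details.service_account_id (the field paths the guide quotes); the four sample events and all IDs are constructed. The first rule goes slightly beyond the guide's wording: besides keys created by the emergency account itself (authentication.subject_id), it also matches key-creation events whose details.service_account_id is the emergency account, which catches a key created for that account by some other principal.

```python
"""Detection rules for the emergency service account and owner-privileged subjects.

Added example, not from the guide or from Yandex Cloud. ASSUMPTION: each
Audit Trails event is a JSON object carrying `event_type`,
`authentication.subject_id` and `details.service_account_id`. The event
lines and IDs below are constructed, not a real Audit Trails export.
"""
from __future__ import annotations

import json

# Event types named in the guide.
KEY_CREATION_EVENTS = {
    "yandex.cloud.audit.iam.CreateAccessKey",
    "yandex.cloud.audit.iam.CreateKey",
    "yandex.cloud.audit.iam.CreateApiKey",
}
# Matched by suffix so the rule does not depend on the exact service prefix.
BINDING_UPDATE_SUFFIX = "UpdateServiceAccountAccessBindings"

# Constructed placeholders for IDs: the emergency account and every subject
# that holds organization-manager.organizations.owner.
EMERGENCY_SA_ID = "sa-emergency-CONSTRUCTED"
OWNER_SUBJECTS = {EMERGENCY_SA_ID, "fed-user-owner-CONSTRUCTED"}

# Constructed JSONL sample, one event per line.
SAMPLE_EVENTS_JSONL = """\
{"event_type": "yandex.cloud.audit.iam.CreateApiKey", "authentication": {"subject_id": "sa-emergency-CONSTRUCTED"}, "details": {"service_account_id": "sa-emergency-CONSTRUCTED"}}
{"event_type": "yandex.cloud.audit.iam.UpdateServiceAccountAccessBindings", "authentication": {"subject_id": "user-contractor-CONSTRUCTED"}, "details": {"service_account_id": "sa-emergency-CONSTRUCTED"}}
{"event_type": "yandex.cloud.audit.iam.CreateAccessKey", "authentication": {"subject_id": "fed-user-owner-CONSTRUCTED"}, "details": {"service_account_id": "sa-other-CONSTRUCTED"}}
{"event_type": "yandex.cloud.audit.iam.CreateKey", "authentication": {"subject_id": "user-dev-CONSTRUCTED"}, "details": {"service_account_id": "sa-other-CONSTRUCTED"}}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse a JSONL export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(event: dict, sa_id: str, owner_subjects: set[str]) -> list[str]:
    """Return the alert labels that fire for one event (empty list = benign)."""
    etype = event.get("event_type", "")
    subject = (event.get("authentication") or {}).get("subject_id")
    details = event.get("details") or {}
    alerts: list[str] = []
    # Rule 1: a key was created by the emergency account (guide) or for it (extension).
    if etype in KEY_CREATION_EVENTS and sa_id in (subject, details.get("service_account_id")):
        alerts.append("emergency-sa-key-created")
    # Rule 2: the emergency account's own access bindings changed.
    if etype.endswith(BINDING_UPDATE_SUFFIX) and details.get("service_account_id") == sa_id:
        alerts.append("emergency-sa-bindings-changed")
    # Rule 3: any action at all by a subject that holds the owner role.
    if subject in owner_subjects:
        alerts.append("owner-privilege-used")
    return alerts


def scan(events: list[dict], sa_id: str, owner_subjects: set[str]) -> list[tuple[int, str, str]]:
    """(event index, event_type, alert) for every alert across the stream."""
    return [(i, ev.get("event_type", ""), alert)
            for i, ev in enumerate(events)
            for alert in classify(ev, sa_id, owner_subjects)]


if __name__ == "__main__":
    for idx, etype, alert in scan(parse_events(SAMPLE_EVENTS_JSONL), EMERGENCY_SA_ID, OWNER_SUBJECTS):
        print(f"event #{idx} {etype}: {alert}")
```

In the constructed sample the first event fires two rules at once (the emergency account creating an API key for itself is both a key-creation event and an owner-privilege action), the second and third fire one each, and the fourth, a developer creating a key for an unrelated account, is silent. Point the same functions at the Object Storage or log-group export that Audit Trails writes for the organization.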
Response to federation failure
- Retrieve the authorized key saved in trusted storage.
- Authenticate as the service account.
- Then do one of the following:
  - Assign the organization-manager.organizations.owner role to the passport account and use this account to restore the federation.
  - Restore the federation from the command-line interface (CLI).
- Verify access as a federated user.
Actions following federation recovery
- If the passport account was granted the organization-manager.organizations.owner role, revoke it.
- Create a new authorized key for the service account and save it to trusted storage.