Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Deleting a passport account from an organization

Written by
Updated at January 26, 2024

This guide describes how to delete a privileged passport account with the organization-manager.organizations.owner role from an organization.

This may be necessary if you require full control of a privileged account's authentication. In this case, a privileged account is an account that has full privileges to an organization and all organization's resources.

You can delete a privileged account if you have previously granted the organization-manager.organizations.owner role to a federated account. However, this creates the risk of it becoming impossible to manage the organization with the help of any of the federated accounts should the federation fail (on the cloud or client side).

The guide covers actions for mitigation of risks related to federation failure.

Primary actions

  1. Create a federation.

  2. Verify federation functionality by logging in as a federated user.

  3. Assign the organization-manager.organizations.owner role to a federated user:

    yc organization-manager organization add-access-binding \
    --id= <organization_ID> \
    --subject= federatedUser:<federated_user_ID> \
    --role=organization-manager.organizations.owner

  4. Create a service cloud called security.

  5. Assign the admin role for the security cloud to security officers to enable them to restore access to the cloud if the federation fails.

  6. Create a service account in the security cloud as a way to recover access to the organization in an emergency.

    If you are using an existing service account, make sure it does not have static or API keys.

    yc iam api-key list --service-account-id=<service_account_ID>
yc iam access-key list --service-account-id=<service_account_ID>

    Warning

    A security officer can upgrade their role up to organization-manager.organizations.owner by being in control of the service account assigned this role. Make sure that only security officers have administrator access to the security cloud and the service account by running the command below:

    yc iam service-account list-access-bindings --id <service_account_ID>

    Remember that a service account can be controlled by any user with the admin role for the folder, cloud, or organization hosting the service account. Thus, after gaining control of the service account, users will be able to perform any actions in the organization, including granting themselves various roles up to that of organization-manager.organizations.owner. Make sure that only trusted users have the admin role for the service account as well as for the folder, cloud, and organization hosting this account.

  7. Assign the organization-manager.organizations.owner role to the service account:

    yc organization-manager organization add-access-binding \
    --id= <organization_ID> \
    --service-account-id=<service_account_ID> \
    --role=organization-manager.organizations.owner

  8. Create an authorized key for a service account.

  9. Save the key file in trusted storage.

  10. Delete the organization-manager.organizations.owner role for the passport account using the console or the command-line interface:

    yc organization-manager organization remove-access-binding \
    --id=<organization_ID> \
    --user-account-id=<passport_account_ID> \
    --role=organization-manager.organizations.owner

Additional measures

Configure Audit Trails to process the service and the federated accounts with the organization-manager.organizations.owner role:

  1. Configure the collection of audit logs at the organization level in Yandex Audit Trails.

  2. At least track the following events (in Object Storage, a log group, Managed ELK, and your SIEM):

    • Creating service account keys (events: yandex.cloud.audit.iam.CreateAccessKey, yandex.cloud.audit.iam.CreateKey, yandex.cloud.audit.iam.CreateApiKey, and authentication.subject_id = <service_account_ID>).
    • Assigning access rights to the service account (event: UpdateServiceAccountAccessBindings and details.service_account_id = <service_account_ID>).
    • Any action using the organization-manager.organizations.owner privilege (.authentication.subject_id == <ID_of_user_with_this_privilege>).

You can use Managed ELK to analyze and respond to events in Audit Trails.

Response to federation failure

  1. Access the authorized key saved in trusted storage.

  2. Authenticate as a service account.

  3. Next:

    • Either assign the organization-manager.organizations.owner role to the passport account and use this account to restore the federation.
    • Or restore the federation from the command-line interface (CLI).

  4. Verify access as a federated user.

Actions following federation recovery

  1. If the passport account was granted the organization-manager.organizations.owner role, revoke this role.
  2. Create a new authorized key for the service account and save it to trusted storage.
Previous
Service account with an OS Login profile for VM management via Ansible
Next
If you are being attacked from Yandex Cloud addresses