Teleport AWS Identity Center Test Plan #48678

Open
41 tasks
smallinsky opened this issue Nov 8, 2024 · 0 comments
smallinsky commented Nov 8, 2024

AWS Identity Center Integration Manual Test Plan


  • UI Enrollment Flow
    • Verify the plugin enrollment flow in the UI
    • Autogenerated policy has proper IAM permissions.
    • Verify that all AWS groups and AWS Group - User Assignment are imported as access lists and members during enrollment.
      • Verify that the plugin's initial groups/users import is performed only once, and that after the plugin is successfully created the initial import flow is skipped.
    • Verify that after enrollment users can still log in to AWS with the permissions they are assigned, with zero extra configuration on the Teleport side.
    • Ensure that deleting the integration cleans up all created resources, and recreating it re-establishes these resources accurately.
    • Validate migration flow
      • When the Okta AWS IC SCIM/Identity Source integration is replaced by the Teleport AWS Integration.
      • With the Okta Teleport Plugin integration, when the Teleport Okta Plugin and Teleport AWS IC are both configured and users/groups are shared.

  • Access List Synchronization
    • Verify that moving users in/out of Teleport access lists makes appropriate changes in AWS IC groups.
    • Confirm that updating role assignments in Teleport access lists updates AWS IC group assignments accordingly.
    • Check that creating a new access list in Teleport creates a corresponding group in AWS IC.
      • On new Access list
        • Ensure role updates or deletions in Teleport access lists are provisioned or deprovisioned in AWS IC.
        • Confirm that member assignments and unassignments in Teleport are accurately reflected in AWS IC.

  • Direct Role Assignment in AWS IC
    • Verify that assigning/unassigning roles with AWS IC permissions directly to users creates or removes user permission assignments in AWS IC.
    • Permissions restricted by a locked role should be deprovisioned from AWS IC.
      • Verify that a Teleport role lock is reflected in AWS IC and AWS permissions are deprovisioned.
      • A user lock deprovisions AWS permissions and is reflected in the access list.

  • Access List
    • Verify that membership expiration in Teleport access lists is accurately reflected in AWS IC.
    • Ensure renaming the access list Title in Teleport reflects the changes in AWS IC and doesn't break the sync.
    • Nested Access List
      • Validate that permissions from a parent access list are inherited by nested access list members in AWS IC.
      • Confirm that adding/removing users in a nested access list reflects the parent access list’s permissions in AWS IC.
      • Ensure that deleting a nested access list removes AWS permissions granted through the parent access list.
      • Verify behavior when moving users between multiple overlapping access lists with different permissions.

  • Multi AWS Accounts Setup
    • Verify Direct Role Assignment in IC with multiple AWS Accounts setup.
    • Validate Access List Synchronization with multiple AWS Accounts setup.

  • Large Scale
    • Verify provisioning with a large number of Teleport users and access lists (100+ users/lists)
    • Confirm provisioning from an access list with over 100 users and more than 100 roles.
    • Verify Sync provisioning time is reasonable.
    • Verify Log verbosity is reasonable.
    • Check AWS throttling and response times.



  • Audit Logs
    • TODO Implement
@smallinsky smallinsky changed the title Teleport X Test Plan Teleport AWS Identity Center Test Plan Nov 8, 2024