AWS Single Sign-On
AWS Single Sign-On (AWS SSO) is a cloud-based single sign-on service for centrally managing SSO access to all of your AWS accounts and cloud applications. Specifically, it manages SSO access and user permissions across all of the AWS accounts in your AWS Organizations organization. AWS SSO includes a user portal where end users can find and access all of their assigned AWS accounts, cloud applications, and custom applications in one place.
AWS SSO has the following features:
- Integration with AWS Organizations
- SSO access to your AWS accounts and cloud applications
- Create and manage users and groups in AWS SSO
- Leverage your existing corporate identities
- Compatible with commonly used cloud applications
- Easy to set up and monitor usage
- Co-exists with existing IAM users, roles, and policies
- No-cost identity management
Miles Systems is using the AWS-provided directory to manage users and groups. This built-in directory allows the organization to create users/groups and assign permissions to those users/groups in various AWS accounts. It is possible to integrate Azure AD with AWS SSO if that is desired in the future.
For more details on managing users, please see the AWS Documentation for Managing identities in AWS SSO.
A permission set is a collection of administrator-defined policies that AWS SSO uses to determine a user's effective permissions in a given AWS account. A permission set can contain AWS managed policies, a custom (inline) policy stored in AWS SSO, or both. Policies are JSON documents that act as containers for one or more permission statements; each statement is an individual access control (Allow or Deny) over a set of actions, and together they determine what a user can and cannot do within the account.
Permission sets are stored in AWS SSO and are only used for AWS accounts; they are not used to manage access to cloud applications. When a permission set is assigned to an account, AWS SSO provisions it into that account as an IAM role named AWSReservedSSO_<permission set name>_<hash>, with a trust policy that only allows the role to be assumed through the SAML identity provider AWS SSO creates in that account. Sign-ins through such a role therefore show up in that account's CloudTrail as AssumeRoleWithSAML events.
- Go to the AWS Single Sign-On service.
- Choose AWS accounts.
- Select the Permission sets tab.
- Choose Create permission set.
- On the Create new permission set page, choose one of the following options, and then follow the instructions under that option:
  - Use an existing job function policy
    - Under Select job function policy, select one of the default IAM job function policies in the list. For more information, see AWS Managed Policies for Job Functions.
    - Choose Create.
  - Create a custom permission set
    - Under Create a custom permission set, type a name that will identify this permission set in AWS SSO. This name will also appear as an IAM role in the user portal for any users who have access to it.
    - (Optional) Type a description. The description only appears in the AWS SSO console and is not visible to users in the user portal.
    - (Optional) Specify the value for Session duration. This value determines how long a user can be signed in before the console ends the session. For more information, see Set Session Duration.
    - (Optional) Specify the value for Relay state. This value is used in the federation process to redirect users to a particular page within the account. For more information, see Set Relay State.
    - Select Attach AWS managed policies, Create a custom permissions policy, or both if you need to link more than one policy type to this permission set.
    - If you chose Attach AWS managed policies, under Attach AWS managed policies, select up to 10 job-related or service-specific AWS managed policies from the list.
    - If you chose Create a custom permissions policy, under Create a custom permissions policy, paste in a policy document with your preferred permissions.
    - Choose Create.
Delete a permission set
- Go to the AWS Single Sign-On service.
- Choose AWS accounts.
- Choose the Permission sets tab.
- Select the permission set you want to delete, and then choose Delete.
- In the Delete permission set dialog box, choose Delete.
As of right now, the only custom permission set we've created is BillingAccess in the Master account. It allows management to access the billing information they need about the AWS accounts and to use the AWS Activate funding program for startups. This permission set is only associated with the BillingAccess group (same name as the permission set) and the Master account. Note that ReadOnlyAccess is much broader than billing read access: it grants Get/List/Describe actions across essentially every AWS service, including s3:Get*, so members of this group can read the contents of any S3 object in the Master account that a bucket policy does not explicitly deny them.
BillingAccess
- Description: Provides access to AWS Billing, Cost Explorer, and the AWS Activate funding program
- Relay State: https://console.aws.amazon.com/billing/home?region=us-east-1#/
- Managed Policies:
  - ReadOnlyAccess
  - SupportUser
  - Billing
- Inline Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSActivateAccess",
      "Effect": "Allow",
      "Action": [ "activate:*" ],
      "Resource": "*"
    }
  ]
}
```
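The console procedures above (creating and deleting a permission set, plus the BillingAccess definition) as AWS CLI calls. This is an added example for this page, not part of the original wiki and not an AWS artifact. It assumes AWS CLI v2 with credentials in the management (Master) account and three environment variables whose names are chosen here: SSO_INSTANCE_ARN and IDENTITY_STORE_ID (both from `aws sso-admin list-instances`) and ACCOUNT_ID (the account to assign). The PT1H session duration is an assumption, since the page does not record one. AWS SSO was renamed IAM Identity Center in 2022, but the CLI namespaces are still `sso-admin` and `identitystore`. With DRY_RUN=1 the script prints the calls instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki): the console steps as aws sso-admin / identitystore calls.
# Required env: SSO_INSTANCE_ARN, IDENTITY_STORE_ID (aws sso-admin list-instances), ACCOUNT_ID.
# DRY_RUN=1 prints each aws call to stderr instead of running it.
set -eu

# Execute an aws command, or print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '+ %s\n' "$*" >&2; else "$@"; fi
}

# Expand the short policy names used on this page to full ARNs. Billing and SupportUser
# (like the other job-function policies) live under job-function/; ReadOnlyAccess does not.
managed_policy_arn() {
  case "$1" in
    arn:aws:iam::aws:policy/*) printf '%s\n' "$1" ;;
    Billing|SupportUser|ViewOnlyAccess|SystemAdministrator|DatabaseAdministrator|NetworkAdministrator|DataScientist)
      printf 'arn:aws:iam::aws:policy/job-function/%s\n' "$1" ;;
    *) printf 'arn:aws:iam::aws:policy/%s\n' "$1" ;;
  esac
}

# Session duration is an ISO 8601 duration; the service allows 1 to 12 hours.
# This check accepts whole hours only (PT1H .. PT12H).
valid_session_duration() {
  case "$1" in PT[1-9]H|PT1[0-2]H) return 0 ;; *) return 1 ;; esac
}

# create_permission_set NAME DESCRIPTION SESSION_DURATION RELAY_STATE -> prints the new ARN
create_permission_set() {
  valid_session_duration "$3" || { echo "invalid session duration: $3 (use PT1H..PT12H)" >&2; return 1; }
  if [ -n "${DRY_RUN:-}" ]; then
    run aws sso-admin create-permission-set --instance-arn "$SSO_INSTANCE_ARN" \
      --name "$1" --description "$2" --session-duration "$3" --relay-state "$4"
    printf 'arn:aws:sso:::permissionSet/ssoins-DRYRUN/ps-DRYRUN\n'   # placeholder ARN
  else
    aws sso-admin create-permission-set --instance-arn "$SSO_INSTANCE_ARN" \
      --name "$1" --description "$2" --session-duration "$3" --relay-state "$4" \
      --query 'PermissionSet.PermissionSetArn' --output text
  fi
}

# attach_managed_policies PS_ARN POLICY... (short names or full ARNs; up to 10 per permission set)
attach_managed_policies() {
  ps_arn=$1; shift
  for p in "$@"; do
    run aws sso-admin attach-managed-policy-to-permission-set --instance-arn "$SSO_INSTANCE_ARN" \
      --permission-set-arn "$ps_arn" --managed-policy-arn "$(managed_policy_arn "$p")"
  done
}

# put_inline_policy PS_ARN POLICY_FILE (the "Create a custom permissions policy" step)
put_inline_policy() {
  run aws sso-admin put-inline-policy-to-permission-set --instance-arn "$SSO_INSTANCE_ARN" \
    --permission-set-arn "$1" --inline-policy "file://$2"
}

# group_id DISPLAY_NAME -> GroupId of a group in the AWS SSO directory
group_id() {
  if [ -n "${DRY_RUN:-}" ]; then printf 'group-DRYRUN\n'; return; fi
  aws identitystore list-groups --identity-store-id "$IDENTITY_STORE_ID" \
    --filters "AttributePath=DisplayName,AttributeValue=$1" \
    --query 'Groups[0].GroupId' --output text
}

# assign_group PS_ARN GROUP_ID ACCOUNT_ID: the assignment also provisions the IAM role into the account.
assign_group() {
  run aws sso-admin create-account-assignment --instance-arn "$SSO_INSTANCE_ARN" \
    --permission-set-arn "$1" --principal-type GROUP --principal-id "$2" \
    --target-type AWS_ACCOUNT --target-id "$3"
}

# delete_permission_set PS_ARN (the "Delete a permission set" steps)
delete_permission_set() {
  run aws sso-admin delete-permission-set --instance-arn "$SSO_INSTANCE_ARN" --permission-set-arn "$1"
}

# Recreate this page's BillingAccess permission set and assign the BillingAccess group to ACCOUNT_ID.
create_billing_access() {
  policy=$(mktemp)
  cat >"$policy" <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "AWSActivateAccess", "Effect": "Allow",
                   "Action": [ "activate:*" ], "Resource": "*" } ] }
EOF
  ps_arn=$(create_permission_set BillingAccess \
    "Provides access to AWS Billing, Cost Explorer, and AWS Activate Funding program" \
    PT1H "https://console.aws.amazon.com/billing/home?region=us-east-1#/")   # PT1H is assumed
  attach_managed_policies "$ps_arn" ReadOnlyAccess SupportUser Billing
  put_inline_policy "$ps_arn" "$policy"
  assign_group "$ps_arn" "$(group_id BillingAccess)" "$ACCOUNT_ID"
  rm -f "$policy"
  printf '%s\n' "$ps_arn"
}

# Usage: ./sso-permission-sets.sh create | delete <permission-set-arn>
case "${1:-}" in
  create) create_billing_access ;;
  delete) delete_permission_set "$2" ;;
esac
```

After `create` finishes, the assignment provisions the role into the target account; you can confirm it (and audit every SSO-managed role in that account) with `aws iam list-roles --path-prefix /aws-reserved/sso.amazonaws.com/`, which lists the AWSReservedSSO_BillingAccess_<hash> role created by this permission set.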