AWS SSO

There are several ways to enable a user to access resources across multiple accounts. One of them makes use of the AWS SSO service as covered at a high level in the course “Security Engineering on AWS”.

This service is integrated with AWS Organisations and allows a user to log on to a portal and choose the account they wish to access.

For a brief getting-started walkthrough, the following assumes you have set up at least 2 accounts as part of an AWS Organisation.

Go to AWS Organisations, then Settings. Several services can be enabled there, including AWS SSO.

Go to AWS SSO to see the following options:

Choose “manage your directory”, and create an SSO user. You will need to supply a valid email address. The user will receive an invitation to accept.

Next, create a permission set. There are a number of built-in job function policies. I chose “ViewOnlyAccess”.

The trust relationship policy on the role created for this permission set looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxxxxx:saml-provider/AWSSSO_047700dc7e52a8bb_DO_NOT_DELETE"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
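As an added check, not code from the original post or from AWS: a small Python audit function that flags a role trust policy which drifts from the shape shown above (an action other than sts:AssumeRoleWithSAML, a principal other than the AWS SSO SAML provider, or a missing SAML:aud condition). The sample policies are constructed from the page's policy; the account id is the page's own placeholder, and the "AWSSSO_" provider-name marker is taken from the ARN shown above.

```python
from typing import Any, Dict, List

EXPECTED_ACTION = "sts:AssumeRoleWithSAML"
EXPECTED_AUD = "https://signin.aws.amazon.com/saml"
PROVIDER_MARKER = ":saml-provider/AWSSSO_"  # assumed from the ARN shown on the page

def check_sso_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings for a role trust policy that should only be assumable
    through the AWS SSO SAML provider; an empty list matches the page's shape."""
    findings: List[str] = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        for a in [actions] if isinstance(actions, str) else actions:
            if a != EXPECTED_ACTION:  # e.g. sts:AssumeRole lets non-SAML callers in
                findings.append(f"stmt {i}: unexpected action {a}")
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append(f"stmt {i}: principal is not a single Federated entry")
        elif PROVIDER_MARKER not in str(principal["Federated"]):
            findings.append(f"stmt {i}: federated principal is not the AWS SSO IdP")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != EXPECTED_AUD:
            findings.append(f"stmt {i}: SAML:aud condition missing or wrong: {aud!r}")
    return findings

SSO_IDP = "arn:aws:iam::xxxxxxxxxx:saml-provider/AWSSSO_047700dc7e52a8bb_DO_NOT_DELETE"

# Constructed sample 1: the trust policy shown on the page (account id is its placeholder).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": SSO_IDP},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}

# Constructed sample 2: the same role after it was widened: an extra principal and
# action were added and the audience condition was dropped.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": SSO_IDP, "AWS": "arn:aws:iam::xxxxxxxxxx:root"},
    "Action": ["sts:AssumeRoleWithSAML", "sts:AssumeRole"]}]}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("weakened policy", WEAK_POLICY)):
        print(name, "->", check_sso_trust_policy(pol) or "OK")
```

The same function can be run over each role's AssumeRolePolicyDocument pulled from IAM to spot permission-set roles whose trust has drifted since AWS SSO provisioned them.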


Assign the permission set to the user. You are given a “user logon portal” URL which can be customised. I used https://thetrainit.awsapps.com/start

Log on as the user with the email address.

The user can then choose from a list of accounts and is directed to the management console.

You can also configure single sign-on (SSO) access to multiple cloud applications and any custom applications that support identity federation with SAML 2.0.