Getting started with AWS Single Sign-On (SSO)

Posted by Ben Potter on Saturday, August 21, 2021


It’s an AWS Well-Architected best practice to rely on a centralized identity provider. If you have one or more AWS accounts, you should use AWS Single Sign-On (SSO), which allows you to configure users, including yourself, as an alternative to logging in as the root user. The users can have permissions that follow least privilege, and they can be members of groups. My two favourite features are:

  1. It can be used across all your AWS accounts in your AWS Organization. SSO automatically provisions roles in your accounts, which are used by SSO users. No more managing users or roles in every account.
  2. SSO gives you access to the AWS console across all your accounts. You can easily generate temporary credentials, including an access key, which you can use in the AWS CLI.

AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support Security Assertion Markup Language (SAML) 2.0.

The best part of SSO is that there is no cost! I use SSO even for a couple of my personal testing accounts, so I’d encourage you to do the same. If you already have a central identity/directory service, it most likely supports SAML 2.0 or OpenID Connect (OIDC).

1. Set up AWS Organizations

To use AWS SSO you will first need to set up AWS Organizations. It’s pretty easy, and is another service with no cost. AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. Follow the getting started tutorial. You won’t need to worry about Organizational Units (OUs) or Service Control Policies (SCPs) to get started, although they are strongly recommended as you explore options to better protect your AWS accounts.

2. Set up AWS SSO

To set up AWS SSO:

  1. Sign in to the AWS Management Console with your AWS Organizations management account credentials.
  2. Open the AWS SSO console.
  3. Choose Enable AWS SSO.
  4. Create your first user by choosing Users in the main SSO console.
  5. Choose Add user and provide the following required information:
    • Username – This user name will be required to sign in to the user portal and cannot be changed later.
    • Password – Choose from one of the following choices to send the user’s password.
      Send an email to the user with password setup instructions – This option automatically sends the user an email addressed from Amazon Web Services. The email invites the user on behalf of your company to access the AWS SSO user portal.
      Generate a one-time password that you can share with the user – This option provides you with the user portal URL and password details that you can manually send to the user from your email address.
    • Email address and Confirm email address – The value you provide here must be unique.
    • First name – You must enter a name here for automatic provisioning to work.
    • Last name – You must enter a name here for automatic provisioning to work.
    • Display name – Enter a display name.
  6. Choose Next: Groups. For this simple example we’re not configuring groups, so choose Add user.
  7. Choose AWS accounts in the main SSO console.
  8. Under the AWS organization tab, in the list of AWS accounts, choose one or more accounts to which you want to assign access.
  9. Choose Assign users.
  10. On the Select users or groups page, select your user, and then choose Next: Permission sets.
  11. On the Select permission sets page, select the permission sets that you want to apply to the users or groups from the table. Then choose Finish. You can optionally choose to Create a new permission set if none of the permissions in the table meets your needs. Check out Create a permission set for more info. Think of a permission set as a set of policies, a bit like IAM users if you use them.
  12. Choose Finish to begin the process of configuring your AWS account.
  13. Log in as the user you have just set up, and enable MFA.

That’s the most basic way to set up AWS SSO! If it’s only for your own personal accounts you can leave it as is. For business use you should use groups, and configure your other users either in the same way inside SSO, or using an existing identity provider if you have one. You can find more info here.
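To use the SSO user from the AWS CLI rather than the console, here is an added example that is not part of the original post: an AWS CLI v2 profile that obtains short-lived credentials through SSO, so no long-lived access key is stored on disk. The start URL, region, account id, permission set name and profile name are placeholders to replace with the values from your own SSO console.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): an AWS CLI v2 profile that
# signs in through AWS SSO instead of using a long-lived IAM access key.
# All values below are placeholders; take the real ones from your SSO console.

SSO_START_URL="https://d-0123456789.awsapps.com/start"   # placeholder user portal URL
SSO_REGION="us-east-1"                                   # region where SSO is enabled (placeholder)
ACCOUNT_ID="111122223333"                                # placeholder member account id
PERMISSION_SET="ViewOnlyAccess"                          # permission set assigned to the user (placeholder)
PROFILE="sso-sandbox"                                    # local profile name (placeholder)

# Render the ~/.aws/config stanza. sso_role_name is the permission set name;
# the CLI maps it to the role SSO provisioned in the account.
sso_profile_block() {
  printf '[profile %s]\nsso_start_url = %s\nsso_region = %s\nsso_account_id = %s\nsso_role_name = %s\nregion = %s\noutput = json\n' \
    "$1" "$2" "$3" "$4" "$5" "$3"
}

# Append the profile to the CLI config file unless it is already there.
install_profile() {
  cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  mkdir -p "$(dirname "$cfg")"
  if grep -q "^\[profile $PROFILE\]" "$cfg" 2>/dev/null; then
    echo "profile $PROFILE already present in $cfg"
  else
    sso_profile_block "$PROFILE" "$SSO_START_URL" "$SSO_REGION" "$ACCOUNT_ID" "$PERMISSION_SET" >> "$cfg"
    echo "profile $PROFILE written to $cfg"
  fi
}

# Sign in through the browser (MFA is enforced by SSO), then confirm which
# role the temporary credentials resolve to before doing any real work.
sso_login_and_verify() {
  aws sso login --profile "$PROFILE" \
    && aws sts get-caller-identity --profile "$PROFILE" --output text --query Arn
}

case "${1:-}" in
  install) install_profile ;;
  login)   sso_login_and_verify ;;
  *)       echo "usage: $0 install|login" ;;
esac
```

Run `sh sso-profile.sh install` once, then `sh sso-profile.sh login` whenever the cached SSO session has expired; the printed ARN should name the permission set you assigned, which is a quick check that the least-privilege role, not a broader one, is in use.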

Further reading:
Understanding key AWS Single Sign-On concepts
AWS Well-Architected Security Pillar