How IAM is used to securely manage access
Managing user identities with long term credentials in IAM
Managing access using IAM user groups & roles
Using IAM policies to define and manage permissions
AWS Web Application Firewall
AWS Firewall Manager
AWS Security Hub Overview
Other AWS Security Services
The course is part of this learning path
This course looks at the key Security services within AWS relevant to the Solution Architect associate exam. Core to security is Identity & Access Management, commonly referred to as IAM. This service manages identities and their permissions that are able to access your AWS resources and so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.
Want more? Try a lab playground or do a Lab Challenge!
- Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
- Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
- Understand how to configure and monitor AWS WAF
- Learn about AWS Firewall Manager and its components
- Learn how to configure AWS Shield
- Learn the fundamentals of AWS Cognito
Hello, my name is Stuart Scott and today I want to introduce you to AWS SSO and perform a demonstration on how to create and configure a single sign-on portal for users to access multiple AWS accounts within a single AWS Organization without the users having an IAM account. By the end of this course, you will have a greater understanding of the benefits of AWS SSO and how it can be used to simplify user access at scale.
To get the most from this course, it would be beneficial if you have a basic understanding of AWS Organizations as this tightly integrates with the AWS SSO service. If you have any feedback on this course, positive or negative, it would be greatly appreciated if you can contact support at cloudacademy.com.
So what is SSO? For those unfamiliar with the AWS SSO service, let me briefly explain what the service is used for and some of its key features. AWS SSO, which stands for Single Sign-On, is used to help you implement a federated access control system providing a portal to your users allowing them to access multiple accounts within your AWS Organization without having to supply IAM credentials for each one. It can also be used to federated access to cloud applications, such as Microsoft Office 365 and Salesforce.
For those unfamiliar with AWS Organizations, it provides a means of centrally managing and categorizing multiple AWS accounts that you own, bringing them together into a single organization, helping to maintain your AWS environment from a security, compliance, and account management perspective. For more information on this service, please see our existing course here.
So some key features of AWS SSO include the following: It's a highly available managed AWS service. It has personalized portals for your end-users to centrally gain access to your AWS accounts and cloud applications. It comes with full integration with AWS CloudTrail for auditing SSO activity between your accounts. As already highlighted, it integrated with AWS Organizations enabling SSO for multiple accounts. It also has support for Azure Active Directory and Okta Universal Directory. It also supports multi-factor authentication for additional security protection, and it has the ability to use IAM fine-grained controls to manage access to resources.
So as you can see from these features alone it has some great advantages to help you manage and implement a single-sign on approach in your organization. Now there are a number of prerequisites that you must meet before you configure and enable AWS SSO within your accounts. The first of which requires you to configure AWS Organizations for your accounts using the 'All features' option rather than just 'Consolidated billing features'.
You must also use the Management AWS account of your AWS Organization to enable and configure AWS SSO. The configuration and implementation can't be done using one of your member accounts. And then once you have performed these two simple steps, you then have the decision of deciding which identity pool you want to have AWS SSO use as your source of users.
You can either use an external identity pool supported by AWS SSO with SAML two, such as Azure Active Directory or Okta Universal Directory, or you can choose to manage your users with the default identity user store that comes natively with AWS SSO, and it's this option that I am going to focusing on today in our demonstration.
Before I start the demonstration, I just want to highlight what I shall be doing. So the aim of this demonstration is to show you how to configure AWS SSO enabling full S3 and RDS access for a user in two different AWS accounts using a customized user portal. The steps required to achieve this will include: Selecting my identity source, and this is where I can select to use the native AWS SSO user directory, or Active Directory, or another supported SAML 2.0 based identity provider. And I shall be using the AWS SSO user directory.
I shall customize the URL of the portal that I want users of AWS SSO to use to gain access to my AWS Accounts I will then add a new user to the AWS SSO directory using an e-mail address to uniquely identify them as a user. I shall create a new group and add the user to that group, and I must also create a permission set defining full S3 and RDS access for the user to inherit. I will then associate this permission set to the new group which will be applied to specific AWS accounts in my Organization. And I will then test access by signing in to the AWS SSO user portal
Okay, so now we have a basic understanding of what we are going to do. Let's go ahead and try it out!
Okay, so I'm in the AWS management console. So the first thing I need to do is find AWS SSI and that can be found under the security identity and compliance category. So here we have AWS single sign-on. So if I select that, and this will take me to the dashboard.
Now the thing I want to do is to select an identity source. So if I go into the identity source and here we can see that currently the identity source is configured as AWS SSI. Now, if I didn't want to use the inbuilt identity directory offered by SSI, then I could go in here and change it and select active directory or an external identity provider. But for this demonstration, I'm just going to use the AWS SSO directory itself.
Okay, then further down we can configure the user portal. So this will be the link that everyone will receive, who's set up on AWS SSO to access the AWS account. And you can customize this to whatever you'd like it to. So let me just click on customize and I'll just enter my name Stuart Scott and then save. And now my link is customized, making it much more user friendly.
Okay, so I've now selected my identity source and also customize my user portal URL. Let's now go and create a user. So on the left-hand side here, you can select users. At the moment you can see I don't have any users configure at all. If I click on add user, now I can set up a user name. I'll just call this Stuart Scott. And for password, I can select to send an email to the user with a password to set them instructions or generate a one-time password that I can then share with the user. I'm just gonna leave it as a default send an email to a user. I'll put in an email address, then just confirm those details, add in the extra details and that's it. And then further down this optional other metadata and attributes that you can add if needed, but for now I'm just going to leave it as there, the setup of the user itself.
If I click on next groups, now here, I can create a group for easier management of the older different users that you have. So let's go ahead and do that. And this helps with permission access as well as we'll see as we go through the demonstration. So if I select create group and I'll just call this S3 and RDS access, 'cause this is what I want the group permissions to have.
So let's make it nice and easy. If I select create and I can select that group to make sure the user is a part of that group and then say, add user. So that user is now added to our group and we have the user Stuart Scott added to this AWS SSO directory. Now, what I need to do is create permissions for that user. So if we go over to our AWS accounts on the left here, and I can see the different accounts that I have in my AWS organization.
So, like I said, as a prerequisite, when you use AWS SSO, you need to make sure that you have AWS organizations already set up. And these are my two accounts that I have in my organization. Now at the top here, you can see two different tabs, your AWS organization, and also permission sets. So if I select permission sets, at the moment I don't have any permission sets. So if I create one, and I can use an existing job function policy or create a custom permission set.
For this demonstration, I want to create a custom permission set. Click on next. And I'll just call this S3 and RDS access again. And you can configure session durations, which will define the length of time a user can be logged on before the console logs him out of this session. So you have a number of different options here. I'm just gonna leave it as a default one hour. And I want to attach AWS managed policies. So let me just type in S3, 'cause I want full S3 access and also full RDS access. So here we have the AWS managed policy of S3 and I also want RDS as well. And here we have Amazon RDS full access.
So if I then click on next, we can add any tags if you want to. I'm just gonna leave that blank for now. Then in the final review screen, we can see the policies that I've attached, the S3 Full Access and RDS Full Access, and also the name of this permission set. And then click on create.
Now the next thing I want to do is associate this permission set with the group and assign that group to the AWS accounts in my organization. So I go across to AWS organization here, and if I select the two accounts that I want to add the users to, then I can click on assign users. Now I can either split the use individually or the group, and the best practice would be to use the group for easier managements. I'm going to select the S3 and RDS access because we know that the user is already a part of this group.
Now, from here, we can click on next to assign the permission sets. And here we have our permission set that we would like. So this will associate that permission set with the group on those two AWS accounts. Now we can see here that this is now successfully configured for my AWS accounts and our users can use these accounts with the permissions that we assigned. So if we click on proceed to AWS accounts and it takes us back to this screen here.
Now let's look at from the user perspective. So now in my inbox of that user that was created. So this is the automatic email that is sent out to say that we've been invited to use the AWS SSO user portal and we can see the URL here, and we need to accept the invitation first. So let's go ahead and do that.
Now I'm prompted to enter a new password, so let me just go ahead and do that. Making sure it meets all the recommendations, set new password. And then once that's done, we can then click on our user portal here. So let's go ahead and try that. So we have our username of Stuart Scott. If I enter my password, and I'm taken to this user portal here and we can see here that it's got that URL that we initially set up.
Now, what we have here is our AWS accounts. Now, if I select this account, it shows the two accounts that this user has access to. And if I select one of those accounts, it then shows the permissions and roles that I effectively set up, the S3 and RDS access. And from here, I can either select the management console to gain access to the management console or use the CLI to gain programmatic access.
So let's just go ahead and click on the management console. And that takes me straight into that specific account. So from here, this user can now administer S3 and RDS as well. And I can go back to the portal and also select the secondary account and do exactly the same thing.
So that's how you can easily use AWS SSO to set up single sign on access to multiple AWS accounts when you're running AWS organizations. That brings me to the end of this course which demonstrated how the AWS SSO service can be configured and implemented to help you manage a single sign-on portal to access multiple AWS accounts with a single AWS organization using the default user directory provided.
If you have any feedback on this course, positive or negative, please send an email to email@example.com. Your feedback is greatly appreciated. Thank you for your time and good luck with your continued learning of cloud computing. Thank you.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.