
How To Use AWS Single Sign On?

AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization. You can choose to manage access just to your AWS accounts, just to cloud applications, or both. You can create user identities directly in AWS SSO, or bring them from Microsoft Active Directory or a standards-based identity provider such as Okta Universal Directory or Azure AD. (AWS has since renamed the service AWS IAM Identity Center; the concepts and steps in this article are unchanged under the new name.)

What Does AWS Single Sign On Do?

With AWS SSO, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access all of their assigned AWS accounts, Amazon EC2 Windows instances, or cloud applications. AWS SSO can be configured to run alongside, or to replace, per-account access management with AWS IAM.

Getting started with AWS SSO takes a few clicks in the management console: connect AWS SSO to your existing identity source and configure permissions that grant users access to their assigned AWS accounts, cloud applications, and other SAML-based applications that you add to AWS SSO.

How Does AWS Single Sign-On Work?

You can create your users' identities and groups in AWS SSO itself, or connect to your existing users and groups in Microsoft Active Directory Domain Services, Okta Universal Directory, Azure AD, or another standards-based identity provider.

Through its integration with AWS Organizations, AWS SSO lets you manage access across multiple accounts with no additional setup within the individual accounts.

With AWS Single Sign-On, you control who has access to your cloud applications. Your users sign in to the AWS SSO web user portal with their directory credentials and get one-click access to their assigned applications, such as Amazon SageMaker Studio, AWS Systems Manager Change Manager, and standards-based cloud applications including Salesforce, Box, and Microsoft 365.

How to create and manage users within AWS Single Sign-On

AWS Single Sign-On (AWS SSO) is a cloud service that lets you grant your users access to AWS resources, such as Amazon EC2 instances, across multiple AWS accounts. By default, AWS SSO provides a directory that you can use to create users, organize them in groups, and set permissions across those groups.

You can also grant the users you create in AWS SSO permissions to applications such as Salesforce, Box, and Office 365. AWS SSO and its directory are available at no additional cost.

A directory is the building block that lets you manage the users to whom you want to grant access to AWS resources and applications.

How To Use AWS Single Sign On: Details

AWS Identity and Access Management (IAM) provides a way to create users that access AWS resources within one AWS account; to work in a second account, such a user needs a separate identity there or a cross-account role.

With AWS SSO you instead create your users centrally and manage their access to all of your AWS accounts and applications from one place.

The users sign in to a user portal with a single set of credentials configured in AWS SSO and reach all of their assigned accounts and applications there.

The procedure is short. Let's walk through the steps.

How To Use AWS Single Sign On? Step By Step

To illustrate how to add users in AWS SSO and grant them permissions across multiple AWS accounts, imagine that you are the IT manager for a company, Example.com, that wants to make it easy for its users to access resources in multiple AWS accounts.

Example.com has five AWS accounts: a master account (called MasterAcct; AWS now calls this the management account of the organization), two developer accounts (DevAccount1 and DevAccount2), and two production accounts (ProdAccount1 and ProdAccount2). Example.com uses AWS Organizations to manage these accounts and has already enabled AWS SSO.

Example.com has two developers, Martha and Richard, who need full access to Amazon EC2 and Amazon S3 in the developer accounts (DevAccount1 and DevAccount2) and read-only access to EC2 and S3 resources in the production accounts (ProdAccount1 and ProdAccount2).

Diagram Representation

[Diagram: Manage SSO]

The diagram illustrates how you can grant Martha and Richard permissions:

How To Use AWS Single Sign On: Steps

  1. Add users and groups in AWS SSO: add the users Martha and Richard, create a group called Developers, and add both users to it.
  2. Create permission sets: create two permission sets. The first includes policies that grant full access to Amazon EC2 and Amazon S3; the second includes policies that grant read-only access to Amazon EC2 and Amazon S3.
  3. Assign groups to accounts and permission sets: assign the Developers group to the developer accounts with the full-access permission set, then assign the same group to the production accounts with the read-only permission set. Martha and Richard now have full access to Amazon EC2 and Amazon S3 in DevAccount1 and DevAccount2 and read-only access in ProdAccount1 and ProdAccount2. Nothing is assigned in MasterAcct, which is the right default: keep the management account out of everyday permission sets.
  4. Users sign in to the User Portal to access accounts: Martha and Richard receive an email from AWS to set their passwords with AWS SSO. They can then sign in to the AWS SSO User Portal with their email addresses and those passwords and open their assigned AWS accounts.

1: Go To Dashboard and Directory

[Screenshot: AWS SSO dashboard and Directory]

2: Add users

[Screenshot: Directory, Add user]

3: Add User To Groups

[Screenshot: Add user to groups]

On the Add users to group page, check the box next to the group you just created, and then choose Add user

[Screenshot: Add users to group, from the AWS documentation]

4: Create Permission Sets

[Screenshot: Create permission set]

Create the two permission sets. Choosing the custom permission set option lets you attach exactly the policies you want (full access to Amazon EC2 and Amazon S3 for the first set, read-only access to both for the second) instead of one of the predefined job-function policies.

[Screenshot: Create permission set, Custom]

5: Assign groups to accounts and permission sets

In this step, you assign the Developers group full access to Amazon EC2 and Amazon S3 in the developer accounts, and read-only access to the same services in the production accounts. Check the selected accounts before saving each assignment: the only difference between the two assignments is the permission set, so it is easy to attach the full-access set to a production account by mistake.

[Screenshots: Assign groups to accounts, select the Developers group, select the permission set (the screenshots show a permission set named DevOps Engineer)]

6: Users sign into User Portal to access accounts

[Screenshots: User Portal sign-in and the list of assigned AWS accounts]
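The same steps driven from the API instead of the console, as an added example (not code from the page or from AWS): a Python script using boto3's sso-admin and identitystore clients. The account IDs, user names and email addresses are constructed placeholders, and the two permission sets are built from the AWS managed policies AmazonEC2FullAccess, AmazonS3FullAccess, AmazonEC2ReadOnlyAccess and AmazonS3ReadOnlyAccess, which is one way to get the access the walkthrough describes. The planning and checking functions run offline; apply() assumes credentials in the management account and a single AWS SSO instance. The invitation email from step 6 is console behaviour and is not triggered here; password setup for API-created users is assumed to be handled from the console.

```python
"""Group, users, permission sets and account assignments for Example.com,
scripted with boto3 (added example, not code from the page)."""

GROUP_NAME = "Developers"

# Constructed sample data: placeholder account IDs, not real accounts.
# MasterAcct is listed only so the plan can prove it gets no assignment.
ACCOUNTS = {
    "MasterAcct": "000000000000",
    "DevAccount1": "111111111111",
    "DevAccount2": "222222222222",
    "ProdAccount1": "333333333333",
    "ProdAccount2": "444444444444",
}

# (user name, given name, family name, email) for the two developers.
USERS = [
    ("martha", "Martha", "Example", "martha@example.com"),
    ("richard", "Richard", "Example", "richard@example.com"),
]

# Step 2's two permission sets, built from AWS managed policies.
PERMISSION_SETS = {
    "DevFullAccess": ["arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                      "arn:aws:iam::aws:policy/AmazonS3FullAccess"],
    "ProdReadOnly": ["arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
                     "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
}


def permission_set_for(account_name):
    """Step 3 rule: dev accounts get full access, prod accounts read-only,
    and the management account gets nothing from this group."""
    if account_name.startswith("Dev"):
        return "DevFullAccess"
    if account_name.startswith("Prod"):
        return "ProdReadOnly"
    return None


def plan_assignments(accounts):
    """Return (account name, account id, permission set) triples to create."""
    return [(name, acct_id, permission_set_for(name))
            for name, acct_id in accounts.items()
            if permission_set_for(name) is not None]


def check_plan(plan):
    """Guardrails to run before applying: no write access into production
    and no assignment at all into the management account."""
    problems = []
    for name, _acct_id, ps in plan:
        if name.startswith("Prod") and ps != "ProdReadOnly":
            problems.append(f"{name}: production account would get {ps}")
        if name == "MasterAcct":
            problems.append("MasterAcct: management account must not be assigned")
    return problems


def apply(plan, users=USERS, group_name=GROUP_NAME):
    """Create the resources (needs credentials in the management account).
    boto3 is imported here so the planning functions above run offline."""
    import boto3

    sso = boto3.client("sso-admin")
    ids = boto3.client("identitystore")
    inst = sso.list_instances()["Instances"][0]  # assumes a single instance
    instance_arn, store_id = inst["InstanceArn"], inst["IdentityStoreId"]

    # Step 1: group and users in the AWS SSO directory, users added to the group.
    group_id = ids.create_group(IdentityStoreId=store_id, DisplayName=group_name)["GroupId"]
    for user_name, given, family, email in users:
        user_id = ids.create_user(
            IdentityStoreId=store_id, UserName=user_name, DisplayName=f"{given} {family}",
            Name={"GivenName": given, "FamilyName": family},
            Emails=[{"Value": email, "Primary": True}])["UserId"]
        ids.create_group_membership(IdentityStoreId=store_id, GroupId=group_id,
                                    MemberId={"UserId": user_id})

    # Step 2: permission sets with their managed policies attached.
    ps_arns = {}
    for ps_name, policies in PERMISSION_SETS.items():
        arn = sso.create_permission_set(InstanceArn=instance_arn, Name=ps_name,
                                        SessionDuration="PT1H")["PermissionSet"]["PermissionSetArn"]
        for policy_arn in policies:
            sso.attach_managed_policy_to_permission_set(
                InstanceArn=instance_arn, PermissionSetArn=arn, ManagedPolicyArn=policy_arn)
        ps_arns[ps_name] = arn

    # Step 3: one account assignment per planned (account, permission set) pair.
    for _name, acct_id, ps_name in plan:
        sso.create_account_assignment(
            InstanceArn=instance_arn, TargetId=acct_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arns[ps_name], PrincipalType="GROUP", PrincipalId=group_id)


if __name__ == "__main__":
    assignments = plan_assignments(ACCOUNTS)
    issues = check_plan(assignments)
    if issues:
        raise SystemExit("refusing to apply: " + "; ".join(issues))
    for name, acct_id, ps in assignments:
        print(f"{GROUP_NAME} -> {name} ({acct_id}): {ps}")
    # apply(assignments)  # uncomment to create the resources for real
```

Running the script prints the four planned assignments and refuses to apply if the plan would give a production account anything other than the read-only set or would touch MasterAcct at all; the CreateAccountAssignment call is asynchronous, so in a real run you would poll DescribeAccountAssignmentCreationStatus (not shown) before telling Martha and Richard their accounts are ready.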

Summary

AWS provides a directory that you can use to manage users and groups within AWS SSO and, at the same time, grant those users permissions to resources in multiple AWS accounts and business applications.

You have seen how to manage users and groups within AWS SSO, how to grant them permissions to multiple AWS accounts, and how your users sign in to the user portal to access their assigned AWS accounts.