
AWS SSO puts Amazon at the center of IT access

AWS' Single Sign-On service intends to simplify control over employee access to AWS accounts and outside apps -- and also put AWS at the center of it all.

AWS' latest service is another step in the company's goal to be the hub for corporations' IT activity.

AWS Single Sign-On (AWS SSO), added with little fanfare after AWS re:Invent 2017, is a welcome addition for many users. The service centralizes the management of multiple AWS accounts, as well as additional third-party applications tethered to those accounts.

AWS SSO uses AWS Organizations and can be extended with a configuration wizard to Security Assertion Markup Language (SAML) applications. It also comes with built-in integrations with popular services such as Box, Office 365, Salesforce and Slack.

Users of the service access AWS and outside applications through a single portal, under individually assigned access policies. Sign-in activity and administrative changes are recorded by AWS CloudTrail, so companies can audit employee use of those services themselves or send the logs to an outside service such as Splunk or Sumo Logic for analysis.
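The auditing the article describes boils down to reading CloudTrail records and picking out the sign-in and administrative events that belong to the SSO service. The following is an added example (not code from the article, AWS or any vendor named above) of that analysis over a constructed CloudTrail export. The eventSource value "sso.amazonaws.com", the event names, user names and IP addresses are all assumptions made for illustration, as is the prefix heuristic used to classify administrative changes; a real deployment would check them against the events its own trail actually produces.

```python
import json
from collections import Counter

# Constructed CloudTrail export in the standard {"Records": [...]} envelope.
# Event names, users and addresses are made up for this example; the
# eventSource value is an assumption about how SSO events are labelled.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2018-01-10T14:02:11Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2018-01-10T14:05:40Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"eventTime": "2018-01-10T14:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2018-01-10T15:11:59Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreatePermissionSet", "userIdentity": {"userName": "carol"},
     "sourceIPAddress": "192.0.2.44"},
    {"eventTime": "2018-01-10T16:30:05Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "userIdentity": {"userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2018-01-10T17:01:18Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "userIdentity": {"userName": "bob"},
     "sourceIPAddress": "198.51.100.7"},
]})

# Assumed eventSource for the SSO service; verify against your own trail.
SSO_SOURCE = "sso.amazonaws.com"

# Heuristic: event names with these prefixes are treated as administrative
# changes to the SSO configuration rather than end-user sign-ins.
ADMIN_PREFIXES = ("Create", "Delete", "Update", "Put", "Attach", "Detach")


def load_records(trail_json):
    """Parse a CloudTrail export and return its list of event records."""
    return json.loads(trail_json)["Records"]


def sso_events(records, source=SSO_SOURCE):
    """Keep only the records emitted by the SSO service."""
    return [r for r in records if r.get("eventSource") == source]


def _user(record):
    return record.get("userIdentity", {}).get("userName", "unknown")


def signins_by_user(records):
    """Count successful sign-ins per user. CloudTrail omits errorCode on success."""
    counts = Counter()
    for r in sso_events(records):
        if r.get("eventName") == "Authenticate" and not r.get("errorCode"):
            counts[_user(r)] += 1
    return dict(counts)


def failed_signins(records):
    """Return (user, errorCode, sourceIP) for each failed sign-in attempt."""
    return [(_user(r), r["errorCode"], r.get("sourceIPAddress"))
            for r in sso_events(records)
            if r.get("eventName") == "Authenticate" and r.get("errorCode")]


def admin_changes(records):
    """Return (user, eventName) for administrative changes made through SSO."""
    return [(_user(r), r["eventName"]) for r in sso_events(records)
            if r.get("eventName", "").startswith(ADMIN_PREFIXES)]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("sign-ins:", signins_by_user(recs))
    print("failures:", failed_signins(recs))
    print("admin changes:", admin_changes(recs))
```

The same three functions work unchanged on a real trail once the eventSource and event names are confirmed; the unrelated S3 record in the sample shows why filtering on eventSource comes first, since a single organization trail mixes SSO activity with every other service's events.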

Permissions to various Amazon cloud services and outside apps can be configured in AWS SSO for common IT job categories or by creating custom groupings. The service also connects to on-premises Microsoft Active Directory to identify credentials and manage which employees or groups of employees can access which AWS accounts.

The service has limitations. It is currently confined to the U.S. East region in Virginia, and it cannot be accessed through the AWS Command Line Interface or via an API. In addition, changes to permissions can only be made from the master account.

AWS has a reputation for going after segments of IT that it sees as vulnerable, and this could be a direct shot at some of the prominent SSO providers on the market. Okta in particular is popular among the enterprise market, so this free alternative from AWS could be attractive, said Adam Book, principal cloud engineer at Relus Technologies, an AWS consulting partner in Peachtree Corners, Ga.


"You can manage all your apps in one place and not pay for a third party," he said. "Amazon then becomes your one trusted source for everything."

AWS solved some of the complexity around managing accounts when it enabled administrators to establish roles for users, but this simplifies things further with a single point to track work across development, QA and production accounts, Book said. It also helps to manage onboarding and removal of employees' credentials based on their employment status.

"For large organizations single sign-on is important," he said. "I don't think it's as much for the Amazon accounts, but once you get into third-party apps your users don't want to remember 50 different passwords."


Others see AWS SSO as not just a way to unseat Okta, but to go after Active Directory as well. SSO can be used with or without the Microsoft directory service, which isn't ideal for cloud environments despite an updated version in Microsoft Azure, said Joe Emison, founder and CTO of BuildFax, an AWS customer in Austin, Texas.

"Active Directory, at its core, is really based around the idea that everyone is going to be connected to a local network to start up their computer and connect to a master server and get rules and policies from there," he said. "That's nice if everyone goes into the office, but this is not the world we live in."

Compared to AWS Identity and Access Management (IAM), Active Directory lacks fine-grained access control to assign permissions and can be difficult to integrate with SAML-based applications, Emison said. By incorporating IAM tools within SSO and extending that level of control to outside applications, AWS could eventually supplant Active Directory as organizations' preferred means to manage employee access.

Trevor Jones is a senior news writer with SearchCloudComputing and SearchAWS. Contact him at [email protected].
