IT teams often find it cumbersome to manage user accounts, even if they follow best practices. And organizations that run workloads in AWS are no exception.
After a migration to the AWS cloud, IT teams build a multi-account architecture for resource and security isolation, easier cost control and stronger disaster recovery. Then, they design a vast Virtual Private Cloud peering network for various environments, choose the services and resource types that best suit their needs and follow recommendations for maximum security.
Even if all that goes smoothly, AWS account management can eventually create huge overhead, especially as a company grows and adds more users that need access to a range of AWS accounts and resources. IT shops can pick from a number of third-party tools to address this issue, or they can get one directly from AWS.
AWS Single Sign-On
AWS Single Sign-On (AWS SSO) simplifies user management across multiple AWS accounts and eliminates the need for users to track multiple login credentials. IT teams can use the service to centralize user access to multiple accounts, business applications such as Office 365, and even custom applications that support Security Assertion Markup Language 2.0 (SAML 2.0).
With the AWS SSO portal, users can log in and access different AWS accounts for which they have permissions. The use of a single set of corporate credentials can be helpful for developers and project managers who previously relied on a single, repeated password for multiple accounts. AWS SSO can also assist operations engineers who often have to switch between accounts to deploy new infrastructure or troubleshoot various issues.
AWS SSO integrates with Microsoft Active Directory (AD), so companies can pair the two services and rely on existing structures to assign permissions to users and groups. AWS SSO also natively integrates with AWS Organizations, displays existing organizational units and enables administrators to assign permissions for them. Because access is assigned along those organizational units, logically grouped AWS accounts and resources pay off here, so keep that in mind when designing and setting up the account structure.
Set up AWS SSO
AWS SSO is fairly simple to implement for better AWS account management. Administrators can use AD Connector to redirect requests to on-premises AD or configure an AD trust with their on-premises account. Companies that don't have AD on premises can instead use AWS Microsoft AD. Choose a user -- or entire group -- within AD to grant users access to AWS accounts; create a permission set -- the equivalent of an Identity and Access Management role; and add the desired preset or custom privileges.
Users will see all their accessible AWS accounts in the AWS SSO portal. If they belong to multiple groups -- and, as a consequence, have overlapping privileges for a single AWS account -- they can choose which account(s) to use for a specific session. The portal will also show users all the third-party applications they can access, such as Office 365, Slack or Dropbox.
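As an added example (not code from the article or from AWS), the Python script below models what the portal will show: given account assignments in the shape of the sso-admin ListAccountAssignments response and group memberships from the identity store (both constructed sample data here, with placeholder account IDs, group IDs and permission-set ARNs), it computes each user's effective access per account, flags the overlap case described above, and lists assignments made directly to users so they can be reviewed alongside the group-based ones.

```python
"""Effective-access report for AWS SSO account assignments (added example)."""
from collections import defaultdict

# Constructed sample data. Shapes follow the sso-admin ListAccountAssignments
# output and identity-store group memberships; all IDs are placeholders.
PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/"
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS + "ps-admin",
     "PrincipalType": "GROUP", "PrincipalId": "g-cloud-admins"},
    {"AccountId": "222222222222", "PermissionSetArn": PS + "ps-ops",
     "PrincipalType": "GROUP", "PrincipalId": "g-ops-engineers"},
    {"AccountId": "222222222222", "PermissionSetArn": PS + "ps-readonly",
     "PrincipalType": "GROUP", "PrincipalId": "g-developers"},
    {"AccountId": "333333333333", "PermissionSetArn": PS + "ps-readonly",
     "PrincipalType": "USER", "PrincipalId": "u-dana"},
]
GROUP_MEMBERS = {
    "g-cloud-admins": {"u-alice"},
    "g-ops-engineers": {"u-bob", "u-carol"},
    "g-developers": {"u-carol", "u-dana"},
}


def effective_access(assignments, group_members):
    """Return {user: {account: {(permission_set, granted_via)}}}, i.e. the
    set of roles each user can pick from for each account in the portal."""
    access = defaultdict(lambda: defaultdict(set))
    for a in assignments:
        ps_name = a["PermissionSetArn"].rsplit("/", 1)[-1]
        if a["PrincipalType"] == "GROUP":
            for user in group_members.get(a["PrincipalId"], ()):
                access[user][a["AccountId"]].add((ps_name, a["PrincipalId"]))
        else:  # assignment made directly to a user
            access[a["PrincipalId"]][a["AccountId"]].add((ps_name, "direct"))
    return {u: dict(accts) for u, accts in access.items()}


def overlapping_accounts(access):
    """Users who reach one account through more than one path: they will see
    several roles for that account and must choose one per session."""
    return {(user, acct): sorted(paths)
            for user, accts in access.items()
            for acct, paths in accts.items() if len(paths) > 1}


def direct_user_assignments(assignments):
    """Assignments to individual users rather than AD groups; these sit outside
    group-based review, so an access audit should list them explicitly."""
    return sorted((a["PrincipalId"], a["AccountId"])
                  for a in assignments if a["PrincipalType"] == "USER")
```

Running the same functions over real `aws sso-admin list-account-assignments` and `aws identitystore list-group-memberships` output gives the audit view the portal does not offer in one place.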
AWS SSO alternatives
Single sign-on is not a new concept for AWS account management. There are more mature alternatives to AWS SSO, such as Okta, that already have established user bases. And Okta does have its benefits, including a prebuilt integration with thousands of applications and multiple cloud platforms, as well as the ability to work with on-premises systems.
For now, Okta may continue to be the single sign-on tool of choice for those that have a hybrid cloud. But Okta and services like it don't natively integrate with AWS, and they come with a financial cost, whereas AWS SSO is free. This means the native tool might be a better option for those not already invested in a third-party tool for AWS account management.