Posted On: May 12, 2022

AWS Single Sign-On (AWS SSO) now supports centralized administration and API access from an AWS Organizations delegated administrator account for all member accounts in your organization. This means you can designate an account in your organization that can be used to centrally administer all member accounts. With delegated administration, you can adhere to best practices by reducing the need to use your management account.

AWS SSO is where you create or connect your workforce identities in AWS once and manage access centrally across your AWS organization. After enabling AWS SSO in your management account, you designate a member account as the delegated administrator from the AWS SSO console, while signed in to the management account. Administrators can then sign in to the delegated member account to assign users and groups to applications and to your organization's member accounts. No additional setup is required within the organization's individual member accounts.
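The console flow above has an API equivalent: the delegated administrator for AWS SSO is registered through AWS Organizations, using the service principal sso.amazonaws.com. The script below is an added example, not code from the AWS announcement. It assumes credentials for the management account are in the current AWS CLI profile; the account ID in the usage comment is a constructed placeholder. Before calling the API it rejects malformed account IDs, refuses to delegate to the management account itself, and confirms that trusted access for AWS SSO is enabled; afterwards it verifies that the account appears in the delegated administrator list.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS announcement): register a member account as
# the AWS SSO delegated administrator through the Organizations API, then verify.
# Run with credentials for the organization's management account.
set -eu

SSO_SERVICE_PRINCIPAL="sso.amazonaws.com"

# An AWS account ID is exactly 12 decimal digits; reject anything else before
# it reaches the API.
is_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# The management account cannot be its own delegated administrator, and the
# point of the feature is to stop using it, so refuse that case explicitly.
check_not_management_account() {
  member="$1"
  management="$2"
  [ "$member" != "$management" ]
}

# Trusted access for AWS SSO is enabled automatically when AWS SSO is turned on
# in the management account; RegisterDelegatedAdministrator fails without it.
sso_trusted_access_enabled() {
  aws organizations list-aws-service-access-for-organization \
    --query "EnabledServicePrincipals[?ServicePrincipal=='${SSO_SERVICE_PRINCIPAL}'].ServicePrincipal" \
    --output text | grep -q "$SSO_SERVICE_PRINCIPAL"
}

register_sso_delegated_admin() {
  member="$1"
  is_account_id "$member" || { echo "invalid account id: $member" >&2; return 1; }

  management=$(aws organizations describe-organization \
    --query 'Organization.MasterAccountId' --output text)
  check_not_management_account "$member" "$management" \
    || { echo "refusing to delegate to the management account $management" >&2; return 1; }

  sso_trusted_access_enabled \
    || { echo "AWS SSO trusted access is not enabled; enable AWS SSO in the management account first" >&2; return 1; }

  aws organizations register-delegated-administrator \
    --account-id "$member" --service-principal "$SSO_SERVICE_PRINCIPAL"

  # Verify: the member account must now be listed as a delegated administrator
  # for the AWS SSO service principal.
  aws organizations list-delegated-administrators \
    --service-principal "$SSO_SERVICE_PRINCIPAL" \
    --query 'DelegatedAdministrators[].Id' --output text | grep -qw "$member"
}

# Usage (constructed placeholder account ID):
# register_sso_delegated_admin 111122223333
```

One limitation to plan for: the delegated administrator cannot manage assignments to the management account itself, so access to that account is still granted from the management account. Keep that single remaining task tightly controlled rather than treating the management account as a day-to-day administration console.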

Delegated administration removes the requirement to sign in to your management account to assign access to member accounts. By using this feature, you can follow the AWS security best practice of delegating responsibilities outside of your management account wherever possible, limiting use of that account to the few tasks that still require it. To get started, see the following list of resources: