How to enable secure seamless single sign-on to Amazon EC2 Windows instances with AWS IAM Identity Center
September 23, 2022: This blog post has been updated with correction on sample custom permissions policy download URL.
September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.
Today, we’re launching new functionality that simplifies the experience to securely access your AWS compute instances running Microsoft Windows. We took on this update to respond to customer feedback around creating a more streamlined experience for administrators and users to more securely access their EC2 Windows instances. The new experience utilizes your existing identity solutions to run and manage your Microsoft Windows workloads on AWS. You can create and administer users in AWS IAM Identity Center or an AWS IAM Identity Center supported identity provider (such as Okta, Ping, and OneLogin), and provide a one-click IAM Identity Center to your EC2 Windows instances from the AWS Fleet Manager console. You can also use your existing corporate usernames, passwords, and multi-factor authentication devices to securely access your EC2 windows instances, without having to enter your credentials multiple times.
Using AWS IAM Identity Center eliminates the use of shared administrator credentials and the need to configure remote access client software. You can centrally grant and revoke access to your EC2 Windows instances at scale across multiple AWS accounts. For example, if you remove an employee from your AWS IAM Identity Center integrated identity system, their access to all AWS resources (including EC2 Windows instances) is automatically revoked. Individual user actions can now be viewed in the Amazon EC2 Windows instances event log, making it easier to meet audit and compliance requirements.
AWS IAM Identity Center background
AWS IAM Identity Center simplifies managing IAM Identity Center access to AWS accounts and business applications, and it is the central location where you can create or connect your workforce identities in AWS. You can control IAM Identity Center access and user permissions across all your AWS accounts in AWS Organizations. You can choose to manage access to your AWS accounts, to cloud applications, or both.
When managing access to AWS accounts, AWS IAM Identity Center enables you to define and assign roles centrally across your AWS Organizations account using permission sets. Permission sets are role definitions (templates) that AWS IAM Identity Center uses to create and maintain roles in your AWS Organizations accounts. The permission set defines the session duration and policies for the role. When you assign a permission set to a user or group in a selected AWS account, AWS IAM Identity Center creates a corresponding role in the target account, and AWS IAM Identity Center controls access to the role through the AWS IAM Identity Center user portal.
This post uses a permission set that manages access to AWS Fleet Manager to deliver one-click access into EC2 instances.
You will accomplish this in three steps:
- Create an AWS IAM Identity Center permission set (for example, demoFMPermissionSet)
- Assign the permission set to an existing AWS IAM Identity Center group (for example, demoFMGroup)
- Login to the AWS IAM Identity Center User Portal and connect to your EC2 Windows instance via the AWS Fleet Manager console
The prerequisites for this example are that you have:
- Configured AWS IAM Identity Center in your account with provisioned users and groups
- An EC2 Windows instance managed by AWS Systems Manager Fleet Manager
The following diagram shows the steps you will follow to configure and use an AWS IAM Identity Center user identity to login to an EC2 Windows instance.
How it works
The AWS IAM Identity Center permission set creates a role in a target account that gives an authorized user permissions to use AWS Fleet Manager to sign into EC2 Windows instances. When a user chooses the role in the account, the user signs onto the AWS Fleet Manager console and selects the EC2 instance where they want to sign in.
AWS Fleet Manager creates a local Windows user account and a credential for that user, and then automates their sign-in to the instance.
To create an AWS IAM Identity Center permission set
This procedure creates a permission set that grants assigned users and groups permissions to use AWS Fleet Manager for IAM Identity Center to EC2 instances.
- From the AWS IAM Identity Center console, go to AWS Accounts, select the Permission sets tab, select Create permission set and choose Create a custom permission set.
- Name your permission set, and fill out the required fields, making sure to select Create a custom permissions policy at the bottom of the page. See Sample custom permissions policy below for details on the policy.
- After creating the custom permissions policy, you can also apply optional tagging. When you are done, review and choose Create to complete creating your custom permission set, as shown in Figure 2.
Sample custom permissions policy
This is the sample policy you’ll use; you can download it here.
This permission policy contains a separate statement ID (Sid) for each service, with the required actions for each.
On line 84, notice the reference to an AWSSSO-CreateSSOUser document resource. This document is responsible for creating a local Windows account based on the AWS IAM Identity Center logged in user, as well as setting/resetting the user’s password for automatic log in to the Windows instance.
On lines 96-98, you will see a new ssm-guiconnect action. This is used to make the secure connection to your EC2 Windows instance, and render the GUI desktop in the Fleet Manager console.
To assign your AWS IAM Identity Center group
Assign your AWS IAM Identity Center group to the AWS Fleet Manager permission set in your selected accounts
In this procedure, we will select two AWS accounts in our AWS organization, and grant our AWS IAM Identity Center group access to the previously-created permission set that enables sign-in via Fleet manager.
- From the AWS IAM Identity Center console, navigate to AWS accounts and select an account (for example, demoAccount1 and demoAccount2), as shown in Figure 3.
- Choose the Assign users button. If you wish, you may also assign access to multiple groups or to users individually.
- To enable multiple AWS IAM Identity Center users to access this feature, choose an AWS IAM Identity Center group from the Groups tab and then choose the Next button, as shown in Figure 4
- Select the permission set you created previously and choose the Next button.
- Review your choices, and press Submit to submit your assignments, as shown in Figure 6.
AWS IAM Identity Center will now use the permission set definition to create a role in each selected account, which grants users access to sign in via Fleet Manager. Users gain access to that role by signing into the AWS IAM Identity Center user portal.
To access Fleet Managed EC2 instances
- From the console, navigate to your AWS IAM Identity Center user portal URL and login as any AWS IAM Identity Center user who is a member of the group (e.g., demoFMGroup) you selected in step 3 above.
- From the AWS IAM Identity Center user portal page, choose Management console and navigate to the Fleet Manager console where you have your EC2 Windows managed instance, as shown in Figure 7
- Select a managed Windows instance and select Instance actions and then Connect with Remote Desktop as shown in Figure 8.
- Select IAM Identity Center and then select Connect, as shown in Figure 9.
- From the single session tab, we can see that AWS Fleet Manager created a local Windows Server user for the AWS IAM Identity Center user (demoUser1).
This automatically logs you in using your AWS IAM Identity Center credential. If this is the first time connecting to the instance, a new local user will be created.
Once connected, you will see your EC2 Windows instance in the All sessions tab, enabling you to have up to four concurrent sessions in a single view, as shown in Figure 10. For a single session view, select the Instance ID tab.
After creating the local user, AWS Fleet Manager used the credentials it created to sign into the EC2 Windows server as IAM Identity Center-demoUser1 from the Windows Event Viewer, giving you individual user logging on your EC2 Windows servers. These logs are also available from within the Fleet Manager console.
This post described how to provide a single sign-in experience to Windows EC2 instances using AWS Fleet Manager with AWS IAM Identity Center. Doing this allows you to create users in AWS IAM Identity Center, or to connect any supported identity provider to AWS IAM Identity Center, and to give users one-click access to their EC2 instances through AWS Fleet Manager.
This is done by creating an AWS IAM Identity Center permission set that grants users access to AWS Fleet Manager, then assigning a group from AWS IAM Identity Center to the permission set in the selected AWS accounts. Users can sign into the AWS IAM Identity Center user portal, navigate to the AWS Fleet Manager, select their Windows EC2 instance, and land in the Windows user experience without having to enter Windows credentials separately.
If you have feedback about this blog post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS IAM Identity Center forum.
Want more AWS Security news? Follow us on Twitter.