AWS Security Blog

Tag: SAML

Authenticate AWS Client VPN users with AWS Single Sign-On

AWS Client VPN is a managed client-based VPN service that enables users to use an OpenVPN-based client to securely access their resources in Amazon Web Services (AWS) and in their on-premises network from any location. In this blog post, we show you how you can integrate Client VPN with your existing AWS Single Sign-On via […]

Read More

Configure SAML single sign-on for Kibana with AD FS on Amazon Elasticsearch Service

September 9, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details. It’s a common use case for customers to integrate identity providers (IdPs) with Amazon Elasticsearch Service (Amazon ES) to achieve single sign-on (SSO) with Kibana. This integration makes it possible for users to leverage their existing identity credentials and offers […]

Read More

Build an end-to-end attribute-based access control strategy with AWS SSO and Okta

This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and also describes how to use ABAC with AWS Single Sign-On (AWS SSO) when you’re using Okta as an identity provider (IdP). Over the past two years, Amazon Web Services (AWS) has invested heavily in making ABAC available across the majority […]

Read More

Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM

June 5, 2021: We’ve updated Figure 1: User request flow. Authorizing functionality of an application based on group membership is a best practice. If you’re building APIs with Amazon API Gateway and you need fine-grained access control for your users, you can use Amazon Cognito. Amazon Cognito allows you to use groups to create a […]

Read More

How to delegate management of identity in AWS Single Sign-On

November 4, 2021: We fixed an error in the policy in the section “Use case 1: Accounts-based delegation model.” In this blog post, I show how you can use AWS Single Sign-On (AWS SSO) to delegate administration of user identities. Delegation is the process of providing your teams permissions to manage accounts and identities associated […]

Read More

How to use G Suite as an external identity provider for AWS SSO

May 4, 2021: AWS Single Sign-On (SSO) currently does not support G Suite as an identity provider for automatic provisioning of users and groups, or the open source ssosync project, available on Github. January 11, 2021: This post has been updated to reflect changes to the G Suite user interface. August 3, 2020: This post […]

Read More

How to create SAML providers with AWS CloudFormation

June 24, 2020: We updated the first 3 paragraphs of this post to provide, and link to, more information. As organizations grow, they often experience an inflection point where it becomes impractical to manually manage separate user accounts in disparate systems. Managing multiple AWS accounts is no exception. Many large organizations have dozens or even […]

Read More

Rely on employee attributes from your corporate directory to create fine-grained permissions in AWS

In my earlier post Simplify granting access to your AWS resources by using tags on AWS IAM users and roles, I explained how to implement attribute-based access control (ABAC) in AWS to simplify permissions management at scale. In that scenario, I talked about relying on attributes on your IAM users and roles for access control […]

Read More

Use attribute-based access control with AD FS to simplify IAM permissions management

June 19, 2020: The Prerequisites section of this post has been updated to include the prerequisite to enable Sts:tagSession to the role trust policy. AWS Identity and Access Management (IAM) allows customers to provide granular access control to resources in AWS. One approach to granting access to resources is to use attribute-based access control (ABAC) […]

Read More

How to automate SAML federation to multiple AWS accounts from Microsoft Azure Active Directory

December 2, 2019: Since the author wrote this post, AWS Single Sign On (AWS SSO) has launched native features that simplify using Azure Active Directory as an identity provider. Therefore, AWS SSO is now the recommended solution for enabling SAML federation using Azure AD. See this blog post for details. You can use federation to […]

Read More