AWS Security Blog

Tag: SAML

Figure 1: Batch AWS account creation and SSO assignment automation architecture and workflow

How to automate AWS account creation with SSO user assignment

Background AWS Control Tower offers a straightforward way to set up and govern an Amazon Web Services (AWS) multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-On (AWS SSO), to build a landing zone very quickly. AWS […]

Read More
Figure 1: Solution architecture diagram

Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager

In this blog post, I show you how to configure AWS Single Sign-On to define attribute-based access control (ABAC) permissions to manage Amazon Elastic Compute Cloud (Amazon EC2) instances and AWS Systems Manager Session Manager for federated users. This combination allows you to control access to specific Amazon EC2 instances based on users’ attributes. I show […]

Read More

Authenticate AWS Client VPN users with AWS Single Sign-On

AWS Client VPN is a managed client-based VPN service that enables users to use an OpenVPN-based client to securely access their resources in Amazon Web Services (AWS) and in their on-premises network from any location. In this blog post, we show you how you can integrate Client VPN with your existing AWS Single Sign-On via […]

Read More

Configure SAML single sign-on for Kibana with AD FS on Amazon Elasticsearch Service

September 9, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details. It’s a common use case for customers to integrate identity providers (IdPs) with Amazon Elasticsearch Service (Amazon ES) to achieve single sign-on (SSO) with Kibana. This integration makes it possible for users to leverage their existing identity credentials and offers […]

Read More

Build an end-to-end attribute-based access control strategy with AWS SSO and Okta

This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and also describes how to use ABAC with AWS Single Sign-On (AWS SSO) when you’re using Okta as an identity provider (IdP). Over the past two years, Amazon Web Services (AWS) has invested heavily in making ABAC available across the majority […]

Read More

Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM

June 5, 2021: We’ve updated Figure 1: User request flow. Authorizing functionality of an application based on group membership is a best practice. If you’re building APIs with Amazon API Gateway and you need fine-grained access control for your users, you can use Amazon Cognito. Amazon Cognito allows you to use groups to create a […]

Read More

How to delegate management of identity in AWS Single Sign-On

Note on May 13, 2022: AWS SSO supports two forms of delegation. One form is to delegate a member account where you can administer the service, which eliminates the requirement to sign in to the AWS Organizations management account for daily administrative work. See here: https://aws.amazon.com/about-aws/whats-new/2022/05/aws-sign-on-administer-delegated-member-account-in-organization/. The second form, which is covered in this blog, […]

Read More

How to use G Suite as an external identity provider for AWS SSO

May 4, 2021: AWS Single Sign-On (SSO) currently does not support G Suite as an identity provider for automatic provisioning of users and groups, or the open source ssosync project, available on Github. January 11, 2021: This post has been updated to reflect changes to the G Suite user interface. August 3, 2020: This post […]

Read More

How to create SAML providers with AWS CloudFormation

June 24, 2020: We updated the first 3 paragraphs of this post to provide, and link to, more information. As organizations grow, they often experience an inflection point where it becomes impractical to manually manage separate user accounts in disparate systems. Managing multiple AWS accounts is no exception. Many large organizations have dozens or even […]

Read More

Rely on employee attributes from your corporate directory to create fine-grained permissions in AWS

In my earlier post Simplify granting access to your AWS resources by using tags on AWS IAM users and roles, I explained how to implement attribute-based access control (ABAC) in AWS to simplify permissions management at scale. In that scenario, I talked about relying on attributes on your IAM users and roles for access control […]

Read More