AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications.
AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. With just a few clicks, you can enable a highly available SSO service without the upfront investment and on-going maintenance costs of operating your own SSO infrastructure. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. Your users simply sign in to a user portal with credentials they configure in AWS SSO or using their existing corporate credentials to access all their assigned accounts and applications from one place.
Centrally manage access to AWS accounts
AWS SSO enables you to centrally manage SSO access and user permissions for all of your AWS accounts managed through AWS Organizations. No additional setup is required in the individual accounts. AWS SSO configures and maintains all the necessary permissions in your accounts automatically. You can assign users permissions based on common job functions and customize these permissions to meet your specific security requirements. For example, you can give your security team administrative-level access to your AWS accounts running your security tools, but only grant them auditor-level access to your other AWS accounts for monitoring purposes.
Create users in AWS SSO or connect to existing directory
AWS SSO makes it easy for you to create and manage your users within AWS SSO. You can organize users into groups and manage SSO access centrally to multiple AWS accounts as well as many business applications. Your users sign in to a user portal with credentials they configure with AWS SSO to access their assigned accounts and applications in a single place. AWS SSO also integrates with Microsoft Active Directory (AD) through AWS Directory Service, enabling users to sign in to the user portal using their AD credentials. With the AD integration, you can manage SSO access to your accounts and applications for users and groups in your corporate directory
Easy to use
With AWS SSO, you can enable a highly-available SSO service for your organization with just a few clicks. There is no additional infrastructure to deploy or maintain. All administrative and SSO activity is recorded in AWS CloudTrail, helping you meet your audit and compliance requirements. You can centrally view when users attempt to access accounts and applications, including from what IP address. You can also view when users are granted access to accounts and applications, when their assigned permissions to an AWS account are changed, and when their SSO access is removed. Using AWS SSO, you have the visibility to audit SSO activity in one place.
Access accounts and applications from one place
AWS SSO provides a user portal so users can find and sign in to all of their assigned AWS accounts and business applications in one place. The AWS SSO application configuration wizard helps you extend SSO access to any application that supports Security Assertion Markup Language (SAML) 2.0. AWS SSO also offers built-in SAML integrations to many business applications, including Salesforce, Box, and Office 365. AWS monitors these integrations for changes and updates the integration on your behalf automatically.
How it works
Image API uses AWS Single Sign-On (SSO) to manage its AWS single tenant environments and other critical applications from one dashboard. SSO was so intuitive that it took just a few weeks to implement from the time we learned about it at re:Invent. Without SSO, we would have different usernames and passwords for each VPC and all other applications. This capability not only positions us well to scale, it makes environment management simple – which is how we like to do business.
- Bill Joy, IT Director, Image API
Invenia is a cloud-based machine learning platform that uses big, high frequency data to solve complex energy intelligence problems in real-time. As a cloud-based business ourselves, we rely extensively on AWS and a number of SaaS-based applications, but didn't like the security and compliance risks associated with managing end-user credentials to so many independent systems. Deploying AWS SSO allowed us to provide access to those same applications, but using our existing corporate credentials instead, and without any of the hassle of managing a traditional SSO solution - Brilliant!
- Sascha McDonald, Head of Architecture and Operations, Invenia
Syncron is a provider of cloud-based after-sales service solutions focused on empowering the world’s leading manufacturers to maximize product uptime and deliver exceptional customer experiences. As a cloud-based business, we're very mindful of the productivity disruptions and security challenges that can arise when users are overloaded with unique credentials. With AWS SSO, we can quickly and easily connect users into AWS using their normal enterprise credentials – allowing us to focus on continuing to deliver exceptional services to our customers instead of managing the lifecycle of users’ credentials in our AWS multi-account structure.
- Richard Barkestam, CTO, Syncron
Built-in support for AWS accounts and business applications
AWS SSO helps manage access to your business applications. For a full list of business applications pre-integrated with AWS SSO, see AWS SSO Cloud Applications.