A Guide to Set Up Single Sign-On (SSO) between Two AWS Accounts

Overview

In the contemporary era of cloud computing, managing various applications, services, and resources across multiple AWS accounts can become a complex and challenging task.

With the rapid growth of cloud services and the increasing emphasis on security, there is a growing need for a streamlined and secure authentication process. Single Sign-On (SSO) offers a robust solution, enabling users to access multiple applications and services with a single login credentials.

Amazon Web Services (AWS) provides a powerful SSO solution, allowing businesses to simplify access management and enhance security across different AWS accounts. In this comprehensive guide, we will delve into setting up AWS SSO for an external application, ensuring secure and seamless access between two AWS accounts.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

Objective

Setting up a Single Sign-On (SSO) between two AWS accounts, with one serving as the Identity Provider (IdP) and the other as the Service Provider (SP), involves several steps. This guide will walk you through establishing SSO between the two accounts, assuming the AWS account IDs are confidential. Follow these steps carefully to set up the SSO:

Prerequisites:

Access to the AWS IAM Identity Centre console in the source AWS account (IdP) with permissions to manage applications.
Access to the destination AWS account (SP) with admin permissions for AWS IAM.

Step-by-Step Guide

Step 1: Create an Application in the AWS IAM Identity Center (Source AWS Account )

step1

Create a new application for SSO in a pre-integrated application. Select External AWS Account & provide it with a unique display name.

step1b

step1c

Download and save the AWS IAM Identity Center SAML metadata for this application. This metadata will be used in the next steps.

step1d

Step 2: Configure the SAML Identity Provider (Destination AWS Account)

Log in to the AWS Management Console for the destination AWS account.
Navigate to the AWS IAM console.
Click on Identity Provider.

step2

Create a SAML identity provider and upload the AWS IAM Identity Center SAML metadata file you downloaded in Step 1.

step2b

Step 3: Create an AWS IAM Policy (Destination AWS Account)

In the destination AWS account (SP), create an AWS IAM policy defining the SSO role’s permissions. This policy will specify the SSO role’s permissions in the SP account.

step3

Step 4: Create an AWS IAM Role for SAML Federation (Destination AWS Account)

In the AWS IAM console of the destination AWS account, create an AWS IAM role that trusts the SAML identity provider you created in Step 2.

step4

Attach the AWS IAM policy you created in step 3 to this role. You can also attach multiple policies if needed.

step4b

Step 5: Attribute Mappings (Source AWS Account)

In the AWS IAM Identity Center console in the source AWS account, configure attribute mappings for the SSO role:

Create a new attribute mapping.
Add the following attributes for the Role:

step5

step5b

Step 6: Assign a User (Source AWS Account)

Assign a user from the source AWS account (IdP) to the AWS IAM Identity Center application you created. This user can access the destination AWS account (SP) using SSO.

step6

Advantages of AWS SSO for External Applications

Enhanced Security: By implementing AWS SSO for external applications, businesses can fortify their security measures, mitigating the risks associated with unauthorized access and data breaches. The centralized authentication and authorization framework bolsters security protocols and enables administrators to enforce stringent access controls.
Simplified Access Management: AWS SSO streamlines access management across multiple AWS accounts, reducing the administrative overhead associated with user provisioning and access control. Administrators can efficiently manage user access and permissions with a unified authentication mechanism, ensuring a seamless and user-friendly experience.
Efficient User Experience: The integration of AWS SSO for external applications enhances the user experience by providing a seamless and hassle-free authentication process. Users can conveniently access various applications and services across multiple AWS accounts using a single set of credentials, eliminating the need for repetitive logins and authentication procedures.
Centralized Control and Monitoring: AWS SSO enables centralized control and monitoring of user activities, providing administrators with comprehensive insights into user access patterns and behavior. This centralized approach facilitates effective auditing, monitoring, and enforcement of compliance policies, ensuring adherence to regulatory requirements and industry standards.
Cost Optimization: With AWS SSO, businesses can optimize access management and user provisioning costs. The streamlined authentication process reduces operational complexities and minimizes the resources required for managing user access, leading to cost savings and improved operational efficiency.

Conclusion

This guide provides a comprehensive and step-by-step approach to setting up Single Sign-On (SSO) between two AWS accounts while safeguarding the confidentiality of the AWS account IDs. Following the procedures outlined in this document, you have successfully established a more secure and streamlined authentication process, allowing seamless access between the two AWS accounts. This implementation enhances the overall security posture, simplifies user management, and ensures a more efficient and user-friendly experience. As you continue to explore and leverage the benefits of SSO between your AWS accounts, please remember to adhere to best practices for access control and regularly review and update your SSO configuration to meet evolving security requirements and user needs. Your commitment to maintaining the confidentiality and integrity of your AWS accounts is pivotal in ensuring the ongoing success of this SSO integration.

Drop a query if you have any questions regarding AWS SSO and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. What is the purpose of Single Sign-On (SSO) in AWS, and how does it benefit businesses?

ANS: – Single Sign-On (SSO) in AWS enables users to access multiple applications and services using a single login credentials. It streamlines access management, enhances security, and simplifies authentication across various AWS accounts. By centralizing user authentication and authorization, AWS SSO improves operational efficiency, reduces administrative overhead, and fortifies security measures, mitigating the risks associated with unauthorized access and data breaches.

2. How can AWS SSO help businesses optimize operational costs and access management resources?

ANS: – AWS SSO optimizes operational costs and access management resources by simplifying the authentication process and reducing the administrative complexities associated with user provisioning and access control. AWS SSO minimizes the resources required for managing user access through a unified authentication mechanism, leading to cost savings and improved operational efficiency. By streamlining access management, businesses can allocate resources more effectively and focus on core operations and strategic initiatives.

3. What security measures should businesses consider when setting up SSO between AWS accounts?

ANS: – When setting up SSO between AWS accounts, businesses should prioritize security measures such as implementing robust access controls, regularly reviewing and updating SSO configurations, and adhering to best practices for access management. It is crucial to enforce stringent security protocols, monitor user activities, and ensure compliance with regulatory requirements and industry standards. By maintaining the confidentiality and integrity of AWS accounts, businesses can establish a more secure authentication process and safeguard sensitive data from potential threats or unauthorized access.

WRITTEN BY Samarth Kulkarni

Samarth is a Senior Research Associate and AWS-certified professional with hands-on expertise in over 25 successful cloud migration, infrastructure optimization, and automation projects. With a strong track record in architecting secure, scalable, and cost-efficient solutions, he has delivered complex engagements across AWS, Azure, and GCP for clients in diverse industries. Recognized multiple times by clients and peers for his exceptional commitment, technical expertise, and proactive problem-solving, Samarth leverages tools such as Terraform, Ansible, and Python automation to design and implement robust cloud architectures that align with both business and technical objectives.