AWS Single Sign-On

Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications.

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. It enables users to sign in to a user portal with their existing corporate credentials and access all of their assigned accounts and applications from one place. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. With just a few clicks, you can enable a highly available SSO service without the upfront investment and on-going maintenance costs of operating your own SSO infrastructure.

Benefits

Centrally manage access to AWS accounts.

AWS SSO enables you to centrally manage SSO access and user permissions for all of your AWS accounts managed through AWS Organizations. No additional setup is required in the individual accounts. AWS SSO configures and maintains all the necessary permissions in your accounts automatically. You can assign users permissions based on common job functions and customize these permissions to meet your specific security requirements. For example, you can give your security team administrative-level access to your AWS accounts running your security tools, but only grant them auditor-level access to your other AWS accounts for monitoring purposes.

Integrate with your existing corporate directory.

AWS SSO integrates with Microsoft Active Directory (AD) through AWS Directory Service, enabling users to sign in to the user portal using their AD credentials. With the AD integration, you can manage SSO access to your accounts and applications for users and groups in your corporate directory. For instance, you can grant the DevOps AD group access to your production AWS accounts. When you add users to this group, they are granted access to your production AWS accounts automatically. This makes it easy to on-board new users and give existing users SSO access to new accounts and applications quickly.

Easy to use.

With AWS SSO, you can enable a highly-available SSO service for your organization with just a few clicks. There is no additional infrastructure to deploy or maintain. All administrative and SSO activity is recorded in AWS CloudTrail, helping you meet your audit and compliance requirements. You can centrally view when users attempt to access accounts and applications, including from what IP address. You can also view when users are granted access to accounts and applications, when their assigned permissions to an AWS account are changed, and when their SSO access is removed. Using AWS SSO, you have the visibility to audit SSO activity in one place.

Access accounts and applications from one place.

AWS SSO provides a user portal so users can find and sign in to all of their assigned AWS accounts and business applications in one place. The AWS SSO application configuration wizard helps you extend SSO access to any application that supports Security Assertion Markup Language (SAML) 2.0. AWS SSO also offers built-in SAML integrations to many business applications, including Salesforce, Box, and Office 365. AWS monitors these integrations for changes and updates the integration on your behalf automatically.