Security, Identity & Compliance | AWS Single Sign-On Flashcards
What is AWS Single Sign-On (AWS SSO)?
General
AWS Single Sign-On | Security, Identity & Compliance
AWS SSO is an AWS service that enables you to use your existing credentials from your Microsoft Active Directory to access your cloud-based applications, such as AWS accounts and business applications (Office 365, Salesforce, Box), by using single sign-on (SSO).
What are the benefits of AWS SSO?
General
You can use AWS SSO to quickly and easily assign and manage your employees’ access to multiple AWS accounts, SAML-enabled cloud applications (such as Salesforce, Office 365, and Box), and custom-built in-house applications, all from a central place. Employees can be more productive by signing in with their existing corporate Active Directory user names and passwords to access their applications from their personalized user portal. Now, employees won’t need to remember multiple sets of credentials and access URLs to cloud applications, and new employees can be productive starting on day one. After you’ve added users to the appropriate Active Directory group, they will automatically gain access to accounts and applications that are enabled for members of that group. You’ll get better visibility into cloud application use because you can monitor and audit sign-in activity centrally from AWS CloudTrail.
What problems does AWS SSO solve?
General
AWS SSO eliminates the administrative complexity of custom SSO solutions you use to provision and manage identities across AWS accounts and business applications. As you use multiple AWS accounts and add accounts regularly, setting up SSO with Active Directory Federation Services (AD FS) to access these accounts requires learning the custom AD FS claims programming language. You also need to prepare the AWS accounts with necessary permissions to access these accounts. AWS SSO is available at no additional cost, and it reduces the complexity of repetitive setup and disparate management by tightly integrating with AWS. If you use separate passwords to access different AWS accounts or cloud applications, AWS SSO simplifies the user experience and improves security by eliminating individual passwords needed for each AWS account or cloud business application. AWS SSO also solves the problem of limited visibility of the access to your cloud applications by integrating with AWS CloudTrail and providing a central place for you to audit SSO access to AWS accounts and SAML-enabled cloud applications, such as Office 365, Salesforce, and Box.
Why should I use AWS SSO?
General
You should use AWS SSO to help your employees become productive quickly by granting them access to AWS accounts and business cloud applications, without writing custom scripts or investing in general-purpose SSO solutions. You should also use AWS SSO to reduce the administrative complexity and cost of setting up and managing SSO access.
The AWS SSO user portal is the single place where your employees can access your AWS accounts and the applications they need for their work, regardless of where those applications were built or are hosted.
What can I do with AWS SSO?
General
You can use AWS SSO to quickly and easily assign your employees access to AWS accounts managed with AWS Organizations, business cloud applications (such as Salesforce, Office 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. Employees can sign in with their existing corporate user names and passwords to access their business applications from a single user portal. AWS SSO also allows you to audit users’ access to cloud services by using AWS CloudTrail.
Who should use AWS SSO?
General
AWS SSO is for administrators who manage multiple AWS accounts and business applications, want to centralize user access management to these cloud services, and want to provide employees a single location to access these accounts and applications without them having to remember yet another password.
How do I start using AWS SSO?
General
As a new AWS SSO customer, you:
1. Sign in to the AWS Management Console of your organization's master account and navigate to the AWS SSO console.
2. Select the directory you use for storing the identities of your users and groups from the AWS SSO console by clicking through a list of Active Directory and AD Connector instances that AWS SSO discovers in your account automatically. If you have not set up a directory yet, see Getting Started.
3. Grant users SSO access to AWS accounts in your organization by selecting the AWS accounts from a list populated by AWS SSO, and then selecting users or groups from your directory and the permissions you want to grant them.
4. Give users access to business cloud applications by:
   - Selecting one of the applications from the list of preintegrated applications supported in AWS SSO.
   - Configuring the application by following the configuration instructions.
   - Selecting the users or groups that should be able to access this application.
5. Give your employees the AWS SSO sign-in web address that was generated when you connected the directory, so that they can sign in to AWS SSO with their Active Directory user name and password and access accounts and business applications.
How much does AWS SSO cost?
General
AWS SSO is offered at no extra charge.
In which AWS Regions is AWS SSO available?
Directories and Applications Support
See the AWS Region Table for AWS SSO availability by Region.
What directories can I use with AWS SSO?
Directories and Applications Support
You can connect AWS SSO to Microsoft Active Directory, running either on-premises or in the AWS Cloud. AWS SSO supports AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, and AD Connector. AWS SSO does not support Simple AD. See AWS Directory Service Getting Started to learn more.
Can I use my Amazon Cognito User Pools as the connected directory in AWS SSO?
Directories and Applications Support
Not at this time. Today, AWS SSO only supports Microsoft Active Directory as a user directory. Other directory types may be added over time based on customer feedback and demand.
Which cloud-based applications can I connect to using AWS SSO?
Directories and Applications Support
You can connect the following applications to AWS SSO:
AWS Management Console: You can set up SSO access to the AWS Management Console.
Third-party SaaS applications: AWS SSO comes preintegrated with commonly used business applications. For a comprehensive list, see the AWS SSO console.
Custom SAML applications: AWS SSO supports applications that allow identity federation using SAML 2.0. For applications that are not preintegrated with AWS SSO, you can set up SSO by using the AWS SSO custom application wizard.
I manage users and groups in Active Directory on premises. How do I connect my directory to AWS SSO?
You have two options for connecting an Active Directory hosted on premises to AWS SSO: (1) use an AWS Managed Microsoft AD trust relationship, or (2) use AD Connector.
AWS Managed Microsoft AD creates a fully managed Active Directory in the AWS Cloud and can be used to set up a forest trust relationship between your on-premises directory and AWS Managed Microsoft AD. To set up a trust relationship, see When to Create a Trust Relationship.
AD Connector is a directory gateway that can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. To connect an on-premises directory using AD Connector, see AD Connector.
I manage users and groups in AWS Identity and Access Management (IAM). Can I connect my directory to AWS SSO?
AWS SSO does not support AWS IAM users and groups at this time.
Can I connect more than one directory to AWS SSO?
SSO Access to AWS Accounts
No. At any given time, you can have only one directory connected to AWS SSO. However, you can change the connected directory to a different one.
Which AWS accounts can I connect to AWS SSO?
SSO Access to AWS Accounts
You can add any AWS account managed using AWS Organizations to AWS SSO. You need to enable all features in your organization to manage SSO access to your accounts.
How do I set up SSO to AWS accounts in an organizational unit (OU) within my organization?
SSO Access to AWS Accounts
You can pick accounts within the organization or filter accounts by OU.