by Vijay Sharma, Senior Product Manager, AWS Creating multiple AWS accounts helps manage AWS resources for different users, teams, and applications, but managing access for multiple AWS accounts can be difficult to scale. AWS Single Sign-On (SSO), a new cloud SSO service, makes it easy to sign in to multiple AWS accounts and business applications. You will learn how to use AWS SSO and AWS Directory Service to enable users to access their AWS accounts and business applications using their existing corporate credentials. You will also learn how to manage user permissions centrally to AWS resources when users access the AWS Management Console using AWS SSO.

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Pop-up Loft
How to Enable Single Sign On to Multiple AWS Accounts and
Business Applications Using Your Corporate Credentials
Vijay Sharma
Senior Product Manager, AWS Directory Service
Amazon Web Services

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• Challenges of managing access to cloud services
• Introducing AWS SSO
• Demonstration
• Q &A

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Customers wish to use their Corporate Directory to access
AWS services
Use it to control access to
AWS resources through existing corporate Active Directory
AWS account
Permissions
S3 buckets
Lambda
functions
EC2
instances
RDS database
instances
On-premises
Microsoft Active
Directory
On-premises users
and groups
On-premises
Active Directory
Corporate data center

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Organizations – Multi-Account Management
A6
Development Test Production
A8A1
A5
A4A3
A2
A9
A7
OU OU OU
Root

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Customers want to sign in to multiple AWS accounts using
single identity
Multiple AWS accounts
Single Sign on to multiple
AWS accounts
On-premises
Microsoft Active
Directory
On-premises users
and groups
On-premises
Active Directory
Corporate data center

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Similar to signing into multiple business applications using
corporate credentials
Single Sign on to multiple
AWS business applications
On-premises
Microsoft Active
Directory
On-premises users
and groups
On-premises
Active Directory
Corporate data center
Business cloud applications

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
You want to be able to access AWS resources and business
applications using single identity
Multiple AWS accounts
On-premises users
Business cloud applications
SSO access SSO access

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Challenges
• Managing access to multiple AWS accounts and business
applications is complex, expensive, and time-consuming.
Managing multiple
AWS accounts
requires effort
Numerous
credentials and no
centralized security
controls
Access to business
applications takes
time and effort,
and is expensive

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Challenges – Managing multiple AWS accounts
Managing multiple
AWS accounts
requires effort
• Maintain a list of AWS accounts
• General-purpose SSO solutions treat AWS accounts
as separate applications
• New account? Repeat the setup process
• Set up roles in each account - Keep the roles
updated
• Managing user access to accounts

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Challenges – Access to business applications
• Setting up SSO and troubleshooting each
application typically took days
• Requires you to understand the nuances of SAML
integration
• Expensive – pay per user per month
Access to business
applications takes
time and effort,
and is expensive

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Introducing AWS SSO
• Centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications.
Centrally manage
access to multiple
AWS accounts
Easy to enable and
use
Use your existing
corporate
identities
SSO access to
business
applications

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Centrally manage access to multiple AWS accounts
• Connects to AWS Organizations
and lists your AWS accounts
• Allows filtering accounts by OU
• Centralized management of
account permission sets
• Define, apply, and reapply
permission sets to all AWS
accounts
AWS accounts managed in
AWS Organizations
AWS consoles
OU = Development OU = Production
Manage
permissions to
AWS accounts
SSO access
Permissions
AWS SSO

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Central place to access business applications
• One place to access all applications:
• Business applications
• Easily search and find applications
• No need to distribute or remember
URLs or roles
• Single corporate credentials give access
to cloud services

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Connect your existing Active Directory
AWS accounts managed in
AWS Organizations
AWS consoles
OU = Development OU = Production
Manage
permissions to
AWS accounts
SSO access
Permissions
On-premises
Microsoft Active
Directory
On-premises users
and groups
On-premises
Active Directory
Corporate data center
AD Connector/
AD Trust
AWS SSO

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AD
AWS
SE/EE
AD
Managed AD
1
On-premises
Service account
AD
AD Connector
2
On-premises
1-way or 2-way trust
Managed AD with Trust
3
Corporate Active Directory connection options
Corporate Active Directory

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Supports SAML 2.0 for custom applications
Supports Security Assertion Markup Language 2.0
(SAML)
• Configure applications not in the preintegrated list
• Internal applications built by you
• Internal applications supplied by partners
SAML 2.0

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Centralized auditing
• Audit all SSO access in AWS CloudTrail
• Increased visibility into users’ SSO access to
AWS accounts and cloud applications

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Pricing and availability
• Included with your AWS accounts at no additional charge
• GA in the US East (N. Virginia) Region

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Questions?