ConfUsersWithOrganization

How to Configure users using Organization and IAM Identity Center

Creation Date: November 21, 2023
Created By: Yeison Giraldo

1. What you will accomplish

You will learn how to:

  • Sign in as the root user

  • Enable additional security for the root user

  • Set up additional AWS IAM Identity Center (successor to AWS SSO) users

  • Sign in to the AWS access portal

  • Set up MFA for the Identity Center user

2. Root User

When you create an AWS account, a root user is created automatically for your account. The root user is a special entity that has full access to the account and can perform all actions, including changing the payment methods or closing the account. When you sign in using the root user you have complete access to all AWS services and resources in the account. Because of this level of permissions, we recommend that you:

  • Enable additional security for the root user with multi-factor authentication

  • Set up additional users to perform daily tasks related to your account

3. Two Identity Services

  • AWS Identity and Access Management (IAM). This service provides access control policies and manages long-term users like the root user. If you create users in IAM, those users have long-term access credentials. As a security best practice, it is recommended that you minimize the use of long-term credentials in AWS. In this tutorial you will not create an IAM user.

  • AWS IAM Identity Center (successor to AWS Single Sign-On). This service provides temporary credentials that are granted each time a user signs in for a session. It can integrate with any existing identity providers you might already have, like Microsoft Active Directory or Okta, so that your users can use the same sign on for AWS as they use for other services in your organization. If you don't have another identity provider, you can create users in IAM Identity Center. This is the recommended way to create additional users for your AWS account and is the method we will walk through in this tutorial.
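The two recommendations above (MFA on the root user, and no long-term credentials for day-to-day work) can be checked mechanically. The following is an added example, not part of the original tutorial: it reads the SummaryMap that `aws iam get-account-summary` returns (the keys `AccountMFAEnabled` and `AccountAccessKeysPresent` are the real ones) and a per-user access-key listing in the shape `aws iam list-access-keys` reports. Both inputs below are constructed for illustration; the user name and key id are placeholders.

```python
"""Check an AWS account for the root-user controls this tutorial recommends.

Added example, not the tutorial's own code. Inputs are constructed; in
practice you would feed in the JSON from `aws iam get-account-summary`
and `aws iam list-access-keys --user-name <user>` for each IAM user.
"""
import json

# Constructed sample: an account whose root user has MFA enabled but still
# holds an access key, and which has one IAM user with an active key.
SAMPLE_ACCOUNT_SUMMARY = json.dumps({
    "SummaryMap": {
        "AccountMFAEnabled": 1,          # 1 = root user has an MFA device
        "AccountAccessKeysPresent": 1,   # 1 = root user has access keys
        "Users": 1,
    }
})

# Constructed sample, keyed by IAM user name (placeholder values).
SAMPLE_ACCESS_KEYS = {
    "deploy-bot": [
        {"AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active"},
        {"AccessKeyId": "AKIAEXAMPLEKEY000002", "Status": "Inactive"},
    ],
}


def root_user_findings(summary_json: str) -> list[str]:
    """Return findings for the root user from an account-summary document."""
    summary = json.loads(summary_json)["SummaryMap"]
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root user has no MFA device enabled")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root user has access keys (long-term credentials)")
    return findings


def long_term_credential_findings(keys_by_user: dict) -> list[str]:
    """Flag IAM users holding active access keys.

    Identity Center users receive temporary session credentials instead,
    which is why the tutorial recommends them for everyday access.
    """
    return [
        f"IAM user {user} has active access key {key['AccessKeyId']}"
        for user, keys in keys_by_user.items()
        for key in keys
        if key["Status"] == "Active"
    ]


if __name__ == "__main__":
    for finding in root_user_findings(SAMPLE_ACCOUNT_SUMMARY):
        print("ROOT:", finding)
    for finding in long_term_credential_findings(SAMPLE_ACCESS_KEYS):
        print("IAM :", finding)
```

Run against the real account output, an empty result from both functions is the state the tutorial is steering you toward: root protected by MFA, no root access keys, and no IAM users carrying long-lived keys.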

4. Sign in as Root user


5. Make sure you set up MFA

6. Set up users in IAM Identity Center

It is considered a security best practice not to use your root account for everyday tasks, but right now you only have a root user. In this tutorial, we will use IAM Identity Center to create an administrative user. We are using IAM Identity Center because it provides users with unique credentials for every session, also known as temporary credentials. Providing users these credentials results in enhanced security for your AWS account, because they are generated each time the user signs in. Once you have an administrative user, you can sign in with that user to create additional Identity Center users and assign them to groups with permissions to perform specific job functions. Another benefit of creating users in IAM Identity Center is that the users are automatically granted access to the AWS Billing and Cost Management console.

7. Click on IAM Identity Center

In the AWS Management Console search bar, enter IAM Identity Center, and then select IAM Identity Center.


8. Enable IAM Identity Center

The IAM Identity Center service overview page opens. Review the information to learn about the features of the IAM Identity Center service, then under Enable IAM Identity Center, choose Enable.

  • To use IAM Identity Center, you also need to enable AWS Organizations. AWS Organizations lets you organize multiple AWS accounts so that you can have separate AWS accounts for different use cases. AWS Organizations is a feature of your AWS account offered at no additional charge.


9. To continue choose Create AWS organization

  • The account you are signed in to as the root user is now the management account for the AWS organization

  • After enabling AWS Organizations, AWS will send a verification email to the root user. Verifying your root user account allows you to invite other accounts to become members of your organization. You don’t need to verify your account before continuing with this tutorial. For more information about account management, see the AWS Organizations user guide.


10. Configure your Identity Source

Set up your identity source to manage users and groups. Once configured, you can easily locate users or groups for providing single sign-on access to AWS accounts, cloud applications, or both.

Organizations can have only one identity source. Options include:

Identity Center Directory:
When you activate IAM Identity Center, it automatically establishes an Identity Center directory as the default identity source. This directory is where you’ll oversee user and group management.

Active Directory:
Users and groups can be administered in either the AWS Managed Microsoft AD directory through AWS Directory Service or your self-managed Active Directory (AD).

External Identity Provider:
Users and groups can be supervised through an external identity provider (IdP) such as Okta or Azure Active Directory.

11. Step 2: Add users

  1. Access the IAM Identity Center console and click on “Users.” From there, choose the option to add a new user.


12. On the "Specify User Details" page, provide the following information:


13. Step 3: Add user to groups

Utilizing user groups allows you to define permissions for numerous users, simplifying the process of managing their respective permissions.

  • Select Create Group


14. A new browser tab opens to display the Create group page.

  • Under Group details, in Group name, enter Admins.

  • Select Create group.


15. Close or move away from the Groups browser tab and go back to the Add user browser tab.


16. Within the Groups section, click on the Refresh button.


17. The new Admins group appears in the list.

  • Tick the checkbox adjacent to the Admins group, and subsequently click on “Next.”


18. On the "Review and Add User" page, ensure the following:


19. You will be directed back to the main IAM Identity Center > Users page, where a notification confirms the successful addition of the user.

Congratulations! You have successfully added a user to your AWS Organization. Feel free to replicate these steps to include more users and groups as needed.


# Administer access to your AWS account

While your new user has been created, they currently lack access to any resources, services, or applications. As a result, the user cannot yet take over daily administrative tasks from your root user. To grant access, we will associate the user’s group with an account and then add a permission set outlining what group members can access.

For this process, continue using the root user credentials.

# Step 4: Create an administrative permission set

20. Manage access to multiple AWS accounts

Go to the IAM Identity Center console, and within the Recommended setup steps, select “Manage access to multiple AWS accounts.”


21. Assign users or groups

On the AWS accounts page within Organizational structure, your root account is presented with the test account listed below in the hierarchy. Check the box next to your test account, and then choose “Assign users or groups.”


22. Step 1: Select Users and Groups

The Assign Users and Groups process appears, comprising the following stages:
In Step 1: Select Users and Groups, opt for the Admins group established earlier in this tutorial. Proceed by selecting “Next.”


23. Step 2: Choose Permission Sets

In Step 2: Choose Permission Sets, click on “Create Permission Set” to open a new tab guiding you through the three sub-steps associated with creating the permission set.


24. Step 1: Choose Permission Set Type

A new browser tab will open, presenting Step 1: Choose Permission Set Type. Make the following selections:

  • For Permission Set Type, choose “Predefined Permission Set.”

  • For Policy for Predefined Permission Set, select “AdministratorAccess.”

  • Click “Next” to proceed.


25. Step 2: Define Permission Set Details

In Step 2: Define Permission Set Details, retain the default configurations and click “Next.” The default settings establish a permission set named AdministratorAccess with a session duration set to one hour.


26. Step 3: Review and Create

In Step 3: Review and Create, confirm that the Permission Set Type utilizes the AWS managed policy AdministratorAccess. Click on “Create.”
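The permission set just created is the one that grants full administrative rights, so it is worth verifying its two key properties from outside the console: that it carries the `arn:aws:iam::aws:policy/AdministratorAccess` managed policy and that its session duration stays at the one-hour default. The block below is an added example, not the tutorial's own code. The input shape mirrors what `aws sso-admin describe-permission-set` (a `Name` and a `SessionDuration` given as an ISO 8601 duration such as `PT1H`) and `aws sso-admin list-managed-policies-in-permission-set` report; the sample permission sets are constructed, and the `iso8601_duration_seconds` parser is written here rather than taken from any AWS library.

```python
"""Audit Identity Center permission sets against the tutorial's settings.

Added example, not part of the original tutorial. The sample data is
constructed; feed in the real `describe-permission-set` output to use it.
"""
import re

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
MAX_ADMIN_SESSION_SECONDS = 3600  # the tutorial's default session: one hour

# Accepts the time portion of an ISO 8601 duration: PT1H, PT90M, PT1H30M, PT45S.
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def iso8601_duration_seconds(text: str) -> int:
    """Convert an ISO 8601 time duration to seconds, rejecting anything else."""
    match = _DURATION.match(text)
    if not match or text == "PT":
        raise ValueError(f"unsupported duration: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def permission_set_findings(permission_set: dict, managed_policy_arns: list[str]) -> list[str]:
    """Flag administrative permission sets whose session exceeds the one-hour default."""
    findings = []
    name = permission_set["Name"]
    is_admin = ADMIN_POLICY_ARN in managed_policy_arns
    if name == "AdministratorAccess" and not is_admin:
        findings.append(f"{name}: AdministratorAccess managed policy is not attached")
    duration = permission_set["SessionDuration"]
    if is_admin and iso8601_duration_seconds(duration) > MAX_ADMIN_SESSION_SECONDS:
        findings.append(f"{name}: admin session duration {duration} exceeds one hour")
    return findings


# Constructed samples: the tutorial's permission set, and one with a long session.
SAMPLE_PERMISSION_SETS = [
    ({"Name": "AdministratorAccess", "SessionDuration": "PT1H"}, [ADMIN_POLICY_ARN]),
    ({"Name": "LongAdmin", "SessionDuration": "PT12H"}, [ADMIN_POLICY_ARN]),
]


def audit_all(permission_sets=SAMPLE_PERMISSION_SETS) -> list[str]:
    """Run the checks over every (permission set, attached policy ARNs) pair."""
    findings = []
    for permission_set, arns in permission_sets:
        findings.extend(permission_set_findings(permission_set, arns))
    return findings


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

The session-duration check applies to any permission set that carries the administrative policy, not only the one named AdministratorAccess, because the name is free text and the attached policy is what actually grants the rights.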


27. You are redirected to the Permission Sets page

You are redirected to the Permission Sets page, where a notification at the top confirms the successful creation of the permission set. Click on ‘X’ to close the tab.


28. In the Assign Users and Groups browser tab

In the Assign Users and Groups browser tab, within Step 2: Choose Permission Sets, navigate to the Permission Sets section, and click on Refresh. The AdministratorAccess permission set, which you previously created, will now be visible in the list. Select the checkbox next to that permission set and then click on Next.


29. In Step 3: Review and Submit

In Step 3: Review and Submit, examine the chosen users, groups, and permission set, and then click on Submit.


30. Congratulations! Your user can now log in to the AWS access portal and access resources within your AWS account.

The page will refresh with a message indicating that your AWS account is undergoing configuration. Please wait until the process is complete.

Upon completion, you will be redirected to the AWS accounts page in IAM Identity Center. A notification message will confirm the successful reprovisioning of your AWS account with the updated permission set.

In the Organization Structure section, observe that your AWS account is now designated as the management account under the root of the AWS organization. Note that in this tutorial, a placeholder AWS account name, “Test-acct,” is used; you will see the name of your AWS account instead.


# Log in to the AWS access portal using your administrative credentials.

31. Accept Invitation

Now that you’ve set up your new administrative user, it’s time to sign in. If you attempted to sign in earlier, you would have only been able to create your password and enable multi-factor authentication (MFA) for your user, as no other permissions were granted at that time. However, your user now has full permissions to access your AWS resources. Nevertheless, they still need to configure a password and set up MFA. Let’s go through these steps.

An email has been sent to the address you specified when creating the user. This email includes three crucial items:

  • A link to accept the invitation to join.

  • The URL of your AWS access portal.

  • Your username for signing in.

Open the email, note the URL of the AWS access portal and the username for future reference, and then click on the “Accept Invitation” link.


32. Clicking the link opens a new browser window

Clicking the link opens a new browser window, presenting the New User Sign Up page.

Enter a new password adhering to the following criteria:

  • Length between 8 and 64 characters

  • Combination of uppercase and lowercase letters, numbers, and non-alphanumeric characters.

Confirm the password and then click on “Set New Password.”
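The criteria above are simple enough to encode, which is useful when a provisioning script pre-validates a password before a user types it into the portal. This is an added example, not the tutorial's own code, and it implements only the four rules listed here (length 8 to 64, upper and lower case, a digit, and a non-alphanumeric character); the sample passwords are constructed.

```python
"""Check a candidate password against the sign-up rules listed in the tutorial.

Added example, not part of the original tutorial. It reports every rule
that fails rather than stopping at the first, so the user sees all fixes needed.
"""
MIN_LEN, MAX_LEN = 8, 64


def password_policy_violations(password: str) -> list[str]:
    """Return a list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("needs at least one uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs at least one lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if not any(not c.isalnum() for c in password):
        problems.append("needs at least one non-alphanumeric character")
    return problems


if __name__ == "__main__":
    # Constructed samples, including both length boundaries.
    for candidate in ["short", "Correct-Horse-Battery-9", "Aa1!" + "x" * 60, "Aa1!" + "x" * 61]:
        result = password_policy_violations(candidate)
        print(f"{len(candidate):3d} chars -> {'OK' if not result else '; '.join(result)}")
```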


33. The AWS console opens.

Along the top bar, next to the User name, select MFA devices to set up MFA.


34. Setup MFA

Within the access portal, choose the AWS account you wish to administer. The permissions configured for your account are displayed, along with two connection options.

  • Select “Management console” to access the AWS Management Console and oversee your AWS resources through the service console dashboards.

  • Alternatively, choose “Command line or programmatic access” to obtain credentials for programmatic access to AWS resources or usage with the AWS CLI. For detailed information on obtaining these credentials, refer to the guide on Getting IAM Identity Center user credentials for the AWS CLI or AWS SDKs.

For the purpose of this tutorial, opt for “Management console.”

Upon selecting this option, the AWS Management Console opens. As an administrative user, you can now add services, include additional users, and configure policies and permissions without the necessity of using your root user for these tasks.


# Well done! You have successfully concluded the sign-in process

Well done! You have successfully concluded the sign-in process, established an administrative user in IAM Identity Center, implemented enhanced security measures for both your root user and administrative user, and are now prepared to engage with AWS services and applications. Please note that when signing in with your Identity Center administrative user, use the access portal URL provided in your invitation email.

Remember: each AWS Organization has its own distinct access portal URL. Be sure to keep a record of it along with your user sign-in details.



Created with Tango.us
