Enable Single Sign On (SSO)

You will create an AWS Organization, and join two or more accounts to the master account. An organization will allow you to centrally manage multiple AWS accounts efficiently and consistently. It is recommended to have a master account that is used for security and administration, with access provided for limited billing tasks. A dedicated member account will be created for the Cost Optimization team or function, and one or more additional member accounts created to contain workload resources.

You will need organizations:CreateOrganization access, and 2 or more AWS accounts. When you join a member account to a master account, the master account will contain all billing information for that member account. Member accounts will no longer have any billing information, including historical billing information. Ensure you back up or export any reports or data before joining accounts to a master account.

Configure SSO

You will create an AWS Organization with the master account.

  1. Log in to the AWS console as an IAM user with the required permissions, start typing SSO into the Find Services box and click on AWS Single Sign-On.

  2. Click Enable AWS SSO.

  3. Select Groups.

  4. Click Create group.

  5. Enter a Group name of Cost_Optimization and a description, click Create.

  6. Click Users.

  7. Click Add user.

  8. Enter the following details:

  • Username
  • Password
  • Email address
  • First name
  • Last name
  • Display name
  • Configure the optional fields as required

     Click Next: Groups.

  9. Select the Cost_Optimization group and click Add user.

  10. The user will receive an email with a link to Accept invitation, the Portal URL and their Username.

  11. When the user goes to the portal, they will enter a Password and click Update user.

  12. The user will then click Continue.

Users will not have permissions until you complete the rest of this step.

  1. Click on AWS accounts, select Permission sets, and click Create permission set.

  2. Select Create a custom permission set, enter a name of Master_CostOptimization, enter a Description, set the Session duration, select Create a custom permissions policy. Use the policy below as a starting point, modify it to your requirements and paste it in the policy field, click Create.

You MUST work with your security team/specialist to ensure you create the policies in line with least privilege for your organization.

  1. Click Create permission set

  2. Select Create a custom permission set, enter a name of Member_CostOptimization, enter a Description, set the Session duration, select Create a custom permissions policy. Use the policy below as a starting point, modify it to your requirements, replace (Master CUR bucket) and (This Account ID) and paste it in the policy field, click Create.

You MUST work with your security team/specialist to ensure you create the policies in line with least privilege for your organization.
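
As an added example (not part of the lab, and not the lab's policy), the following Python script lints a custom permissions policy before it is pasted into the permission set: it flags unreplaced placeholders such as (Master CUR bucket), wildcard actions, and write-capable actions on Resource "*". The sample policy and the read-only prefix list are constructed assumptions for illustration.

```python
import json
import re

# Any "(...)" token left in a Resource, e.g. "(Master CUR bucket)" or "(This Account ID)".
PLACEHOLDER = re.compile(r"\([^()]+\)")
# Assumption: action names starting with these verbs are treated as read-only.
READ_PREFIXES = ("Get", "List", "Describe", "View")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return (statement_index, finding) tuples for Allow statements to review."""
    findings = []
    policy = json.loads(policy_json)
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource in an Allow grants everything not listed"))
        resources = as_list(stmt.get("Resource", []))
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append((i, f"unreplaced placeholder in Resource: {res}"))
        for act in as_list(stmt.get("Action", [])):
            _, _, name = act.partition(":")
            if act == "*" or name == "*":
                findings.append((i, f"wildcard action: {act}"))
            elif "*" in resources and not name.startswith(READ_PREFIXES):
                # Some services require Resource "*"; this is a prompt for review.
                findings.append((i, f"write-capable action on Resource '*': {act}"))
    return findings

# Constructed sample policy, not the lab's policy.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ce:Get*", "cur:DescribeReportDefinitions"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::(Master CUR bucket)/*"},
    {"Effect": "Allow", "Action": ["budgets:ModifyBudget", "athena:*"], "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for idx, msg in lint_policy(SAMPLE):
        print(f"Statement[{idx}]: {msg}")
```

Each finding is something to raise with your security team, not an automatic rejection.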

  1. Click AWS organization, select the Master account, click Assign users.

  2. Select Groups, select the Cost_Optimization group, click Next: Permission sets.

  3. Select the Master_CostOptimization Permission set, click Finish.

  4. Click Proceed to AWS accounts.

  5. Set up the Cost Optimization member account: select the Member account, click Assign users.

  6. Select Groups, select the Cost_Optimization group, click Next: Permission sets.

  7. Select the Member_CostOptimization Permission set, click Finish

  8. Click Proceed to AWS accounts

You have now set up your Cost Optimization users, group and their permissions.