Enable Single Sign On (SSO)

You will create an AWS Organization, and join two or more accounts to the management account. An organization will allow you to centrally manage multiple AWS accounts efficiently and consistently. It is recommended to have a management account that is used for security and administration, with access provided for limited billing tasks. A dedicated member account will be created for the Cost Optimization team or function, and another (or multiple) member account/s created to contain workload resources.

You will need organizations:CreateOrganization access, and 2 or more AWS accounts. When you join a member account to a management account, the management account will contain all billing information for that member account. Member accounts will no longer have any billing information, including historical billing information. Ensure you back up or export any reports or data before joining accounts to a management account.

Configure SSO

You will create an AWS Organization with the management account.

  1. Log in to the AWS console as an IAM user with the required permissions, start typing SSO into the Find Services box and click on AWS Single Sign-On

  2. Click Enable AWS SSO

  3. Select Groups

  4. Click Create group

  5. Enter a Group name of Cost_Optimization and a description, click Create group

  6. Click Users

  7. Click Add user

  8. Enter the following details:

  • Username
  • Password -
  • Email address
  • First name
  • Last name
  • Display name
  • Configure the optional fields as required, then click Next

  9. Select the Cost_Optimization group and click Next

  10. Review user details and click Add User

  11. The user will receive an email with a link to Accept invitation, the Portal URL and their Username

  12. When the user goes to the portal, they will enter a Password and click Set new password

  13. Enter the new SSO Username and Password, then click Sign In

Users will not have permissions until you complete the rest of this step. A management and a member permission set will be created.

  1. Create the management permission set. Click on Permission sets, and click Create permission set

  2. Select Custom permission set and click Next

  3. Select Inline Policy. Use the policy below as a starting point, modify it to your requirements and paste it in the policy field, click Next.

You MUST work with your security team/specialist to ensure you create the policies in line with least privilege for your organization.


  1. Enter a Permission set name of management_CostOptimization, enter a Description, set the Session duration, click Next.

  2. Review and Create the custom permissions policy.

  3. Create the member permission set. Click on Permission sets, and click Create permission set

  4. Select Custom permission set and click Next

  5. Select Inline Policy. Use the policy below as a starting point, replace (management CUR bucket) and (Cost Optimization Member Account ID) with your own values, then click Next.

You MUST work with your security team/specialist to ensure you create the policies in line with least privilege for your organization.
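As an added example (not part of the lab, and not the lab's policy), the check below can be run on the inline policy JSON for either permission set before pasting it in. It flags unreplaced placeholders such as (management CUR bucket), wildcard actions, and non-read actions granted on Resource *; the sample policy and the read-only verb list are constructed assumptions.

```python
import json
import re

PLACEHOLDER = re.compile(r"\([^()]*\)")  # e.g. "(management CUR bucket)"
READ_ONLY_VERBS = ("Get", "List", "Describe", "View")  # assumed verb list


def as_list(value):
    """IAM accepts a bare string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return sorted (sid, finding) tuples for an inline policy document."""
    findings = set()
    statements = as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{idx}]")
        # Scan the whole statement so Resource, Principal and Condition count.
        for ph in PLACEHOLDER.findall(json.dumps(stmt)):
            findings.add((sid, f"unreplaced placeholder {ph}"))
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.add((sid, "Allow with NotAction permits all other actions"))
        resources = as_list(stmt.get("Resource"))
        for action in as_list(stmt.get("Action")):
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.add((sid, f"wildcard action {action}"))
            elif "*" in resources and not verb.startswith(READ_ONLY_VERBS):
                findings.add((sid, f"{action} allowed on Resource *"))
    return sorted(findings)


# Constructed sample, not the lab's policy: one clean statement, three flawed.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadCosts", "Effect": "Allow", "Resource": "*",
     "Action": ["ce:GetCostAndUsage", "budgets:ViewBudget"]},
    {"Sid": "ReadCUR", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::(management CUR bucket)/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "WriteAny", "Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"},
]})

for sid, finding in lint_policy(SAMPLE):
    print(f"{sid}: {finding}")
```

An empty result only means none of these three patterns were found; the policy still needs review against your organization's requirements.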


  1. Enter a Permission set name of member_CostOptimization, enter a Description, set the Session duration, click Next.

  2. Review and Create the custom permissions policy.

  3. Set up the Cost Optimization management account. Click AWS accounts, select the management account, click Assign users or groups

  4. Select Groups, select the Cost_Optimization group, click Next

  5. Select the management_CostOptimization Permission set, click Next

  6. Review and Submit

  7. Verify the account was updated with the permission set

  8. Set up the Cost Optimization member account. Click AWS accounts, select the member account, click Assign users or groups

  9. Select Groups, select the Cost_Optimization group, click Next

  10. Select the member_CostOptimization Permission set, click Next

  11. Review and Submit

  12. Verify the account was updated with the permission set

You have now set up your Cost Optimization users, group and their permissions.