0
votes

At my employer, we have an AWS account that uses SAML 2.0 to federate in your user access from the company SSO login to the AWS console. The net effect is that everyone has admin access. Is there a way to place federated users into different IAM groups, thereby giving least privilege access?

The answer we came up with is that all federated users would have very limited access to the console with no programmatic access. Then, create separate IAM users for everyone for programmatic access (no console login) and to place these separate users into IAM groups with varying access. Would this method be considered best practice or is there a better way to accomplish what we would like to do in this case?


2 Answers

0
votes

The best practice is to use groups to set permissions (policies) for each class of user.

Grant users SSO access to AWS accounts in your organization by selecting the AWS accounts from a list populated by AWS SSO, and then selecting users or groups from your directory and the permissions you want to grant them.

AWS Single Sign-On

0
votes

Your SSO SAML 2.0 provider should be able to pass role information to AWS at sign-in. You can then have corresponding IAM roles set up in AWS.

We use Azure AD for SSO and set it up using this example: https://blog.flux7.com/aws-best-practice-azure-ad-saml-authentication-configuration-for-aws-console

Basically you create Azure AD Security Groups and map them to IAM roles.
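To make the group-to-role mapping concrete, here is an added example (not from the answer's author or the linked blog post) that parses the `https://aws.amazon.com/SAML/Attributes/Role` attribute AWS reads from the assertion, keeps only role/provider pairs that name the expected SAML provider, and builds the trust policy a mapped IAM role needs so it can only be assumed through that provider. The assertion, account id, role and provider names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute AWS expects the IdP to populate with "role-arn,provider-arn" pairs.
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Audience AWS sets on its SAML sign-in endpoint; pinned in the trust policy.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample assertion: account id, role and provider names are placeholders.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/ReadOnlyAnalyst,arn:aws:iam::123456789012:saml-provider/CorpAzureAD</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/Administrator,arn:aws:iam::123456789012:saml-provider/CorpAzureAD</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_role_pairs(assertion_xml):
    """Return the (role_arn, provider_arn) pairs carried in the AWS Role attribute."""
    root = ET.fromstring(assertion_xml)
    pairs = []
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml2:AttributeValue", SAML_NS):
            role_arn, provider_arn = [p.strip() for p in (value.text or "").split(",", 1)]
            pairs.append((role_arn, provider_arn))
    return pairs


def roles_offered(assertion_xml, expected_provider_arn):
    """Roles the user may choose at sign-in; pairs naming any other provider are dropped."""
    return [role for role, prov in parse_role_pairs(assertion_xml) if prov == expected_provider_arn]


def trust_policy(provider_arn):
    """Trust policy for a mapped role: assumable only via this SAML provider and audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }
```

Because AWS lets the user pick any role listed in the attribute, least privilege is enforced by which Azure AD security groups the IdP maps to which role ARNs, not by the console.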