AWS Single Sign-On adds account assignment APIs and AWS CloudFormation support to automate multi-account access management

Posted on: Sep 10, 2020

AWS Single Sign-On (SSO) adds new account assignment APIs and AWS CloudFormation support to automate access across AWS Organizations accounts. You can also use the APIs to retrieve permissions programmatically for audit and governance purposes. The new release enables you to automate control of the AWS SSO central permissions, making it easier to manage access at scale across all your AWS accounts.

AWS SSO account assignment APIs enable you to build automation to create and update permissions that align with your company's common job functions. You can then assign the permissions to users and groups to grant them access to the accounts they need. For example, you can give your developers broad control over resources in developer accounts, and limit that control to authorized operations personnel in production accounts. The new AWS CloudFormation support enables you to automate account assignments as you build new accounts. You can also use the APIs to decode user and group names from the unique identifiers that appear in AWS CloudTrail logs.
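The identifier lookup mentioned above, sketched for an audit script; this is an added example, not AWS code. It assumes the lookup uses the Identity Store `DescribeUser` and `DescribeGroup` operations through a boto3 `identitystore` client, which this announcement does not name; the event, its field names, the ids and `StubIdentityStore` are constructed so the block runs offline.

```python
import json

# Constructed record, not real data; requestParameters field names are assumed.
SAMPLE_EVENT = json.loads("""{"eventName": "CreateAccountAssignment",
  "requestParameters": {"targetId": "111122223333", "principalType": "GROUP",
    "principalId": "example-group-id-0001",
    "permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"}}""")

def resolve_principal(client, store_id, ptype, pid, cache):
    """Map a USER or GROUP identifier to a readable name, caching each lookup."""
    key = (ptype, pid)
    if key not in cache:
        try:
            if ptype == "USER":
                reply = client.describe_user(IdentityStoreId=store_id, UserId=pid)
                cache[key] = reply["UserName"]
            elif ptype == "GROUP":
                reply = client.describe_group(IdentityStoreId=store_id, GroupId=pid)
                cache[key] = reply["DisplayName"]
            else:
                cache[key] = f"<unknown principal type {ptype!r}>"
        except client.exceptions.ResourceNotFoundException:
            # Deleted since the event was logged: keep the raw id for the audit trail.
            cache[key] = f"<deleted {pid}>"
    return cache[key]

def annotate(event, client, store_id, cache):
    """Summarise one account-assignment event with the principal name filled in."""
    rp = event.get("requestParameters") or {}
    name = resolve_principal(client, store_id, rp.get("principalType"),
                             rp.get("principalId"), cache)
    return {"action": event.get("eventName"), "account": rp.get("targetId"),
            "principal": name, "permission_set": rp.get("permissionSetArn")}

class StubIdentityStore:
    """Offline stand-in (constructed) for boto3.client("identitystore")."""
    class exceptions:
        class ResourceNotFoundException(Exception): pass
    def __init__(self, users, groups):
        self.users, self.groups, self.calls = users, groups, 0
    def describe_user(self, IdentityStoreId, UserId):
        return {"UserName": self._get(self.users, UserId)}
    def describe_group(self, IdentityStoreId, GroupId):
        return {"DisplayName": self._get(self.groups, GroupId)}
    def _get(self, table, key):
        self.calls += 1
        if key not in table:
            raise self.exceptions.ResourceNotFoundException(key)
        return table[key]
```

Against a real account, pass `boto3.client("identitystore")` and the identity store id of your AWS SSO instance in place of the stub and the placeholder id.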

It is easy to get started with AWS SSO. With just a few clicks in the AWS SSO management console, you can choose AWS SSO, Active Directory, or an external identity provider such as Okta Universal Directory, Azure Active Directory, or OneLogin as your identity source. Your users sign in with the convenience of their familiar sign-in experience and get single-click access to all their assigned accounts from the AWS SSO user portal. To learn more, please visit AWS Single Sign-On.

There is no cost for AWS SSO, and it is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Tokyo), Asia Pacific (Mumbai), EU (Ireland), EU (Frankfurt), EU (London), and EU (Stockholm) Regions.