How do SSO groups work in an AWS organization? How do you restrict root users at lower levels in an organization?

AWS SSO Groups and Permission Sets

  1. Users use their directory credentials to sign in to the user portal.
  2. Users then choose the AWS account name that will give them federated access to the AWS Management Console for that account.
  3. Users who are assigned multiple permission sets choose which IAM role to use.

Permission sets are a way to define permissions centrally in AWS SSO so that they can be applied to all of your AWS accounts. These permission sets are provisioned to each AWS account as an IAM role. The user portal gives users the ability to retrieve temporary credentials for the IAM role of a given AWS account so they can use it for short-term access to the AWS CLI.

To use AWS SSO with AWS Organizations, you must first Enable AWS SSO, which grants AWS SSO the capability to create Service-linked roles in each account in your AWS organization. These roles are not created until after you Assign user access for a given account.

Restrict Root User Access at Sub Account Levels

While a root users can exist at the master account level, it is not a good idea to leave root users enabled at each of the lower level accounts.

Fortunately, there’s an SCP to restrict that. This Service Control Policies Restricts the Use of the Root User in an AWS Account.

This SCP prevents restricts throot user in an AWS account from taking any action, either directly as a command or through the console.