Control Tower Integrated SSO and Permission Sets
AWS Permission Sets vs Control Tower SSO
1. AWS Control Tower SSO
Purpose: AWS Control Tower sets up and governs a multi-account landing zone with pre-configured security and governance baselines. What people call "Control Tower SSO" is the AWS IAM Identity Center instance that Control Tower enables in the management account so that users sign in once and reach every account it provisions.
Integration: Control Tower does not implement its own single sign-on; it relies on AWS IAM Identity Center (the successor to AWS SSO), which can use its built-in identity store or federate to an external identity provider.
Primary Use Case:
- Centralized identity management across all AWS accounts in your organization.
- Simplifies user access management in a multi-account environment.
Features:
- Users log in via a single access portal and pick the account and role they want to enter; short-lived credentials are issued for that session.
- Integrates with existing identity providers (IdPs) over SAML 2.0 for sign-in and SCIM for user/group provisioning, for example Microsoft Entra ID (formerly Azure AD) or Okta.
- Accounts created through Control Tower's Account Factory are enrolled under the landing zone's OU structure and controls (formerly called guardrails) and are reachable through the same Identity Center portal.
2. AWS Permission Sets
Purpose: Define what permissions a user gets when they access an AWS account via IAM Identity Center (SSO). A permission set is a template; it grants nothing until it is assigned to a principal in a specific account.
Integration: Assigned inside IAM Identity Center through account assignments (user or group + permission set + AWS account). The same permission set can be assigned in many accounts, which is what makes it reusable across a Control Tower landing zone.
Primary Use Case:
- Assign role-based permissions to groups (preferred) or individual users.
- Define permissions with AWS managed policies, customer managed policies (referenced by name and path; the policy must already exist in every target account), an inline policy, or a combination, optionally capped by a permissions boundary.
Features:
- Can be reused across multiple accounts; one definition, many assignments.
- Can set the session duration (1 to 12 hours), a permissions boundary, and a relay state (the console page the user lands on). MFA is not a per-permission-set setting: it is enforced by the Identity Center instance's authentication settings or by the external IdP.
- Each assignment materializes as an IAM role in the target account (named AWSReservedSSO_<PermissionSetName>_<hash>), so permissions are evaluated per account, and an explicit Deny in an inline policy still overrides anything the attached managed policies allow.
Key Differences
| Aspect | Control Tower SSO | Permission Sets |
|---|---|---|
| Function | Single sign-in and identity integration across all accounts in the organization | Defines the IAM permissions a principal receives once inside an account |
| Scope | Multi-account user login and governance | Specific permissions in each account where the set is assigned |
| Setup | Enabled by Control Tower when the landing zone is created | Created and assigned inside IAM Identity Center (console, CLI, CloudFormation, or Terraform) |
| Granularity | Which accounts a user can enter | Which actions, on which resources, inside those accounts |
How They Work Together
- Control Tower SSO (IAM Identity Center) provides the portal and the identity integration for all users; on its own it grants no permissions in any account.
- Access exists only through an account assignment: a user or group, a permission set, and one AWS account. Assignments are where "who" meets "what" meets "where".
- Example:
  - Alice is a user in Identity Center, and the Dev and Prod accounts are enrolled in Control Tower.
  - Assigning the AdministratorAccess permission set to Alice in Dev and the ReadOnlyAccess permission set to Alice in Prod gives her full admin in Dev and read-only in Prod; assigning to groups rather than to Alice directly keeps access reviews tractable.
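The following is an added example, not code from the original post or from AWS. It expresses the permission-set features listed above (managed policy, inline explicit Deny, session duration limits) and the Alice assignment example as a CloudFormation template built from Python, using the real `AWS::SSO::PermissionSet` and `AWS::SSO::Assignment` resource types, then walks the assignments back to show who gets which policies in which account. The Identity Center instance ARN, Alice's identity-store user ID, and the account IDs are constructed placeholders; the S3 `GetObject` deny on the read-only set is an illustrative hardening choice, not something Control Tower applies for you.

```python
"""Build a CloudFormation template that declares IAM Identity Center permission
sets and account assignments, then derive effective access from the declarations.

All identifiers below are constructed placeholders for this example only."""
import json
import re

INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0123456789abcdef"   # assumed
ALICE_USER_ID = "93670000-0000-0000-0000-000000000001"           # assumed identity-store user id
ACCOUNTS = {"Dev": "111111111111", "Prod": "222222222222"}       # assumed account ids

_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def validate_session_duration(value):
    """Identity Center accepts ISO 8601 durations between PT1H and PT12H; return minutes."""
    m = _DURATION_RE.match(value)
    if not m or (m.group(1) is None and m.group(2) is None):
        raise ValueError(f"not an ISO 8601 duration: {value!r}")
    minutes = int(m.group(1) or 0) * 60 + int(m.group(2) or 0)
    if not 60 <= minutes <= 720:
        raise ValueError(f"session duration must be 1h..12h, got {value}")
    return minutes


def permission_set(name, managed_policies, session_duration="PT1H",
                   inline_policy=None, description=""):
    """AWS::SSO::PermissionSet resource: name is limited to 32 chars of [\\w+=,.@-]."""
    if not re.fullmatch(r"[\w+=,.@-]{1,32}", name):
        raise ValueError(f"invalid permission set name: {name!r}")
    validate_session_duration(session_duration)
    props = {
        "InstanceArn": INSTANCE_ARN,
        "Name": name,
        "Description": description or name,
        "SessionDuration": session_duration,
        "ManagedPolicies": list(managed_policies),
    }
    if inline_policy is not None:          # inline Deny statements override managed Allows
        props["InlinePolicy"] = inline_policy
    return {"Type": "AWS::SSO::PermissionSet", "Properties": props}


def assignment(ps_logical_id, principal_type, principal_id, account_id):
    """AWS::SSO::Assignment: binds one principal plus one permission set to one account."""
    if principal_type not in ("USER", "GROUP"):
        raise ValueError(f"principal type must be USER or GROUP: {principal_type!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"bad account id: {account_id!r}")
    return {"Type": "AWS::SSO::Assignment", "Properties": {
        "InstanceArn": INSTANCE_ARN,
        "PermissionSetArn": {"Fn::GetAtt": [ps_logical_id, "PermissionSetArn"]},
        "PrincipalType": principal_type,
        "PrincipalId": principal_id,
        "TargetType": "AWS_ACCOUNT",
        "TargetId": account_id,
    }}


def build_template():
    """Alice: AdministratorAccess in Dev, ReadOnlyAccess (minus S3 object reads) in Prod."""
    deny_object_reads = {  # explicit Deny wins over the ReadOnlyAccess managed policy
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}],
    }
    resources = {
        "DevAdmin": permission_set(
            "DevAdmin", ["arn:aws:iam::aws:policy/AdministratorAccess"],
            session_duration="PT2H", description="Full admin in Dev, short session"),
        "ProdReadOnly": permission_set(
            "ProdReadOnly", ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
            session_duration="PT8H", inline_policy=deny_object_reads,
            description="Read-only in Prod, no S3 object reads"),
        "AliceDev": assignment("DevAdmin", "USER", ALICE_USER_ID, ACCOUNTS["Dev"]),
        "AliceProd": assignment("ProdReadOnly", "USER", ALICE_USER_ID, ACCOUNTS["Prod"]),
    }
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def effective_access(template):
    """Follow each assignment to its permission set: {(principal_id, account_id): [policy ARNs]}."""
    res = template["Resources"]
    out = {}
    for r in res.values():
        if r["Type"] != "AWS::SSO::Assignment":
            continue
        p = r["Properties"]
        ps = res[p["PermissionSetArn"]["Fn::GetAtt"][0]]["Properties"]
        out.setdefault((p["PrincipalId"], p["TargetId"]), []).extend(ps["ManagedPolicies"])
    return out


if __name__ == "__main__":
    template = build_template()
    print(json.dumps(template, indent=2))
    for (who, account), policies in effective_access(template).items():
        print(f"{who} in {account}: {policies}")
```

The template has to be deployed in the account that owns the Identity Center instance (the Control Tower management account, or a delegated administrator account), and permission set names are unique per instance. Because `effective_access` only follows the template's own `Fn::GetAtt` references, it is a static review of what you are about to deploy; for what is actually in force, list assignments with `aws sso-admin list-account-assignments` against the live instance.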
