AWS SSO for external client AWS accounts not in an organization - Best Practices


I have multiple different clients I work with that are completely independent of each other. If a client I'm working with already has an AWS account, I may develop software in their existing AWS account, but if they don't have an account then I'll create a new AWS account.

Today, I'm storing my clients' AWS username/passwords in LastPass within separate folders and/or LastPass identities. However, I'd like to know if there is a better/easier way to do this and also what the recommended method is.

I know that AWS SSO can be used to manage multiple AWS accounts under one organization (e.g., for a large company), but can AWS SSO be used to manage multiple completely independent client accounts that are either not in an AWS organization or in separate AWS organizations?

What are the best practices for a scenario with managing multiple AWS accounts that are for completely independent companies? Is there an AWS recommended whitepaper on this?

This SO question is related, but it's also 6 years old: AWS: how to manage authentication for multiple accounts

Thank you!


There are 3 answers

1
Daniel Scott (BEST ANSWER)

I would say that for accounts which are part of your organization, you should use AWS SSO.

For accounts which are 'owned' by someone else, have them create a role which you can assume from one of your accounts. Possibly you could create a separate account under your organization to contain the roles which the other accounts trust.

0
MikeCox

For CLI access to non-org accounts, you have to create a permission set with the relevant permissions and assign it to the SSO account.

Create the relevant roles in the non org accounts, create a permission set in the SSO account that allows STS to these roles.
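The two answers above describe the same cross-account pattern from different ends: the client creates a role in their account that trusts your account (Daniel Scott), and on your side an SSO permission set is allowed to call STS against those roles (MikeCox). The following is an added example, not code from either answer, that writes out the three artifacts you would actually need: the client-side trust policy, the permission-set inline policy, and the AWS CLI profile that chains to the client role. It also lints a trust policy for the two conditions a practitioner should insist on. Every account ID, role name, permission-set name and external ID is a made-up placeholder; the `AWSReservedSSO_` role path layout is AWS's, the wildcard pattern built from it is an assumption you should check against the role ARN you see in your own account.

```python
# Added example: artifacts for the "assume a role in the client's account" pattern.
# All IDs and names below are placeholders (assumptions), not real accounts.
import configparser
import io
import json

JUMP_ACCOUNT_ID = "111111111111"       # account you control (assumed)
CLIENT_ACCOUNT_ID = "222222222222"     # a client's independent account (assumed)
CLIENT_ROLE_NAME = "ConsultantAccess"  # role the client creates for you (assumed)
EXTERNAL_ID = "acme-engagement-7f3a"   # unique per client, not a secret (assumed)


def sso_permission_set_caller_pattern(jump_account_id, permission_set_name):
    """ARN pattern matching the IAM role AWS SSO provisions for a permission set.

    Those roles carry a random suffix (and, outside the home region, a region
    path segment), so a trust policy has to match them with ArnLike wildcards
    rather than a fixed ARN. Path layout per AWS; the pattern itself is ours.
    """
    return (f"arn:aws:iam::{jump_account_id}:role/aws-reserved/sso.amazonaws.com/"
            f"*AWSReservedSSO_{permission_set_name}_*")


def client_role_trust_policy(jump_account_id, external_id, caller_arn_pattern):
    """Trust policy the CLIENT installs on the role in their own account.

    Principal is your account, narrowed by aws:PrincipalArn (only one role or
    permission-set family may assume it) and by sts:ExternalId.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{jump_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": external_id},
                "ArnLike": {"aws:PrincipalArn": caller_arn_pattern},
            },
        }],
    }


def permission_set_inline_policy(client_role_arns):
    """Inline policy for the permission set in YOUR SSO account: the only
    permission it needs is to assume the client roles."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(client_role_arns),
        }],
    }


def aws_cli_profile(profile, source_profile, role_arn, external_id):
    """~/.aws/config section: `aws --profile <profile> ...` assumes the client
    role with credentials from <source_profile> (for example your SSO login)."""
    cfg = configparser.ConfigParser()
    cfg[f"profile {profile}"] = {
        "role_arn": role_arn,
        "source_profile": source_profile,
        "external_id": external_id,
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def trust_policy_findings(policy):
    """Checks to run on a client's trust policy before relying on it."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        if principal == "*" or "*" in aws_principals:
            findings.append("principal is a wildcard: any AWS account could assume this role")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition")
        if ("aws:PrincipalArn" not in cond.get("ArnLike", {})
                and "aws:PrincipalArn" not in cond.get("ArnEquals", {})):
            findings.append("trusts the whole account (no aws:PrincipalArn condition)")
    return findings


if __name__ == "__main__":
    pattern = sso_permission_set_caller_pattern(JUMP_ACCOUNT_ID, "ClientAcme")
    trust = client_role_trust_policy(JUMP_ACCOUNT_ID, EXTERNAL_ID, pattern)
    role_arn = f"arn:aws:iam::{CLIENT_ACCOUNT_ID}:role/{CLIENT_ROLE_NAME}"
    print(json.dumps(trust, indent=2))                               # send to the client
    print(json.dumps(permission_set_inline_policy([role_arn]), indent=2))
    print(aws_cli_profile("acme", "jump-sso", role_arn, EXTERNAL_ID))
    print(trust_policy_findings(trust))
```

The ExternalId is what protects the client from the confused-deputy problem when you serve several clients from one account; the `aws:PrincipalArn` condition is what stops every other role and user in your account from inheriting the access. If a client hands you a policy whose principal is `*`, or that trusts `:root` with no conditions, `trust_policy_findings` will say so.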

5
Daniel Rocco

but can AWS SSO be used to manage multiple completely independent client accounts that are either not in an AWS organization or in separate AWS organizations?

It is possible to add these accounts to AWS SSO as External AWS Accounts under the Applications section. For each target account, you’ll need to

  • register a SAML Identity Provider in IAM
  • create an IAM Role for AWS SSO to assume

Steps:

In AWS SSO,

  • Add a new Application and specify “External AWS Account” as the type
  • Supply a name for the application
  • Download the SAML metadata file

[Screenshot: AWS SSO External Application configuration]

In the target AWS account, register a SAML Identity Provider in IAM:

  • In IAM, navigate to the Identity provider section and choose Add provider
  • Select the SAML Identity provider type
  • Give the provider a meaningful name (e.g. “AWS-SSO”)
  • Upload the SAML metadata you obtained from AWS SSO

Next, add an IAM Role in the target AWS account for AWS SSO to assume. The easiest way to do this is to choose Assign role → Create a new role from the details page of the Identity provider you just created in IAM. From there, AWS will present the familiar Role creation wizard where you can set permissions and tags.

If you prefer to have AWS SSO assume an existing IAM Role, edit the Role’s trust policy to include the SAML IdP as a trusted entity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

where ACCOUNTID is the id of the target AWS account and SAMLPROVIDERNAME is the name of the IdP you created.

Finally, back in AWS SSO,

  • Open the External AWS Account Application you created

  • Choose the Attribute Mappings tab

  • Add a new attribute mapping for the Role in the target AWS account

    • Field: https://aws.amazon.com/SAML/Attributes/Role
    • Value: arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME,arn:aws:iam::ACCOUNTID:role/ROLENAME
    • Format: unspecified

where ACCOUNTID, SAMLPROVIDERNAME, and ROLENAME reference the artifacts in the target AWS account.

With the External AWS Account Application configured, you can assign users to the Application in AWS SSO as usual.

AWS documentation notes that each External AWS Account application can target only one Role:

External AWS Account service only supports one IAM Role attribute mapping per application instance. So, you would have to create multiple External AWS Account application instances to use multiple roles.

Reference: AWS Single Sign-On (AWS SSO) Integration Guide for External AWS Account
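To make the SAML side of the procedure above concrete, here is an added example (not code from the answer or from AWS) that shows what the `Role` attribute looks like once it reaches the target account inside a SAML assertion, splits it into the provider ARN and role ARN that STS needs, and checks that the trust policy shape given in the answer would admit that assertion. The assertion is a constructed, unsigned fragment; the account ID `222222222222`, provider name `AWS-SSO` and role name `ConsultantAccess` are placeholders. Signature verification is left out because STS, not you, performs it.

```python
# Added example: read the AWS Role attribute out of a SAML assertion and check
# it against the target account's role trust policy. Assertion is constructed.
import xml.etree.ElementTree as ET

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder artifacts in the target account (assumed values).
PROVIDER_ARN = "arn:aws:iam::222222222222:saml-provider/AWS-SSO"
ROLE_ARN = "arn:aws:iam::222222222222:role/ConsultantAccess"

# Constructed assertion fragment: only the parts AWS reads for role selection.
SAMPLE_ASSERTION = f"""
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>{AWS_SAML_AUDIENCE}</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{ROLE_ATTR}">
      <saml2:AttributeValue>{PROVIDER_ARN},{ROLE_ARN}</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>alice</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# The trust policy from the answer with the placeholders filled in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}


def split_role_attribute(value):
    """Split one Role attribute value into (provider_arn, role_arn).

    AWS accepts the two ARNs in either order; this normalises to IdP first
    and rejects values that are not exactly one provider plus one role in
    the same account.
    """
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'arn,arn', got {value!r}")
    providers = [p for p in parts if ":saml-provider/" in p]
    roles = [p for p in parts if ":role/" in p]
    if len(providers) != 1 or len(roles) != 1:
        raise ValueError(f"need one saml-provider ARN and one role ARN: {value!r}")
    if providers[0].split(":")[4] != roles[0].split(":")[4]:
        raise ValueError("provider and role must be in the same account")
    return providers[0], roles[0]


def read_assertion(xml_text):
    """Return (audience, [(provider_arn, role_arn), ...]) from an assertion.

    Several pairs are possible in general SAML federation; the External AWS
    Account application in AWS SSO only ever emits one per application.
    """
    root = ET.fromstring(xml_text.strip())
    aud = root.find(".//saml2:AudienceRestriction/saml2:Audience", NS)
    audience = aud.text.strip() if aud is not None and aud.text else None
    pairs = []
    for attr in root.findall(".//saml2:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for v in attr.findall("saml2:AttributeValue", NS):
            pairs.append(split_role_attribute(v.text))
    return audience, pairs


def trust_policy_accepts(policy, provider_arn, audience):
    """Would a trust policy shaped like the answer's admit this assertion?

    Matches the Federated principal and, when present, the SAML:aud
    condition. A policy without SAML:aud still accepts, which is weaker.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithSAML":
            continue
        if stmt.get("Principal", {}).get("Federated") != provider_arn:
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if expected is None or expected == audience:
            return True
    return False


if __name__ == "__main__":
    audience, pairs = read_assertion(SAMPLE_ASSERTION)
    for provider, role in pairs:
        print(role, "via", provider, "->", trust_policy_accepts(TRUST_POLICY, provider, audience))
```

The value you type into the Attribute Mappings tab is exactly the comma-joined pair the sample assertion carries; if the provider name or account ID in it does not match the `Federated` principal of the role's trust policy, `AssumeRoleWithSAML` fails even though the assertion itself is valid.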