Use AWS SSO to Deny permissions for IAM and SSO itself

05 Nov, 2019

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. You can easily manage SSO access and user permissions to all of your accounts in AWS Organisations centrally.

While managing access through AWS SSO you have to restrict or Deny permissions to users for different services especially IAM and SSO itself. You do not need to create SSO in different AWS account. Access to all the AWS account can be managed using single AWS account.

Follow the steps-

1. Login to AWS management console and Enable SSO and go to SSO service

2. Go to AWS accounts –> permission sets –> click Create permission set, you can create custom permission set or use existing job functions.

3. I have created existing job functions with Full Admin access

4. Select the Permission set to Deny permissions for IAM and SSO. Click on Edit permissions

5. Paste the example custom permission set below which will be used to explicitly deny access to AWS SSO and IAM but allows administrator access to other services.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "iam:*",
        "sso:*"
      ],
      "Resource": "*"
    }
  ]
}

This way the users will not be able to access IAM and SSO services. You can use permissions policy to control access to different services in different AWS accounts.

Use AWS SSO to Deny permissions for IAM and SSO itself

Tools required to install to work with AWS EKS cluster

OAuth 2.0 Client Credentials Grant type flow

Creating custom Terraform providers and extending Terraform’s functionality

An introduction to Terraform and its use cases

Working and investigating issues with AWS ECS containers

What is Docker and how can I use it

Tag to a previous commit in a Git repository that you have cloned locally