In this step, either your Security or Cloud Administrators will onboard the few people who make up the initial foundation team, so that they can stop using system users and start using their own user accounts to manage the foundation.
This step should take about 20 minutes to complete.
In preparation for adding foundation team users to AWS SSO, decide on the format of the user name. Typically, the user name will simply be the user's corporate email address, the same identifier that is often used for SaaS services.
Next, access the AWS SSO service to begin adding an AWS SSO user for each foundation team member:
1. Sign in as the AWS Control Tower Administrator user.
2. Select the master account and open the Management console associated with the AWSAdministratorAccess role.
3. Open AWS SSO.
4. Choose Users in AWS SSO.
5. Choose Add user.
6. Choose Next: Groups.
7. Choose Add user.
8. Reach out to each foundation team member to inform them of the context of the email message they received, what they should do next, and what access they have been granted.
Their initial sign-on experience will consist of using the Accept invitation link to set their initial password.
Inform the foundation team members that use of MFA is required, and explain how they can register an MFA device on their own via the AWS SSO service.
Since you’ve onboarded foundation team members with the appropriate permissions, as a security and compliance best practice, there’s no longer any reason for your Cloud Administrators to use the AWS Control Tower Administrator user.
From this point forward, the vast majority of your work to administer and manage your AWS environment should be done via the personal users defined in AWS SSO. By using personal users, all operations will be auditable and tied to specific individuals.
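One way to confirm that administration has actually moved to personal AWS SSO users is to scan CloudTrail records for activity that is not tied to an SSO session. The script below is an added example, not part of this guide or of AWS Control Tower; the sample records are constructed, the IAM user name "control-tower-admin" is a placeholder for whatever your shared admin user is called, and it relies on AWS SSO permission-set sessions appearing as assumed roles whose name starts with AWSReservedSSO_.

```python
import json

# Constructed sample CloudTrail records (not real log data): one SSO-backed
# session, one call by the shared admin IAM user, and one root console login.
SAMPLE_EVENTS = [
    {"eventTime": "2023-01-10T09:15:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/"
                             "AWSReservedSSO_AWSAdministratorAccess_abc123/alice@example.com"}},
    {"eventTime": "2023-01-10T10:02:00Z", "eventName": "UpdateAccount",
     "userIdentity": {"type": "IAMUser", "userName": "control-tower-admin",
                      "arn": "arn:aws:iam::111122223333:user/control-tower-admin"}},
    {"eventTime": "2023-01-10T10:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]

SSO_ROLE_PREFIX = "AWSReservedSSO_"  # role name prefix used by AWS SSO permission sets


def load_cloudtrail_records(text: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(text).get("Records", [])


def is_sso_session(identity: dict) -> bool:
    """True when the caller is a role session created from an AWS SSO permission set."""
    return identity.get("type") == "AssumedRole" and \
        f":assumed-role/{SSO_ROLE_PREFIX}" in identity.get("arn", "")


def find_non_sso_activity(events: list, admin_user_name: str) -> list:
    """Return (eventTime, eventName, who) for every call not made through SSO.

    The shared admin IAM user is named explicitly, root usage is called out,
    and any other non-SSO caller is reported as 'other' for manual review.
    """
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if is_sso_session(ident):
            continue
        if ident.get("type") == "IAMUser" and ident.get("userName") == admin_user_name:
            who = f"shared admin user {admin_user_name}"
        elif ident.get("type") == "Root":
            who = "root"
        else:
            who = f"other ({ident.get('type')})"
        findings.append((ev["eventTime"], ev["eventName"], who))
    return findings


if __name__ == "__main__":
    for finding in find_non_sso_activity(SAMPLE_EVENTS, "control-tower-admin"):
        print(*finding)
```

Any finding after onboarding is complete means someone is still working outside their personal SSO identity and the action cannot be attributed to an individual.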
Meet with the foundation team members to brief them on their access, responsibilities, and other topics covered in the Example Getting Started Guide for Foundation Team Members.