Set Up Foundation Access Controls

In this step your Security and Cloud Administrators will decide on and implement the initial approach to controlling foundation team member access to the AWS platform.

This step should take about 30 minutes to complete.

1. Temporarily Use AWS SSO Locally Managed Users and Groups

If your team needs to move very quickly in a matter of 1-2 days to establish your initial development environments and does not have an immediate requirement to integrate your existing enterprise identity management system to help control access to the AWS platform, then it’s recommended that:

  1. Your Security and Cloud Administrators temporarily define and manage users and groups within the AWS SSO service.
  2. Make plans for a parallel workstream to integrate your preferred enterprise identity management system with the AWS platform and transition away from locally managed users and groups in the AWS SSO service. See Federated Access to Your AWS Environment for an overview of your options.

What about AWS IAM users and groups?: Although the AWS Identity and Access Management (AWS IAM) service supports management of locally defined users and groups, it’s generally not recommended that customers depend on this capability to help manage human user access to the AWS platform at scale. Instead, AWS recommends that you reuse your preferred enterprise identity management system and associated processes to act as the basis for human user access to the AWS platform.

2. Map Foundation Functional Roles to Existing AWS Groups

Earlier in this guide you should have mapped your foundation team members to the initial set of functional roles to be played in support of your AWS environment.

The following table represents a mapping of those functional roles to a set of AWS SSO groups and permissions. Although AWS Control Tower automatically provisioned most of the AWS SSO groups, several of the groups in the table are not pre-defined. You will create these custom groups later in this section.

Foundation Functional Role AWS SSO Groups Effective Permissions
Cloud Administration AWSControlTowerAdmins Administrator access in the master, log archive, and audit accounts.
AWSAccountFactory Ability to use the Account Factory product via AWS Service Catalog.
example-cloud-admin Administrator access in all other AWS accounts.
Security Administration AWSAuditAccountAdmins Administrator access in the audit account.
AWSLogArchiveAdmins Administrator access in the log archive account.
Cost Management example-cost-mgmt Billing and cost management access in the management account.
Audit AWSSecurityAuditors Read only access in all accounts.

Your AWS platform access permissions will evolve: The initial mapping of functional roles to groups in AWS SSO and the underlying permissions associated with those groups shown in the table above is only a simple starting point for your AWS platform access permissions for foundation team members. As you progress on your journey, you will evolve these groups and underlying permissions to meet your needs.

3. Access AWS SSO Using Your AWS Control Tower Administrator User

You’ll need to use the AWS SSO service to add a new groups for Cloud Administrators and Cost Managers and create users for foundation team members.

Since you have not yet created users in AWS SSO for each member of your foundation team, your Security or Cloud Administrator team members will need to use the AWS Control Tower Administrative user to start adding AWS SSO users for each foundation team member. Once these users have been onboarded in a subsequent step, you can stop using the AWS Control Tower Administrator user.

Access the AWS SSO service:

  1. Sign in to the AWS SSO URL for your environment using the AWS Control Tower Administrator user.
  2. Select the AWS management account.
  3. Select Management console associated with the AWSAdministratorAccess role.
  4. Select the appropriate AWS region.
  5. Navigate to AWS SSO.

Permissions error: If you encounter a permissions error when attempting to access AWS SSO via the AWS Management Console, ensure that you’ve selected the proper AWS account and role, AWSAdministratorAccess.

4. Customize AWS SSO Portal URL

As an optional step, you may want to customize the URL that you use to access the AWS SSO portal.

If you have plans to implement your own vanity URL for the portal, you can skip this step.

The default form the portal URL is similar to this example of: https://d-3a274d5e7d.awsapps.com/start. Via the AWS SSO settings, you can customize the d-3a274d5e7d portion of the URL shown in the example.

  1. Access Groups in AWS SSO.
  2. Select Settings.
  3. Under User portal, select Customize.
  4. Set the first portion of the URL to a unique value. Use your identifier, stock ticker symbol, or another identifier that you use as an abbreviated reference to your environments.

5. Add a Cloud Admin Group in AWS SSO

Since Cloud Administrators don’t have administrator access to newly created AWS accounts, you’ll need to start laying the groundwork for this access by adding a new group in AWS SSO. In a subsequent step, you’ll add Cloud Administrator team members to the new group. Later on, after the initial set of team development AWS account are created, you will assign this group and a permission set to each of those new accounts so that the Cloud Administrators can gain administrator level access to manage those accounts.

  1. Access Groups in AWS SSO.
  2. Select Create group.
  3. Provide a group name. For example example-cloud-admin. Where you should replace example with a common abbreviation for your organization.
  4. Provide a description. For example, Cloud administration.
  5. Select Create.

Cloud Resource Naming - Using Qualifiers in Shared Namespaces: When adding cloud resources to a shared namespace, it’s a best practice to prefix those resource names with an organization identifier so that you avoid conflict with AWS-managed resources and can easily identify your own custom resources.

Cloud Resource Naming - Lower Case, Camel Case, etc: Most AWS cloud resource names support using a range of characters and cases. Typically, AWS-managed resources use camel case, but organizations often standardize on one style and strive to use that style throughout their cloud environment.

6. Add a Cost Management Group and Assign Permissions in AWS SSO

Since there’s no suitable predefined AWS SSO group for cost management team members, you need to add a new group in AWS SSO and associate the necessary permissions with that group. In a subsequent step, you’ll add cost management team members to the new group.

In the spirit of least privilege access, the resulting permissions will enable cost management team members to access only your master AWS account and only the cost management and billing resources and data accessible within that AWS account.

Add Cost Management Group in AWS SSO

  1. Access Groups in AWS SSO.
  2. Select Create group.
  3. Provide a group name. For example example-cost-mgmt. Where you should replace example with a common abbreviation for your organization.
  4. Provide a description. For example, ‘Cost management and billing`.
  5. Select Create.

Associate Group and Permission Set with AWS Management Account

  1. Access AWS accounts in AWS SSO.
  2. Select the checkbox next to your management AWS account.
  3. Select Assign users.
  4. Select Groups.
  5. Select the checkbox next to example-cost-mgmt or similar.
  6. Select Next: Permission sets.

Create New Permission Set for Billing

  1. Select Use an existing job function policy.
  2. Select Next: Details.
  3. Select Billing.
  4. Select Next: Tags.
  5. Select Next: Review.
  6. Select Create.

Associate Billing Permission Set

  1. Select the checkbox next to Billing.
  2. Select Finish.

AWS SSO deploys the selected permission set to the selected AWS account.