In this step your Security and Cloud Administrators will decide on and implement the initial approach to controlling foundation team member access to the AWS platform.
This step should take about 30 minutes to complete.
If your team needs to move very quickly in a matter of 1-2 days to establish your initial development environments and does not have an immediate requirement to integrate your existing enterprise identity management system to help control access to the AWS platform, then it’s recommended that:
What about AWS IAM users and groups?: Although the AWS Identity and Access Management (AWS IAM) service supports management of locally defined users and groups, it’s generally not recommended that customers depend on this capability to help manage human user access to the AWS platform at scale. Instead, AWS recommends that you reuse your preferred enterprise identity management system and associated processes to act as the basis for human user access to the AWS platform.
Earlier in this guide you should have mapped your foundation team members to the initial set of functional roles to be played in support of your AWS environment.
The following table represents a mapping of those functional roles to a set of AWS SSO groups and permissions. Although AWS Control Tower automatically provisioned most of the AWS SSO groups, several of the groups in the table are not pre-defined. You will create these custom groups later in this section.
Foundation Functional Role | AWS SSO Groups | Effective Permissions
---|---|---
Cloud Administration | AWSControlTowerAdmins | Administrator access in the management (formerly master), log archive, and audit accounts.
Cloud Administration | AWSAccountFactory | Ability to use the Account Factory product via AWS Service Catalog.
Cloud Administration | example-cloud-admin | Administrator access in all other AWS accounts.
Security Administration | AWSAuditAccountAdmins | Administrator access in the audit account.
Security Administration | AWSLogArchiveAdmins | Administrator access in the log archive account.
Cost Management | example-cost-mgmt | Billing and cost management access in the management account.
Audit | AWSSecurityAuditors | Read-only access in all accounts.
Your AWS platform access permissions will evolve: The initial mapping of functional roles to groups in AWS SSO and the underlying permissions associated with those groups shown in the table above is only a simple starting point for your AWS platform access permissions for foundation team members. As you progress on your journey, you will evolve these groups and underlying permissions to meet your needs.
You’ll need to use the AWS SSO service to add new groups for Cloud Administrators and Cost Managers and to create users for foundation team members.
Since you have not yet created users in AWS SSO for each member of your foundation team, your Security or Cloud Administrator team members will need to use the AWS Control Tower Administrative user to start adding AWS SSO users for each foundation team member. Once these users have been onboarded in a subsequent step, you can stop using the AWS Control Tower Administrator user.
Access the AWS SSO service:

1. Sign in to the management account.
2. Select the Management console link associated with the AWSAdministratorAccess role.
3. Select AWS SSO.

Permissions error: If you encounter a permissions error when attempting to access AWS SSO via the AWS Management Console, ensure that you’ve selected the proper AWS account and role, AWSAdministratorAccess.
As an optional step, you may want to customize the URL that you use to access the AWS SSO portal. If you have plans to implement your own vanity URL for the portal, you can skip this step.

The default form of the portal URL is similar to this example: https://d-3a274d5e7d.awsapps.com/start. Via the AWS SSO settings, you can customize the d-3a274d5e7d portion of the URL shown in the example.

1. Navigate to Settings in AWS SSO.
2. Under User portal, select Customize.
Since Cloud Administrators don’t have administrator access to newly created AWS accounts, you’ll need to start laying the groundwork for this access by adding a new group in AWS SSO. In a subsequent step, you’ll add Cloud Administrator team members to the new group. Later on, after the initial set of team development AWS accounts are created, you will assign this group and a permission set to each of those new accounts so that the Cloud Administrators can gain administrator-level access to manage those accounts.

1. Navigate to Groups in AWS SSO.
2. Select Create group.
3. Group name: example-cloud-admin, where you should replace example with a common abbreviation for your organization.
4. Description: Cloud administration.
5. Select Create.
.Cloud Resource Naming - Using Qualifiers in Shared Namespaces: When adding cloud resources to a shared namespace, it’s a best practice to prefix those resource names with an organization identifier so that you avoid conflict with AWS-managed resources and can easily identify your own custom resources.
Cloud Resource Naming - Lower Case, Camel Case, etc: Most AWS cloud resource names support using a range of characters and cases. Typically, AWS-managed resources use camel case, but organizations often standardize on one style and strive to use that style throughout their cloud environment.
Since there’s no suitable predefined AWS SSO group for cost management team members, you need to add a new group in AWS SSO and associate the necessary permissions with that group. In a subsequent step, you’ll add cost management team members to the new group.

In the spirit of least privilege access, the resulting permissions will enable cost management team members to access only your management AWS account, and within that account only the cost management and billing resources and data.

Create the group:

1. Navigate to Groups in AWS SSO.
2. Select Create group.
3. Group name: example-cost-mgmt, where you should replace example with a common abbreviation for your organization.
4. Select Create.

Assign the group to the management account with a permission set based on the Billing job function policy:

1. Navigate to AWS accounts in AWS SSO.
2. Select the management AWS account.
3. Select Assign users.
4. Select Groups.
5. Select example-cost-mgmt or similar.
6. Select Next: Permission sets.
7. Create a new permission set by selecting Use an existing job function policy.
8. Select Next: Details.
9. Select Billing.
10. Select Next: Tags.
11. Select Next: Review.
12. Select Create.
13. Select the newly created Billing permission set.
14. Select Finish.

AWS SSO deploys the selected permission set to the selected AWS account. Before handing the group to cost management team members, confirm in AWS SSO that the management account is the only account with an assignment for example-cost-mgmt and that Billing is the only permission set attached; a group that later picks up AdministratorAccess in the management account silently breaks the least-privilege boundary described above.
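The two console procedures above (creating the example-cloud-admin and example-cost-mgmt groups, and assigning the Billing job function permission set to the cost management group in the management account) can also be scripted, which makes the result reviewable and repeatable across environments. The script below is an added example written for this page, not code from the guide or from AWS. It uses only documented AWS CLI v2 operations (aws sso-admin and aws identitystore) and assumes: AWS CLI credentials for the AWSAdministratorAccess role in the management account; ORG_PREFIX set to your organization abbreviation (the placeholder default is "example"); MGMT_ACCOUNT_ID set to your management account ID (the 111111111111 default is a constructed placeholder); and a one-hour session duration for the Billing permission set, which is my choice rather than anything the guide specifies. The Billing managed policy ARN is the real AWS job function policy. Nothing talks to AWS unless RUN_AWS_SSO_BOOTSTRAP=1 is set, so the naming check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the guide): CLI equivalent of the AWS SSO group and
# permission set steps, with the naming convention enforced and the asynchronous
# account assignment polled to completion.
set -eu

ORG_PREFIX="${ORG_PREFIX:-example}"                  # replace with your org abbreviation
MGMT_ACCOUNT_ID="${MGMT_ACCOUNT_ID:-111111111111}"   # constructed placeholder account ID
BILLING_POLICY_ARN="arn:aws:iam::aws:policy/job-function/Billing"
PS_SESSION_DURATION="PT1H"                           # assumption: one-hour sessions

# Naming convention from the guide: organization prefix, lower case, hyphens only.
# Returns 0 for a conforming name, 1 (with a message on stderr) otherwise.
validate_group_name() {
  if printf '%s\n' "$1" | grep -Eq "^${ORG_PREFIX}-[a-z0-9][a-z0-9-]*$"; then
    return 0
  fi
  echo "invalid group name '$1': expected '${ORG_PREFIX}-' prefix, lower case, hyphens only" >&2
  return 1
}

# Prints "<InstanceArn> <IdentityStoreId>" for the organization's AWS SSO instance.
sso_instance() {
  aws sso-admin list-instances \
    --query 'Instances[0].[InstanceArn,IdentityStoreId]' --output text
}

# $1 = group name, $2 = description. Prints the new GroupId.
create_group() {
  validate_group_name "$1"
  aws identitystore create-group --identity-store-id "$IDENTITY_STORE_ID" \
    --display-name "$1" --description "$2" --query GroupId --output text
}

# Creates a permission set that carries only the Billing job function policy.
# Prints the PermissionSetArn.
create_billing_permission_set() {
  ps_arn=$(aws sso-admin create-permission-set --instance-arn "$INSTANCE_ARN" \
    --name Billing --description "Billing and cost management access" \
    --session-duration "$PS_SESSION_DURATION" \
    --query PermissionSet.PermissionSetArn --output text)
  aws sso-admin attach-managed-policy-to-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$ps_arn" --managed-policy-arn "$BILLING_POLICY_ARN"
  echo "$ps_arn"
}

# $1 = GroupId, $2 = PermissionSetArn, $3 = target account ID.
# create-account-assignment is asynchronous, so poll the request until it settles.
assign_group_to_account() {
  req_id=$(aws sso-admin create-account-assignment --instance-arn "$INSTANCE_ARN" \
    --target-id "$3" --target-type AWS_ACCOUNT \
    --permission-set-arn "$2" --principal-type GROUP --principal-id "$1" \
    --query AccountAssignmentCreationStatus.RequestId --output text)
  while :; do
    status=$(aws sso-admin describe-account-assignment-creation-status \
      --instance-arn "$INSTANCE_ARN" --account-assignment-creation-request-id "$req_id" \
      --query AccountAssignmentCreationStatus.Status --output text)
    [ "$status" = "IN_PROGRESS" ] || break
    sleep 2
  done
  if [ "$status" != "SUCCEEDED" ]; then
    echo "assignment $req_id ended in state $status" >&2
    return 1
  fi
}

main() {
  set -- $(sso_instance)
  INSTANCE_ARN=$1
  IDENTITY_STORE_ID=$2
  cloud_admin_gid=$(create_group "${ORG_PREFIX}-cloud-admin" "Cloud administration")
  echo "created ${ORG_PREFIX}-cloud-admin: $cloud_admin_gid (assign to team accounts later)"
  cost_gid=$(create_group "${ORG_PREFIX}-cost-mgmt" "Cost management")
  ps_arn=$(create_billing_permission_set)
  assign_group_to_account "$cost_gid" "$ps_arn" "$MGMT_ACCOUNT_ID"
  # Least-privilege check: the only assignment for this permission set in the
  # management account should be the cost management group.
  aws sso-admin list-account-assignments --instance-arn "$INSTANCE_ARN" \
    --account-id "$MGMT_ACCOUNT_ID" --permission-set-arn "$ps_arn" --output table
}

# Only talk to AWS when explicitly asked; otherwise the functions are just defined.
if [ "${RUN_AWS_SSO_BOOTSTRAP:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_AWS_SSO_BOOTSTRAP=1 ORG_PREFIX=acme MGMT_ACCOUNT_ID=<your-id> sh bootstrap-sso.sh` from a shell that already holds AWSAdministratorAccess credentials in the management account. The cloud administration group is created but deliberately not assigned anywhere yet, matching the guide: it is bound to the team development accounts in a later step once those accounts exist.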