Step-by-Step Guide to Setting Up AWS IAM, Identity Center, and Organization

Introduction

Effectively managing access and security across multiple AWS accounts can be challenging without the appropriate tools. This comprehensive guide offers a detailed, step-by-step approach to setting up AWS IAM, AWS Identity Center, and AWS Organizations. By following this guide, you can streamline user management, enforce robust access controls, and maintain a secure multi-account environment. Whether you're new to AWS or looking to enhance your cloud security practices, this guide provides the essential foundation you need.

Project Objectives

  1. Establish AWS organization accounts for development, staging, and production environments.

  2. Organize users into groups based on their roles.

  3. Develop permission sets tailored for each group.

  4. Enhance user login security with Multi-Factor Authentication (MFA).

Prerequisite

Before we dive into the article, you need to have an AWS account and a basic understanding of AWS services.

Steps

Step 1: AWS Organization

  • Set up an AWS Organization for a company that manages three AWS accounts: Development, Staging, and Production.

  • Create the AWS Organization from the root account.

Create AWS Organization member accounts for the development, staging, and production environments.

Note: You might encounter the error below when creating multiple member accounts. This happens because AWS limits the number of accounts a new customer can create in an organization. To resolve this, contact AWS Support, explain your issue, and request a service quota increase. Alternatively, you can search for "Service Quotas" in the console and look for "AWS Organizations" under AWS services, as shown in the diagram below.

Click on the first option you see on the AWS Organization page, then click on the request increase button. Follow the instructions provided.

Step 2: Set up IAM Identity Center (also known as Single Sign On or SSO)

  • Create users and organize them into groups based on their roles.

  • We’ll create three groups and five users (You can create as many as you want).

Navigate to IAM Identity Center and click on groups to create the groups.

After creating the groups, we can move on to creating the users we need.

Please note that each email must be unique. For learning purposes, you can use your own email address by adding a "+" sign and any additional text to make it unique. The emails will still be delivered to your original email address.

  • We will add the users to the groups we created based on their roles. The admin user should be added to the admin group, the dev user to the dev team, and so on.

  • Review and add the user. Be sure to save the user information displayed, as it will be needed to sign in as the user you just created.

Step 3: Create Permission Set

  • We'll create permission sets for the groups we created. It is recommended to assign permission sets to groups rather than to individual users; this is more efficient and easier to maintain.

  • Still in IAM Identity Center, navigate to Permission sets and click on it.

Click on Create permission set.

AWS provides predefined permission sets, and you can also create custom permission sets as needed.

Note that there are three types of users in AWS: the root user, the IAM user, and the federated user (Identity Center).

Step 4: Assign Permission Set to Groups for each AWS Account

Navigate to the AWS accounts in Identity Center, select the account, and click on Assign users or groups.
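Steps 1 to 4 above can also be expressed as code. The Terraform below, written for the official hashicorp/aws provider, is an added example and is not part of the original guide. It assumes you run it from the management account, that IAM Identity Center has already been enabled once in the console in that region (the provider can only read the instance, not enable it), and it invents the account e-mail addresses, the three group names (Admins, Developers, ReadOnly), the sample user and the managed policies attached to each permission set. The guide only fixes the three environments and the rule that permission sets are assigned to groups, per account.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

# Run from the management account, in the region where Identity Center is enabled (assumption).
provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

# Step 1: the organization, with all features enabled so that IAM Identity Center
# (service principal sso.amazonaws.com) can be used across the member accounts.
resource "aws_organizations_organization" "org" {
  feature_set                   = "ALL"
  aws_service_access_principals = ["sso.amazonaws.com"]
}

# Assumption: one member account per environment; the e-mail addresses are placeholders.
locals {
  environments = {
    development = "aws-dev@example.com"
    staging     = "aws-staging@example.com"
    production  = "aws-prod@example.com"
  }
}

resource "aws_organizations_account" "env" {
  for_each   = local.environments
  name       = each.key
  email      = each.value
  role_name  = "OrganizationAccountAccessRole" # cross-account admin role AWS creates in each member account
  depends_on = [aws_organizations_organization.org]
}

# Identity Center is enabled once in the console; Terraform only reads the instance and its identity store.
data "aws_ssoadmin_instances" "sso" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.sso.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.sso.identity_store_ids)[0]

  # Steps 2 and 3 (assumption): three role-based groups, each mapped to one AWS managed policy.
  groups = {
    Admins     = "arn:aws:iam::aws:policy/AdministratorAccess"
    Developers = "arn:aws:iam::aws:policy/PowerUserAccess"
    ReadOnly   = "arn:aws:iam::aws:policy/ReadOnlyAccess"
  }
}

resource "aws_identitystore_group" "g" {
  for_each          = local.groups
  identity_store_id = local.identity_store_id
  display_name      = each.key
}

# Step 2: one constructed user; the "+" suffix keeps the address unique while still being deliverable.
resource "aws_identitystore_user" "admin" {
  identity_store_id = local.identity_store_id
  user_name         = "admin.user"
  display_name      = "Admin User"
  name {
    given_name  = "Admin"
    family_name = "User"
  }
  emails {
    value   = "you+admin@example.com"
    primary = true
  }
}

resource "aws_identitystore_group_membership" "admin" {
  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.g["Admins"].group_id
  member_id         = aws_identitystore_user.admin.user_id
}

# Step 3: one permission set per group; the session length is a deliberate limit, not an AWS default.
resource "aws_ssoadmin_permission_set" "ps" {
  for_each         = local.groups
  name             = each.key
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "ps" {
  for_each           = local.groups
  instance_arn       = local.sso_instance_arn
  managed_policy_arn = each.value
  permission_set_arn = aws_ssoadmin_permission_set.ps[each.key].arn
}

# Step 4: assignments are made per account. Admins reach the management account and every
# member account; Developers only reach development; ReadOnly is what gets handed out for production.
locals {
  assignments = merge(
    { "Admins-management" = { group = "Admins", account = data.aws_caller_identity.current.account_id } },
    { for env, acct in aws_organizations_account.env : "Admins-${env}" => { group = "Admins", account = acct.id } },
    { "Developers-development" = { group = "Developers", account = aws_organizations_account.env["development"].id } },
    { "ReadOnly-production" = { group = "ReadOnly", account = aws_organizations_account.env["production"].id } },
  )
}

resource "aws_ssoadmin_account_assignment" "a" {
  for_each           = local.assignments
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ps[each.value.group].arn
  principal_type     = "GROUP"
  principal_id       = aws_identitystore_group.g[each.value.group].group_id
  target_type        = "AWS_ACCOUNT"
  target_id          = each.value.account
}
```

Two design choices worth noting. Every assignment targets a group, never a user, so adding a person to a team is one membership change rather than a set of new assignments; and the assignment map is explicit per account, so a `terraform plan` shows exactly which group can reach production before anything is applied. The account quota note from Step 1 applies here too: the three `aws_organizations_account` creations will fail in the same way if the quota has not been raised.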

Step 5: Set up MFA for each User

MFA is set up for each user when they sign in through the SSO access portal.

Choose one of the available options; I chose the Authenticator app. Download an authenticator app on your phone and scan the QR code.

The user will be prompted to change their password.

For the Admin user, these are the accounts they can access:

  • The management account.

  • The Development account.

The user switches between accounts through the SSO access portal, with no need to use "Switch Role" manually.

Make sure MFA is activated for the other users as well.

Conclusion

In conclusion, this guide provides a comprehensive approach to managing access and security in a multi-account AWS environment using AWS IAM, AWS Identity Center, and AWS Organizations. It covers setting up AWS organization accounts for different environments, organizing users into role-based groups, developing tailored permission sets, and enhancing security with Multi-Factor Authentication. Aimed at both beginners and those refining their cloud security, it offers practical steps to establish a secure and efficient AWS infrastructure.


Written by

Adisa Barakat Adekemi