IAM Identity Center

Setting Up User Accounts

We have successfully created accounts for production and staging. But what if multiple users need access to the production and staging accounts, each with different permissions? Let's go through the steps to grant other user accounts access to production and staging.

1. Create a Group and User

  • In the AWS Management Console, go to IAM Identity Center (formerly AWS Single Sign-On).


  • Enable IAM Identity Center:
    • If it's not already enabled, click on "Enable" and choose the Enable with AWS Organizations (Recommended) option.


  • Create a Group:
    • Navigate to "Groups".
    • Click "Create group".
    • Group Name: Enter the name AdminAccess.
    • Create Group: Click "Create group".


Groups simplify permission management by allowing you to assign permissions to multiple users at once.

  • Add a User:
    • Go to "Users".
    • Click "Add user".
    • User Details:
      • Username: Use the first and last name or a preferred alias.
      • Email Address: Enter the email of the authorized person.
      • Password Setup: Choose "Send an email to this user with password setup instructions".
      • Additional Fields: Fill in as desired.
    • Next: Click "Next".


  • Assign User to Group:
    • Select Groups: Choose AdminAccess.
    • Next: Proceed to the next step.
    • Review and Add User: Confirm the details and click "Add user".

You'll receive an email with instructions to set up your password. Make sure you also set up MFA to protect your account!

2. Set Up Permission Sets

Permission sets define the level of access users have within your AWS accounts.

  • Create Permission Sets:
    • On the left sidebar under Multi-account permissions, select "Permission sets".
    • Click "Create permission set".
  • AdministratorAccess Permission Set:
    • Choose Permission Type: Select "Predefined permission set".
    • Select Policy: Choose "AdministratorAccess".
    • Session Duration: Set how long a user can be signed in before re-authenticating. 1 hour is recommended.
    • Create: Click "Next", then click "Create".

3. Assign Permissions to Accounts

Now, we'll assign our group to both the production and staging accounts with the appropriate permission sets.

  • Click on "AWS accounts" under Multi-account permissions.


  • Select Accounts:
    • Check the boxes next to both prod and staging accounts.
    • Click "Assign users or groups".


  • Assign Group:
    • Select Users or Groups: Choose AdminAccess.
    • Next: Click to proceed.


  • Select Permission Set:
    • Choose "AdministratorAccess".
    • Next: Review and confirm the assignments.
    • Submit: Click "Submit" to finalize.
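The same three steps (group and user, predefined AdministratorAccess permission set with a 1-hour session, assignment of the group to both accounts) expressed as Terraform using the AWS provider. This is an added example, not part of the original page; the account IDs, the user "jane.doe" and her email address are placeholders, and the Terraform resource labels are arbitrary.

```hcl
data "aws_ssoadmin_instances" "this" {}
locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  # Placeholder account IDs: replace with the real prod and staging account IDs
  accounts = { prod = "111111111111", staging = "222222222222" }
}
# Step 1: the AdminAccess group, one user, and the membership linking them
resource "aws_identitystore_group" "admin" {
  identity_store_id = local.identity_store_id
  display_name      = "AdminAccess"
}
resource "aws_identitystore_user" "jane" {
  identity_store_id = local.identity_store_id
  user_name         = "jane.doe" # placeholder alias
  display_name      = "Jane Doe"
  name {
    given_name  = "Jane"
    family_name = "Doe"
  }
  emails {
    value   = "jane.doe@example.com" # placeholder address
    primary = true
  }
}
resource "aws_identitystore_group_membership" "jane_admin" {
  identity_store_id = local.identity_store_id
  group_id          = aws_identitystore_group.admin.group_id
  member_id         = aws_identitystore_user.jane.user_id
}
# Step 2: predefined AdministratorAccess permission set, 1-hour session (ISO 8601 PT1H)
resource "aws_ssoadmin_permission_set" "admin" {
  name             = "AdministratorAccess"
  instance_arn     = local.instance_arn
  session_duration = "PT1H"
}
resource "aws_ssoadmin_managed_policy_attachment" "admin" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
# Step 3: assign the group to both accounts with that permission set
resource "aws_ssoadmin_account_assignment" "admin" {
  for_each           = local.accounts
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.admin.arn
  principal_id       = aws_identitystore_group.admin.group_id
  principal_type     = "GROUP"
  target_id          = each.value
  target_type        = "AWS_ACCOUNT"
}
```

The password-setup email and the MFA setup from step 1 are not expressed in this config and remain console steps.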

🎉 Great Job!

You've successfully:

  • Created separate AWS accounts for production and staging.
  • Created a group and user for efficient permission management.
  • Established a permission set to control access levels.
  • Assigned the permission set to your accounts.

We've only created an AdministratorAccess permission set, but in the real world you can create permission sets such as ReadOnlyAccess, or even customize them for each user account or group.

Sticking to best practices can be time-consuming, but it's crucial for security and scalability. Kudos for making it through this essential setup!